Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal delivers all of the knowledge acquired by Kaspersky about cyberthreats and legitimate objects, and their relationships, which are brought together into a single, powerful web service. The goal is to provide your security teams with as much data as possible in order to prevent cyberattacks from impacting your organization. The portal retrieves the latest detailed threat intelligence about web addresses, domains, IP addresses, file hashes, statistical/behavioral data, WHOIS data, etc. The result is visibility of new and emerging threats globally, thus helping you to secure your organization and boost incident response.

Kaspersky Threat Intelligence Portal is available for desktops, tablets, and mobile devices.

Threat intelligence is aggregated from a wide variety of highly reliable sources. Then, in real time, all of the aggregated data is carefully inspected and refined by using several preprocessing techniques and technologies, such as statistical systems, similarity tools, sandboxing, behavioral profiling, allowlist-based verification, and analyst validation.

Every submitted file is analyzed by a set of advanced threat detection technologies, such as reputational services, behavior detection technologies, heuristic analysis, Urgent Detection System, and Kaspersky Cloud Sandbox, to monitor its behavior and actions, including network connections and downloaded/dropped objects. The Sandbox is based on the company’s proprietary and patented technology, which is used internally and allows Kaspersky to detect more than 350,000 new malicious objects every day.

Besides advanced threat detection technologies, information about submitted files, web addresses, IP addresses, and hashes is enriched with the most recent threat intelligence aggregated from fused, heterogeneous, and highly reliable sources, such as:

  • Kaspersky Security Network
  • Botnet Tracking service
  • Proprietary web crawlers
  • Spam traps
  • APT research findings (thanks to our GReAT team)
  • Security partners information
  • Technical Intelligence (passive DNS, WHOIS)
  • OSINT

Finally, the service analyzes the data for malicious and suspicious activity, and then returns a status report for the submitted objects (files, web addresses, IP addresses, or hashes).

How it works

Files or Indicators of Compromise can be submitted through a web interface or RESTful API. Kaspersky Threat Intelligence Portal lets you submit and retrieve threat intelligence on the following objects:

  • Files
  • MD5, SHA1, and SHA256 hashes
  • IP addresses (IPv4)
  • Domains
  • Web addresses

Kaspersky Threat Intelligence Portal shows whether an object is in the Good, Bad, or Not Categorized zone, while providing contextual data to help you respond to or investigate objects more effectively.

For users with Premium Access, additional functionality includes access to detailed Threat Lookup and Kaspersky Cloud Sandbox reports, APT Intelligence, Crimeware, and Industrial Threat Intelligence, as well as Digital Footprint Reporting.

Premium Kaspersky Threat Intelligence Portal services

Tracking, analyzing, interpreting, and mitigating constantly evolving IT security threats is a massive undertaking. Companies in every sector lack the up-to-the-minute, relevant data they need to manage the risks associated with IT security threats. To help these companies access the most relevant threat information, and to support their ongoing struggle against complex cybercrime, Kaspersky offers premium access through Kaspersky Threat Intelligence Portal—the ultimate web service to help researchers and Security Operation Center analysts work more efficiently while managing thousands of security alerts.

Premium Kaspersky Threat Intelligence Portal services include:

APT Intelligence Reporting

Subscribers to Kaspersky APT Intelligence Reporting receive unique ongoing access to our investigations and discoveries, including threat actor profiles, their TTPs mapped to MITRE ATT&CK, and full technical data provided in a range of formats on every APT as it's discovered, including all the threats that are never made public. The information in these reports helps you to respond quickly to various threats and vulnerabilities—blocking attacks via known vectors, reducing the damage caused by advanced attacks, and enhancing your overall security strategy.

Crimeware Threat Intelligence Reporting

Enables financial institutions to inform their defensive strategies by providing timely information on attacks targeting banks, payment processing companies, insurance companies, etc. Reports include detailed insights into attacks on specific infrastructures, like ATMs and Point-of-Sale devices, and information on tools tailored to attack financial networks, which are used, developed, and sold by cybercriminals on the dark web.

Digital Footprint Intelligence

A digital risk monitoring solution that provides detailed information on attack vectors associated with an organization's entire digital footprint. These include items such as compromised credentials, information leakages, vulnerable services on the network perimeter, and insider threats. By revealing signs of any past, present, or planned attacks, and identifying weak spots vulnerable to exploitation, the solution helps companies to focus their defensive strategy on prime cyberattack targets.

Threat Data Feeds

By integrating up-to-the-minute Threat Data Feeds containing information on untrusted and dangerous IP addresses, web addresses, and file hashes into existing security controls such as SIEM systems, security teams can automate the initial alert triage process while providing their triage specialists with enough context to immediately identify alerts that should be investigated or escalated to incident response teams for further investigation and response.

CyberTrace

Kaspersky CyberTrace is a threat intelligence fusion and analysis tool that enables seamless integration of any threat intelligence feed you might want to use (in JSON, STIX, XML, and CSV formats) with SIEM solutions and other log sources to help analysts more effectively leverage threat intelligence in their existing security operations workflow. The tool uses an internal process of parsing and matching incoming data, which significantly reduces SIEM workload. By automatically parsing incoming logs and events, and matching them against threat intelligence feeds, Kaspersky CyberTrace provides real-time situational awareness, which helps security analysts make swift, well-informed decisions.
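The feed-to-log matching that the Threat Data Feeds and CyberTrace passages describe, as an added example that is not Kaspersky's code: a constructed JSON feed (its field names are assumed, not the real feed schema) is indexed and matched against constructed log lines, and each hit is returned with the feed context a triage analyst would want.

```python
import json
import re

# Constructed sample feed records (illustrative only, not a real Kaspersky
# Threat Data Feed; the field names are assumed for this example).
SAMPLE_FEED_JSON = json.dumps([
    {"type": "ip", "value": "203.0.113.45", "zone": "Bad", "category": "botnet_cnc"},
    {"type": "hash", "value": "0123456789ABCDEF0123456789ABCDEF", "zone": "Bad", "category": "trojan"},
    {"type": "url", "value": "http://malware.example/drop.exe", "zone": "Bad", "category": "downloader"},
])

# Constructed log lines, in the shape a SIEM might forward them.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z fw src=10.0.0.7 dst=203.0.113.45 dport=443 action=allow",
    "2024-01-01T10:00:05Z proxy user=alice url=http://malware.example/drop.exe status=200",
    "2024-01-01T10:00:09Z edr host=ws01 file=C:\\Temp\\a.exe md5=0123456789abcdef0123456789abcdef",
    "2024-01-01T10:00:12Z fw src=10.0.0.8 dst=198.51.100.2 dport=80 action=allow",
]

# The object types the portal accepts: IPv4 addresses, MD5/SHA1/SHA256 hashes, web addresses.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+")


def load_feed(feed_json):
    """Index feed records by (type, normalised value) so each lookup is O(1)."""
    index = {}
    for rec in json.loads(feed_json):
        index[(rec["type"], rec["value"].lower().rstrip("/"))] = rec
    return index


def extract_indicators(line):
    """Pull candidate URLs, hashes and IPv4 addresses out of one log line."""
    found = set()
    for url in URL_RE.findall(line):
        found.add(("url", url.lower().rstrip("/")))
    for h in HASH_RE.findall(line):
        found.add(("hash", h.lower()))
    # Blank out URLs first so an IP embedded in a URL is not counted twice.
    for ip in IPV4_RE.findall(URL_RE.sub(" ", line)):
        found.add(("ip", ip))
    return found


def match_logs(feed_index, log_lines):
    """Return one enriched hit per (line, indicator) pair found in the feed."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for key in sorted(extract_indicators(line)):
            rec = feed_index.get(key)
            if rec is not None:
                hits.append({"line": lineno, "indicator": key[1], "zone": rec["zone"], "category": rec["category"]})
    return hits
```

Running `match_logs(load_feed(SAMPLE_FEED_JSON), SAMPLE_LOGS)` flags lines 1 to 3 and leaves the benign fourth line alone.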

Threat Lookup

Kaspersky Threat Lookup delivers all of the knowledge acquired by Kaspersky about cyberthreats, legitimate objects, and their relationships, brought together into a single, powerful web service. The goal is to provide security teams with as much data as possible in order to prevent cyberattacks from impacting your organization. Threat Lookup retrieves the latest detailed threat intelligence about web addresses, domains, IP addresses, file hashes, detected object names, statistical/behavior data, WHOIS/DNS data, file attributes, geolocation data, download chains, timestamps, etc. The result is visibility into new and emerging threats globally, helping you secure your organization, boost incident response, and improve threat-hunting missions.

Basic access to Kaspersky Threat Lookup is available to all users.

Cloud Sandbox

Making an intelligent decision based on a file's behavior, while simultaneously analyzing the process memory, network activity, etc., is the best way to understand current sophisticated targeted and tailored threats. Based on our proprietary and patented technologies, Kaspersky Cloud Sandbox provides detailed reports on the behavior of files suspected of being infected.

It incorporates all of the knowledge about malware behaviors acquired by Kaspersky over 20 years of continuous threat research, which allows us to detect more than 350,000 new malicious objects each day. While Threat Lookup retrieves the latest and historical threat intelligence, Kaspersky Cloud Sandbox allows that knowledge to be linked to the IOCs generated by the analyzed sample, revealing the full scope of an attack and helping you plan effective response measures.

Sandboxing of web addresses is also available.

Basic summary reports are available to all users.

Industrial Threat Intelligence Reporting

The Kaspersky Industrial Threat Intelligence Reporting Service provides the customer with in-depth intelligence and greater awareness of malicious campaigns targeting industrial organizations, as well as information on vulnerabilities found in the most popular industrial control systems and underlying technologies.

These premium services enable companies to run highly effective and complex incident investigations—gaining an immediate understanding of the nature of threats, connecting the dots as you drill down to reveal interrelated threat indicators, and linking incidents to specific APT actors, campaigns, their motivation, and TTPs.

For more information, please visit https://www.kaspersky.com/enterprise-security/threat-intelligence and https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting.

Comparison of Kaspersky Threat Intelligence Portal versions

The table below shows the difference between features available for General and Premium Access to Kaspersky Threat Intelligence Portal.

Available features for General and Premium Access to Kaspersky Threat Intelligence Portal

Feature | General Access | Premium Access
--- | --- | ---
Home page | |
Worldwide cyber-map | Yes | Yes
TOPs of threats worldwide and for individual countries | Yes | Yes
Threat dynamics worldwide and for individual countries | No | Yes
Event list displaying recent events | No | Yes
APT Intelligence and Crimeware Threat Intelligence Reporting | |
Access to service using web interface | No | Yes
Access to service using RESTful API | No | Yes
Email notifications for new or updated reports | No | Yes
APT Intelligence reports | No | Yes
APT C&C Tracking | No | Yes
Crimeware Threat Intelligence reports | No | Yes
Actor profiles | No | Yes
IoC downloads | No | Yes
Industrial Reporting | |
Industrial reports | No | Yes
Threat Lookup: Hash investigation | |
Access to service using web interface | Yes | Yes
Access to service using RESTful API | Yes (for registered users, API token required) | Yes
Export results to JSON / STIX / CSV formats | No | Yes
Hash report contents: | |
General information | Yes | Yes
Detection names | Yes | Yes
File signatures and certificates | No | Yes
Container signatures and certificates | No | Yes
File paths | No | Yes
File names | No | Yes
File downloaded from web addresses and domains | No | Yes
File accessed following web addresses | No | Yes
File started following objects | No | Yes
File was started by following objects | No | Yes
File downloaded following objects | No | Yes
File was downloaded by following objects | No | Yes
Threat Lookup: IP address investigation | |
Access to service using web interface | Yes | Yes
Access to service using RESTful API | Yes (for registered users, API token required) | Yes
Export results to JSON / STIX / CSV formats | No | Yes
IP address report contents: | |
General information | Yes | Yes
IP WHOIS | Yes | Yes
Threat score | No | Yes
DNS resolutions for IP address | No | Yes
Files related to IP address | No | Yes
Hosted web addresses | No | Yes
Threat Lookup: Web address investigation | |
Access to service using web interface | Yes | Yes
Access to service using RESTful API | Yes (for registered users, API token required) | Yes
Export results to JSON / STIX / CSV formats | No | Yes
Web address report contents: | |
General information | Yes | Yes
Domain/IP WHOIS | Yes | Yes
DNS resolutions for domain | No | Yes
Files downloaded from requested web address | No | Yes
Files accessed requested web address | No | Yes
Referrals to requested web address | No | Yes
Requested object linked, forwarded, or redirected to following web addresses | No | Yes
Masks (record ID in Data Feeds) | No | Yes
Threat Lookup: Domain investigation | |
Access to service using web interface | Yes | Yes
Access to service using RESTful API | Yes (for registered users, API token required) | Yes
Export results to JSON / STIX / CSV formats | No | Yes
Domain report contents: | |
General information | Yes | Yes
Domain WHOIS | Yes | Yes
DNS resolutions for domain | No | Yes
Files downloaded from requested domain | No | Yes
Files accessed requested domain | No | Yes
Subdomains | No | Yes
Referrals to domain | No | Yes
Domain referred to following web addresses | No | Yes
Web address masks | No | Yes
WHOIS Lookup | No | Yes
WHOIS Hunting | No | Yes
Cloud Sandbox: Upload and execute file | |
Custom file execution parameters | No | Yes
Access to service using web interface | Yes | Yes
Access to service using RESTful API | Yes (for registered users, API token required) | Yes
Export results to JSON / STIX / CSV formats | No | Yes
File analysis report contents: | |
General information | Yes | Yes
Detection names (including Sandbox detects and Triggered Network Rules) | Yes | Yes
Execution map | Yes (limited) | Yes
Suspicious activities | Yes (limited) | Yes
Screenshots | Yes (limited) | Yes
Loaded PE images | Yes (limited) | Yes
File operations | Yes (limited) | Yes
Registry operations | Yes (limited) | Yes
Process operations | Yes (limited) | Yes
Synchronize operations | Yes (limited) | Yes
Downloaded files | Yes (limited) | Yes
Dropped files | Yes (limited) | Yes
HTTP(S) requests | Yes (limited) | Yes
DNS requests | Yes (limited) | Yes
Cloud Sandbox: Download and execute file | |
File download from a web resource | No | Yes
Custom file execution parameters | No | Yes
Access to service using web interface | No | Yes
Access to service using RESTful API | No | Yes
Export results to JSON / STIX / CSV formats | No | Yes
File analysis report contents: | |
File download information | No | Yes
Download request | No | Yes
Download responses | No | Yes
General information | No | Yes
Detection names (including Sandbox detects and Triggered Network Rules) | No | Yes
Execution map | No | Yes
Suspicious activities | No | Yes
Screenshots | No | Yes
Loaded PE images | No | Yes
File operations | No | Yes
Registry operations | No | Yes
Process operations | No | Yes
Synchronize operations | No | Yes
Downloaded files | No | Yes
Dropped files | No | Yes
HTTP(S) requests | No | Yes
DNS requests | No | Yes
Cloud Sandbox: Browse web address | |
Custom web address browsing parameters | No | Yes
Access to service using web interface | Yes | Yes
Access to service using RESTful API | Yes (for registered users, API token required) | Yes
Export results to JSON / STIX / CSV formats | No | Yes
Web address analysis report contents: | |
General information | Yes | Yes
Detection names (including Sandbox detects and Triggered Network Rules) | Yes | Yes
Connected hosts | Yes (limited) | Yes
WHOIS | Yes (limited) | Yes
HTTP(S) requests | Yes (limited) | Yes
DNS requests | Yes (limited) | Yes
Screenshots | Yes (limited) | Yes
Digital Footprint Intelligence | |
Digital Footprint Intelligence reports | No | Yes
Digital Footprint Intelligence notifications | No | Yes
Threat notifications | No | Yes
Export threat notifications | No | Yes
Viewing and changing organization's information | No | Yes
Data Feeds | |
Threat Intelligence Data Feeds | No | Yes
Incident Response Tools | No | Yes
Threat Data Feeds Supplementary Tools | No | Yes
SIEM Connectors | No | Yes
Related Materials | No | Yes
User account management | |
View all group accounts | No | Yes
Manage group accounts (create, edit, delete) | No | Yes
Configure email notifications | No | Yes

Software requirements

Kaspersky Threat Intelligence Portal has the following hardware and software requirements:

Desktop version

Minimum general requirements:

  • 2 GB of free disk space on hard drive
  • Internet connection for working with Kaspersky Threat Intelligence Portal online
  • Ports 443 (HTTPS) and 80 (HTTP) open for outbound connections
  • Monitor that supports a display resolution of 1366x768

Minimum hardware requirements:

  • Intel Pentium 1 GHz (or a compatible equivalent) for a 32-bit operating system
  • Intel Pentium 2 GHz (or a compatible equivalent) for a 64-bit operating system
  • 1 GB of free RAM

Supported browsers:

  • Mozilla Firefox
  • Google Chrome
  • Microsoft Edge
  • Safari

Mobile version

Minimum general requirements:

  • For mobile version: mobile devices that support a minimum screen resolution of 320x568
  • For tablet version: tablets that support a minimum screen resolution of 1024x768

Minimum and recommended hardware requirements:

  • CPU 1.2 GHz (recommended 1.5 GHz)
  • 50 MB of free RAM
  • 50 MB of free disk space on hard drive

Supported operating systems:

  • Android 10 or later
  • iOS 14.0 or later
  • iPadOS 14 or later

Supported browsers:

  • Google Chrome
  • Safari

We recommend that you always use the latest version of the supported browsers. You can download the latest versions from their vendors' official websites:

  • Mozilla Firefox
  • Google Chrome
  • Microsoft Edge
  • Safari

If you use an unsupported browser, the functionality of Kaspersky Threat Intelligence Portal may be limited.
