The Evolution of Kaspersky SIEM: From Static Rules to Dynamic Threat Detection
Kaspersky outlines the significant evolution of its Security Information and Event Management (SIEM) system, shifting from static correlation rules to dynamic, continuously updated detection processes. Traditional SIEM logic, which relies on fixed event sequences, is increasingly ineffective against sophisticated modern attacks that utilize legitimate tools and supply chain compromises, such as the recent Notepad++ incident. To address this, Kaspersky now employs dynamically updated content derived from real-world threat research and Managed Detection and Response (MDR) insights. In 2025 alone, the company released 55 rule-package updates, adding hundreds of new detection rules covering much of the MITRE ATT&CK framework. The system now focuses on identifying entire attack chains rather than isolated events, integrating closely with Kaspersky EDR and Active Directory monitoring. Additionally, expanded data sources from various Kaspersky security solutions enhance internal visibility, allowing for better monitoring of administrator actions and service status. This transformation positions the SIEM not merely as a rule-based alerting tool, but as a coherent, adaptive system capable of accurately reflecting actual attacker behaviors and reducing false positives in complex corporate environments.
Wire timeline
The Evolution of Kaspersky SIEM: From Static Rules to Dynamic Threat Detection
Kaspersky outlines the significant evolution of its Security Information and Event Management (SIEM) system, shifting from static correlation rules to dynamic, continuously updated detection processes. Traditional SIEM logic, which relies on fixed event sequences, is increasingly ineffective against sophisticated modern attacks that utilize legitimate tools and supply chain compromises, such as the recent Notepad++ incident. To address this, Kaspersky now employs dynamically updated content derived from real-world threat research and Managed Detection and Response (MDR) insights. In 2025 alone, the company released 55 rule-package updates, adding hundreds of new detection rules covering much of the MITRE ATT&CK framework. The system now focuses on identifying entire attack chains rather than isolated events, integrating closely with Kaspersky EDR and Active Directory monitoring. Additionally, expanded data sources from various Kaspersky security solutions enhance internal visibility, allowing for better monitoring of administrator actions and service status. This transformation positions the SIEM not merely as a rule-based alerting tool, but as a coherent, adaptive system capable of accurately reflecting actual attacker behaviors and reducing false positives in complex corporate environments.
Kaspersky official blog