Viewing detections
April 11, 2024
ID 193678
The Detections tab of Kaspersky CyberTrace Web displays information about the incoming events that have produced detections in Kaspersky CyberTrace, including source events and detection events. You can use this tab to search events and filter them by criteria. The Detections tab contains the following elements:
- Search bar
- Search also in detection events toggle button
- Auto-update table toggle button
- Table with information about detections
Searching in detections
You can use the search bar to perform a full-text search in detections. The text string in a search query is tokenized so that search results contain both exact and fuzzy matches. Wildcards are not supported.
Search results are displayed in the table below.
If the Search also in detection events toggle button is switched on, Kaspersky CyberTrace will search for a text string in incoming events and detection events. Otherwise, it will search only in incoming events. By default, the Search also in detection events toggle button is switched on.
The table with information about detections contains the following columns:
- Detection date
This column contains the system date and time of the detection (in the yyyy-mm-dd HH:MM:SS format).
- Tenant
This column contains the name of the tenant. It is displayed only in multitenancy mode when there are several tenants.
- Source
This column contains the name of the event source.
This column may contain a source name that no longer exists in CyberTrace. This happens for a retrospective scan detection if the source was deleted or renamed after the incoming event was saved.
- Category
This column contains the category of the detected object.
Once recorded, the category name does not change, even if the supplier name changes.
- Tag
This column contains the list of tags assigned to the indicator that triggered the detection.
- Total tag weight
This column contains the total weight of the tags listed in the Tag column.
- Retroscan
This column shows a check mark if the detection was produced by a retrospective scan and a dash otherwise.
- Details
This column contains the indicator from the database that was matched to the incoming event.
Each row of the table contains information about one detection. You can click a detection to view the following detailed information:
- Source event
This section contains the substrings extracted from the incoming event by regular expressions, as well as the whole source event.
- Detection event
This section contains the context fields of the matched indicator in the %FieldName%=%Value% format and the whole detection event, where:
- %FieldName% is the name of the regular expression that was used for parsing the incoming event, or the name of the feed record field that matched the detected indicator.
- %Value% is the value extracted by that regular expression, or the value of the feed record field that matched the detected indicator.
Detections in the table are sorted by date and time, in descending order.
If the Auto-update table toggle button is switched on, Kaspersky CyberTrace updates the table with information about detections every 10 seconds.
Filtering detections
You can filter detections in the table by the following criteria:
- Detection date
You can specify a time period or a particular date.
- Tenant
If there is more than one tenant, you can specify one or several tenant names.
- Source
If there is more than one event source, you can specify one or several event sources.
- Category
If there is more than one category, you can specify one or several categories of the detected object.
- Retroscan
You can select either all detections, retroscan detections, or non-retroscan detections to be displayed in the table.
To filter detections in the table by criteria:
- Click the column that you want to use as a filtering criterion.
- Specify the filtering condition, and then click Apply.
The content of the table is updated so that it contains only detections that meet the specified conditions.
You can specify several filtering criteria.
By default, filtering conditions are not applied.
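The following is an added example, not code from the CyberTrace documentation or product. It models the rows of the Detections table, parses the context fields of a detection event (the %FieldName%=%Value% pairs described above), derives the total tag weight, and applies the filter criteria of this tab (date period, tenant, source, category, retroscan) to constructed sample detections, returning them sorted by date and time in descending order as the table does. The field names (detection_date, tenant, source, category, tags, retroscan, indicator), the tag weights, and the sample events are assumptions made for this example.

```python
"""Added example, not Kaspersky CyberTrace code: parse detection-event
context, compute total tag weight, and filter/sort detections."""
from dataclasses import dataclass, field
from datetime import datetime
import re
from typing import Optional

DATE_FMT = "%Y-%m-%d %H:%M:%S"  # the table's yyyy-mm-dd HH:MM:SS format

# Assumed tag weights; in CyberTrace the weight per tag is configured separately.
TAG_WEIGHTS = {"APT": 80, "Botnet": 60, "Phishing": 40, "Retro": 10}

# One FieldName=Value pair of a detection event's context (assumed layout);
# quoted values may contain spaces.
_PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(detection_event: str) -> dict:
    """Return the context fields of a detection event as a dict."""
    return {k: v.strip('"') for k, v in _PAIR_RE.findall(detection_event)}


@dataclass
class Detection:
    date: datetime
    tenant: str
    source: str
    category: str
    tags: list
    retroscan: bool
    details: str       # the matched indicator from the database
    source_event: str  # the whole incoming event

    @property
    def total_tag_weight(self) -> int:
        # Tags without a configured weight contribute nothing.
        return sum(TAG_WEIGHTS.get(t, 0) for t in self.tags)


def detection_from_event(detection_event: str, source_event: str) -> Detection:
    """Build a table row from a detection event (field names are assumed)."""
    ctx = parse_context(detection_event)
    return Detection(
        date=datetime.strptime(ctx["detection_date"], DATE_FMT),
        tenant=ctx.get("tenant", ""),
        source=ctx["source"],
        category=ctx["category"],
        tags=[t for t in ctx.get("tags", "").split(";") if t],
        retroscan=ctx.get("retroscan", "false").lower() == "true",
        details=ctx["indicator"],
        source_event=source_event,
    )


@dataclass
class Filter:
    """Filter criteria of the Detections tab; None or empty means 'not applied'."""
    date_from: Optional[datetime] = None
    date_to: Optional[datetime] = None
    tenants: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    categories: set = field(default_factory=set)
    retroscan: Optional[bool] = None  # None: all, True: retroscan, False: non-retroscan


def filter_detections(rows, flt: Filter):
    """Keep rows meeting every set criterion, newest first."""
    kept = []
    for d in rows:
        if flt.date_from and d.date < flt.date_from:
            continue
        if flt.date_to and d.date > flt.date_to:
            continue
        if flt.tenants and d.tenant not in flt.tenants:
            continue
        if flt.sources and d.source not in flt.sources:
            continue
        if flt.categories and d.category not in flt.categories:
            continue
        if flt.retroscan is not None and d.retroscan != flt.retroscan:
            continue
        kept.append(d)
    return sorted(kept, key=lambda d: d.date, reverse=True)


# Constructed sample detection events and their source events (not real output).
SAMPLE_EVENTS = [
    ('detection_date="2024-04-10 09:15:02" tenant=corp source=proxy '
     'category=KL_Phishing_URL tags="Phishing" retroscan=false '
     'indicator=http://example.com/login', "GET http://example.com/login"),
    ('detection_date="2024-04-11 11:02:47" tenant=corp source=fw '
     'category=KL_APT_IP tags="APT;Retro" retroscan=true '
     'indicator=203.0.113.5', "src=10.0.0.8 dst=203.0.113.5"),
    ('detection_date="2024-04-11 08:30:00" tenant=lab source=edr '
     'category=KL_BotnetCnC_URL tags="Botnet" retroscan=false '
     'indicator=http://example.net/c2', "POST http://example.net/c2"),
]
ROWS = [detection_from_event(ev, src) for ev, src in SAMPLE_EVENTS]


def demo():
    """Tenant corp, retroscan detections only: (category, total tag weight)."""
    crit = Filter(tenants={"corp"}, retroscan=True)
    return [(d.category, d.total_tag_weight) for d in filter_detections(ROWS, crit)]


if __name__ == "__main__":
    print(demo())
```

With no criteria set, filter_detections returns all rows ordered newest first, which mirrors the default state of the table; each criterion narrows the set independently, so several can be combined just as in the UI.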
Below is the list of available detection categories. These categories are applicable to Kaspersky feeds and OSINT feeds supported by Kaspersky CyberTrace.
| Detection category | Description |
|---|---|
| KL_APT_Hash_MD5 | Hash of a malicious file used in an APT campaign is detected by Kaspersky CyberTrace. |
| KL_APT_Hash_SHA1 | Hash of a malicious file used in an APT campaign is detected by Kaspersky CyberTrace. |
| KL_APT_Hash_SHA256 | Hash of a malicious file used in an APT campaign is detected by Kaspersky CyberTrace. |
| KL_APT_IP | IP address used in an APT campaign is detected by Kaspersky CyberTrace. |
| KL_APT_URL | URL used in an APT campaign is detected by Kaspersky CyberTrace. |
| KL_BotnetCnC_Hash_MD5 | Botnet hash is detected by Kaspersky CyberTrace. |
| KL_BotnetCnC_Hash_SHA1 | Botnet hash is detected by Kaspersky CyberTrace. |
| KL_BotnetCnC_Hash_SHA256 | Botnet hash is detected by Kaspersky CyberTrace. |
| KL_BotnetCnC_URL | Botnet C&C URL is detected by Kaspersky CyberTrace. |
| KL_ICS_Hash_MD5 | ICS-related malicious hash is detected by Kaspersky CyberTrace. |
| KL_ICS_Hash_SHA1 | ICS-related malicious hash is detected by Kaspersky CyberTrace. |
| KL_ICS_Hash_SHA256 | ICS-related malicious hash is detected by Kaspersky CyberTrace. |
| KL_InternalTI_URL | URL from the InternalTI list of Kaspersky CyberTrace is detected. |
| KL_InternalTI_IP | IP address from the InternalTI list of Kaspersky CyberTrace is detected. |
| KL_InternalTI_Hash_MD5 | Hash from the InternalTI list of Kaspersky CyberTrace is detected. |
| KL_InternalTI_Hash_SHA1 | Hash from the InternalTI list of Kaspersky CyberTrace is detected. |
| KL_InternalTI_Hash_SHA256 | Hash from the InternalTI list of Kaspersky CyberTrace is detected. |
| KL_IoT_Hash_MD5 | Hash of a malicious file that infects Internet of Things-enabled (IoT) devices is detected by Kaspersky CyberTrace. |
| KL_IoT_Hash_SHA1 | Hash of a malicious file that infects Internet of Things-enabled (IoT) devices is detected by Kaspersky CyberTrace. |
| KL_IoT_Hash_SHA256 | Hash of a malicious file that infects Internet of Things-enabled (IoT) devices is detected by Kaspersky CyberTrace. |
| KL_IoT_URL | URL that infects Internet of Things-enabled (IoT) devices is detected by Kaspersky CyberTrace. |
| KL_IP_Reputation | Malicious IP address is detected by Kaspersky CyberTrace. |
| KL_IP_Reputation_Hash_MD5 | Hash of a file hosted on a malicious IP address is detected by Kaspersky CyberTrace. |
| KL_IP_Reputation_Hash_SHA1 | Hash of a file hosted on a malicious IP address is detected by Kaspersky CyberTrace. |
| KL_IP_Reputation_Hash_SHA256 | Hash of a file hosted on a malicious IP address is detected by Kaspersky CyberTrace. |
| KL_Malicious_URL | Malicious URL is detected by Kaspersky CyberTrace. |
| KL_Malicious_URL_Hash_MD5 | Hash of a file hosted on a malicious URL is detected by Kaspersky CyberTrace. |
| KL_Malicious_URL_Hash_SHA1 | Hash of a file hosted on a malicious URL is detected by Kaspersky CyberTrace. |
| KL_Malicious_URL_Hash_SHA256 | Hash of a file hosted on a malicious URL is detected by Kaspersky CyberTrace. |
| KL_Malicious_Hash_MD5 | Malicious hash is detected by Kaspersky CyberTrace. |
| KL_Malicious_Hash_SHA1 | Malicious hash is detected by Kaspersky CyberTrace. |
| KL_Malicious_Hash_SHA256 | Malicious hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_Malicious_Hash_MD5 | Mobile malicious hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_Malicious_Hash_SHA1 | Mobile malicious hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_Malicious_Hash_SHA256 | Mobile malicious hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_BotnetCnC_Hash_MD5 | Mobile botnet C&C hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_BotnetCnC_Hash_SHA1 | Mobile botnet C&C hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_BotnetCnC_Hash_SHA256 | Mobile botnet C&C hash is detected by Kaspersky CyberTrace. |
| KL_Mobile_BotnetCnC_URL | Mobile botnet C&C URL is detected by Kaspersky CyberTrace. |
| KL_Phishing_URL | Phishing URL is detected by Kaspersky CyberTrace. |
| KL_Ransomware_URL | URL that hosts ransomware is detected by Kaspersky CyberTrace. |
| KL_Ransomware_URL_Hash_MD5 | Hash of ransomware is detected by Kaspersky CyberTrace. |
| KL_Ransomware_URL_Hash_SHA1 | Hash of ransomware is detected by Kaspersky CyberTrace. |
| KL_Ransomware_URL_Hash_SHA256 | Hash of ransomware is detected by Kaspersky CyberTrace. |
| AbuseCh_Feodo_Block_IP | IP address from the Abuse.Ch_Feodo_Block_IP feed is detected by Kaspersky CyberTrace. |
| AbuseCh_Ransomware_Block_URL | URL from the Abuse.Ch_Ransomware_Block_URL feed is detected by Kaspersky CyberTrace. |
| AbuseCh_Ransomware_Block_Domain | Domain from the Abuse.Ch_Ransomware_Block_Domain feed is detected by Kaspersky CyberTrace. |
| AbuseCh_Ransomware_Block_IP | IP address from the Abuse.Ch_Ransomware_Block_IP feed is detected by Kaspersky CyberTrace. |
| AbuseCh_Ransomware_Common_URL | URL from the Abuse.Ch_Ransomware_Common_URL feed is detected by Kaspersky CyberTrace. |
| AbuseCh_SSL_Certificate_Block_IP | IP address from the AbuseCh_SSL_Certificate_Block_IP feed is detected by Kaspersky CyberTrace. |
| AbuseCh_SSL_Certificate_Hash_SHA1 | Hash from the AbuseCh_SSL_Certificate_Hash_SHA1 feed is detected by Kaspersky CyberTrace. |
| BlocklistDe_Block_IP | IP address from the BlocklistDe_Block_IP feed is detected by Kaspersky CyberTrace. |
| CyberCrime_Tracker_Block_Url | URL from the CyberCrime_Tracker_Block_Url feed is detected by Kaspersky CyberTrace. |
| EmergingThreats_Block_IP | IP address from the EmergingThreats_Block_IP feed is detected by Kaspersky CyberTrace. |
| EmergingThreats_Compromised_IP | IP address from the EmergingThreats_Compromised_IP feed is detected by Kaspersky CyberTrace. |