About retrospective scan detections

April 11, 2024

ID 270640

Retrospective scan detections differ in certain respects from detections based on matching. This section describes those specifics.

During a retrospective scan, the incoming event saved for analysis in CyberTrace consists only of the values extracted by the regular expressions specified in the retrospective scan settings (the Fields saved for retroscan tab). For this reason, the Whole source event field on the Detections page shows a placeholder instead of the incoming event.

The Reception date field of a retroscan detection contains the date when the initial event was received, not the date of detection; the latter is shown in the Detection date column.

If the regular expressions were renamed in the settings between the moment the incoming event was saved and the moment the retroscan detection was formed, the context of the detection event, which refers to the new names, will not contain the corresponding values, because they are stored under the old names in the saved event. See the example below:

Incoming event:

CEF:0|Kaspersky|CyberTrace Verification Kit|1.2|0|Verification_test|2| request=http://fakess123bn.nu suser=EvalTestUserName src=192.168.0.0 dvc=127.0.0.0 dst=192.0.2.0 act=VerificationTest eventId=110

Configured regular expressions at the moment of receiving an event:

RE_URL: (?:\:\/\/)((?:\S+(?::\S*)?+@)?(?:(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-*)*[a-z\x{00a1}-\x{ffff}0-9]*)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-)*+[a-z\x{00a1}-\x{ffff}0-9]++)*(?:\.(?:[a-z\x{00a1}-\x{ffff}\-0-9]+)))(?:\.*:\d{2,5})?+(?:\.*\/[^\s\"\<\>]*+)?+)

SRC_IP: (?:\:\/\/)((?:\S+(?::\S*)?+@)?(?:(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-*)*[a-z\x{00a1}-\x{ffff}0-9]*)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-)*+[a-z\x{00a1}-\x{ffff}0-9]++)*(?:\.(?:[a-z\x{00a1}-\x{ffff}\-0-9]+)))(?:\.*:\d{2,5})?+(?:\.*\/[^\s\"\<\>]*+)?+)

UserName: suser\=(.*?)(?:$|\s)

Configured regular expressions at the moment of forming a retroscan detection:

REGEX_URL: (?:\:\/\/)((?:\S+(?::\S*)?+@)?(?:(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-*)*[a-z\x{00a1}-\x{ffff}0-9]*)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-)*+[a-z\x{00a1}-\x{ffff}0-9]++)*(?:\.(?:[a-z\x{00a1}-\x{ffff}\-0-9]+)))(?:\.*:\d{2,5})?+(?:\.*\/[^\s\"\<\>]*+)?+)

SRC_IP: (?:\:\/\/)((?:\S+(?::\S*)?+@)?(?:(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-*)*[a-z\x{00a1}-\x{ffff}0-9]*)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-)*+[a-z\x{00a1}-\x{ffff}0-9]++)*(?:\.(?:[a-z\x{00a1}-\x{ffff}\-0-9]+)))(?:\.*:\d{2,5})?+(?:\.*\/[^\s\"\<\>]*+)?+)

USER_NAME: suser\=(.*?)(?:$|\s)

Detection format:

CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| reason=%Category% src=%SRC_IP% request=%REGEX_URL% suser=%USER_NAME% msg=CyberTrace detected %Category% cs5Label=MatchedIndicator

Formed retroscan detection event:

CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| reason=KL_BotnetCnC_URL src=192.168.0.0 request=- suser=- msg=CyberTrace detected KL_BotnetCnC_URL cs5Label=MatchedIndicator cs5=fakess123bn.nu
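The renaming effect above, traced step by step in an added example. This is not CyberTrace's own code: the URL and IP patterns are simplified stand-ins for the article's regular expressions, and appending the matched indicator as cs5 is an assumption of the example.

```python
import re

# Constructed illustration of how a retroscan detection is assembled from the
# fields saved at reception time. Not CyberTrace's own code; the URL and IP
# patterns below are simplified stand-ins for the article's regular expressions.

INCOMING_EVENT = (
    "CEF:0|Kaspersky|CyberTrace Verification Kit|1.2|0|Verification_test|2| "
    "request=http://fakess123bn.nu suser=EvalTestUserName src=192.168.0.0 "
    "dvc=127.0.0.0 dst=192.0.2.0 act=VerificationTest eventId=110"
)

# Names and patterns configured on the "Fields saved for retroscan" tab when
# the event was received; the first capture group of each pattern is kept.
REGEXES_AT_RECEPTION = {
    "RE_URL": r"request=(?:\w+://)?([^\s/]+)",
    "SRC_IP": r"src=(\d{1,3}(?:\.\d{1,3}){3})",
    "UserName": r"suser\=(.*?)(?:$|\s)",
}

# Detection format in force when the retroscan detection is formed; it refers
# to the renamed expressions REGEX_URL and USER_NAME.
DETECTION_FORMAT = (
    "CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|2|"
    "CyberTrace Detection Event|8| reason=%Category% src=%SRC_IP% "
    "request=%REGEX_URL% suser=%USER_NAME% msg=CyberTrace detected %Category% "
    "cs5Label=MatchedIndicator"
)


def save_fields_for_retroscan(event, regexes):
    """Only the named captures are stored, not the whole source event."""
    saved = {}
    for name, pattern in regexes.items():
        match = re.search(pattern, event)
        if match:
            saved[name] = match.group(1)
    return saved


def form_retroscan_detection(saved_fields, detection_format, category, indicator):
    """Fill %NAME% placeholders from the saved fields. A name that was not saved
    under exactly that name (e.g. because the regex was renamed) becomes "-".
    Appending the matched indicator as cs5 is an assumption of this example."""
    context = dict(saved_fields, Category=category)
    filled = re.sub(r"%(\w+)%", lambda m: context.get(m.group(1), "-"), detection_format)
    return f"{filled} cs5={indicator}"


if __name__ == "__main__":
    saved = save_fields_for_retroscan(INCOMING_EVENT, REGEXES_AT_RECEPTION)
    print(form_retroscan_detection(saved, DETECTION_FORMAT, "KL_BotnetCnC_URL", "fakess123bn.nu"))
```

Running it reproduces the formed retroscan detection event shown above; saving the same fields under the new names instead yields request=fakess123bn.nu and suser=EvalTestUserName.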
