You can search for a single indicator by selecting the Indicator tab after selecting the Search tab.
The Indicator tab
Search for objects
You can search for one of the following indicator types:
To search for an indicator:
The search result will appear in the Detections section.
Indicator search syntax
You can search for a URL in two ways:
When searching for a hash or an IP address, specify the full indicator, as described in the section about indicator search syntax.
Search result
After a search is performed, CyberTrace Web displays the result in the Detections section.
The Detections section
The search result consists of the following data:
This information is displayed in the Category column.
If the feeds do not contain information about the requested indicator, a message about this is displayed.
This information is displayed in the Context column.
The links are displayed as fields in the Context column.
If the indicator is not detected because it belongs to the FalsePositive supplier, the search result consists of the following data:
If no information is found for the requested indicator, a message to that effect appears. This message contains a link that redirects you to the search page of Kaspersky Threat Intelligence Portal.
Note that if you run a search and then switch to another tab, the search results will become available in the search request history.
Downloading search reports
You can download a report with the results of the search operation. The report is a .csv file.
To download a report:
Click the Download report link and specify the directory to which you want to save the report.
Regular expressions for searching indicators
To search for indicators, CyberTrace Web uses the regular expressions defined in the Feed Service configuration file. The regular expressions are specified by a special event source called http_single_lookup.