Single indicator search
You can search for a single indicator by selecting the Indicator tab after selecting the Search tab.
The Indicator tab
Search for objects
You can search for one of the following indicator types:
- Hash
- IP address
- Domain
- URL
To search for an indicator:
- Enter the indicator in the search field.
- Click the Search button.
The search result will appear in the Detections section.
Indicator search syntax
You can search for a URL in two ways:
- By specifying the full URL
- By specifying only the domain name
When searching for a hash or an IP address, specify the full indicator, as described in the section about indicator search syntax.
Search result
After a search is performed, CyberTrace Web displays the result in the Detections section.
The Detections section
The search result consists of the following data:
- Requested indicator
- Category of the requested indicator
This information is displayed in the Category column.
- Fields of feed records that matched the indicator
If the feeds do not contain information about the requested indicator, a message about this is displayed.
This information is displayed in the Context column.
- Link or links to detailed information about the requested indicator
The links are displayed as fields in the Context column.
If the indicator is not detected because it belongs to the FalsePositive supplier, the search result consists of the following data:
- Requested indicator
- Message that there is no detection
- Link or links to detailed information about the requested indicator
If no information is found for the requested indicator, the message about it appears. This message displays a link that redirects you to the search page of Kaspersky Threat Intelligence Portal.
Notice that if you run a search and then switch to another tab, the search results will become available in the search request history.
Downloading search reports
You can download a report with the results of the search operation. The report is a .csv file.
To download a report:
Click the Download report link and specify the directory to which you want to save the report.
Regular expressions for searching indicators
To search for indicators, CyberTrace Web uses the regular expressions defined in the Feed Service configuration file. The regular expressions are specified by a special event source called http_single_lookup.