Viewing detections

The Detections tab of Kaspersky CyberTrace Web displays information about the incoming events that have produced detections in Kaspersky CyberTrace, including source events and detection events. You can use this tab to search events and filter them by criteria. The Detections tab contains the following elements:

• Search bar
• Search also in detection events toggle button
• Auto-update table toggle button
• Table with information about detections

Searching in detections

You can use the search bar to perform a full-text search in detections. The text string in a search query is tokenized so that search results contain both exact and fuzzy matches. Wildcards are not supported. Search results are displayed in the table below.

If the Search also in detection events toggle button is switched on, Kaspersky CyberTrace will search for a text string in incoming events and detection events. Otherwise, it will search only in incoming events. By default, the Search also in detection events toggle button is switched on.

The table with information about detections contains the following columns:

• Detection date

  This column contains the system date and time of the detection (in the yyyy-mm-dd HH:MM:SS format).

• Tenant

  This column contains the name of the tenant. It is displayed only in multitenancy mode when there are several tenants.

• Source

  This column contains the name of the event source.

• Category

  This column contains the category of the detected object.

  Once recorded, the category name does not change, even if the supplier name changes.

• Tag

  This column contains the list of tags assigned to the indicator that triggered the detection.

• Total tag weight

  This column contains the total weight of the tags listed in the Tags column.

• Details

  This column contains the indicator from the database that was matched to the incoming event.

Each row of the table contains information about one detection. You can click a detection to view the following detailed information:

• Source event

  This section contains the substrings extracted from the incoming event by regular expressions, as well as the whole source event.

• Detection event

  This section contains the context fields of the matched indicator in the %FieldName%=%Value% format and the whole detection event.

  Where:

  • %FieldName% is the name of the regular expression that was used for parsing the incoming event or the field name of the feed record that matched the detected indicator.
  • %Value% is the value of the regular expression that was used for parsing the incoming event or the value of the feed record that matched the detected indicator.

Detections in the table are sorted by date and time, in descending order.

If the Auto-update table toggle button is switched on, Kaspersky CyberTrace updates the table with information about detections every 10 seconds.

Filtering detections

You can filter detections in the table by the following criteria:

• Detection date

  You can specify a time period or a particular date.

• Tenant

  You can specify one or several tenant names.

• Source

  You can specify one or several event sources.

• Category

  You can specify one or several categories of the detected object.

• Tag, Total tag weight

  You can filter detections by tags and total tag weight.

To filter detections in the table by criteria:

1. Click the column that you want to use as a filtering criterion.
2. Specify the filtering condition, and then click Apply.

The content of the table is updated so that it contains only detections that meet the specified conditions.

You can specify several filtering criteria.

By default, filtering conditions are not applied.

Page top