Kaspersky CyberTrace allows you to search the indicator database by the following attribute names:
Attribute name |
Description |
|
Indicator type. |
|
Indicator value. |
|
Date and time when the requested indicator was added to the database. |
|
Date and time of the last indicator update. |
|
Comment about the indicator. |
|
Summary information about the indicator from the InternalTI supplier. |
|
Date and time when the detection event was first received. |
|
Date and time when the detection event was last received. |
|
Name of the user who added the indicator to the InternalTI supplier / FalsePositive supplier. |
|
Flag for showing that the indicator can be used in the matching process. This flag is used for indicators that have to be deleted during an update of a supplier or on expiration of retention period, but were not, as they belong to the InternalTI supplier or such indicators were involved in the detection process. Use |
|
Date and time when the information related to the indicator from the supplier was last updated. |
|
Flag for sending detection events to the SIEM solution. |
|
Name of the indicator supplier. In Kaspersky CyberTrace, the following types of suppliers are supported:
|
|
Level of confidence of the supplier. |
|
Name of the supplier vendor. |
|
Context information related to the indicator. This attribute can contain nested attributes. The rule to search for all nested attributes is described below. |
Use the following syntax for search requests:
Kaspersky CyberTrace uses the \
escape character.
Example #1: supplier_vendor_name: Vendor\ Test
returns all indicators that belong to the sources with a vendor named "Vendor Test."
Example #2: supplier_vendor_name: Vendor Test
returns all indicators that belong to the sources with a vendor named "Vendor" or indicators that have the word "test" in the context.
{}
) for intervals that exclude the boundaries, and brackets ([]
) for intervals that include the boundaries. Braces and brackets can be combined if you need to specify an interval with an opening bracket of one type and a closing bracket of another type. Quotation marks and all these types of brackets have to be in pairs in the search request.You may not enclose the search substring in quotation marks if the substring does not contain the special characters indicated above. In this case, the search results will include only indicators, the specified substring of which fully matches one of the values of any field. Therefore, if you want to find the indicators, the search substring of which is only a part of the value, use wildcards (asterisk (*) or question mark (?) – see below).
You can use quotation marks and all types of brackets unpaired in the following cases:
Example: ioc_value:asd\]
Example: ioc_value:"1234]"
:
) only after the indicator attribute name or use it together with an escape character.Example of the incorrect request: ( )
Example of the correct request: (" ")
{}
) and brackets ([]
), use the %begin_value% TO %end_value%
pattern, where %begin_value%
and %end_value%
are the values intended for open and closed intervals (except when brackets are enclosed in quotation marks).Example of an incorrect request: [* 100]
Example of a correct request: [* TO 100]
Example of an incorrect request: ioc_type:
Example of a correct request: ioc_type:url
AND
, OR
, NOT
) without quotation marks and all uppercase.AND
, OR
in spaces. You may not use a logical NOT
with left space if NOT
is specified just after the left parenthesis or colon.Example of an incorrect request: supplier_confidence:(89OR91)
Example of a correct request: supplier_confidence:NOT(89 OR 91)
Example of an incorrect request: supplier_confidence:(89 OR )
Example of a correct request: supplier_confidence:(89 OR 91)
ioc_supplier_context
attribute, use a period when searching for a specific nested attribute.Example: ioc_supplier_context.files.threat:"HEUR:Exploit.SWF.Generic"
ioc_supplier_context
attribute, if your search string contains a space character, use the "\" (backslash) escape character before the space character.Example: ioc_supplier_context.details.SMS\ Number:1003
ioc_supplier_context
attribute, use the ioc_supplier_context.\\*
pattern to search for all nested attributes.Example: ioc_supplier_context.\\*:HEUR
*)
for any other sequence of characters and question mark (?)
for a single character as wildcards in substitutes.Example #1: supplier_vendor_name: Vendor
– Search for indicators that belong to the sources with a vendor named "Vendor".
Example #2: supplier_vendor_name: Vendor*
– Search for indicators that belong to the sources with a vendor, the name of which begins with "Vendor".
The use of an asterisk (*
) at the beginning of the request can lead to checking all attribute values from the indicator database. This usually causes a long wait for a response from the database.
Examples
The following request will display all indicators that contain an at, ca, kr, ru, ir
substring in any of the indicator attributes:
"at, ca, kr, ru, ir" |
The following request will display all indicators that have a supplier_confidence
attribute value that is equal to 89 or 91:
|
The following request will display all indicators that have an ioc_value
attribute value containing the 123321
substring:
ioc_value:"123321" |
The following request will display all indicators that were added to the database between 2012-01-01 and 2012-12-31 (including the boundaries):
ioc_created_date:[2012-01-01 TO 2012-12-31] |
The following request will display all indicators that have a level of confidence in the range of 10 to 50 (excluding the boundaries):
supplier_confidence:{10 TO 50} |
The following request will display all indicators that have a threat_score
context field value greater than 75
:
ioc_supplier_context.threat_score:[75 TO *] |
The following request will display all indicators that have a files/threat context attribute containing the HEUR:Exploit.SWF.Generic
substring:
ioc_supplier_context.files.threat:"HEUR:Exploit.SWF.Generic" |
The following request will display all indicators that have context attributes with any nesting level that contains the HEUR
value:
ioc_supplier_context.\\*:HEUR |