Search syntax

Kaspersky CyberTrace allows you to search the indicator database by the following attribute names:

Attribute name	Description
`ioc_type`	Indicator type.
`ioc_value`	Indicator value.
`ioc_created_date`	Date and time when the requested indicator was added to the database.
`ioc_updated_date`	Date and time of the last indicator update.
`ioc_comment`	Comment about the indicator.
`ioc_summary`	Summary information about the indicator from the InternalTI supplier.
`ioc_first_detected_date`	Date and time when the detection event was first received.
`ioc_last_detected_date`	Date and time when the detection event was last received.
`username`	Name of the user who added the indicator to the InternalTI supplier / FalsePositive supplier.
`ioc_supplier_can_match`	Flag for showing that the indicator can be used in the matching process. This flag is used for indicators that have to be deleted during an update of a supplier or on expiration of retention period, but were not, as they belong to the InternalTI supplier or such indicators were involved in the detection process. Use `true` or `false` as the value for this parameter.
`ioc_supplier_last_updated_date`	Date and time when the information related to the indicator from the supplier was last updated.
`ioc_supplier_send_match_event`	Flag for sending detection events to the SIEM solution.
`supplier_name`	Name of the indicator supplier. In Kaspersky CyberTrace, the following types of suppliers are supported: Downloaded feed file For this type of supplier, the value of the `supplier_name` attribute is the name of a feed file specified in kl_feed_util.conf. REST API request For this type of supplier, the value of the `supplier_name` attribute is the name of a supplier added through REST API. Web user interface (InternalTI or FalsePositive suppliers) For this type of supplier, the value of the `supplier_name` attribute depends on the list to which you are adding an indicator (InternalTI or FalsePositive). If you add a new indicator through the Indicators tab of Kaspersky CyberTrace Web, the value is InternalTI. If you add an indicator to the false positives list through the False positives window of the Feeds tab or if you mark an indicator as false positive, the value is FalsePositive.
`supplier_confidence`	Level of confidence of the supplier.
`supplier_vendor_name`	Name of the supplier vendor.
`ioc_supplier_context`	Context information related to the indicator. This attribute can contain nested attributes. The rule to search for all nested attributes is described below.

Use the following syntax for search requests:

If special symbols ([space], +, -, =, &&, ||, >, <, !, (, ), {, }, [, ], ^, ", ~, *, ?, :, \, /) are used in a search for a substring (see below), use an escape character to specify these symbols in the request body. Below you can find exceptions for using special symbols in search requests.
Kaspersky CyberTrace uses the \ escape character.
Use a space character. If the search substring should contain a space, the word without the escape character that follows the space will not be related to the search substring.
Example #1: supplier_vendor_name: Vendor\ Test returns all indicators that belong to the sources with a vendor named "Vendor Test."

Example #2: supplier_vendor_name: Vendor Test returns all indicators that belong to the sources with a vendor named "Vendor" or indicators that have the word "test" in the context.
Use quotation marks to enclose particular substrings, parentheses to enclose logical blocks. For starting or ending values, use braces ({}) for intervals that exclude the boundaries, and brackets ([]) for intervals that include the boundaries. Braces and brackets can be combined if you need to specify an interval with an opening bracket of one type and a closing bracket of another type. Quotation marks and all these types of brackets have to be in pairs in the search request.
You may not enclose the search substring in quotation marks if the substring does not contain the special characters indicated above. In this case, the search results will include only indicators, the specified substring of which fully matches one of the values of any field. Therefore, if you want to find the indicators, the search substring of which is only a part of the value, use wildcards (asterisk (*) or question mark (?) – see below).

You can use quotation marks and all types of brackets unpaired in the following cases:
- If an unpaired bracket or quotation mark is used together with an escape character.
  Example: ioc_value:asd\]
- If an unpaired bracket is enclosed in quotation marks.
  Example: ioc_value:"1234]"
Do not use a tab character.
Specify a colon (:) only after the indicator attribute name or use it together with an escape character.
Do not specify an empty value in parentheses, except when this value is specified with an escape character or is enclosed in quotation marks.
Example of the incorrect request: ( )

Example of the correct request: (" ")
In braces ({}) and brackets ([]), use the %begin_value% TO %end_value% pattern, where %begin_value% and %end_value% are the values intended for open and closed intervals (except when brackets are enclosed in quotation marks).
Example of an incorrect request: [* 100]

Example of a correct request: [* TO 100]
Do not specify an empty value when searching for a specific attribute.
Example of an incorrect request: ioc_type:

Example of a correct request: ioc_type:url
Use logical operators (AND, OR, NOT) without quotation marks and all uppercase.
Enclose logical AND, OR in spaces. You may not use a logical NOT with left space if NOT is specified just after the left parenthesis or colon.
Example of an incorrect request: supplier_confidence:(89OR91)

Example of a correct request: supplier_confidence:NOT(89 OR 91)
Do not specify an empty value after a logical operator.
Example of an incorrect request: supplier_confidence:(89 OR )

Example of a correct request: supplier_confidence:(89 OR 91)
For the ioc_supplier_context attribute, use a period when searching for a specific nested attribute.
Example: ioc_supplier_context.files.threat:"HEUR:Exploit.SWF.Generic"
For the ioc_supplier_context attribute, if your search string contains a space character, use the "\" (backslash) escape character before the space character.
Example: ioc_supplier_context.details.SMS\ Number:1003
For the ioc_supplier_context attribute, use the ioc_supplier_context.\\* pattern to search for all nested attributes.
Example: ioc_supplier_context.\\*:HEUR
Use the asterisk (*) for any other sequence of characters and question mark (?) for a single character as wildcards in substitutes.
Example #1: supplier_vendor_name: Vendor – Search for indicators that belong to the sources with a vendor named "Vendor".

Example #2: supplier_vendor_name: Vendor* – Search for indicators that belong to the sources with a vendor, the name of which begins with "Vendor".

The use of an asterisk (*) at the beginning of the request can lead to checking all attribute values from the indicator database. This usually causes a long wait for a response from the database.

Examples

The following request will display all indicators that contain an at, ca, kr, ru, ir substring in any of the indicator attributes:

"at, ca, kr, ru, ir"

The following request will display all indicators that have a supplier_confidence attribute value that is equal to 89 or 91:

supplier_confidence:(89 OR 91)

The following request will display all indicators that have an ioc_value attribute value containing the 123321 substring:

ioc_value:"123321"

The following request will display all indicators that were added to the database between 2012-01-01 and 2012-12-31 (including the boundaries):

ioc_created_date:[2012-01-01 TO 2012-12-31]

The following request will display all indicators that have a level of confidence in the range of 10 to 50 (excluding the boundaries):

supplier_confidence:{10 TO 50}

The following request will display all indicators that have a threat_score context field value greater than 75:

ioc_supplier_context.threat_score:[75 TO *]

The following request will display all indicators that have a files/threat context attribute containing the HEUR:Exploit.SWF.Generic substring:

ioc_supplier_context.files.threat:"HEUR:Exploit.SWF.Generic"

The following request will display all indicators that have context attributes with any nesting level that contains the HEUR value:

ioc_supplier_context.\\*:HEUR

Page top