Search syntax

Kaspersky CyberTrace allows you to search the indicator database by the following attribute names:

Attribute name

Description

ioc_type

Indicator type.

ioc_value

Indicator value.

ioc_created_date

Date and time when the indicator was added to the database.

ioc_updated_date

Date and time of the last indicator update.

ioc_comment

Comment about the indicator.

ioc_summary

Summary information about the indicator from the InternalTI supplier.

ioc_first_detected_date

Date and time when a detection event for the indicator was first received.

ioc_last_detected_date

Date and time when a detection event for the indicator was last received.

username

Name of the user who added the indicator to the InternalTI supplier / FalsePositive supplier.

ioc_supplier_can_match

Flag showing whether the indicator can be used in the matching process.

This flag is relevant for indicators that were due for deletion during a supplier update or on expiration of the retention period but were retained, either because they belong to the InternalTI supplier or because they were involved in detections.

Use true or false as the value when searching by this attribute.

ioc_supplier_last_updated_date

Date and time when the information related to the indicator from the supplier was last updated.

ioc_supplier_send_match_event

Flag showing whether detection events for the indicator are sent to the SIEM solution.

supplier_name

Name of the indicator supplier.

In Kaspersky CyberTrace, the following types of suppliers are supported:

  • Downloaded feed file

    For this type of supplier, the value of the supplier_name attribute is the name of a feed file specified in kl_feed_util.conf.

  • REST API request

    For this type of supplier, the value of the supplier_name attribute is the name of a supplier added through REST API.

  • Web user interface (InternalTI or FalsePositive suppliers)

    For this type of supplier, the value of the supplier_name attribute depends on the list to which you are adding an indicator (InternalTI or FalsePositive).

    If you add a new indicator through the Indicators tab of Kaspersky CyberTrace Web, the value is InternalTI.

    If you add an indicator to the false positives list through the False positives window of the Feeds tab or if you mark an indicator as false positive, the value is FalsePositive.

supplier_confidence

Level of confidence of the supplier.

supplier_vendor_name

Name of the supplier vendor.

ioc_supplier_context

Context information related to the indicator.

This attribute can contain nested attributes. The rule to search for all nested attributes is described below.

Use the following syntax for search requests:

Examples

The following request will display all indicators that contain at least one of the substrings at, ca, kr, ru or ir in any of the indicator attributes:

"at, ca, kr, ru, ir"

The following request will display all indicators that have a supplier_confidence attribute value that is equal to 89 or 91:

supplier_confidence:(89 OR 91)

The following request will display all indicators that have an ioc_value attribute value containing the 123321 substring:

ioc_value:"123321"

The following request will display all indicators that were added to the database between 2012-01-01 and 2012-12-31 (including the boundaries):

ioc_created_date:[2012-01-01 TO 2012-12-31]

The following request will display all indicators that have a level of confidence in the range of 10 to 50 (excluding the boundaries):

supplier_confidence:{10 TO 50}

The following request will display all indicators that have a threat_score context field value greater than or equal to 75 (the square bracket makes the lower boundary inclusive; the asterisk leaves the upper boundary open):

ioc_supplier_context.threat_score:[75 TO *]

The following request will display all indicators whose context has a threat attribute nested under files (ioc_supplier_context.files.threat) containing the HEUR:Exploit.SWF.Generic substring:

ioc_supplier_context.files.threat:"HEUR:Exploit.SWF.Generic"

The following request will display all indicators that have a context attribute, at any nesting level, whose value contains HEUR:

ioc_supplier_context.\\*:HEUR
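To make the semantics of the examples above concrete (inclusive [a TO b] versus exclusive {a TO b} ranges, the open * bound, OR groups, quoted substrings, the bare quoted list matched against every attribute, and the \\* wildcard segment that descends into the context at any depth), here is a small evaluator that runs each of these queries over a handful of constructed indicator records. This is an added example, not CyberTrace's own search engine or API: the record contents, supplier names and context fields are invented for the illustration, and the matching rules (case-sensitive substring match for text, numeric comparison when both sides parse as numbers, list elements sharing their parent's path, a bare quoted comma-separated list treated as alternatives) are this example's assumptions based on the descriptions on this page.

```python
"""Toy evaluator for the CyberTrace-style search queries shown on this page.

Added example, not CyberTrace code. It covers only the constructs the page
demonstrates: a bare quoted list, field:"substring", field:(a OR b),
inclusive [a TO b] and exclusive {a TO b} ranges with * as an open bound,
and a \\* wildcard segment in a field path matching any nesting level.
"""
import re

# Constructed sample records (invented values); attribute names follow the
# table on this page, the nested context contents are made up.
INDICATORS = [
    {"ioc_type": "hash", "ioc_value": "123321abcdef", "ioc_created_date": "2012-03-04",
     "supplier_name": "Demo_Hash_Feed", "supplier_confidence": 89,
     "ioc_supplier_context": {"threat_score": 80,
                              "files": [{"threat": "HEUR:Exploit.SWF.Generic"}]}},
    {"ioc_type": "url", "ioc_value": "http://example.test/ru/", "ioc_created_date": "2013-01-01",
     "supplier_name": "Demo_URL_Feed", "supplier_confidence": 50,
     "ioc_supplier_context": {"threat_score": 75, "geo": "ru"}},
    {"ioc_type": "ip", "ioc_value": "192.0.2.10", "ioc_created_date": "2012-12-31",
     "supplier_name": "InternalTI", "supplier_confidence": 91,
     "ioc_supplier_context": {"threat_score": 30, "detail": {"name": "HEUR:Trojan.Generic"}}},
]

RANGE_RE = re.compile(r"^([\[{])\s*(\S+)\s+TO\s+(\S+)\s*([\]}])$")


def flatten(obj, path=()):
    """Yield (path_tuple, scalar) for every leaf; list elements share the parent path."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, path + (key,))
    elif isinstance(obj, list):
        for val in obj:
            yield from flatten(val, path)
    else:
        yield path, obj


def path_matches(pattern, path):
    """Dotted field path; a trailing \\* (backslashes ignored) matches any deeper path."""
    segs = [s.replace("\\", "") for s in pattern.split(".")]
    if segs[-1] == "*":
        return len(path) > len(segs) - 1 and list(path[: len(segs) - 1]) == segs[:-1]
    return list(path) == segs


def _num(x):
    try:
        return float(x)
    except (TypeError, ValueError):
        return None


def compare(a, b):
    """-1/0/1; numeric when both sides parse as numbers, otherwise string order
    (ISO dates such as 2012-01-01 sort correctly as strings)."""
    na, nb = _num(a), _num(b)
    if na is not None and nb is not None:
        return (na > nb) - (na < nb)
    a, b = str(a), str(b)
    return (a > b) - (a < b)


def term_matches(term, value):
    """Match one field term: range, OR group, quoted substring, or bare token."""
    m = RANGE_RE.match(term)
    if m:
        lo_br, lo, hi, hi_br = m.groups()
        ok_lo = lo == "*" or compare(value, lo) > 0 or (lo_br == "[" and compare(value, lo) == 0)
        ok_hi = hi == "*" or compare(value, hi) < 0 or (hi_br == "]" and compare(value, hi) == 0)
        return ok_lo and ok_hi
    if term.startswith("(") and term.endswith(")"):
        return any(term_matches(t.strip(), value) for t in term[1:-1].split(" OR "))
    if term.startswith('"') and term.endswith('"'):
        return term[1:-1] in str(value)
    if _num(term) is not None and _num(value) is not None:
        return _num(term) == _num(value)
    return term in str(value)  # assumption: bare text token is a substring match


def evaluate(query, record):
    """True if the record satisfies the query."""
    query = query.strip()
    leaves = list(flatten(record))
    if query.startswith('"') and query.endswith('"'):
        # Bare quoted list: any listed substring in any attribute (page's description)
        needles = [s.strip() for s in query[1:-1].split(",")]
        return any(n in str(v) for n in needles for _, v in leaves)
    field, _, term = query.partition(":")
    return any(term_matches(term.strip(), v) for p, v in leaves if path_matches(field, p))


def search(query, records=INDICATORS):
    """Return the ioc_value of every record matching the query, in input order."""
    return [r["ioc_value"] for r in records if evaluate(query, r)]


if __name__ == "__main__":
    for q in ('"at, ca, kr, ru, ir"', "supplier_confidence:(89 OR 91)",
              "ioc_created_date:[2012-01-01 TO 2012-12-31]", "supplier_confidence:{10 TO 50}",
              "ioc_supplier_context.threat_score:[75 TO *]", r"ioc_supplier_context.\\*:HEUR"):
        print(f"{q:50} -> {search(q)}")
```

Running the block shows the boundary behaviour directly: the record created on 2012-12-31 is returned by the square-bracket date range, the record with confidence 50 is not returned by {10 TO 50}, and the threat_score of exactly 75 is returned by [75 TO *]. Note that the Python raw string r"ioc_supplier_context.\\*:HEUR" reproduces the query exactly as written on this page.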
