After a search is performed, CyberTrace Web displays a table with the requested indicators. This table can be sorted by columns. For each of these indicators, you can view the following data:
The indicator can be of several types (for example, IP and URL).
The table does not display indicators which are contained only in the false positives list (and were not added to CyberTrace from a feed or using the REST API or Kaspersky CyberTrace Web). To manage indicators which are contained only in the false positives list, select the Settings tab, and then the Feeds tab.
Below the table is the number of indicators returned after a search is performed. If you do not perform a search, the total number of unique indicators for all enabled suppliers is displayed. The table does not contain repeated indicator values; the corresponding suppliers are listed in the Suppliers column. Thus, duplicate indicator values are not counted in the total number.
Adding new indicators to the database
To add a new indicator to the database:
The Add new indicator window opens.
Kaspersky CyberTrace applies URL normalization rules to any URL that you add on the URL tab and that is not yet contained in the indicator database, so the representation of such a URL may change. For example, if you add a URL that contains a port, the port value will be removed.
The name can be up to 255 characters in length, must contain only lowercase Latin letters, and cannot begin with a hyphen ("-") or an underscore ("_"). The space symbol (" ") and the tab symbol cannot be used. Also, the attribute name cannot be equal to summary.
After that, the indicator will be added to the database with the InternalTI value of the supplier_name attribute.
Adding existing indicators to the list of false positives
To add an existing indicator to the list of false positives:
Deleting indicators
To delete an indicator:
The Delete indicator window opens.