Kaspersky CyberTrace

Searching indicators

On the Kaspersky CyberTrace web user interface you can select the Search tab to activate a form for searching threat indicators.

In Kaspersky CyberTrace version 3.0, this tab was named Lookup.

Threat search may be unavailable if it is not included in your licensing level.

From the Search tab you can access pages for the individual search types: a single indicator (the Indicator tab), indicators in log files (the Log file tab), and file hashes (the File tab).

Starting from Kaspersky CyberTrace version 3.1.0, each search request is added to the search request history.

Saving search results

You can save the result of a search operation to a text file.

The result will be saved in a file named kl_lookup_result_%TYPE%_hhmmss_ddMMyyyy.txt. Here %TYPE% is either indicator (for a single indicator search), logfiles (for a log files search), or files (for a file hashes search).

A full report about a search result is a CSV file. The first line lists the field names; each remaining line contains one record, with every field value enclosed in double quotation marks. A quotation mark inside a field value is escaped by doubling it. Fields are delimited by semicolons.

Different search types imply different sets of fields in a report file. The field sets for each search type are described in a section for that particular search type.

Canceling the search

You can cancel the search operation.

The Cancel button

To cancel the search operation:

  1. Click the Cancel button in the middle of the screen.

    A confirmation window opens.

  2. Click Cancel the search to confirm.

    The search request is then added to the search request history with the Canceled status, together with the information about the items processed so far and a remark that the search was not finished. The search result form is cleared and the "Operation is canceled" message is displayed.

In this section

About the indicator search syntax

About the search request history

Single indicator search

Log file indicators search

File hashes search


About the indicator search syntax

This section lists types of indicators that you can search for and the syntax for them.

URLs

You can search for domain names and specific URLs by using the following syntax:

  • Second-level domain names

    example.com

  • Domain names of third and lower levels

    www.example.com

  • URLs

    http://www.example.com/index.html

Hashes

You can search for hashes by using the following syntax:

  • MD5

    1A79A4D60DE6718E8E5B326E338AE533

  • SHA1

    C3499C2729730A7F807EFB8676A92DCB6F8A3F8F

  • SHA256

    50D858E0985ECC7F60418AAF0CC5AB587F42C2570A884095A9E8CCACD0F6545C

IP addresses

You can search for IPv4 addresses by using the following syntax:

198.51.100.0

Searching for IP addresses represented in Classless Inter-Domain Routing (CIDR) notation is not supported.
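As an added example, not part of the CyberTrace documentation or product (CyberTrace's own matching is driven by the regular expressions in the Feed Service configuration file, not by this script), the following Python code pre-checks a list of indicators against the syntaxes listed above before you paste them into the Search tab. It classifies hashes by hexadecimal length, accepts IPv4 addresses, domain names and URLs, and rejects CIDR ranges and IPv6 addresses, which this page does not list as supported. The domain-label rule and the function names are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hash syntaxes documented for the Search tab: hexadecimal digests of
# 32 (MD5), 40 (SHA1) and 64 (SHA256) characters, in either case.
HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Assumed domain-label rule (not stated on the page): letters, digits and
# hyphens, 1-63 characters, no leading or trailing hyphen, two or more labels.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _is_ipv4(value: str) -> bool:
    try:
        return ipaddress.ip_address(value).version == 4
    except ValueError:
        return False


def _is_domain(value: str) -> bool:
    labels = value.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False
    # An all-numeric last label is a dotted quad, not a domain name.
    return not labels[-1].isdigit()


def classify_indicator(value: str) -> str:
    """Return the indicator type ("MD5", "SHA1", "SHA256", "IP address",
    "Domain" or "URL") that a string would be searched as, or raise
    ValueError for syntax the Search tab does not accept."""
    value = value.strip()
    if not value:
        raise ValueError("empty indicator")

    if HEX_RE.match(value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)]

    # CIDR notation (e.g. 198.51.100.0/24) is explicitly unsupported.
    if "/" in value and "://" not in value:
        try:
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            pass
        else:
            raise ValueError(f"CIDR notation is not supported: {value}")

    if _is_ipv4(value):
        return "IP address"
    try:
        ipaddress.ip_address(value)  # parses but is not IPv4, so it is IPv6
    except ValueError:
        pass
    else:
        raise ValueError(f"IPv6 is not a documented search syntax: {value}")

    if "://" in value:
        host = urlsplit(value).hostname or ""
        if _is_domain(host) or _is_ipv4(host):
            return "URL"
        raise ValueError(f"URL has no valid host: {value}")

    if _is_domain(value):
        return "Domain"
    raise ValueError(f"unsupported indicator syntax: {value}")


def check_batch(lines):
    """Classify pasted lines; returns (value, type, error) per non-empty line."""
    results = []
    for line in lines:
        value = line.strip()
        if not value:
            continue
        try:
            results.append((value, classify_indicator(value), None))
        except ValueError as exc:
            results.append((value, None, str(exc)))
    return results


if __name__ == "__main__":
    # Constructed sample input: the page's own syntax examples plus two
    # forms the Search tab rejects.
    sample = [
        "example.com",
        "http://www.example.com/index.html",
        "1A79A4D60DE6718E8E5B326E338AE533",
        "198.51.100.0",
        "198.51.100.0/24",
        "not an indicator",
    ]
    for value, kind, error in check_batch(sample):
        print(f"{value:45} {kind or 'REJECTED'} {error or ''}")
```

Run it over a file of candidate indicators before a bulk lookup; anything it rejects would produce a "not detected" result or a form error rather than a meaningful answer, so it is cheaper to catch such lines locally than to hunt for them in the search request history afterwards.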


About the search request history

This section describes the search request history that is displayed on every threat search page.

Storing the search requests

When a search is performed using Kaspersky CyberTrace Web, information about it is stored in the history. For a log file search, the log file itself is not stored; only the lines from the log file that contained detected indicators are kept. For a file hash search, the file itself is not stored. Note that the retained log lines are part of the history and, as described below, are visible to administrators for all users.

For each authenticated user, the CyberTrace HTTP service stores the following amount of information:

  • Last 1000 indicator search requests made in the last three months.
  • Last 1000 log file search requests made in the last three months.
  • Last 1000 file hash search requests made in the last three months.

Displaying the search request history

Every search page contains a form with the request history. The request history form contains requests of the corresponding search request type:

  • Single indicator search request
  • Log file search request
  • File hash search request

If you have signed in as an administrator, the search request history of all users is available; otherwise, only the current user's search request history is available.

The search requests are displayed from the last to the first. The active page contains up to 20 search requests. If there are more than 20 search requests available, you can display others by using the navigation controls.

You can specify the period during which the search requests to display were made:

  • Last hour
  • Last day
  • Last week
  • Last month (30 days)
  • Last 3 months (91 days)
  • Arbitrary period

Single indicator search request history

The form with the history of single indicator search requests displays the following data:

  • The search result

    It is Detected if the indicator is detected one or more times, Not detected if the indicator is not detected, or Canceled if the search operation was canceled.

    This information is displayed in the Status column.

  • Date of request in the format yyyy-mm-dd HH:MM:SS

    For example, 2012-12-31 23:58:25.

    This information is displayed in the Date column.

  • Name of the user who performed the search request

    This information is displayed in the User column and can be seen only by administrators.

  • Indicator that was searched for

    This information is displayed in the Search string column.

For a search operation that was not canceled, if you select an indicator, the full search result and the button for exporting the search result are displayed.

Log file search request history

The form with the history of log file search requests displays the following data:

  • The search result

    It is Detected if indicators in the log file are detected one or more times, Not detected if no indicator is detected, or Canceled if the search operation was canceled.

    This information is displayed in the Status column.

  • Date of request in the format yyyy-mm-dd HH:MM:SS

    For example, 2012-12-31 23:58:25.

    This information is displayed in the Date column.

  • Name of the user who performed the search request

    This information is displayed in the User column and can be seen only by administrators.

  • Log file in which the indicators were searched for

    This information is displayed in the Log file column.

For a search operation that was not canceled, if you select a row in the table, the full search result and the button for exporting the search result are displayed.

File hash search request history

The form with the history of file hash search requests displays the following data:

  • The search result

    It is Detected if the file hash is detected one or more times, Not detected if the file hash is not detected, or Canceled if the search operation was canceled.

    This information is displayed in the Status column.

  • Date of request in the format yyyy-mm-dd HH:MM:SS

    For example, 2012-12-31 23:58:25.

    This information is displayed in the Date column.

  • Name of the user who performed the search request

    This information is displayed in the User column and can be seen only by administrators.

  • Name of the file whose hash was searched for

    This information is displayed in the File column.

  • File hash that was searched for

    This information is displayed in the Checksum column.

For a search operation that was not canceled, selecting a file hash will display the full search result and the button for exporting the search result.


Single indicator search

You can search for a single indicator by selecting the Indicator tab after selecting the Search tab.

The Indicator tab

Search for objects

You can search for one of the following indicator types:

  • Hash
  • IP address
  • Domain
  • URL

To search for an indicator:

  1. Enter the indicator in the search field.
  2. Click the Search button.

The search result will appear in the Detections section.

Indicator search syntax

You can search for a URL in two ways:

  • By specifying the full URL
  • By specifying only the domain name

When searching for a hash or an IP address, specify the full indicator, as described in the section about indicator search syntax.

Search result

After a search is performed, CyberTrace Web displays the result in the Detections section.

The Detections section

The search result consists of the following data:

  • Requested indicator
  • Category of the requested indicator

    This information is displayed in the Category column.

  • Fields of feed records that matched the indicator

    If the feeds do not contain information about the requested indicator, a message about this is displayed.

    This information is displayed in the Context column.

  • Link or links to detailed information about the requested indicator

    The links are displayed as fields in the Context column.

If the indicator is not detected because it belongs to the FalsePositive supplier, the search result consists of the following data:

  • Requested indicator
  • Message that there is no detection
  • Link or links to detailed information about the requested indicator

If no information is found for the requested indicator, a message about this appears. The message contains a link that redirects you to the search page of Kaspersky Threat Intelligence Portal.

Notice that if you run a search and then switch to another tab, the search results will become available in the search request history.

Downloading search reports

You can download a report with the results of the search operation. The report is a .csv file.

To download a report:

Click the Download report link and specify the directory to which you want to save the report.

Regular expressions for searching indicators

To search for indicators, CyberTrace Web uses the regular expressions defined in the Feed Service configuration file. The regular expressions are specified by a special event source called http_single_lookup.


Log file indicators search

You can search for indicators from log files by selecting the Log file tab after selecting the Search tab.

All log files that you pass to Kaspersky CyberTrace for scanning must be in UTF-8 encoding. If your log files have a different encoding, make sure to convert them to UTF-8.

The Log file tab

Search for objects

You can search for one or more log files.

To search for indicators in log files:

  1. Select the log files that you want to search. Do one of the following:
    • Click the Select files button, and then select the log files.
    • Drag the log files into the colored area.
  2. Click the Search button.

The search result will appear in the Summary section.

Do not use feeds as log files for search. The scan results will contain a large number of matches, which will render the results uninformative.

Search result

After a search is performed, CyberTrace Web displays the result in the Summary section.

The Summary section

The search result consists of the following data:

  • Summary information about the search result:
    • Number of processed log files
    • Number of detected indicators
    • Number of lines that were processed
    • Number of detections for each category
  • Information about the top 100 matching indicators
  • Link to download the report about the search result

For every item among the top 100 matching indicators, the following information is displayed:

  • Number of occurrences in the checked log files
  • Name of the log file and the lines that contain the detected indicator

    Up to three lines are displayed. To view more lines that contain the detected indicator, click Show first 100 matches.

    The detected indicator is hyperlinked to detailed information about it.

    This information is displayed in the table at the bottom of the indicator card.

  • Fields of feed records that matched the indicator

    This information is displayed at the top of the indicator card.

If no information is found for the indicators in the log file, a message about this is displayed.

Notice that if you run a search and then switch to another tab, the search results will become available in the search request history.

Downloading search reports

You can download a report with the results of the search operation. The report is a .csv file.

To download a report:

Click the Download report link and specify the directory to which you want to save the report.

A full report about a search result has the following fields:

  • file_name—Name of the log file
  • file_line—Line in the log file that contains the detected indicator
  • detected_indicator—The detected indicator
  • category—Category of the detected indicator
  • Context fields from the feed

The files with search reports are stored in the httpsrv directory on the CyberTrace host. Only the administrator (in Windows) or the root user (in Linux) has permission to open this directory; because these reports contain the matching lines from the uploaded log files, keep that restriction in place.

Regular expressions for searching indicators from log files

To parse log files for indicators, CyberTrace Web uses the regular expressions defined in the Feed Service configuration file. The regular expressions are specified by a special event source called http_file_lookup.


File hashes search

You can search for file hashes by selecting the File tab after selecting the Search tab.

The File tab

Search for objects

You can specify one or more files. CyberTrace computes the MD5 hash of each file and searches for that hash; the files themselves are not stored (see the section about the search request history). If you already have the hash, or prefer not to upload the file, you can search for the hash directly on the Indicator tab instead.

To search for file hashes:

  1. Select the files whose hashes you want to search for. Do one of the following:
    • Click the Select files button, and then select the files.
    • Drag the files into the colored area.
  2. Click the Search button.

The search result will appear below in the Summary section.

Search result

After a search is performed, CyberTrace Web displays the result in the Summary section.

The Summary section

The search result consists of the following data:

  • Number of processed files
  • Number of detected indicators
  • Number of detections for each category

For every checked file hash, the following information is displayed:

  • File name
  • MD5 file hash

    The file hash is linked to detailed information about the object.

  • Fields of feed records that matched the indicator
  • Message that there is no detection (if the file hash is not detected)

If no information is found for a file hash, a message about this appears. The message contains a link that redirects you to the search page of Kaspersky Threat Intelligence Portal.

If you run a search and then switch to another tab, the search results will become available in the search request history.

Downloading search reports

You can download a report with the results of the search operation. The report is a .csv file.

To download a report:

Click the Download report link and specify the directory to which you want to save the report.

A full report about a search result has the following fields:

  • file_name—Name of the file whose hash is detected
  • detected_indicator—The detected hash
  • category—Category of the detected hash
  • Context fields from the feed
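The report format described under "Saving search results" (header line, semicolon-delimited, every value in double quotation marks, embedded quotation marks doubled) and the field lists given above for the log file and file hashes reports are enough to process downloaded reports outside the web interface. The following Python script is an added example and not part of the CyberTrace documentation or product: it parses a report with the standard csv module, checks for the fields both report types share, and rolls the records up per category, indicator and file the way the Summary section does. The sample report, its category and threat names, and the "threat" context field are constructed for the example; a real report carries whatever context fields the matching feed provides. UTF-8 encoding of the downloaded file is assumed.

```python
import csv
import io
from collections import Counter

# Constructed sample of a log file search report (not a real CyberTrace
# report): header line, then quoted, semicolon-separated values. The second
# field of each record contains doubled quotation marks around the URL.
SAMPLE_REPORT = (
    "file_name;file_line;detected_indicator;category;threat\n"
    '"proxy.log";"10:00:01 client=10.0.0.5 GET ""http://www.example.com/index.html""";'
    '"www.example.com";"Malicious URL";"HEUR:Trojan.Script.Generic"\n'
    '"proxy.log";"10:00:07 client=10.0.0.9 GET ""http://www.example.com/a""";'
    '"www.example.com";"Malicious URL";"HEUR:Trojan.Script.Generic"\n'
    '"fw.log";"10:01:15 src=198.51.100.0 dst=10.0.0.1 action=allow";'
    '"198.51.100.0";"Botnet CnC IP";"Backdoor.Win32.Generic"\n'
)

# Fields present in both the log file report and the file hashes report;
# file_line exists only in the log file report.
REQUIRED_FIELDS = ("file_name", "detected_indicator", "category")
STANDARD_FIELDS = {"file_name", "file_line", "detected_indicator", "category"}


def parse_report(text: str) -> list[dict]:
    """Parse report text into one dict per record, keyed by the header names.
    Dialect: ';' delimiter, '"' quoting, doubled quotes inside values."""
    reader = csv.DictReader(
        io.StringIO(text, newline=""),
        delimiter=";",
        quotechar='"',
        doublequote=True,
        strict=True,
    )
    missing = [f for f in REQUIRED_FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"report header lacks fields: {missing}")
    return list(reader)


def load_report(path: str) -> list[dict]:
    """Read a downloaded report from disk (UTF-8 assumed)."""
    with open(path, encoding="utf-8", newline="") as fh:
        return parse_report(fh.read())


def summarize(rows: list[dict]) -> dict:
    """Counts per category, indicator and scanned file, plus the names of
    the feed context fields that the report carries."""
    context_fields = (
        sorted(k for k in rows[0].keys() if k is not None and k not in STANDARD_FIELDS)
        if rows else []
    )
    return {
        "detections": len(rows),
        "by_category": dict(Counter(r["category"] for r in rows)),
        "by_indicator": dict(Counter(r["detected_indicator"] for r in rows)),
        "by_file": dict(Counter(r["file_name"] for r in rows)),
        "context_fields": context_fields,
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(f"{summary['detections']} detections in {len(summary['by_file'])} file(s)")
    for category, count in summary["by_category"].items():
        print(f"  {category}: {count}")
    for indicator, count in summary["by_indicator"].items():
        print(f"  {indicator}: {count} occurrence(s)")
    print("  context fields:", ", ".join(summary["context_fields"]))
```

Because the parser reads the field names from the header line rather than assuming a fixed layout, the same functions work for a file hashes report, which lacks file_line, and for reports whose feeds add different context fields; only the three fields common to both report types are required.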