You can search for indicators from log files by selecting the Log file tab after selecting the Search tab.
All log files that you pass to Kaspersky CyberTrace for scanning must be in UTF-8 encoding. If your log files have a different encoding, make sure to convert them to UTF-8.
Search for objects
You can run the search process for one or more log files.
Do not use feeds as log files for search. A feed consists almost entirely of indicators, so the scan results would contain a very large number of matches and be uninformative.
Terminating the search process
You can terminate the search process while it is running. In this case the search result form is cleared and the "Operation is canceled" message is displayed. Information about the processed log file is added to the search requests history with a remark that the search was not finished.
Search result
After a search is performed, Kaspersky CyberTrace Web displays the following data:
For every item among the top 100 matching indicators the following information is displayed:
Up to three lines are displayed. To view more lines that contain the detected indicator, click Show first 100 matches.
The detected indicator is hyperlinked to the information about it in Kaspersky Threat Intelligence Portal.
If no indicators are found in the log file, a message saying so is displayed.
Note that if you run a search and then switch to another tab, the search results remain available in the search requests history.
Downloading search reports
You can download a report with the results of the search operation. The report is a .csv file.
To download a report,
Select the Download report link and specify the directory to which you want to save the report.
A full report about a search result has the following fields:
file_name — Name of the log file
file_line — Line in the log file that contains the detected indicator
detected_indicator — The detected indicator
category — Category of the detected indicator
The files with search reports are stored in the httpsrv directory. Only the administrator (in Windows) or the root user (in Linux) has permission to open this directory.
Regular expressions for searching indicators from log files
To parse log files for indicators, CyberTrace Web uses the regular expressions defined in the Feed Service configuration file (you can view or edit them in Kaspersky CyberTrace Web). The regular expressions are specified for a special event source named http_file_lookup. For detailed information about regular expressions for searching indicators from log files, see section "About event sources".
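The following Python script is an added example, not Kaspersky CyberTrace code, that shows how the search described above works end to end: it enforces the UTF-8 requirement, scans each log line with a set of indicator regular expressions, looks each extracted object up in an indicator table, keeps at most three sample lines per indicator for the result form, ranks the top matching indicators, and renders the four-column CSV report (file_name, file_line, detected_indicator, category). The regular expressions, the indicator-to-category table and the sample log lines are constructed for the example; in CyberTrace the regular expressions come from the http_file_lookup event source in the Feed Service configuration, and the categories come from the loaded feeds.

```python
import csv
import io
import re
from collections import OrderedDict

# Stand-in indicator regexes (assumption). In CyberTrace the real ones are
# defined for the http_file_lookup event source in the Feed Service config.
INDICATOR_REGEXES = OrderedDict([
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("md5", re.compile(r"\b[0-9a-fA-F]{32}\b")),
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+")),
])

# Constructed lookup table standing in for the loaded feeds: indicator -> category.
INDICATOR_DB = {
    "198.51.100.23": "Botnet_CnC_IP",
    "44d88612fea8a8f36de82e1278abb02f": "Malicious_Hash",
    "http://bad.example.test/payload.exe": "Malicious_URL",
}

# Constructed sample log (four proxy/AV lines); not a real log.
SAMPLE_LOG = (
    "2024-05-01T10:00:01 proxy allow src=10.0.0.5 dst=198.51.100.23 url=http://bad.example.test/payload.exe\n"
    "2024-05-01T10:00:02 av scan file=report.pdf md5=d41d8cd98f00b204e9800998ecf8427e clean\n"
    "2024-05-01T10:00:03 av scan file=update.exe md5=44D88612FEA8A8F36DE82E1278ABB02F quarantined\n"
    "2024-05-01T10:00:04 proxy allow src=10.0.0.7 dst=198.51.100.23 url=http://ok.example.test/\n"
)

MAX_SAMPLE_LINES = 3   # lines shown per indicator in the result form
TOP_N = 100            # indicators shown in the result form


def is_utf8(data: bytes) -> bool:
    """Strict UTF-8 check: the log must be converted, not guessed, if this fails."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def search_log(file_name: str, data: bytes):
    """Scan one log file. Returns (matches, summary).

    matches: list of (file_name, file_line, detected_indicator, category) rows,
             one per distinct known indicator per line (the CSV report rows)
    summary: detected_indicator -> {"category", "count", "lines"} in first-seen order
    """
    if not is_utf8(data):
        raise ValueError(f"{file_name}: not UTF-8; convert the file before searching")
    matches = []
    summary = OrderedDict()
    for line in data.decode("utf-8").splitlines():
        seen = set()
        for name, rx in INDICATOR_REGEXES.items():
            for m in rx.finditer(line):
                ind = m.group(0)
                if name == "md5":
                    ind = ind.lower()          # hashes are compared case-insensitively
                category = INDICATOR_DB.get(ind)
                if category is None or ind in seen:
                    continue                   # unknown object, or already counted on this line
                seen.add(ind)
                matches.append((file_name, line, ind, category))
                entry = summary.setdefault(ind, {"category": category, "count": 0, "lines": []})
                entry["count"] += 1
                if len(entry["lines"]) < MAX_SAMPLE_LINES:
                    entry["lines"].append(line)
    return matches, summary


def top_indicators(summary, n=TOP_N):
    """Indicators ordered by number of matching lines (ties by indicator text), at most n."""
    return sorted(summary.items(), key=lambda kv: (-kv[1]["count"], kv[0]))[:n]


def write_report(matches) -> str:
    """Render the full report as CSV with the same four columns CyberTrace uses."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["file_name", "file_line", "detected_indicator", "category"])
    w.writerows(matches)
    return buf.getvalue()


if __name__ == "__main__":
    rows, summary = search_log("proxy.log", SAMPLE_LOG.encode("utf-8"))
    if not summary:
        print("No indicators found in the log file.")
    for ind, info in top_indicators(summary):
        print(f"{ind}  [{info['category']}]  {info['count']} line(s)")
        for sample in info["lines"]:
            print("    " + sample)
    print(write_report(rows))
```

Running the script on the constructed log reports the C&C address twice (two proxy lines), the hash once (matched despite the upper-case spelling in the log) and the URL once; the clean hash and the benign URL are extracted by the regexes but dropped because they are not in the indicator table. Feeding a non-UTF-8 file raises an error instead of silently mis-decoding indicators.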