Log file indicators search

You can search for indicators from log files by selecting the Log file tab after selecting the Search tab.

All log files that you pass to Kaspersky CyberTrace for scanning must be in UTF-8 encoding. If your log files have a different encoding, make sure to convert them to UTF-8.

Search for objects

You can run the search process for one or more log files.

Do not use feeds as log files for search. The scan results will contain a large number of matches, which will render the results uninformative.

Terminating the search process

You can terminate the search process while it is being performed. In this case the search result form is cleared and the "Operation is canceled" message is displayed. The information about the processed log file is added to the search requests history with a remark that the search process is not finished.

Search result

After a search is performed, Kaspersky CyberTrace Web displays the following data:

• Summary information about the search result:
  • Number of processed log files
  • Number of detected indicators
  • Number of lines that were processed
  • Number of detections for each category
• Information about top 100 matching indicators
• Link to download the report about the search result

For every item among the top 100 matching indicators the following information is displayed:

• Number of occurrences in the checked log files
• Name of the log file and lines in it that contain the detected indicator

  Up to three lines are displayed. To view more lines that contain the detected indicator, click Show first 100 matches.

  The detected indicator is hyperlinked to the information about it in Kaspersky Threat Intelligence Portal.

• Fields of feed records that matched the indicator

If no information is found for the objects in the log file, the message about it is displayed.

Notice that if you run a search and then switch to another tab, the search results will become available in the search request history.

Downloading search reports

You can download a report with the results of the search operation. The report is a .csv file.

To download a report,

Select the Download report link and specify the directory to which you want to save the report.

A full report about a search result has the following fields:

• file_name—Name of the log file
• file_line—Line in the log file that contains the detected indicator
• detected_indicator—The detected indicator
• category—Category of the detected indicator
• Context fields from the feed

The files with search reports will be stored in the httpsrv directory. Only the administrator (in Windows) or the root user (in Linux) has permission to open this directory.

Regular expressions for searching indicators from log files

To parse log files for indicators, CyberTrace Web uses regular expressions defined in the Feed Service configuration file (you can browse or edit them by using Kaspersky CyberTrace Web). The regular expressions are specified by a special event source called http_file_lookup. For detailed information about regular expressions for searching indicators from log files, see section "About event sources".

Page top