The Filtering rules for feeds section on the Feeds tab (under Settings) allows you to specify filtering rules for feeds. Note that the filtering rules that you specify are applied to the feeds after they are updated, not to the current feeds.
In the Filtering rules for feeds section, you can do the following:
Managing the number of records in a feed
You can also make the number of records in the feed unlimited. To do this, clear the Truncate feed check box under the feed.
Enabling or disabling a feed
Note that you can use only those Kaspersky Threat Data Feeds that are available with your certificate. For more information, see section "Feeds update period".
Managing filtering rules
Filtering rules are criteria that Kaspersky CyberTrace uses to filter the original feed files.
Each filtering rule is set in the Filtering rules subsection: the field name is specified in the Field name text box, and the filtering criteria are specified in the Value text box. A field can have only one filtering rule associated with it; you cannot have two Field name settings for one field.
Only those records that match all the specified criteria are included in the output file. If a filtering criterion is specified for a field, and the field is missing from a record, this record will not be included in the output file.
For more information on how to define specific filtering criteria, see subsections "Defining filtering criteria for numeric values", "Defining filtering criteria for strings", and "Defining filtering criteria for dates" below.
Selecting available feed fields
In the original feed files, some records can have extra fields or can lack some fields. For records with extra fields, only the fields that are selected in the Available fields subsection of the corresponding feed are included in the output. Records that lack some fields are included in the output if they contain at least one of the fields selected in the Available fields subsection. If some fields selected in the Available fields subsection are missing from a record in the original feed, the record in the processed feed will not contain them.
If you want to exclude records with missing fields from the output, you must create filtering rules for all required fields. For more information about filtering rules, see subsections "Defining filtering criteria for numeric values", "Defining filtering criteria for strings", and "Defining filtering criteria for dates" below.
Managing actionable fields
The Filtering rules for feeds section has three tabs:
The Request access to all feeds link near each Kaspersky demo feed indicates that you can use custom feeds in addition to the Kaspersky demo feeds. The link redirects you to the Request Kaspersky Threat Intelligence form, where you can subscribe to Kaspersky Threat Intelligence Portal and get commercial feeds, which have a higher level of protection.
Defining filtering criteria for numeric values
Numeric values are integers. Decimal values are not supported.
In the Filtering rules subsection, in the Value text box, you can define filtering criteria for numeric fields in the following ways:
*
The specified field can contain any value.
%value%
Exact numeric value. The value in the specified field must be equal to %value%. For example, if %value% is 1, then the value in the specified field must be equal to 1.
%value1%;%value2%
One of several numeric values. The specified field can contain one of the specified numeric values (%value1% or %value2%). You can specify additional values by using a semicolon (;) as a delimiter.
[%value1%;%value2%]
Range of numeric values. The specified field can contain one of the values in the specified range between %value1% and %value2%. Note that %value2% is included in the range.
[%value1%;*] or [*;%value1%]
Open range of numeric values. Same as range of numeric values, but an asterisk (*) specifies infinity. For example, if the value is [2;*], then the specified field must contain a value greater than or equal to 2.
Defining filtering criteria for strings
In the Filtering rules subsection, in the Value text box, you can define filtering criteria for string fields in the following ways:
*
The specified field can have any value.
%string%
The value in the specified field must contain the specified string. For example, if %string% is ru, then the value in the specified field must contain ru.
%string1%;%string2%
The value in the specified field must contain one or more of the specified strings.
Defining filtering criteria for dates
Date values in feeds are formatted either in the pattern "dd.MM.yyyy HH:mm" (for example, "26.04.2014 18:00") or in the pattern "M/d/y h:mm:ss tt" (for example, "4/26/2014 6:00:00 PM"). The "M/d/y h:mm:ss tt" pattern is used in P-SMS Trojan Data Feed.
Only the date part of the value is used in filtering; hours and minutes are ignored.
In the Filtering rules subsection, in the Value text box, you can define filtering criteria for date fields in the following ways:
*
The specified field can contain any value.
%date%
The specified field must contain the specified date. For example, if %date% is 14.10.2015, then the value in the specified field must be 14 October 2015.
[%date1%;%date2%]
The specified field must contain the date in the specified range.
[%date1%;*] or [*;%date1%]
Open range of dates. Same as range of dates, but an asterisk (*) specifies infinity. For example, if the value is [*;10.12.2015], then the date in the specified field must be on or before 10 December 2015.
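The following Python sketch is an added example, not Kaspersky CyberTrace code. It models the Value syntax for numeric, string, and date fields described above, together with the rules that a record must match all criteria and that a record missing a filtered field is dropped. The field names, the sample records, and the case-sensitive string comparison are assumptions made for illustration.

```python
from datetime import datetime

def _date(text):
    # Feed values use "dd.MM.yyyy HH:mm" or "M/d/y h:mm:ss tt"; only the date part counts.
    day = text.split()[0]
    fmt = "%m/%d/%Y" if "/" in day else "%d.%m.%Y"
    return datetime.strptime(day, fmt).date()

def compile_rule(kind, value):
    """Turn a Value string into a predicate; kind is 'numeric', 'string' or 'date'."""
    value = value.strip()
    if value == "*":
        return lambda field: True
    if kind == "string":
        needles = [s for s in value.split(";") if s]
        return lambda field: any(n in field for n in needles)  # case-sensitive: assumption
    conv = int if kind == "numeric" else _date  # integers only; decimals are not supported
    if value.startswith("[") and value.endswith("]"):
        lo, hi = (p.strip() for p in value[1:-1].split(";"))
        lo = None if lo == "*" else conv(lo)   # "*" means an open bound
        hi = None if hi == "*" else conv(hi)
        return lambda field: ((lo is None or lo <= conv(str(field)))
                              and (hi is None or conv(str(field)) <= hi))
    allowed = {conv(p) for p in value.split(";")}  # single value or ";"-separated list
    return lambda field: conv(str(field)) in allowed

def filter_feed(records, rules):
    """rules maps field name -> (kind, value); one rule per field, all must match."""
    compiled = {name: compile_rule(kind, value) for name, (kind, value) in rules.items()}
    return [r for r in records
            if all(name in r and test(r[name]) for name, test in compiled.items())]

# Constructed sample records; field names are illustrative, not taken from a real feed.
SAMPLE = [
    {"id": 1, "popularity": 5, "geo": "ru, us", "last_seen": "26.04.2014 18:00"},
    {"id": 2, "popularity": 1, "geo": "de", "last_seen": "4/26/2014 6:00:00 PM"},
    {"id": 3, "popularity": 4, "geo": "br, ru"},  # no last_seen field
    {"id": 4, "popularity": 3, "geo": "ru", "last_seen": "11.12.2015 09:30"},
]
RULES = {
    "popularity": ("numeric", "[2;*]"),
    "geo": ("string", "ru;us"),
    "last_seen": ("date", "[*;10.12.2015]"),
}

if __name__ == "__main__":
    print([r["id"] for r in filter_feed(SAMPLE, RULES)])
```

Because string criteria are "contains" matches, a short value such as ru also matches any longer value that happens to include those letters, so check a filtered feed for unintended hits before relying on it for detection.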