Working with indicators

Kaspersky CyberTrace uses the Elasticsearch database to store the indicators of compromise (IOC) from the threat intelligence feeds. This database contained in the Kaspersky CyberTrace distribution package.

On the Kaspersky CyberTrace web user interface you can select the Indicators tab. This section allows you to do the following:

• View the list of indicators from the indicator database (hereinafter, also called the database)
• Perform a search by indicator
• Add new indicators to the database

  When a new indicator is successfully added to the database, it can be used in the matching process. Such indicators are written to the database by using the InternalTI value of the supplier_name attribute.

• Delete indicators from the database
• Add existing indicators to the FalsePositive supplier (mark as false positive)
• Browse detailed information about indicators
• Filter indicators by suppliers. When this filter is applied and several suppliers are selected, Kaspersky CyberTrace shows only indicators, each of which is provided by all selected suppliers.
• Filter indicators by tags

FalsePositive and InternalTI suppliers

The FalsePositive and InternalTI suppliers are built-in Kaspersky CyberTrace suppliers that you can add indicators to:

• A FalsePositive supplier is designed for existing indicators that users mark as false positives in CyberTrace Web
• An InternalTI supplier is designed for new indicators that users add to the database in CyberTrace Web or via the REST API

The InternalTI supplier indicators will have detections even if an indicator is from the false positives list.

In this section Search syntax Search result Browsing detailed information about indicators Indicators exported to CSV URL normalization rules

Page top