Search result

After a search is performed, CyberTrace Web displays a table with the requested indicators. This table can be sorted by columns. For each of these indicators, you can view the following data:

• Type of the requested indicator

  The indicator can be of several types (for example, IP and URL).

• Tag indicating whether the requested indicator belongs to the FalsePositive supplier

  The table does not display indicators which are contained only in the false positives list (and were not added to CyberTrace from a feed or using the REST API or Kaspersky CyberTrace Web). To manage indicators which are contained only in the false positives list, select the Settings tab, and then the Feeds tab.

• Value of the requested indicator
• Date and time when the requested indicator was added
• Date and time of the latest indicator update
• Suppliers that contain the requested indicator

Below the table is the number of indicators returned after a search is performed. If you do not perform a search, the total number of unique indicators for all enabled suppliers is displayed. The table does not contain repeated indicator values and corresponding suppliers are listed in the Suppliers column. Thus, duplications of indicator values are discarded from the total number.

Adding new indicators to the database

To add a new indicator to the database:

1. Click the Add link.

   The Add new indicator window opens.

2. Select the indicator type.
3. Specify the indicator value.

   Kaspersky CyberTrace will apply URL normalization rules to any URL that you add on the URL tab and which are not yet contained in the indicator database, thus, the representation of these URLs may change. For example, if you add a URL that contains a port, this port value will be removed.

4. Add indicator attributes by specifying their names and values.

   The name can be up to 255 characters in length, must contain only lowercase Latin letters and cannot begin with a hyphen ("-") and an underscore ("_"). The space symbol (" ") and the tab symbol cannot be used. Also, the attribute name cannot be equal to summary.

5. In the text field, enter summary information about the indicator, if necessary.
6. Click Save.

After that, the indicator will be added to the database with the InternalTI value of the supplier_name attribute.

Adding existing indicators to the list of false positives

To add an existing indicator to the list of false positives:

1. Select the indicator (or several indicators) that you want to mark as false positive.
2. If some of selected indicators are of several types, perform one of the following:
   • Click the Mark as False Positive <Type> button, where <Type> is the indicator type that you want to mark as a false positive
   • Click the Mark all as False Positive button, if you want to mark all indicator types as false positive
3. If none of selected indicators has several types, click the Mark as false positive button.
4. Click Mark to confirm that you want to mark the selected indicator (or several indicators) as false positive.

Deleting indicators

To delete an indicator:

1. Select the indicator (or several indicators) that you want to delete.
2. Click the Delete button.

   The Delete indicator window opens.

3. Click Yes to confirm that you want to delete the selected indicator (or several indicators).

Page top