Search result

After a search is performed, Kaspersky CyberTrace Web displays a table with the requested indicators. This table can be sorted by columns. For each of these indicators, you can view the following data:

• Type of the requested indicator

  The indicator can be of several types (for example, IP and URL).

• Tag indicating whether the requested indicator belongs to the FalsePositive supplier

  The table does not display indicators that are contained only in the false positives list (and were not added to Kaspersky CyberTrace from a feed, by using the REST API, or Kaspersky CyberTrace Web). To manage indicators that are contained only in the false positives list, select the Settings tab, and then the Feeds tab.

• Value of the requested indicator
• Date and time when the requested indicator was added
• Date and time of the latest indicator update
• Suppliers that contain the requested indicator

Below the table is the number of indicators returned after a search is performed. If you do not perform a search, the total number of unique indicators for all enabled suppliers is displayed. The table does not contain repeated indicator values, and corresponding suppliers are listed in the Suppliers column. Thus, duplications of indicator values are discarded from the total number.

Adding new indicators to the database

To add a new indicator to the database:

1. Click the Add link.

   The Add new indicator window opens.

2. Select the indicator type.
3. Specify the indicator value.

   Kaspersky CyberTrace will apply URL normalization rules to any URL that you add on the URL tab and which is not yet contained in the indicator database, thus, the representation of a URL may change. For example, if you add a URL that contains a port, this port value will be removed.

4. Add indicator attributes by specifying their names and values.

   The name can be up to 255 characters in length, must contain only lowercase Latin letters, and cannot begin with a hyphen ("-") or an underscore ("_"). The space symbol (" ") and the tab symbol cannot be used. Also, the attribute name cannot be equal to summary.

5. In the text field, enter summary information about the indicator, if necessary.
6. Click Save.

After that, the indicator will be added to the database with the InternalTI value of the supplier_name attribute.

Adding existing indicators to the list of false positives

To add an existing indicator to the list of false positives:

1. Select one or more indicators that you want to mark as a false positive.
2. If some of selected indicators are of several types, perform one of the following:
   • Click the Mark as false positive <Type> button, where <Type> is the indicator type that you want to mark as a false positive.
   • Click the Mark all as false positives button, if you want to mark all indicator types as a false positive.
3. If none of selected indicators has several types, click the Mark as false positive button.
4. Click Mark to confirm that you want to mark the selected indicators as a false positive.

Deleting indicators

To delete an indicator:

1. Select one or more indicators that you want to delete.
2. Click the Delete button.

   The Delete indicator window opens.

3. Click Yes to confirm that you want to delete the selected indicators.

Page top