Viewing detections

The Detections page of Kaspersky CyberTrace Web displays information about the incoming events that have produced detections in Kaspersky CyberTrace, including source events and detection alerts. You can use thispage to search events and filter them by criteria. To access this page, you need to switch to the Data management mode.

The Detections page contains the following elements:

• Search bar
• Table with information about detections
• Button for switching to the settings of the table:
  • Search also in detection alerts toggle switch
  • Auto-update table toggle switch
  • Table columns

Searching in detections

You can use the search bar to perform a full-text search in detections. The text string in a search query is tokenized so that search results contain both exact and fuzzy matches. Wildcards are not supported.

Search results are displayed in the table below.

If the Search also in detection alerts toggle switch is enabled, Kaspersky CyberTrace will search for a text string in incoming events and detection alerts. Otherwise, it will search only in incoming events. By default, the Search also in detection alerts toggle switch is disabled.

The table with information about detections contains the following columns:

• Detection date

  The system date and time of the detection.

• Source

  The name of the event source.

  This column may contain the source name, which is not present in Kaspersky CyberTrace already. This is possible for a retrospective scan detection if the source was deleted or renamed after saving the incoming event.

• Category

  The category of the detected object.

  Once recorded, the category name does not change, even if the supplier name changes.

• Type

  Type of the indicator that triggered the detection.

• Value

  Value of the indicator that triggered the detection.

• Tags

  The list of tags assigned to the indicator that triggered the detection.

• Total tag weight

  The total weight of the tags listed in the Tags column.

• Supplier confidence

  The level of confidence of the feed or supplier.

• Additional info
  • Source

    Select either All, TCP, or API to indicate that the detections are received via TCP, public API, or both.

    The icon indicates that the detections are received via public API.

  • Retroscan

    Select either All, Retroscan, or Not retroscan to indicate the presence or absence of detections as a result of retrospective scan, and all detections as well.

    The icon indicates the presence of detections as a result of retrospective scan.

  • FP

    Select either All, False positives, or Not false positives.

    The (gray flag) icon to indicate that the detection, together with the related indicator, has been marked as a false positive.

• Custom columns

  These columns are created according to the regular expressions of the tenant events sources and contain indicators from the sources received by means of regular expressions of Сontext type.

Each row of the table contains information about one detection.

Detections in the table are sorted by date and time, in descending order.

If the Auto-update table toggle switch is enabled, Kaspersky CyberTrace updates the table with information about detections every 10 seconds.

Customizing detections table

You can customize your detections table by enabling or disabling columns to be displayed or hidden in the detections table.

To customize the detections table:

1. Click the (Settings) icon.
2. In the Table columns section, select the check boxes against the columns that you want to be displayed in the detections table, or deselect the check boxes to hide the columns from the table.
3. Click Save.

The detections table is customized.

By default, the name of the custom column displayed in the table is the same as the name of the corresponding regular expression. You can change the name of the custom column by clicking the (Edit) icon and entering the name of the column.

If the event source or regular expression was deleted or renamed, and the corresponding custom column had been previously enabled for displaying in the table, this custom column is displayed with the icon meaning that the regular expression is deleted.

Viewing detection details

You can click a detection to view the following detailed information:

• Source event

  This section contains the substrings extracted from the incoming event by regular expressions, as well as the whole source event.

• Detection alert

  This section contains the context fields of the matched indicator in the %FieldName%=%Value% format and the whole detection alert.

  Where:

  • %FieldName% is the name of the regular expression that was used for parsing the incoming event or the field name of the feed record that matched the detected indicator.
  • %Value% is the value of the regular expression that was used for parsing the incoming event or the value of the feed record that matched the detected indicator.

Filtering detections

You can filter detections in the table by the following criteria:

• Detection date

  Specify a time period or a particular date.

• Category

  Select one or several categories of the detected objects.

• Supplier confidence

  Specify the interval of the levels of confidence of the feeds or suppliers.

• Additional info
  • Source

    Select either public API or TCP as a detections source to be displayed in the table. If the filter is not applied, all detections are displayed.

  • Retroscan

    Select either retroscan detections or non-retroscan detections to be displayed in the table. If the filter is not applied, all detections are displayed.

  • FP

    Select either detections marked or not marked as false positives to be displayed in the table. If the filter is not applied, all detections are displayed.

To filter the table by criteria:

1. Click the (funnel) icon in the column that you want to use as a filtering criterion.
2. Specify the filtering condition.
3. If present in the window for specifying the filtering condition, click the Apply button.

The content of the table is updated so that it contains only the values that meet the specified conditions.

You can specify several filtering criteria.

By default, filtering conditions are not applied.

To remove a filter:

1. Click the (funnel) icon in the column that you want to stop using as a filtering criterion.
2. Click the Reset button.

The content of the table is updated so that it is not filtered by the removed filtering criterion.

In this section About detection categories About retrospective scan detections

Page top