In addition to adding nodes and relationships to a graph manually, Kaspersky CyberTrace can enrich the graph by automatically adding information about objects related to a node. The source of this information can be both Kaspersky CyberTrace itself and external sources such as Kaspersky Threat Intelligence Portal or VirusTotal. Running the enrichment process is called transformation.
Most of the graph enrichment sources do not support processing URL indicators that contain the '*' character in the domain part. Performing transformation on the node with such a URL indicator will result in an error or empty output.
By default, Kaspersky CyberTrace provides you with the following transformations:
Getting indicators from the same feeds as the initial standard Kaspersky CyberTrace indicator:
All related indicators (hashes, URLs, IP addresses).
Getting the latest 100 detections related to a standard Kaspersky CyberTrace indicator.
Kaspersky CyberTrace requires an access token to connect to Kaspersky Threat Intelligence Portal.
The IP addresses from the DNS resolution for the given URL.
Kaspersky CyberTrace requires an access token to connect to VirusTotal.
Information about the given URL.
List of files that interact with the given URL.
List of files downloaded from the given URL.
List of files that contain the given URL.
List of domains from which the given URL downloads a resource.
List of URLs that reference the given URL.
List of URLs that the given URL redirects to.
List of URLs that redirect to the given URL.
List of subdomains for the given domain.
For such transformations, before sending a request to the VirusTotal API, Kaspersky CyberTrace determines whether the target node is definitely a domain.
If the node is not a "pure" domain but a URL, an empty result is returned.
List of URLs for the given domain.
Before sending a request to the VirusTotal API, Kaspersky CyberTrace determines whether the target node is definitely a domain. If the node is not a "pure" domain but a URL, an empty result is returned.
List of IP addresses from which the given URL downloads a resource.
The last IP address resolution for the given URL.
Network location for the given URL.
List of IP addresses that the given domain resolves to.
Before sending a request to the VirusTotal API, Kaspersky CyberTrace determines whether the target node is definitely a domain. If the node is not a "pure" domain but a URL, an empty result is returned.
Information about the given hash.
List of files bundled in the same archive with the file with the given hash.
List of files that are children of the file with the given hash.
List of files that are parents of the file with the given hash.
List of files (archives) that contained the file with the given hash.
List of files that are removed by the file with the given hash.
List of files that executed the file with the given hash.
List of domains contacted by the file with the given hash.
List of URLs contacted by the file with the given hash.
List of IP addresses embedded in the file with the given hash.
List of URLs embedded in the file with the given hash.
List of domains from which the file with the given hash was downloaded.
List of URLs from which the file with the given hash was downloaded.
List of IP addresses contacted by the file with the given hash.
List of IP addresses from which the file with the given hash was downloaded.
Information about the given IP address.
List of files that interact with the given IP address.
List of files downloaded from the given IP address.
List of files that contain the given IP address.
List of domains that resolve to the given IP address.
List of URLs that direct to the given IP address.
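The two limitations noted above (a '*' in the domain part of a URL indicator, and domain transformations run on a node that is a URL rather than a "pure" domain) can be checked before a transformation is started. The following is an added example, not Kaspersky CyberTrace code: the names classify, empty_result_reason and DOMAIN_ONLY are hypothetical, and the parsing rules are an assumption about what counts as a "pure" domain.

```python
import ipaddress
import re

# Transformations that this page says are preceded by a "pure domain" check.
DOMAIN_ONLY = {
    "List of subdomains for the given domain",
    "List of URLs for the given domain",
    "List of IP addresses that the given domain resolves to",
}
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
LABEL = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")


def classify(indicator):
    """Return 'wildcard_url', 'ip', 'domain' or 'url' for a node value."""
    rest = indicator.strip()
    scheme = SCHEME.match(rest)
    if scheme:
        rest = rest[scheme.end():]
    # The authority (domain part) ends at the first '/', '?' or '#'.
    cut = min((i for i in map(rest.find, "/?#") if i != -1), default=len(rest))
    authority, tail = rest[:cut], rest[cut:]
    host = authority.rsplit("@", 1)[-1]  # drop any userinfo
    if "*" in host:  # a '*' in the path or query does not count
        return "wildcard_url"
    # Assumption: a scheme, userinfo, port, path or query makes it a URL.
    bare = not scheme and not tail and host == authority
    try:
        ipaddress.ip_address(host.strip("[]"))
        return "ip" if bare else "url"
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    # Assumption: a pure domain has at least two valid DNS labels.
    if bare and len(labels) > 1 and all(LABEL.match(x) for x in labels):
        return "domain"
    return "url"


def empty_result_reason(indicator, transformation):
    """Return why the page predicts an error or empty result, else None."""
    kind = classify(indicator)
    if kind == "wildcard_url":
        return "'*' in the domain part: most sources give an error or empty output"
    if transformation in DOMAIN_ONLY and kind == "url":
        return "node is a URL, not a pure domain: empty result"
    return None


if __name__ == "__main__":
    for s in ("example.com", "example.com/login.php", "*.example.com/a"):  # constructed
        print(s, "->", classify(s))
```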