Retrospective scan detections have certain differences from detections that are based on matching. The specifics of retrospective scan detections are described in this section.
During a retrospective scan, the incoming event saved for analysis in Kaspersky CyberTrace represents only the values obtained by means of the regular expressions specified on the Regular expressions tab of the retrospective scan settings. Due to this, in the Whole source event field on the Detections page, there will be a placeholder instead of an incoming event.
The Reception date field for retroscan detections contains the date of receiving the initial event, not the date of detection, which is specified in the Detection date column.
If the names of the regular expressions were changed in the settings from the moment the incoming event was saved until the retroscan detection was formed, the context of the detection alert, which uses the changed regular expressions, will not include the corresponding values because they are named differently in the saved event. See the example below:
Incoming event:
CEF:0|Kaspersky|CyberTrace Verification Kit|1.2|0|Verification_test|2| request=http://fakess123bn.nu suser=EvalTestUserName src=192.168.0.0 dvc=127.0.0.0 dst=192.0.2.0 act=VerificationTest eventId=110 |
Configured regular expressions at the moment of receiving an event:
RE_URL: (?:\:\/\/)((?:\S+(?::\S*)?+@)?(?:(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-*)*[a-z\x{00a1}-\x{ffff}0-9]*)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-)*+[a-z\x{00a1}-\x{ffff}0-9]++)*(?:\.(?:[a-z\x{00a1}-\x{ffff}\-0-9]+)))(?:\.*:\d{2,5})?+(?:\.*\/[^\s\"\<\>]*+)?+)
SRC_IP: (?:\:\/\/)((?:\S+(?::\S*)?+@)?(?:(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-*)*[a-z\x{00a1}-\x{ffff}0-9]*)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-)*+[a-z\x{00a1}-\x{ffff}0-9]++)*(?:\.(?:[a-z\x{00a1}-\x{ffff}\-0-9]+)))(?:\.*:\d{2,5})?+(?:\.*\/[^\s\"\<\>]*+)?+)
UserName: suser\=(.*?)(?:$|\s)
|
Configured regular expressions at the moment of forming a retroscan detection:
REGEX_URL: (?:\:\/\/)((?:\S+(?::\S*)?+@)?(?:(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-*)*[a-z\x{00a1}-\x{ffff}0-9]*)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-)*+[a-z\x{00a1}-\x{ffff}0-9]++)*(?:\.(?:[a-z\x{00a1}-\x{ffff}\-0-9]+)))(?:\.*:\d{2,5})?+(?:\.*\/[^\s\"\<\>]*+)?+)
SRC_IP: (?:\:\/\/)((?:\S+(?::\S*)?+@)?(?:(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-*)*[a-z\x{00a1}-\x{ffff}0-9]*)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-)*+[a-z\x{00a1}-\x{ffff}0-9]++)*(?:\.(?:[a-z\x{00a1}-\x{ffff}\-0-9]+)))(?:\.*:\d{2,5})?+(?:\.*\/[^\s\"\<\>]*+)?+)
USER_NAME: suser\=(.*?)(?:$|\s)
|
Detection format:
CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| reason=%Category% src=%SRC_IP% request=%REGEX_URL% suser=%USER_NAME% msg=CyberTrace detected %Category% cs5Label=MatchedIndicator |
Formed retroscan detection alert:
CEF:0|Kaspersky|Kaspersky CyberTrace for ArcSight|2.0|2|CyberTrace Detection Event|8| reason=KL_BotnetCnC_URL src=192.168.0.0 request=- suser=- msg=CyberTrace detected KL_BotnetCnC_URL cs5Label=MatchedIndicator cs5=fakess123bn.nu |