Log file indicators search

April 11, 2024

ID 172900

You can search log files for indicators: open the Search tab, and then select the Log file tab.

All log files that you pass to Kaspersky CyberTrace for scanning must be in UTF-8 encoding. If your log files have a different encoding, make sure to convert them to UTF-8.
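The UTF-8 requirement above is easy to get wrong when log sources write a legacy code page. The following script is an added example, not CyberTrace code: it strictly validates each file as UTF-8 and, for files that fail, re-encodes them from a fallback encoding you name on the command line (the fallback, and the default of latin-1, are assumptions; pick the code page your log source actually writes).

```python
"""Check that log files are valid UTF-8 before passing them to CyberTrace,
and re-encode the ones that are not. Added example, not part of CyberTrace."""
import sys
from pathlib import Path


def is_utf8(data: bytes) -> bool:
    """Return True if the bytes decode strictly as UTF-8 (no replacement chars)."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def to_utf8(data: bytes, fallback_encoding: str = "latin-1") -> bytes:
    """Return the data as UTF-8 bytes.

    Valid UTF-8 input is returned unchanged, so already-converted files are
    not touched twice. Anything else is decoded with fallback_encoding (an
    assumption about the source; latin-1 accepts any byte, so a wrong choice
    yields mojibake rather than an error) and re-encoded as UTF-8.
    """
    if is_utf8(data):
        return data
    return data.decode(fallback_encoding).encode("utf-8")


def convert_file(path: Path, fallback_encoding: str = "latin-1") -> bool:
    """Rewrite the file in place as UTF-8. Returns True if it was changed."""
    raw = path.read_bytes()
    fixed = to_utf8(raw, fallback_encoding)
    if fixed == raw:
        return False
    path.write_bytes(fixed)
    return True


if __name__ == "__main__":
    # usage: python check_utf8.py <fallback_encoding> file1.log [file2.log ...]
    if len(sys.argv) < 3:
        sys.exit("usage: check_utf8.py <fallback_encoding> <log file>...")
    fallback = sys.argv[1]
    for name in sys.argv[2:]:
        changed = convert_file(Path(name), fallback)
        print(f"{name}: {'converted from ' + fallback if changed else 'already UTF-8'}")
```

Run it over the files you intend to upload; a file reported as "already UTF-8" needs no further action, while a converted one should be spot-checked for mojibake, which indicates the wrong fallback encoding was chosen.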

Figure: The Log file tab (Search → Log file tab in CyberTrace).

Search for objects

You can search for one or more log files.

To search for indicators in log files:

  1. Select the log files that you want to search. Do one of the following:
    • Click the Select files button, and then select the log files.
    • Drag the log files into the colored area.
  2. Click the Search button.

The search result will appear in the Summary section.

Do not use feeds as log files for search. The scan results will contain a large number of matches, which will render the results uninformative.

Search result

After a search is performed, CyberTrace Web displays the result in the Summary section.

Figure: The Summary section in CyberTrace.

The search result consists of the following data:

  • Summary information about the search result:
    • Number of processed log files
    • Number of detected indicators
    • Number of lines that were processed
    • Number of detections for each category
  • Information about the top 100 matching indicators
  • Link to download the report about the search result

For every item among the top 100 matching indicators, the following information is displayed:

  • Number of occurrences in the checked log files
  • Name of the log file and the lines that contain the detected indicator

    Up to three lines are displayed. To view more lines that contain the detected indicator, click Show first 100 matches.

    The detected indicator is hyperlinked to detailed information about it.

    This information is displayed in the table at the bottom of the indicator card.

  • Fields of feed records that matched the indicator

    This information is displayed at the top of the indicator card.

If no information is found for the indicators in the log file, a message to that effect is displayed.

Note that if you run a search and then switch to another tab, the search results remain available in the search request history.

Downloading search reports

You can download a report with the results of the search operation. The report is a .csv file.

To download a report,

Select the Download report link, and then specify the directory to which you want to save the report.

A full report about a search result has the following fields:

  • file_name—Name of the log file
  • file_line—Line in the log file that contains the detected indicator
  • detected_indicator—The detected indicator
  • category—Category of the detected indicator
  • Context fields from the feed

Files with search reports will be stored in the httpsrv directory. Only the administrator (in Windows) or the root user (in Linux) has permission to open this directory.
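Because the report is a plain .csv with the fields listed above, it can be post-processed outside CyberTrace Web, for example to rebuild the per-category and top-indicator figures from the Summary section or to feed matches into a ticketing system. The script below is an added example, not CyberTrace's own tooling: the four base columns are the ones documented here, while the constructed sample report, its context columns (threat, first_seen) and all indicator values are invented placeholders.

```python
"""Summarize a CyberTrace log-file search report (.csv).
Added example; not part of CyberTrace. Base columns per the documentation:
file_name, file_line, detected_indicator, category; any further columns are
context fields from the feed."""
import csv
import io
from collections import Counter

# Constructed sample report (placeholder data, not from a real search).
SAMPLE_REPORT = """file_name,file_line,detected_indicator,category,threat,first_seen
proxy.log,"GET http://malicious.example/a.php from 10.0.0.5",malicious.example,Malicious_URL,Trojan.Example,2024-03-01
proxy.log,"GET http://malicious.example/b.php from 10.0.0.7",malicious.example,Malicious_URL,Trojan.Example,2024-03-01
dns.log,"query badhost.example A",badhost.example,Malicious_Host,Backdoor.Example,2024-02-11
av.log,"file hash 0123456789abcdef0123456789abcdef detected",0123456789abcdef0123456789abcdef,Malicious_Hash,Trojan.Example,2024-01-20
"""

BASE_FIELDS = ("file_name", "file_line", "detected_indicator", "category")


def parse_report(text: str) -> list[dict]:
    """Parse report CSV text into rows; fail loudly if a base column is absent."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        missing = [f for f in BASE_FIELDS if f not in row]
        if missing:
            raise ValueError(f"report is missing columns: {missing}")
    return rows


def summarize(rows: list[dict], top_n: int = 100) -> dict:
    """Rebuild the Summary-section figures that the report can support.

    The number of processed lines is not derivable here: the report lists
    only matching lines, so only files, matches, indicators and per-category
    counts are reconstructed.
    """
    by_category = Counter(r["category"] for r in rows)
    by_indicator = Counter(r["detected_indicator"] for r in rows)
    return {
        "files": len({r["file_name"] for r in rows}),
        "matches": len(rows),
        "indicators": len(by_indicator),
        "by_category": dict(by_category),
        "top_indicators": by_indicator.most_common(top_n),
    }


def lines_for(rows: list[dict], indicator: str, limit: int = 3) -> list[tuple]:
    """Return up to `limit` (file_name, file_line) pairs for one indicator,
    mirroring the three lines shown on the indicator card."""
    hits = [(r["file_name"], r["file_line"]) for r in rows
            if r["detected_indicator"] == indicator]
    return hits[:limit]


def context_for(rows: list[dict], indicator: str) -> dict:
    """Return the feed context fields (non-base columns) for one indicator."""
    for r in rows:
        if r["detected_indicator"] == indicator:
            return {k: v for k, v in r.items() if k not in BASE_FIELDS}
    return {}


if __name__ == "__main__":
    # usage: python summarize_report.py report.csv   (no argument: sample data)
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    report_rows = parse_report(text)
    summary = summarize(report_rows)
    print(f"files={summary['files']} matches={summary['matches']} "
          f"indicators={summary['indicators']}")
    for cat, n in sorted(summary["by_category"].items()):
        print(f"  {cat}: {n}")
    for ind, n in summary["top_indicators"]:
        print(f"{ind} ({n}) context={context_for(report_rows, ind)}")
        for fname, line in lines_for(report_rows, ind):
            print(f"    {fname}: {line}")
```

Because the report directory is readable only by the administrator or root, run such post-processing from that account or copy the file out with appropriately restricted permissions first.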

Regular expressions for searching indicators from log files

To parse log files for indicators, CyberTrace Web uses the regular expressions defined in the Kaspersky CyberTrace Service configuration file. The regular expressions are specified by a special event source called http_file_lookup.
