Search syntax

Kaspersky CyberTrace allows you to search the indicator database by the following attribute names:

Use the following syntax for search requests:

• If special symbols ([space], +, -, =, &&, ||, >, <, !, (, ), {, }, [, ], ^, ", ~, *, ?, :, \, /) are used in a search for a substring (see below), use an escape character to specify these symbols in the request body. Below you can find exceptions for using special symbols in search requests.

  Kaspersky CyberTrace uses the \ escape character.

• Use a space character. If the search substring should contain a space, the word without the escape character that follows the space will not be related to the search substring.

  Example #1: supplier_vendor_name: Vendor\ Test – Returns all indicators that belong to the sources with a vendor named "Vendor Test."

  Example #2: supplier_vendor_name: Vendor Test – Returns all indicators that belong to the sources with a vendor named "Vendor" or indicators that have the word "test" in the context.

• Use quotation marks to enclose particular substrings, parentheses to enclose logical blocks. For starting or ending values, use braces ({}) for intervals that exclude the boundaries, and brackets ([]) for intervals that include the boundaries. Braces and brackets can be combined if you need to specify an interval with an opening bracket of one type and a closing bracket of another type. Quotation marks and all these types of brackets have to be in pairs in the search request.

  You may not enclose the search substring in quotation marks if the substring does not contain the special characters indicated above. In this case, the search results will include only indicators and the specified substring of which fully matches one of the values of any field. Therefore, if you want to find the indicators, the search substring of which is only a part of the value, use wildcards (asterisk (*) or question mark (?) – see below).

  You can use quotation marks and all types of brackets unpaired in the following cases:

  • If an unpaired bracket or quotation mark is used together with an escape character.

    Example: ioc_value:asd\]

  • If an unpaired bracket is enclosed in quotation marks.

    Example: ioc_value:"1234]"

• Do not use a tab character.
• Specify a colon (:) only after the indicator attribute name or use it together with an escape character.
• Do not specify an empty value in parentheses, except when this value is specified with an escape character or is enclosed in quotation marks.

  Example of the incorrect request: ( )

  Example of the correct request: (" ")

• In braces ({}) and brackets ([]), use the %begin_value% TO %end_value% pattern, where %begin_value% and %end_value% are the values intended for open and closed intervals (except when brackets are enclosed in quotation marks).

  Example of an incorrect request: [* 100]

  Example of a correct request: [* TO 100]

• Do not specify an empty value when searching for a specific attribute.

  Example of an incorrect request: ioc_type:

  Example of a correct request: ioc_type:url

• Use logical operators (AND, OR, NOT) without quotation marks and all uppercase.
• Enclose logical AND, OR in spaces. You may not use a logical NOT with left space if NOT is specified just after the left parenthesis or colon.

  Example of an incorrect request: supplier_confidence:(89OR91)

  Example of a correct request: supplier_confidence:NOT(89 OR 91)

• Do not specify an empty value after a logical operator.

  Example of an incorrect request: supplier_confidence:(89 OR )

  Example of a correct request: supplier_confidence:(89 OR 91)

• For the ioc_supplier_context attribute, use a period when searching for a specific nested attribute.

  Example: ioc_supplier_context.files.threat:"HEUR:Exploit.SWF.Generic"

• For the ioc_supplier_context attribute, if your search string contains a space character, use the "\" (backslash) escape character before the space character.

  Example: ioc_supplier_context.details.SMS\ Number:1003

• For the ioc_supplier_context attribute, use the ioc_supplier_context.\\* pattern to search for all nested attributes.

  Example: ioc_supplier_context.\\*:HEUR

• Use the asterisk (*) for any other sequence of characters and question mark (?) for a single character as wildcards in substitutes.

  Example #1: supplier_vendor_name: Vendor – Search for indicators that belong to sources with a vendor named "Vendor".

  Example #2: supplier_vendor_name: Vendor* – Search for indicators that belong to sources with a vendor whose name begins with "Vendor".

  The use of an asterisk (*) at the beginning of the request can lead to checking all attribute values from the indicator database. This usually causes a long wait for a response from the database.

Examples

The following request will display all indicators that contain an at, ca, kr, ru, ir substring in any of the indicator attributes:

The following request will display all indicators that have a supplier_confidence attribute value that is equal to 89 or 91:

The following request will display all indicators that have an ioc_value attribute value containing the 123321 substring:

The following request will display all indicators that were added to the database between 2012-01-01 and 2012-12-31 (including the boundaries):

The following request will display all indicators that have a level of confidence in the range of 10 to 50 (excluding the boundaries):

The following request will display all indicators that have a threat_score context field value greater than 75:

The following request will display all indicators that have a files/threat context attribute containing the HEUR:Exploit.SWF.Generic substring:

The following request will display all indicators that have context attributes with any nesting level that contains the HEUR value: