Viewing detections

The Detections tab of Kaspersky CyberTrace Web displays information about the incoming events that have produced detections in Kaspersky CyberTrace, including source events and detection events. You can use this tab to search events and filter them by criteria. The Detections tab contains the following elements:

Search bar
Search also in detection events toggle button
Auto-update table toggle button
Table with information about detections

Searching in detections

You can use the search bar to perform a full-text search in detections. The text string in a search query is tokenized so that search results contain both exact and fuzzy matches. Wildcards are not supported.

Search results are displayed in the table below.

If the Search also in detection events toggle button is switched on, Kaspersky CyberTrace will search for a text string in incoming events and detection events. Otherwise, it will search only in incoming events. By default, the Search also in detection events toggle button is switched on.

The table with information about detections contains the following columns:

Detection date
This column contains the system date and time of the detection (in the yyyy-mm-dd HH:MM:SS format).
Tenant
This column contains the name of the tenant. It is displayed only in multitenancy mode when there are several tenants.
Source
This column contains the name of the event source.
Category
This column contains the category of the detected object.

Once recorded, the category name does not change, even if the supplier name changes.
Tag
This column contains the list of tags assigned to the indicator that triggered the detection.
Total tag weight
This column contains the total weight of the tags listed in the Tags column.
Details
This column contains the indicator from the database that was matched to the incoming event.

Each row of the table contains information about one detection. You can click a detection to view the following detailed information:

Source event
This section contains the substrings extracted from the incoming event by regular expressions, as well as the whole source event.
Detection event
This section contains the context fields of the matched indicator in the %FieldName%=%Value% format and the whole detection event.

Where:
- %FieldName% is the name of the regular expression that was used for parsing the incoming event or the field name of the feed record that matched the detected indicator.
- %Value% is the value of the regular expression that was used for parsing the incoming event or the value of the feed record that matched the detected indicator.

Detections in the table are sorted by date and time, in descending order.

If the Auto-update table toggle button is switched on, Kaspersky CyberTrace updates the table with information about detections every 10 seconds.

Filtering detections

You can filter detections in the table by the following criteria:

Detection date
You can specify a time period or a particular date.
Tenant
If there is more than one tenant, you can specify one or several tenant names.
Source
If there is more than one event source, you can specify one or several event sources.
Category
If there is more than one category, you can specify one or several categories of the detected object.

To filter detections in the table by criteria:

Click the column that you want to use as a filtering criterion.
Specify the filtering condition, and then click Apply.

The content of the table is updated so that it contains only detections that meet the specified conditions.

You can specify several filtering criteria.

By default, filtering conditions are not applied.

Below is the list of available detection categories. These categories are applicable to Kaspersky feeds and OSINT feeds supported by Kaspersky CyberTrace.

Detection category	Description
KL_APT_Hash_MD5	Hash of a malicious file used in an APT campaign is detected by Kaspersky CyberTrace.
KL_APT_Hash_SHA1	Hash of a malicious file used in an APT campaign is detected by Kaspersky CyberTrace.
KL_APT_Hash_SHA256	Hash of a malicious file used in an APT campaign is detected by Kaspersky CyberTrace.
KL_APT_IP	IP address used in an APT campaign is detected by Kaspersky CyberTrace.
KL_APT_URL	URL used in an APT campaign is detected by Kaspersky CyberTrace.
KL_BotnetCnC_Hash_MD5	Botnet hash is detected by Kaspersky CyberTrace.
KL_BotnetCnC_Hash_SHA1	Botnet hash is detected by Kaspersky CyberTrace.
KL_BotnetCnC_Hash_SHA256	Botnet hash is detected by Kaspersky CyberTrace.
KL_BotnetCnC_URL	Botnet C&C URL is detected by Kaspersky CyberTrace.
KL_ICS_Hash_MD5	ICS hash is detected by Kaspersky CyberTrace.
KL_ICS_Hash_SHA1	ICS hash is detected by Kaspersky CyberTrace.
KL_ICS_Hash_SHA256	ICS hash is detected by Kaspersky CyberTrace.
KL_InternalTI_URL	URL of the InternalTI list of Kaspersky CyberTrace.
KL_InternalTI_IP	IP of the InternalTI list of Kaspersky CyberTrace.
KL_InternalTI_Hash_MD5	Hash of the InternalTI list of Kaspersky CyberTrace.
KL_InternalTI_Hash_SHA1	Hash of the InternalTI list of Kaspersky CyberTrace.
KL_InternalTI_Hash_SHA256	Hash of the InternalTI list of Kaspersky CyberTrace.
KL_IoT_Hash_MD5	Hash of an IoT is detected by Kaspersky CyberTrace.
KL_IoT_Hash_SHA1	Hash of an IoT is detected by Kaspersky CyberTrace.
KL_IoT_Hash_SHA256	Hash of an IoT is detected by Kaspersky CyberTrace.
KL_IoT_URL	URL that infects Internet of Things-enabled (IoT) devices is detected by Kaspersky CyberTrace.
KL_IP_Reputation	Malicious IP address is detected by Kaspersky CyberTrace.
KL_IP_Reputation_Hash_MD5	Hash of a file hosted on a malicious IP address is detected by Kaspersky CyberTrace.
KL_IP_Reputation_Hash_SHA1	Hash of a file hosted on a malicious IP address is detected by Kaspersky CyberTrace.
KL_IP_Reputation_Hash_SHA256	Hash of a file hosted on a malicious IP address is detected by Kaspersky CyberTrace.
KL_Malicious_URL	Malicious URL is detected by Kaspersky CyberTrace.
KL_Malicious_URL_Hash_MD5	Hash of a file hosted on a malicious URL is detected by Kaspersky CyberTrace.
KL_Malicious_URL_Hash_SHA1	Hash of a file hosted on a malicious URL is detected by Kaspersky CyberTrace.
KL_Malicious_URL_Hash_SHA256	Hash of a file hosted on a malicious URL is detected by Kaspersky CyberTrace.
KL_Malicious_Hash_MD5	Malicious hash is detected by Kaspersky CyberTrace.
KL_Malicious_Hash_SHA1	Malicious hash is detected by Kaspersky CyberTrace.
KL_Malicious_Hash_SHA256	Malicious hash is detected by Kaspersky CyberTrace.
KL_Mobile_Malicious_Hash_MD5	Mobile malicious hash is detected by Kaspersky CyberTrace.
KL_Mobile_Malicious_Hash_SHA1	Mobile malicious hash is detected by Kaspersky CyberTrace.
KL_Mobile_Malicious_Hash_SHA256	Mobile malicious hash is detected by Kaspersky CyberTrace.
KL_Mobile_BotnetCnC_Hash_MD5	Mobile botnet C&C hash is detected by Kaspersky CyberTrace.
KL_Mobile_BotnetCnC_Hash_SHA1	Mobile botnet C&C hash is detected by Kaspersky CyberTrace.
KL_Mobile_BotnetCnC_Hash_SHA256	Mobile botnet C&C hash is detected by Kaspersky CyberTrace.
KL_Mobile_BotnetCnC_URL	Mobile botnet C&C URL is detected by Kaspersky CyberTrace.
KL_Phishing_URL	Phishing URL is detected by Kaspersky CyberTrace.
KL_Ransomware_URL	URL that hosts ransomware is detected by Kaspersky CyberTrace.
KL_Ransomware_URL_Hash_MD5	Hash of ransomware is detected by Kaspersky CyberTrace.
KL_Ransomware_URL_Hash_SHA1	Hash of ransomware is detected by Kaspersky CyberTrace.
KL_Ransomware_URL_Hash_SHA256	Hash of ransomware is detected by Kaspersky CyberTrace.
AbuseCh_Feodo_Block_IP	IP address from the Abuse.Ch_Feodo_Block_IP feed is detected by Kaspersky CyberTrace.
AbuseCh_Ransomware_Block_URL	URL from the Abuse.Ch_Ransomware_Block_URL feed is detected by Kaspersky CyberTrace.
AbuseCh_Ransomware_Block_Domain	Domain from the Abuse.Ch_Ransomware_Block_Domain feed is detected by Kaspersky CyberTrace.
AbuseCh_Ransomware_Block_IP	IP address from the Abuse.Ch_Ransomware_Block_IP feed is detected by Kaspersky CyberTrace.
AbuseCh_Ransomware_Common_URL	URL from the Abuse.Ch_Ransomware_Common_URL feed is detected by Kaspersky CyberTrace.
AbuseCh_SSL_Certificate_Block_IP	IP address from the AbuseCh_SSL_Certificate_Block_IP feed is detected by Kaspersky CyberTrace.
AbuseCh_SSL_Certificate_Hash_SHA1	Hash from the AbuseCh_SSL_Certificate_Hash_SHA1 feed is detected by Kaspersky CyberTrace.
BlocklistDe_Block_IP	IP from the BlocklistDe_Block_IP feed is detected by Kaspersky CyberTrace.
CyberCrime_Tracker_Block_Url	URL from the CyberCrime_Tracker_Block_Url feed is detected by Kaspersky CyberTrace.
EmergingThreats_Block_IP	IP address from the EmergingThreats_Block_IP feed is detected by Kaspersky CyberTrace.
EmergingThreats_Compromised_IP	IP address from the EmergingThreats_Compromised_IP feed is detected by Kaspersky CyberTrace.

Page top