Viewing detections

February 27, 2024

ID 193678

The Detections tab of Kaspersky CyberTrace Web displays information about the incoming events that have produced detections in Kaspersky CyberTrace, including source events and detection events. You can use this tab to search events and filter them by criteria. The Detections tab contains the following elements:

  • Search bar
  • Search also in detection events toggle button
  • Auto-update table toggle button
  • Table with information about detections

Searching in detections

You can use the search bar to perform a full-text search in detections. The text string in a search query is tokenized so that search results contain both exact and fuzzy matches. Wildcards are not supported.

Search results are displayed in the table below.

If the Search also in detection events toggle button is switched on, Kaspersky CyberTrace will search for a text string in incoming events and detection events. Otherwise, it will search only in incoming events. By default, the Search also in detection events toggle button is switched on.

The table with information about detections contains the following columns:

  • Detection date

    This column contains the system date and time of the detection (in the yyyy-mm-dd HH:MM:SS format).

  • Tenant

    This column contains the name of the tenant. It is displayed only in multitenancy mode when there are several tenants.

  • Source

    This column contains the name of the event source.

  • Category

    This column contains the category of the detected object.

    Once recorded, the category name does not change, even if the supplier name changes.

  • Tag

    This column contains the list of tags assigned to the indicator that triggered the detection.

  • Total tag weight

    This column contains the total weight of the tags listed in the Tags column.

  • Details

    This column contains the indicator from the database that was matched to the incoming event.

Each row of the table contains information about one detection. You can click a detection to view the following detailed information:

  • Source event

    This section contains the substrings extracted from the incoming event by regular expressions, as well as the whole source event.

  • Detection event

    This section contains the context fields of the matched indicator in the %FieldName%=%Value% format and the whole detection event.

    Where:

    • %FieldName% is the name of the regular expression that was used for parsing the incoming event or the field name of the feed record that matched the detected indicator.
    • %Value% is the value of the regular expression that was used for parsing the incoming event or the value of the feed record that matched the detected indicator.

Detections in the table are sorted by date and time, in descending order.

If the Auto-update table toggle button is switched on, Kaspersky CyberTrace updates the table with information about detections every 10 seconds.

Filtering detections

You can filter detections in the table by the following criteria:

  • Detection date

    You can specify a time period or a particular date.

  • Tenant

    If there is more than one tenant, you can specify one or several tenant names.

  • Source

    If there is more than one event source, you can specify one or several event sources.

  • Category

    If there is more than one category, you can specify one or several categories of the detected object.

To filter detections in the table by criteria:

  1. Click the column that you want to use as a filtering criterion.
  2. Specify the filtering condition, and then click Apply.

The content of the table is updated so that it contains only detections that meet the specified conditions.

You can specify several filtering criteria.

By default, filtering conditions are not applied.

Below is the list of available detection categories. These categories are applicable to Kaspersky feeds and OSINT feeds supported by Kaspersky CyberTrace.

Detection category

Description

KL_APT_Hash_MD5

Hash of a malicious file used in an APT campaign is detected by Kaspersky CyberTrace.

KL_APT_Hash_SHA1

Hash of a malicious file used in an APT campaign is detected by Kaspersky CyberTrace.

KL_APT_Hash_SHA256

Hash of a malicious file used in an APT campaign is detected by Kaspersky CyberTrace.

KL_APT_IP

IP address used in an APT campaign is detected by Kaspersky CyberTrace.

KL_APT_URL

URL used in an APT campaign is detected by Kaspersky CyberTrace.

KL_BotnetCnC_Hash_MD5

Botnet hash is detected by Kaspersky CyberTrace.

KL_BotnetCnC_Hash_SHA1

Botnet hash is detected by Kaspersky CyberTrace.

KL_BotnetCnC_Hash_SHA256

Botnet hash is detected by Kaspersky CyberTrace.

KL_BotnetCnC_URL

Botnet C&C URL is detected by Kaspersky CyberTrace.

KL_ICS_Hash_MD5

ICS hash is detected by Kaspersky CyberTrace.

KL_ICS_Hash_SHA1

ICS hash is detected by Kaspersky CyberTrace.

KL_ICS_Hash_SHA256

ICS hash is detected by Kaspersky CyberTrace.

KL_InternalTI_URL

URL of the InternalTI list of Kaspersky CyberTrace.

KL_InternalTI_IP

IP of the InternalTI list of Kaspersky CyberTrace.

KL_InternalTI_Hash_MD5

Hash of the InternalTI list of Kaspersky CyberTrace.

KL_InternalTI_Hash_SHA1

Hash of the InternalTI list of Kaspersky CyberTrace.

KL_InternalTI_Hash_SHA256

Hash of the InternalTI list of Kaspersky CyberTrace.

KL_IoT_Hash_MD5

Hash of an IoT is detected by Kaspersky CyberTrace.

KL_IoT_Hash_SHA1

Hash of an IoT is detected by Kaspersky CyberTrace.

KL_IoT_Hash_SHA256

Hash of an IoT is detected by Kaspersky CyberTrace.

KL_IoT_URL

URL that infects Internet of Things-enabled (IoT) devices is detected by Kaspersky CyberTrace.

KL_IP_Reputation

Malicious IP address is detected by Kaspersky CyberTrace.

KL_IP_Reputation_Hash_MD5

Hash of a file hosted on a malicious IP address is detected by Kaspersky CyberTrace.

KL_IP_Reputation_Hash_SHA1

Hash of a file hosted on a malicious IP address is detected by Kaspersky CyberTrace.

KL_IP_Reputation_Hash_SHA256

Hash of a file hosted on a malicious IP address is detected by Kaspersky CyberTrace.

KL_Malicious_URL

Malicious URL is detected by Kaspersky CyberTrace.

KL_Malicious_URL_Hash_MD5

Hash of a file hosted on a malicious URL is detected by Kaspersky CyberTrace.

KL_Malicious_URL_Hash_SHA1

Hash of a file hosted on a malicious URL is detected by Kaspersky CyberTrace.

KL_Malicious_URL_Hash_SHA256

Hash of a file hosted on a malicious URL is detected by Kaspersky CyberTrace.

KL_Malicious_Hash_MD5

Malicious hash is detected by Kaspersky CyberTrace.

KL_Malicious_Hash_SHA1

Malicious hash is detected by Kaspersky CyberTrace.

KL_Malicious_Hash_SHA256

Malicious hash is detected by Kaspersky CyberTrace.

KL_Mobile_Malicious_Hash_MD5

Mobile malicious hash is detected by Kaspersky CyberTrace.

KL_Mobile_Malicious_Hash_SHA1

Mobile malicious hash is detected by Kaspersky CyberTrace.

KL_Mobile_Malicious_Hash_SHA256

Mobile malicious hash is detected by Kaspersky CyberTrace.

KL_Mobile_BotnetCnC_Hash_MD5

Mobile botnet C&C hash is detected by Kaspersky CyberTrace.

KL_Mobile_BotnetCnC_Hash_SHA1

Mobile botnet C&C hash is detected by Kaspersky CyberTrace.

KL_Mobile_BotnetCnC_Hash_SHA256

Mobile botnet C&C hash is detected by Kaspersky CyberTrace.

KL_Mobile_BotnetCnC_URL

Mobile botnet C&C URL is detected by Kaspersky CyberTrace.

KL_Phishing_URL

Phishing URL is detected by Kaspersky CyberTrace.

KL_Ransomware_URL

URL that hosts ransomware is detected by Kaspersky CyberTrace.

KL_Ransomware_URL_Hash_MD5

Hash of ransomware is detected by Kaspersky CyberTrace.

KL_Ransomware_URL_Hash_SHA1

Hash of ransomware is detected by Kaspersky CyberTrace.

KL_Ransomware_URL_Hash_SHA256

Hash of ransomware is detected by Kaspersky CyberTrace.

AbuseCh_Feodo_Block_IP

IP address from the Abuse.Ch_Feodo_Block_IP feed is detected by Kaspersky CyberTrace.

AbuseCh_Ransomware_Block_URL

URL from the Abuse.Ch_Ransomware_Block_URL feed is detected by Kaspersky CyberTrace.

AbuseCh_Ransomware_Block_Domain

Domain from the Abuse.Ch_Ransomware_Block_Domain feed is detected by Kaspersky CyberTrace.

AbuseCh_Ransomware_Block_IP

IP address from the Abuse.Ch_Ransomware_Block_IP feed is detected by Kaspersky CyberTrace.

AbuseCh_Ransomware_Common_URL

URL from the Abuse.Ch_Ransomware_Common_URL feed is detected by Kaspersky CyberTrace.

AbuseCh_SSL_Certificate_Block_IP

IP address from the AbuseCh_SSL_Certificate_Block_IP feed is detected by Kaspersky CyberTrace.

AbuseCh_SSL_Certificate_Hash_SHA1

Hash from the AbuseCh_SSL_Certificate_Hash_SHA1 feed is detected by Kaspersky CyberTrace.

BlocklistDe_Block_IP

IP from the BlocklistDe_Block_IP feed is detected by Kaspersky CyberTrace.

CyberCrime_Tracker_Block_Url

URL from the CyberCrime_Tracker_Block_Url feed is detected by Kaspersky CyberTrace.

EmergingThreats_Block_IP

IP address from the EmergingThreats_Block_IP feed is detected by Kaspersky CyberTrace.

EmergingThreats_Compromised_IP

IP address from the EmergingThreats_Compromised_IP feed is detected by Kaspersky CyberTrace.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.