Search syntax

February 27, 2024

ID 203344

Kaspersky CyberTrace allows you to search the indicator database by the following attribute names (each attribute name is listed with its description):

ioc_type
    Indicator type.

ioc_value
    Indicator value.

ioc_created_date
    Date and time when the requested indicator was added to the database.

ioc_updated_date
    Date and time of the last indicator update.

ioc_comment
    Comment about the indicator.

ioc_summary
    Summary information about the indicator from the InternalTI supplier.

ioc_first_detected_date
    Date and time when the detection event was first received.

ioc_last_detected_date
    Date and time when the detection event was last received.

username
    Name of the user who added the indicator to the InternalTI supplier / FalsePositive supplier.

ioc_supplier_can_match
    Flag showing that the indicator can be used in the matching process.

    This flag is set for indicators that should have been deleted during a supplier update or on expiration of the retention period but were kept, because they belong to the InternalTI supplier or were involved in the detection process.

    Use true or false as the value for this parameter.

ioc_supplier_last_updated_date
    Date and time when the information related to the indicator from the supplier was last updated.

ioc_supplier_send_match_event
    Flag for sending detection events to the SIEM solution.

supplier_name
    Name of the indicator supplier.

    In Kaspersky CyberTrace, the following types of suppliers are supported:

      • Downloaded feed file

        For this type of supplier, the value of the supplier_name attribute is the name of a feed file specified in kl_feed_util.conf.

      • REST API request

        For this type of supplier, the value of the supplier_name attribute is the name of a supplier added through REST API.

      • Web user interface (InternalTI or FalsePositive suppliers)

        For this type of supplier, the value of the supplier_name attribute depends on the list to which you are adding an indicator (InternalTI or FalsePositive).

        If you add a new indicator through the Indicators tab of Kaspersky CyberTrace Web, the value is InternalTI.

        If you add an indicator to the false positives list through the False positives window of the Feeds tab, or if you mark an indicator as false positive, the value is FalsePositive.

supplier_confidence
    Level of confidence of the supplier.

supplier_vendor_name
    Name of the supplier vendor.

ioc_supplier_context
    Context information related to the indicator.

This attribute can contain nested attributes. The rule to search for all nested attributes is described below.

Use the following syntax for search requests:

  • If special symbols ([space], +, -, =, &&, ||, >, <, !, (, ), {, }, [, ], ^, ", ~, *, ?, :, \, /) are used in a search for a substring (see below), use an escape character to specify these symbols in the request body. Below you can find exceptions for using special symbols in search requests.

    Kaspersky CyberTrace uses the \ escape character.

  • A space character separates search terms. If the search substring itself should contain a space, escape the space; otherwise the word that follows the space is treated as a separate term and is not related to the search substring.

    Example #1: supplier_vendor_name: Vendor\ Test – Returns all indicators that belong to the sources with a vendor named "Vendor Test."

    Example #2: supplier_vendor_name: Vendor Test – Returns all indicators that belong to the sources with a vendor named "Vendor" or indicators that have the word "test" in the context.

  • Use quotation marks to enclose particular substrings, parentheses to enclose logical blocks. For starting or ending values, use braces ({}) for intervals that exclude the boundaries, and brackets ([]) for intervals that include the boundaries. Braces and brackets can be combined if you need to specify an interval with an opening bracket of one type and a closing bracket of another type. Quotation marks and all these types of brackets have to be in pairs in the search request.

    You can omit the quotation marks around the search substring if it does not contain the special characters listed above. In this case, the search results include only indicators for which the specified substring fully matches one of the values of some field. Therefore, if you want to find indicators for which the search substring is only part of a value, use wildcards (asterisk (*) or question mark (?), see below).

    You can use quotation marks and all types of brackets unpaired in the following cases:

    • If an unpaired bracket or quotation mark is used together with an escape character.

      Example: ioc_value:asd\]

    • If an unpaired bracket is enclosed in quotation marks.

      Example: ioc_value:"1234]"

  • Do not use a tab character.
  • Specify a colon (:) only after the indicator attribute name or use it together with an escape character.
  • Do not specify an empty value in parentheses, except when this value is specified with an escape character or is enclosed in quotation marks.

    Example of the incorrect request: ( )

    Example of the correct request: (" ")

  • In braces ({}) and brackets ([]), use the %begin_value% TO %end_value% pattern, where %begin_value% and %end_value% are the start and end values of the interval (except when the brackets are enclosed in quotation marks).

    Example of an incorrect request: [* 100]

    Example of a correct request: [* TO 100]

  • Do not specify an empty value when searching for a specific attribute.

    Example of an incorrect request: ioc_type:

    Example of a correct request: ioc_type:url

  • Use logical operators (AND, OR, NOT) without quotation marks and all uppercase.
  • Enclose logical AND and OR in spaces. You can omit the space before a logical NOT if NOT is specified directly after a left parenthesis or a colon.

    Example of an incorrect request: supplier_confidence:(89OR91)

    Example of a correct request: supplier_confidence:NOT(89 OR 91)

  • Do not specify an empty value after a logical operator.

    Example of an incorrect request: supplier_confidence:(89 OR )

    Example of a correct request: supplier_confidence:(89 OR 91)

  • For the ioc_supplier_context attribute, use a period when searching for a specific nested attribute.

    Example: ioc_supplier_context.files.threat:"HEUR:Exploit.SWF.Generic"

  • For the ioc_supplier_context attribute, if your search string contains a space character, use the "\" (backslash) escape character before the space character.

    Example: ioc_supplier_context.details.SMS\ Number:1003

  • For the ioc_supplier_context attribute, use the ioc_supplier_context.\\* pattern to search for all nested attributes.

    Example: ioc_supplier_context.\\*:HEUR

  • Use the asterisk (*) as a wildcard for any sequence of characters and the question mark (?) as a wildcard for a single character.

    Example #1: supplier_vendor_name: Vendor – Search for indicators that belong to sources with a vendor named "Vendor".

    Example #2: supplier_vendor_name: Vendor* – Search for indicators that belong to sources with a vendor whose name begins with "Vendor".

    The use of an asterisk (*) at the beginning of the request can lead to checking all attribute values from the indicator database. This usually causes a long wait for a response from the database.

Examples

The following request will display all indicators that contain an at, ca, kr, ru, ir substring in any of the indicator attributes:

"at, ca, kr, ru, ir"

The following request will display all indicators that have a supplier_confidence attribute value that is equal to 89 or 91:

supplier_confidence:(89 OR 91)

The following request will display all indicators that have an ioc_value attribute value containing the 123321 substring:

ioc_value:"123321"

The following request will display all indicators that were added to the database between 2012-01-01 and 2012-12-31 (including the boundaries):

ioc_created_date:[2012-01-01 TO 2012-12-31]

The following request will display all indicators that have a level of confidence in the range of 10 to 50 (excluding the boundaries):

supplier_confidence:{10 TO 50}

The following request will display all indicators that have a threat_score context field value greater than 75:

ioc_supplier_context.threat_score:[75 TO *]

The following request will display all indicators that have a files/threat context attribute containing the HEUR:Exploit.SWF.Generic substring:

ioc_supplier_context.files.threat:"HEUR:Exploit.SWF.Generic"

The following request will display all indicators that have context attributes with any nesting level that contains the HEUR value:

ioc_supplier_context.\\*:HEUR
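The escaping and pairing rules above are easy to get wrong when a search request is assembled from a value that came from a log line or an API caller. The following helpers, added here as an example and not part of Kaspersky CyberTrace or its documentation, apply those rules: every special symbol in a value is prefixed with the backslash escape character, interval bounds are restricted to the date/number shape used in the examples above, and a checker verifies the quotation-mark and bracket pairing rule (including the escaped and quoted exceptions). The function names and the bound pattern are assumptions of this example.

```python
import re

# Added example (not CyberTrace's own code): build search requests from untrusted
# values by applying the escaping and pairing rules described above.

# Special symbols listed above; && and || are covered by escaping & and |.
SPECIAL = set(' +-=&|><!(){}[]^"~*?:\\/')
BOUND = re.compile(r"^[\w.:-]+$")  # assumed allowed shape of a bare interval bound

def escape_term(value: str) -> str:
    """Prefix every special symbol with the CyberTrace escape character (\\)."""
    return "".join("\\" + c if c in SPECIAL else c for c in value)

def exact(attr: str, value: str) -> str:
    """attr:value with the value escaped, so it is matched literally and in full."""
    return f"{attr}:{escape_term(value)}"

def interval(attr, low=None, high=None, include_low=True, include_high=True):
    """attr:[low TO high] or {low TO high}; None gives an open end, e.g. [75 TO *].
    Bounds are dates or numbers as in the examples above: not escaped, but checked."""
    bounds = []
    for b in (low, high):
        b = "*" if b is None else str(b)
        if b != "*" and not BOUND.match(b):
            raise ValueError(f"unsafe interval bound: {b!r}")
        bounds.append(b)
    lb, rb = ("[" if include_low else "{"), ("]" if include_high else "}")
    return f"{attr}:{lb}{bounds[0]} TO {bounds[1]}{rb}"

def balanced(request: str) -> bool:
    """Pairing rule: quotes and brackets must be paired, except when escaped or when
    a bracket sits inside quotation marks; [ and { may close with either ] or }."""
    stack, in_quotes, i = [], False, 0
    while i < len(request):
        c = request[i]
        if c == "\\":
            i += 2                      # skip the escaped symbol entirely
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif not in_quotes and c in "([{":
            stack.append(c)
        elif not in_quotes and c in ")]}":
            if not stack or (c == ")") != (stack.pop() == "("):
                return False
        i += 1
    return not stack and not in_quotes
```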
