Working with indicators

April 11, 2024

ID 194524

Kaspersky CyberTrace uses an Elasticsearch database to store the indicators of compromise (IOC) from the threat intelligence feeds. This database is included in the Kaspersky CyberTrace distribution package.

In the Kaspersky CyberTrace web user interface, select the Indicators tab. This section allows you to do the following:

  • View the list of indicators from the indicator database (hereinafter, also called the database).
  • Perform a search by indicator.
  • Add new indicators to the database.

    When a new indicator is successfully added to the database, it can be used in the matching process. Such indicators are written to the database with the supplier_name attribute set to InternalTI.

  • Delete indicators from the database.
  • Add existing indicators to the FalsePositive supplier (mark as false positive).
  • Browse detailed information about indicators.
  • Filter indicators by suppliers.

    When this filter is applied and several suppliers are selected, Kaspersky CyberTrace shows only the indicators that are provided by every selected supplier (the selected suppliers are combined with AND, not OR).

  • Filter indicators by tags.
  • Filter indicators by type.

    To use this filter, click the Type column heading, and in the filter form that opens, select the indicator types that you want to be displayed in the list.

FalsePositive and InternalTI suppliers

The FalsePositive and InternalTI suppliers are built-in Kaspersky CyberTrace suppliers that you can add indicators to:

  • A FalsePositive supplier is designed for existing indicators that users mark as false positives in CyberTrace Web.
  • An InternalTI supplier is designed for new indicators that users add to the database in CyberTrace Web or via the REST API.

Indicators from the InternalTI supplier still produce detections even if the same indicator has also been added to the FalsePositive supplier (the false positives list).
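The two rules above (the multi-supplier filter matching only indicators present in every selected supplier, and InternalTI indicators detecting even when they are also in the FalsePositive list) are easy to get backwards when scripting against an export of the indicator database. The following is an added example, not CyberTrace's own code: it models indicators as records with a set of supplier names and applies both rules. The sample records, the feed names Feed_A and Feed_B, and the assumption that an indicator carried only by feed suppliers and by FalsePositive is suppressed (which is what marking a false positive is for) are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

# Built-in supplier names as documented for CyberTrace.
FALSE_POSITIVE = "FalsePositive"
INTERNAL_TI = "InternalTI"


@dataclass
class Indicator:
    value: str
    ioc_type: str
    suppliers: set = field(default_factory=set)


# Constructed sample data for this example; Feed_A and Feed_B are
# placeholder feed supplier names, not real CyberTrace feeds.
SAMPLE = [
    Indicator("198.51.100.7", "ip", {"Feed_A", "Feed_B"}),
    Indicator("203.0.113.9", "ip", {"Feed_A"}),
    Indicator("203.0.113.10", "ip", {"Feed_A", FALSE_POSITIVE}),
    Indicator("example.test", "domain", {INTERNAL_TI, FALSE_POSITIVE}),
    Indicator("d41d8cd98f00b204e9800998ecf8427e", "hash", {INTERNAL_TI}),
]


def filter_by_suppliers(indicators, selected):
    """Supplier filter with AND semantics: keep an indicator only if
    every selected supplier provides it (an empty selection keeps all)."""
    wanted = set(selected)
    return [ind for ind in indicators if wanted <= ind.suppliers]


def filter_by_types(indicators, types):
    """Type filter: keep indicators whose type is among the selected types."""
    wanted = set(types)
    return [ind for ind in indicators if ind.ioc_type in wanted]


def produces_detection(ind):
    """Assumed detection model derived from the documented rules:
    InternalTI always detects, even when the indicator is also marked
    as a false positive; otherwise a FalsePositive entry suppresses the
    indicator; anything else detects as long as some supplier carries it."""
    if INTERNAL_TI in ind.suppliers:
        return True
    if FALSE_POSITIVE in ind.suppliers:
        return False
    return bool(ind.suppliers)


def mark_false_positive(ind):
    """Equivalent of 'Add existing indicators to the FalsePositive supplier':
    the indicator keeps its original suppliers and gains FalsePositive."""
    ind.suppliers.add(FALSE_POSITIVE)
    return ind


def values(indicators):
    """Helper that returns just the indicator values, for easy comparison."""
    return [ind.value for ind in indicators]


if __name__ == "__main__":
    print("Feed_A AND Feed_B:", values(filter_by_suppliers(SAMPLE, ["Feed_A", "Feed_B"])))
    print("Feed_A only:", values(filter_by_suppliers(SAMPLE, ["Feed_A"])))
    for ind in SAMPLE:
        print(f"{ind.value:40} detects={produces_detection(ind)}")
```

Note that selecting Feed_A and Feed_B together returns a subset of selecting Feed_A alone; if you want the union of two suppliers you must run the filter twice and merge the results.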

In this section

Search syntax

Search result

Managing search requests

Browsing detailed information about indicators

Indicators exported to CSV

URL normalization rules
