Kaspersky CyberTrace

About transformations

27 February 2024

ID 222398

In addition to manually adding nodes and relationships to a graph, Kaspersky CyberTrace can enrich the graph by automatically adding information about objects related to a node. The source of this information can be either Kaspersky CyberTrace itself or an external source such as Kaspersky Threat Intelligence Portal or VirusTotal. Running this enrichment process is called a transformation.

Most graph enrichment sources do not support URL indicators whose domain part contains the '*' (wildcard) character. Running a transformation on a node with such a URL indicator results in an error or empty output.

By default, Kaspersky CyberTrace provides you with the following transformations:

  • Getting indicators that appear in the same feeds as the initial standard CyberTrace indicator:
    • Related hashes.
    • Related URLs.
    • Related IP addresses.
    • All related indicators (hashes, URLs, IP addresses).
  • Getting the latest 100 detections related to a standard CyberTrace indicator.
  • Getting information from Kaspersky Threat Intelligence Portal.

    Kaspersky CyberTrace requires an access token to connect to Kaspersky Threat Intelligence Portal.

    • For indicators of the type URL (standard CyberTrace indicators, as well as external indicators (observables)), Kaspersky CyberTrace can get the following information:
      • List of files that accessed the given URL.
      • List of files downloaded from the given URL.
      • List of URLs that referenced the given URL.
      • List of URLs referenced by the given URL.
      • The IP addresses from the DNS resolution for the given URL.
      • List of reports for the given URL.
    • For indicators of types MD5, SHA1, and SHA256 (standard CyberTrace indicators, as well as external indicators (observables)), Kaspersky CyberTrace can get the following information:
      • List of URLs accessed by the given file.
      • List of files that run the given file.
      • List of files that were run by the given file.
      • List of files that downloaded the given file.
      • List of files downloaded by the given file.
      • List of URLs from which the given file was downloaded.
      • List of reports for the given file.
    • For indicators of the type IP (standard CyberTrace indicators, as well as external indicators (observables)), Kaspersky CyberTrace can get the following information:
      • List of files that were downloaded from the given IP address.
      • List of URLs related to the given IP address.
      • List of reports for the given IP address.
  • Getting information from VirusTotal.

    Kaspersky CyberTrace requires an access token to connect to VirusTotal.

    • For indicators of the type URL (standard CyberTrace indicators, as well as external indicators (observables)), Kaspersky CyberTrace can get the following information:
      • Information on the given URL.
      • List of files that interact with the given URL.
      • List of domains from which the given URL downloads a resource.
      • List of IP addresses from which the given URL downloads a resource.
      • List of files downloaded from the given URL.
      • The last IP address resolution for the given URL.
      • Network location for the given URL.
      • List of files that contain the given URL.
      • List of URLs that reference the given URL.
      • List of URLs that redirect to the given URL.
      • List of URLs that the given URL redirects to.
      • List of IP addresses that the given domain resolves to.
      • List of subdomains of the given domain.
      • List of URLs for the given domain.

        For these three domain-based transformations, before sending a request to the VirusTotal API, Kaspersky CyberTrace checks whether the target node is certainly a domain. If the node is a full URL rather than a "pure" domain, an empty result is returned.

    • For indicators of types MD5, SHA1, and SHA256 (standard CyberTrace indicators, as well as external indicators (observables)), Kaspersky CyberTrace can get the following information:
      • Information on the given hash.
      • List of files bundled in the same archive as the file with the given hash.
      • List of files that are children of the file with the given hash.
      • List of files that are parents of the file with the given hash.
      • List of files (archives) that contain the file with the given hash.
      • List of domains contacted by the file with the given hash.
      • List of IP addresses contacted by the file with the given hash.
      • List of URLs contacted by the file with the given hash.
      • List of files that are removed by the file with the given hash.
      • List of domains embedded in the file with the given hash.
      • List of IP addresses embedded in the file with the given hash.
      • List of URLs embedded in the file with the given hash.
      • List of files that execute the file with the given hash.
      • List of domains from which the file with the given hash was downloaded.
      • List of IP addresses from which the file with the given hash was downloaded.
      • List of URLs from which the file with the given hash was downloaded.
    • For indicators of the type IP (standard CyberTrace indicators, as well as external indicators (observables)), Kaspersky CyberTrace can get the following information:
      • Information on the given IP address.
      • List of files that interact with the given IP address.
      • List of files downloaded from the given IP address.
      • List of files that contain the given IP address.
      • List of domains which resolve to the given IP address.
      • List of URLs that direct to the given IP address.
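As an added example (not Kaspersky CyberTrace's own code), the following Python script performs the two pre-flight checks this page implies an analyst should make before queuing transformations: it classifies an indicator into the node types the transformations distinguish (MD5, SHA1, SHA256, IP, URL), flags URL indicators whose domain part contains '*' (which most enrichment sources reject), and tests whether a URL-type node is a bare domain, the condition under which the three VirusTotal domain-only transformations return a non-empty result. All function names, the plan format and the sample indicators are assumptions made for the example; hash detection is a length-and-hex heuristic, and bracketed IPv6 hosts in URLs are not handled.

```python
"""Pre-flight classification of indicators before running graph transformations.

Illustrative example, not part of Kaspersky CyberTrace. Function names and
sample indicators are the example's own.
"""
import ipaddress
import re

# Hex-digest lengths for the hash types the transformations support.
HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# One DNS label: letters, digits, hyphens, no leading/trailing hyphen (LDH rule).
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_pure_domain(value: str) -> bool:
    """True for a bare hostname such as example.com: no scheme, path, port or query."""
    if not value or len(value) > 253 or any(c in value for c in "/:?#@*"):
        return False
    labels = value.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():   # a numeric last label is an IP, not a TLD
        return False
    return all(_LABEL_RE.match(label) for label in labels)


def domain_part(url: str) -> str:
    """Return the host portion of a URL indicator; feeds may omit the scheme."""
    rest = url.split("://", 1)[1] if "://" in url else url
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]   # cut path/query/fragment
    authority = authority.rsplit("@", 1)[-1]              # drop userinfo
    return authority.split(":", 1)[0]                     # drop port (no IPv6 handling)


def classify(indicator: str) -> str:
    """Map an indicator to MD5 / SHA1 / SHA256 / IP / URL (domains count as URL type)."""
    value = indicator.strip()
    if len(value) in HASH_TYPES and _HEX_RE.match(value):
        return HASH_TYPES[len(value)]
    try:
        ipaddress.ip_address(value)
        return "IP"
    except ValueError:
        return "URL"


def has_wildcard_domain(indicator: str) -> bool:
    """True when the host part of a URL/domain indicator contains '*'."""
    return "*" in domain_part(indicator)


def plan_transformations(indicator: str) -> dict:
    """Decide which transformation families to run for a node and which to skip, with reasons."""
    kind = classify(indicator)
    plan = {"type": kind, "run": [], "skip": []}
    if kind == "URL":
        if has_wildcard_domain(indicator):
            # Most enrichment sources error out or return nothing for these; do not queue them.
            plan["skip"].append("all URL enrichments: '*' in domain part")
            return plan
        plan["run"].append("URL enrichments")
        if is_pure_domain(indicator):
            plan["run"].append("VirusTotal domain-only transformations (resolutions, subdomains, URLs)")
        else:
            plan["skip"].append("VirusTotal domain-only transformations: node is a URL, result would be empty")
    elif kind == "IP":
        plan["run"].append("IP enrichments")
    else:
        plan["run"].append("hash enrichments")
    return plan


if __name__ == "__main__":
    # Constructed sample indicators (RFC 5737/2606 reserved values, empty-file digests).
    samples = [
        "d41d8cd98f00b204e9800998ecf8427e",
        "203.0.113.7",
        "example.com",
        "http://example.com/login.php",
        "http://*.example.com/x",
        "http://example.com/*",
    ]
    for s in samples:
        print(s, "->", plan_transformations(s))
```

Running the script prints one plan per sample: the wildcard URL `http://*.example.com/x` is skipped entirely, `http://example.com/*` is queued normally because the '*' is in the path rather than the domain part, and only `example.com` qualifies for the VirusTotal domain-only transformations.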
