Bulk Searching Indicators
10 Sep 2025

Overview

The ThreatConnect® search engine includes a bulk Indicator search feature that enables you to efficiently process and analyze large volumes of Indicator data from an uploaded file. The ThreatConnect search engine parses the file for Indicators and then searches for those Indicators across all your ThreatConnect owners, returning a results set of identified Indicators categorized as follows:

  • Known Indicators: Indicators that exist in one of your owners.
  • Unknown Indicators: Indicators that do not currently exist in one of your owners.

You can sort and filter the results set for further analysis, as well as perform bulk actions such as adding Indicators to your Organization, adding Tags to Indicators, and exporting Indicators to a comma-separated values (CSV) file.

Suggested Use Cases

The bulk Indicator search feature in ThreatConnect supports the following use cases, among others:

  • SIEM Alert Enrichment: Analysts can search a set of Indicators surfaced by SIEM tools to cross-reference with their ThreatConnect data in a single step. This application of the feature supports faster enrichment of SIEM alerts and helps teams prioritize and act on potential threats more effectively.
  • Incident Response: Security teams can upload a list of Indicators such as IP addresses, URLs, and file hashes from investigations into ThreatConnect and determine which ones are malicious. This application of the feature enables faster triage and a more efficient response to potential threats.

Before You Start

User Roles

  • To run a bulk Indicator search, your user account can have any Organization role.
  • To view and export known Indicators in an Organization, your user account can have any Organization role.
  • To view and export known Indicators in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
  • To create copies of unknown Indicators in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To delete known Indicators in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To delete known Indicators in a Community or Source, your user account must have a Community role of Editor or Director for that Community or Source.
  • To apply Tags to known Indicators in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To apply Tags to known Indicators in a Community or Source, your user account must have a Community role of Contributor, Editor, or Director for that Community or Source.

Prerequisites

  • To search your ThreatConnect data and view search results on the Search: All Object Types screen, turn on and configure OpenSearch® and initialize the search index for your ThreatConnect instance on the System Settings screen (must be a System Administrator to perform this action).

Follow these steps to run a bulk Indicator search on the Search: All Object Types screen:

  1. From the Search & Create dropdown on the top navigation bar, select All Object Types.
  2. Turn on the Bulk Search Indicators toggle at the upper left of the Search: All Object Types screen.
  3. In the area under the Bulk Search Indicators toggle, upload a file that contains Indicator data. Supported file types include .doc, .txt, .pdf, .xls, .xlsx, .json, and .csv.
    Important
    The file you upload should be under 5000 KB.

After the file is uploaded and processed, the Search: All Object Types screen displays the search results.

To run another bulk Indicator search with a different file, click Remove file and clear results next to the uploaded file’s size, and then upload another file that contains Indicator data.

Viewing Search Results

After you run a bulk Indicator search, the Search: All Object Types screen displays the Indicators parsed from the file in a paginated table with the following columns (Figure 1):

Figure 1: Bulk Searching Indicators (7.8.0)

  • Type: The Indicator’s type.
  • Name/Summary: The Indicator’s name/summary. If the Indicator is known, the name/summary is a link to the Indicator’s Details screen.
    Hint
    Search results will not persist if you navigate to a different screen in the browser tab. Click View details in new tab next to a known result’s name/summary to retain your search results when viewing a known result’s Details screen.
  • Owner: (Known Indicators only) The Indicator’s owner.
  • ThreatAssess: The Indicator’s ThreatAssess score. Some unknown Indicators may not have a ThreatAssess score.
  • Date Added: (Known Indicators only) The date and time the Indicator was created in its owner.
  • Last Modified: (Known Indicators only) The date and time the Indicator was last modified in its owner.
Important
Parsed Indicators that are on a System- or Organization-level Exclusion List are excluded from the search results.

Viewing Details for a Known Indicator

If a search result is a known Indicator, you can click the result’s table row, or click the result’s menu and select View Details, to open the Indicator’s Details drawer.

Managing Search Results

Selection Actions

You can select one or more search results and then use the Selection Actions dropdown to perform the following actions:

  • Add Tags…: Enter and apply Tags to all selected Indicators.
    Note
    Tags are applied only to known Indicators in owners for which your user account has permission to create data. Tags are not applied to unknown Indicators, and the Add Tags… option is not available if all selected Indicators are unknown.
  • Export…: Export all selected Indicators to a CSV file.
    Note
    Only known Indicators can be exported to a CSV file. Unknown Indicators are not exported, and the Export… option is not available if all selected Indicators are unknown. You can export all known Indicators in the results table, including those on other table pages, to a CSV file by clicking the menu at the upper right of the Search: All Object Types screen and selecting Export Returned Objects….
  • Add to Your Organization: Create copies of all selected Indicators in your Organization.

Hint
To view only selected results in the results table, click the <#> Selected filter next to the Selection Actions dropdown.

Adding an Unknown Indicator to an Owner

If a search result is an unknown Indicator, you can click Add to your Organization on the right side of its row to create a copy of the Indicator in your Organization.

Note
You can also create copies of unknown Indicators in your Organization using the Selection Actions menu on the Search: All Object Types screen.

Options for Known Indicators

If a search result is a known Indicator, you can click the ⋯ menu on the right side of its row to access a menu with the following options:

  • Threat Graph: Open Threat Graph to visualize, explore, and analyze the Indicator's associations.
  • View Details: Open the Indicator’s Details drawer.
    Hint
    You can also open the Indicator’s Details drawer by clicking on its table row.
  • Delete…: Delete the Indicator from its owner. This option is available only if your user account has permission to delete Indicators in the Indicator’s owner.

Sorting Search Results

You can sort search results by any of the table columns. By default, search results are sorted by the Name/Summary column in ascending order.

Filtering Search Results

The Search: All Object Types screen provides the following for filtering results of a bulk Indicator search:

  • The Indicator type dropdown next to the file upload area lets you filter results by one or more Indicator types. Results are filtered automatically as you select options in the dropdown.
  • The result type dropdown next to the Filters menu lets you filter results based on whether they are known Indicators, unknown Indicators, or both. Results are filtered automatically as you select options in the dropdown.
  • The Filters menu lets you filter results by Indicator metadata. After selecting and configuring filters, click Apply. Results may be filtered by the following metadata:
    • Owner
    • Date Added
    • Last Modified
    • ThreatAssess

Frequently Asked Questions (FAQ)

After uploading a file, I received a message stating “The file contained more Indicators than could be parsed.” Why am I seeing this message, and what does it mean?

When running a bulk Indicator search, the ThreatConnect search engine can parse up to 8000 Indicators from a single file. If a file contains more than 8000 Indicators, the ThreatConnect search engine will return search results for the first 8000 Indicators that it parsed from the file.

Note that, in some cases, the number of search results returned by the ThreatConnect search engine may exceed 8000. This is because the number of search results depends on the data available in the search cluster when you run the bulk Indicator search, as well as the data available in your owners for the searched items and whether a given Indicator exists in multiple owners.
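The two limits above (a file under 5000 KB in the upload step, and at most 8000 Indicators parsed per file) are easy to hit when the input is raw SIEM or incident export data rather than a clean list. The following Python script is an added example, not ThreatConnect code or part of this article: it pulls IPv4 addresses, URLs, and MD5/SHA-1/SHA-256 hashes out of free text with assumed regular expressions (not ThreatConnect's own parser rules), de-duplicates them, reports whether a newline-delimited payload would exceed either documented limit, and splits the list into .txt payloads (a supported file type) so that nothing is silently truncated past the 8000th Indicator. The sample alert lines are constructed from documentation address ranges and the well-known empty-string hashes.

```python
import re

# Limits stated in the ThreatConnect article: the uploaded file should be under
# 5000 KB, and the search engine parses at most 8000 Indicators from one file.
MAX_UPLOAD_KB = 5000
MAX_PARSED_INDICATORS = 8000

# Indicator patterns assumed for this example (IPv4, URL, MD5/SHA-1/SHA-256).
# These are not ThreatConnect's own parsing rules. Order matters: URLs are
# matched and blanked out first so an IP embedded in a URL is not counted twice.
PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s'\"<>]+", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "sha1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
}
HASH_TYPES = {"sha256", "sha1", "md5"}


def extract_indicators(text: str) -> list[str]:
    """Return the unique indicators found in text, in order of first appearance.

    Hashes are lower-cased so the same value in different case is de-duplicated.
    """
    found: list[tuple[int, str]] = []
    working = text
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(working):
            value = m.group(0).lower() if name in HASH_TYPES else m.group(0)
            found.append((m.start(), value))
        # Replace matched spans with spaces (positions are preserved) so that a
        # later, less specific pattern cannot re-match the same characters.
        working = pattern.sub(lambda m: " " * len(m.group(0)), working)
    found.sort()
    seen: set[str] = set()
    unique: list[str] = []
    for _, value in found:
        if value not in seen:
            seen.add(value)
            unique.append(value)
    return unique


def upload_problems(payload: str) -> list[str]:
    """Explain why a newline-delimited .txt payload would hit a documented limit.

    An empty list means the payload is within both limits. KB is taken as 1000
    bytes, the conservative reading of "under 5000 KB".
    """
    problems = []
    size_kb = len(payload.encode("utf-8")) / 1000
    if size_kb >= MAX_UPLOAD_KB:
        problems.append(f"file is {size_kb:.0f} KB; it should be under {MAX_UPLOAD_KB} KB")
    count = sum(1 for line in payload.splitlines() if line.strip())
    if count > MAX_PARSED_INDICATORS:
        problems.append(f"{count} indicators; only the first {MAX_PARSED_INDICATORS} would be parsed")
    return problems


def chunk_for_upload(indicators: list[str], max_items: int = MAX_PARSED_INDICATORS,
                     max_kb: int = MAX_UPLOAD_KB) -> list[str]:
    """Split indicators into newline-delimited payloads that each respect both limits."""
    limit_bytes = max_kb * 1000
    chunks: list[str] = []
    current: list[str] = []
    current_bytes = 0
    for ind in indicators:
        line_bytes = len(ind.encode("utf-8")) + 1  # +1 for the trailing newline
        if current and (len(current) >= max_items or current_bytes + line_bytes >= limit_bytes):
            chunks.append("\n".join(current) + "\n")
            current, current_bytes = [], 0
        current.append(ind)
        current_bytes += line_bytes
    if current:
        chunks.append("\n".join(current) + "\n")
    return chunks


# Constructed sample: three SIEM-style alert lines using documentation address
# ranges and the well-known MD5/SHA-256 of the empty string; not real IoCs.
SAMPLE_ALERTS = """\
2025-09-10T12:00:01Z alert src=192.0.2.10 dst=198.51.100.7 url=http://192.0.2.10/payload.bin
2025-09-10T12:00:05Z alert src=192.0.2.10 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2025-09-10T12:00:09Z alert md5=D41D8CD98F00B204E9800998ECF8427E url=https://example.com/login
"""

if __name__ == "__main__":
    indicators = extract_indicators(SAMPLE_ALERTS)
    for n, payload in enumerate(chunk_for_upload(indicators), start=1):
        print(f"--- payload {n} ---")
        print(payload, end="")
        print("problems:", upload_problems(payload) or "none")
```

Each payload returned by chunk_for_upload can be saved as its own .txt file and uploaded in a separate bulk search; running upload_problems on a file you did not generate this way tells you in advance whether the "more Indicators than could be parsed" message would appear. De-duplicating locally also matters for the count: a SIEM export often repeats the same source address across many alerts, and each repeat would otherwise consume part of the 8000-Indicator budget.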


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
OpenSearch® is a registered trademark of Amazon Web Services.

20075-07 v.02.A

