Bulk Searching Indicators
  • 15 Jan 2025

Important
This article describes how to run a bulk Indicator search with the search feature introduced in ThreatConnect 7.6. For instructions on using the legacy search feature, see Searching in ThreatConnect (Legacy).

Overview

The ThreatConnect® search engine includes a bulk Indicator search feature that enables you to efficiently process and analyze large volumes of Indicator data. The first step in running a bulk Indicator search is to upload a file containing Indicator data to the ThreatConnect search engine. After the file is uploaded, the ThreatConnect search engine will parse the file for Indicators and then search for those Indicators across all of your owners. When running a bulk Indicator search, the ThreatConnect search engine categorizes Indicators parsed from an uploaded file as follows:

  • Known Indicators: Indicators that exist in one of your owners.
  • Unknown Indicators: Indicators that do not yet exist in one of your owners.

Before You Start

User Roles

  • To run a bulk Indicator search and view known Indicator results in an Organization, your user account can have any Organization role.
  • To run a bulk Indicator search and view known Indicator results in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
  • To add an unknown Indicator to an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To delete a known Indicator in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To delete a known Indicator in a Community or Source, your user account must have a Community role of Editor or Director for that Community or Source.

Prerequisites

  • To search your ThreatConnect data and view search results on the Search screen, turn on and configure OpenSearch® and initialize the search index for your ThreatConnect instance via the System Settings screen (must be a System Administrator to perform this action).

Follow these steps to run a bulk Indicator search on the Search screen:

  1. Click Search on the top navigation bar.
  2. Turn on the Bulk Search Indicators toggle at the top left of the Search screen.
  3. Upload a .txt, .xls, or .csv file that contains Indicator data. After the file is uploaded and processed, the Search screen will display the Indicators parsed from the file in a paginated table.
    Important
    The file you upload should be under 5000 KB.
  4. (Optional) To run another bulk Indicator search with a different file, click Remove file and clear results for the uploaded file at the top of the Search screen. Then upload another .txt, .xls, or .csv file that contains Indicator data.

Viewing Search Results

After you run a bulk Indicator search on the Search screen, the screen will display the Indicators parsed from the file in a paginated table with the following columns (Figure 1):

Figure 1: Bulk Searching Indicators (7.8.0)

  • Type: The Indicator’s type.
  • Name/Summary: The Indicator’s name/summary. If the Indicator is known, the name/summary will be a link to the Indicator’s Details screen.
    Note
    Clicking a known Indicator’s name/summary will open the Indicator’s Details screen in the current browser tab. However, if you want to return to the Search screen and view the results of the bulk Indicator search, you will need to re-run the search. To prevent this from happening, click View details in new tab to the right of a known Indicator’s name/summary to open the Indicator’s Details screen in a new browser tab.
  • Owner: If the result is a known Indicator, the Owner column will show the Indicator’s owner. If the result is an unknown Indicator, the Owner column will show no value for the result.
  • ThreatAssess: The Indicator’s ThreatAssess score. If the result is an unknown Indicator and no ThreatAssess score is available for the Indicator, the ThreatAssess column will show no value for the result.
  • Date Added: If the result is a known Indicator, the Date Added column will show the date and time when the Indicator was created in its owner. If the result is an unknown Indicator, the Date Added column will show no value for the result.
  • Last Modified: If the result is a known Indicator, the Last Modified column will show the date and time when the Indicator was last modified in its owner. If the result is an unknown Indicator, the Last Modified column will show no value for the result.
Important
Parsed Indicators that are included on a System- or Organization-level Exclusion List will be excluded from the search results.


Viewing Details for a Known Indicator

If a search result is a known Indicator, you can click the result’s table row or select View Details in the result’s menu to open the Details drawer for the Indicator and view detailed information about the Indicator.

Adding an Unknown Indicator to an Owner

If a search result is an unknown Indicator, an Add to Owner button will be displayed in the rightmost table column for the result. To add an unknown Indicator to one of your owners, click Add to Owner for the Indicator, and then select the desired owner in the Add to Owner menu.

Note
At this time, you can add unknown Indicators to an Organization only.


Options for Known Indicators

If a search result is a known Indicator, a ⋯ menu will be displayed in the rightmost table column for the result. Click the ⋯ menu for a known Indicator to access the following options:

  • Threat Graph: Visualize, explore, and analyze the Indicator's associations in Threat Graph.
  • View Details: Open the Indicator’s Details drawer.
  • Delete…: If your user account has the requisite permissions in the Indicator’s owner, you can delete the Indicator from the owner.

Sorting Search Results

You can sort search results by any of the table columns. By default, search results are sorted by the Name/Summary column in ascending order.

Filtering Search Results

There are three ways you can filter search results after running a bulk Indicator search on the Search screen:

  • Use the leftmost dropdown at the top right of the screen to filter results by Indicator type.
  • Use the rightmost dropdown at the top right of the screen to filter results based on whether they are known Indicators, unknown Indicators, or both.
  • Use the Filters menu at the top right of the screen to filter results by owner, creation date, last modified date, and ThreatAssess score. After making your selections, click Apply in the Filters menu to apply the filters to the results.
    Note
    When filtering results by ThreatAssess score, you can filter by any score, a custom score range, or one of the following pre-configured score ranges: Low (0–200), Medium (201–500), High (501–800), and Critical (801–1000).

Frequently Asked Questions (FAQ)

After uploading a file, I received a message stating “The file contained more Indicators than could be parsed.” Why am I seeing this message, and what does it mean?

When running a bulk Indicator search, the maximum number of Indicators that the ThreatConnect search engine can parse from a file is 1024. If an uploaded file contains more than the maximum of 1024 Indicators that can be parsed, the ThreatConnect search engine will return search results for only the first 1024 Indicators that were parsed from the file.

Note that, in some cases, the number of search results returned by the ThreatConnect search engine may exceed 1024. This is because the number of search results depends on the data available in the search cluster when you run the bulk Indicator search, as well as the data available in your owners for the searched items and whether a given Indicator exists in multiple owners.


I receive a message stating “Adding to owner failed due to an error” when I try to add an unknown Indicator to my Organization. Why am I receiving this error?

You cannot add unknown Indicators included on a System- or Organization-level Exclusion List to an Organization. If you attempt to do so, the Search screen will display an error message stating “Adding to owner failed due to an error.” after you click Add to Owner for the unknown Indicator.
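The checks and categorization this article describes, as an added Python example that is not ThreatConnect's own code: it enforces the 5000 KB file limit from the steps above and the 1024 parse cap from the FAQ, extracts Indicator candidates with simplified regular expressions (an assumption; the product's own parser rules are not documented here), drops values that appear on a local Exclusion List, separates known from unknown Indicators against a constructed owner map (one result row per owner, which is why results can outnumber parsed Indicators), and maps ThreatAssess scores to the Low, Medium, High and Critical ranges from the Filtering section. SAMPLE_FILE, KNOWN_BY_OWNER and EXCLUSION_LIST are constructed sample data, and only text-like .txt/.csv content is handled.

```python
"""Pre-flight checks for a bulk Indicator search file plus a local model of how
results are categorized. Added example, not ThreatConnect code: the regexes and
the owner/exclusion data below are constructed assumptions, not the product's
parser or data."""
import re
from typing import Dict, List, Set, Tuple

MAX_FILE_KB = 5000            # article: the uploaded file should be under 5000 KB
MAX_PARSED_INDICATORS = 1024  # article: at most 1024 Indicators are parsed per file

# Assumption: simplified candidate patterns for three common Indicator types,
# tried in this order for each line. A filename such as "report.pdf" also
# matches the Host pattern, so review parsed output before relying on it.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("Address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("File", re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")),
    ("Host", re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")),
]


def parse_indicators(data: bytes, filename: str) -> Tuple[List[Tuple[str, str]], int]:
    """Extract distinct (type, value) candidates in first-seen order.

    Rejects files over the 5000 KB limit, keeps at most 1024 distinct candidates
    and reports how many distinct candidates fell beyond that cap. Binary .xls
    workbooks are out of scope for this example."""
    if len(data) > MAX_FILE_KB * 1024:
        raise ValueError(f"{filename}: {len(data) // 1024} KB exceeds the {MAX_FILE_KB} KB limit")
    text = data.decode("utf-8", errors="replace")
    seen: Dict[Tuple[str, str], None] = {}  # dict preserves insertion order and dedups
    for line in text.splitlines():
        for itype, pattern in PATTERNS:
            for value in pattern.findall(line):
                seen.setdefault((itype, value), None)
    candidates = list(seen)
    dropped = max(0, len(candidates) - MAX_PARSED_INDICATORS)
    return candidates[:MAX_PARSED_INDICATORS], dropped


def categorize(indicators: List[Tuple[str, str]], known_by_owner: Dict[str, Set[str]],
               exclusion_list: Set[str]) -> List[dict]:
    """Build result rows the way the article describes them: Indicators on an
    Exclusion List are left out, a known Indicator yields one row per owner that
    holds it, and an unknown Indicator yields one row with no owner."""
    rows = []
    for itype, value in indicators:
        if value in exclusion_list:
            continue
        owners = [owner for owner, values in known_by_owner.items() if value in values]
        if owners:
            rows.extend({"type": itype, "summary": value, "owner": o, "known": True} for o in owners)
        else:
            rows.append({"type": itype, "summary": value, "owner": None, "known": False})
    rows.sort(key=lambda r: r["summary"])  # default sort: Name/Summary ascending
    return rows


def threatassess_band(score: int) -> str:
    """Map a ThreatAssess score to the pre-configured filter ranges from the article."""
    for band, upper in (("Low", 200), ("Medium", 500), ("High", 800), ("Critical", 1000)):
        if 0 <= score <= upper:
            return band
    raise ValueError(f"ThreatAssess score out of range: {score}")


# Constructed sample input and local owner data (not real data).
SAMPLE_FILE = b"""indicator,note
198.51.100.23,seen in proxy logs
example.org,phishing landing page
198.51.100.23,duplicate entry
d41d8cd98f00b204e9800998ecf8427e,md5 of an empty file
203.0.113.9,on the org exclusion list
"""
KNOWN_BY_OWNER: Dict[str, Set[str]] = {
    "Demo Organization": {"198.51.100.23", "example.org"},
    "Demo Community": {"198.51.100.23"},
}
EXCLUSION_LIST: Set[str] = {"203.0.113.9"}


def run_demo() -> dict:
    """Parse the sample file and summarize the resulting table."""
    parsed, dropped = parse_indicators(SAMPLE_FILE, "sample.csv")
    rows = categorize(parsed, KNOWN_BY_OWNER, EXCLUSION_LIST)
    return {
        "parsed": len(parsed),
        "dropped_by_cap": dropped,
        "rows": len(rows),
        "known_rows": sum(r["known"] for r in rows),
        "unknown_rows": sum(not r["known"] for r in rows),
    }


if __name__ == "__main__":
    parsed_sample, _ = parse_indicators(SAMPLE_FILE, "sample.csv")
    for row in categorize(parsed_sample, KNOWN_BY_OWNER, EXCLUSION_LIST):
        print(row)
    print(run_demo())
```

Five lines go in, four distinct Indicators come out (the duplicate address is collapsed), the excluded address never reaches the table, and the address held by two owners produces two known rows, so the table has four rows from three searchable Indicators.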


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
OpenSearch® is a registered trademark of Amazon Web Services.

20075-07 v.01.A
