Running Advanced Searches With TQL
- Updated on 01 Oct 2024
Overview
In ThreatConnect®, you can use the advanced search feature on the Browse screen to perform highly targeted searches of your threat intelligence data with structured queries written in ThreatConnect Query Language (TQL). This feature lets you search and filter your data based on criteria that cannot be defined using the Browse screen’s basic search and filter capabilities.
After you construct a TQL query on the Browse screen, you can save the query and use it in several ways, including viewing the results of the query at a later time, using the query in Query cards added to custom dashboards, and adding the query to an Intelligence Requirement (IR) or a Group to create associations to objects returned via the query.
Before You Start
User Roles
- To access the advanced search feature, run TQL queries, save TQL queries, and manage saved TQL queries on the Browse screen, your user account can have any Organization role.
- To search for threat intelligence data objects in an Organization with the advanced search feature on the Browse screen, your user account can have any Organization role.
- To search for threat intelligence data objects in a Community or Source with the advanced search feature on the Browse screen, your user account can have any Community role except Banned for that Community or Source.
Running TQL Queries
Follow these steps to run a TQL query with the advanced search feature on the Browse screen:
- Click Browse on the top navigation bar. Then click Advanced at the upper-right corner of the Browse screen (if viewing Indicators, Groups, Tracks, Victims, or Victim Assets) or turn on the Advanced Search toggle (if viewing IRs or Tags) to access the advanced search feature. Figure 1 shows the advanced search feature for Indicators, Groups, Tracks, Victims, and Victim Assets, and Figure 2 shows the advanced search feature for IRs and Tags.
  Hint: A list of commonly used TQL queries and a link to a complete list of TQL operators and parameters are available in the ThreatConnect Query Language (TQL) sidebar on the Browse screen.
  Note: If you are viewing Indicators, Groups, Tracks, Victims, or Victim Assets on the Browse screen and create a “contains” or “exact match” search with the basic search features, clicking Advanced at the upper-right corner of the screen will convert the search query into a TQL query.
- Select the type of object to search for in the dropdown at the top of the Browse screen. Available options include Intelligence Requirements, Indicators, Groups, Tags, Tracks, Victims, and Victim Assets.
- Enter a TQL query into the search bar at the top of the Browse screen. Then click Search, or press the Enter key on your keyboard, to run the query.
  Note: If searching for IRs or Tags, the validator on the left side of the search bar indicates whether you have entered a valid TQL query.
- (Optional) Use the My Intel Sources selector at the top left of the Browse screen to select which owners to display data from on the Browse screen.
Saving TQL Queries
Follow these steps to save a TQL query on the Browse screen:
- Navigate to the Browse screen, switch to the advanced search feature, and construct a TQL query.
- Click the ⋮ menu at the upper-right corner of the Browse screen and select Save Current Query….
- On the Save Current Query… drawer, enter a name for the query, and then click SAVE.
Managing Saved TQL Queries
Follow these steps to manage your saved TQL queries on the Browse screen:
- Click Browse on the top navigation bar.
- Click the ⋮ menu at the upper-right corner of the Browse screen and select View Queries.
- On the View Queries drawer, you can perform the following actions:
  - Select a saved TQL query to run it with the advanced search feature on the Browse screen immediately.
  - Click Delete for a saved TQL query to delete it.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
20052-02 v.19.A