Searching Your Data (Beta)
  • 18 Sep 2024
  • 4 Minutes to read

Important
This article describes how to use the search feature introduced in ThreatConnect 7.6, which is currently a beta feature. For instructions on using the legacy search feature, see Searching in ThreatConnect (Legacy).

Overview

The ThreatConnect® search engine lets you search your entire dataset to quickly find data relevant to the item you are investigating. When you run a search from the Search screen, the search engine looks for Indicators, Groups, Tags, Victims, and Workflow Cases that match your search query. Search queries may include a single search term, multiple search terms, or an exact phrase.

Before You Start

User Roles

  • To search for Indicators, Groups, Tags, and Victims in an Organization, your user account can have any Organization role.
  • To search for Indicators, Groups, Tags, and Victims in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
  • To search for Cases in an Organization, your user account can have any Organization role except App Developer.

Prerequisites

  • To search your ThreatConnect data and view search results on the Search screen, turn on and configure OpenSearch® and initialize the search index for your ThreatConnect instance via the System Settings screen (must be a System Administrator to perform this action).
  • To search for Cases, turn on Workflow for your Organization on the Account Settings screen (must be an Accounts Administrator, Operations Administrator, or System Administrator to perform this action).

Follow these steps to search your ThreatConnect data from the Search screen:

  1. Click Search (the Search drawer icon) on the top navigation bar. If the Search screen (Figure 1) is your default search view, the screen will open after you click Search. If the legacy Search drawer is your default search view, click Try Search Beta at the top right of the drawer to open the Search screen (Figure 1).
    Figure 1: Searching Your Data (7.6.0)

    Note
    Clicking Try Search Beta at the top right of the legacy Search drawer will open the Search screen and set it as your default search view. Similarly, clicking Revert to Legacy Search at the top right of the Search screen will open the legacy Search drawer and set it as your default search view.
  2. Enter your search query into the search bar or select a recent or suggested search query.
  3. (Optional) To search for an exact phrase, select Exact Match to the right of the search bar or surround the term in straight quotes (").
  4. (Optional) To limit the types of objects the search engine will look for, select the desired object types from the dropdown to the right of the Exact Match checkbox. Otherwise, the search will look for results of any supported object type.
  5. Press Enter on your keyboard or click Search to search for data that match the query.

After the search runs, the Search screen will display the search results. When looking for matches to a search query, the search engine searches an object’s summary and metadata—including Attributes, Descriptions; Case Artifacts, Notes, and Tasks; file and signature contents; Tags; and Victim Assets and Victim details—to form a relevance-ordered result set based on how closely each result matches the query.

Constructing a Search Query

When searching your ThreatConnect data from the Search screen, you can construct the following types of search queries:

  • Single term: The search engine will look for objects whose summary or metadata contain the specified search term.
  • Multiple terms: The search engine will look for objects whose summary or metadata contain some or all of the search terms. To search for multiple terms, separate each term with a space or line break.
  • Exact phrase: The search engine will look for objects whose summary or metadata contain the exact phrase in the specified order. To search for an exact phrase, select Exact Match to the right of the search bar or surround the term in straight quotes (").

Table 1 provides example search queries and describes the results that each query will return.

Table 1: Example search queries and their results

Search Query                                                   | Results
---------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------
140.82.29.65                                                   | Returns objects whose summary or metadata contain 140.82.29.65.
bad[.]com                                                      | Returns objects whose summary or metadata contain bad.com. (See the “Searching for Defanged Indicators” section for more information on how the search engine refangs defanged Indicators.)
royal ransomware group                                         | Returns objects whose summary or metadata contain royal, ransomware, group, or any combination of these terms.
scattered spider                                               | Returns objects whose summary or metadata contain scattered, spider, or both terms.
"scattered spider"                                             | Returns objects whose summary or metadata contain the exact phrase scattered spider.
ransomware 140.82.29.65 "scattered spider"                     | Returns objects whose summary or metadata contain the term ransomware, the term 140.82.29.65, or the exact phrase scattered spider.
ransomware [line break] 140.82.29.65 [line break] "scattered spider" | Returns objects whose summary or metadata contain the term ransomware, the term 140.82.29.65, or the exact phrase scattered spider (a line break separates terms exactly as a space does).
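The query rules in Table 1 (terms separated by spaces or line breaks, straight quotes or the Exact Match option forming one phrase, any-term matching with relevance ordering) can be modelled in a few dozen lines. The following Python is an added example written for this article, not ThreatConnect's code: the `SearchObject` fields, the constructed sample records, the case-insensitive substring matching, and the "number of matched terms" relevance score are all assumptions, since the article says results are relevance-ordered but does not define the scoring.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SearchObject:
    """Constructed stand-in for a ThreatConnect object: a summary plus the
    metadata the article says is searched (Attributes, Tags, Notes, ...).
    The field names are assumptions, not ThreatConnect's real schema."""
    object_type: str
    summary: str
    metadata: dict = field(default_factory=dict)

    def searchable_text(self) -> str:
        # Flatten the summary and every metadata value into one lower-cased string.
        parts = [self.summary]
        for value in self.metadata.values():
            parts.extend(value if isinstance(value, list) else [value])
        return " ".join(parts).lower()


# A token is either a straight-quoted phrase or a run of non-whitespace;
# spaces and line breaks both separate terms, as Table 1 describes.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_query(query: str, exact_match: bool = False) -> list[str]:
    """Split a query into search terms. Quoted text becomes one exact phrase;
    with exact_match=True (the Exact Match checkbox) the whole query is one phrase."""
    if exact_match:
        phrase = " ".join(query.split()).strip('"')
        return [phrase] if phrase else []
    terms = []
    for quoted, bare in _TOKEN_RE.findall(query):
        token = " ".join(quoted.split()) if quoted else bare
        if token:
            terms.append(token)
    return terms


def search(objects, query, exact_match=False, object_types=None):
    """Return the objects matching ANY term, most-matched-terms first.
    Assumed scoring: number of distinct terms/phrases found in the object's
    text (case-insensitive substring match); ties keep input order."""
    terms = [t.lower() for t in parse_query(query, exact_match)]
    if not terms:
        return []
    hits = []
    for obj in objects:
        if object_types and obj.object_type not in object_types:
            continue
        text = obj.searchable_text()
        score = sum(1 for t in terms if t in text)
        if score:
            hits.append((score, obj))
    hits.sort(key=lambda hit: hit[0], reverse=True)  # sort is stable
    return [obj for _, obj in hits]


# Constructed sample data; values are illustrative only.
SAMPLE_OBJECTS = [
    SearchObject("Indicator", "140.82.29.65",
                 {"tags": ["Scattered Spider"], "description": "address from a constructed report"}),
    SearchObject("Group", "Royal ransomware campaign report", {"tags": ["Royal", "ransomware"]}),
    SearchObject("Group", "Spider activity cluster",
                 {"description": "scattered reporting of spider-themed lures"}),
    SearchObject("Case", "Scattered Spider intrusion triage", {"notes": ["ransomware staging observed"]}),
    SearchObject("Tag", "ransomware"),
]


if __name__ == "__main__":
    for q in ["140.82.29.65", "scattered spider", '"scattered spider"',
              'ransomware\n140.82.29.65\n"scattered spider"']:
        print(repr(q), "->", [o.summary for o in search(SAMPLE_OBJECTS, q)])
```

Running the block shows the difference Table 1 describes between `scattered spider` (three objects, any term) and `"scattered spider"` (two objects, exact phrase), and that the three-line query ranks the objects matching two terms ahead of those matching one.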

Using a Recent or Suggested Search Query

When you click into the search bar on the Search screen, a list of your recent search queries will be shown. In addition, after you type at least three characters into the search bar, a list of suggested search queries based on the entered text will be shown.

To populate a recent or suggested search query into the search bar, select the query from the list. Alternatively, click Search to the right of a recent or suggested query in the list to run a search using the query automatically.

Note
To clear your recent search history, click Clear Recent Searches below the list of recent searches.

Searching for Defanged Indicators

The ThreatConnect search engine refangs defanged Indicators automatically. The term “defang” refers to the process of altering an Indicator so that a user cannot click on it by accident and navigate to a malicious website. The term “refang” refers to the process of taking a defanged Indicator (e.g., bad[.]com) and returning it to its original state (bad.com). For example, if you run a search for bad[.]com, the search engine will return results for bad.com.

Table 2 lists all of the defanged character sequences recognized by the ThreatConnect search engine and their corresponding refanged character.

Table 2: Defanged character sequences recognized by the search engine

Defanged Character Sequence | Refanged Character
----------------------------|-------------------
[.]                         | .
[:]                         | :
[@]                         | @
[dot]                       | .
h..p://                     | http://
h..ps://                    | https://
f.p://                      | ftp://

Note
In the last three rows of Table 2, each . stands for any single character (e.g., x or X). For example, the ThreatConnect search engine will refang hxxp:// as http://.
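The refanging rules in Table 2, including the wildcard positions in the scheme rows, map directly onto a small rule table. The Python below is an added example for this article, not ThreatConnect's implementation: it applies the four literal substitutions, then the three scheme patterns with a regex wildcard standing in for each ".", and also reports which rules fired so an analyst can see how a defanged query will be interpreted before running it. The `refang_report` helper and its rule labels are this example's own additions.

```python
import re

# Fixed sequences from Table 2 (literal text -> refanged character).
_LITERAL_RULES = [
    ("[.]", "."),
    ("[:]", ":"),
    ("[@]", "@"),
    ("[dot]", "."),
]

# Scheme rows from Table 2: each "." in the defanged form may be any one
# character (hxxp://, hXXps://, fxp://, ...), so it is a regex wildcard here.
# Note: a regex "." does not match a newline, which is the only difference
# from "any character".
_SCHEME_RULES = [
    (re.compile(r"h..ps://"), "https://"),
    (re.compile(r"h..p://"), "http://"),
    (re.compile(r"f.p://"), "ftp://"),
]


def refang_report(text: str) -> tuple[str, list[str]]:
    """Refang `text` and return (refanged_text, rules_applied_in_order)."""
    applied = []
    for literal, replacement in _LITERAL_RULES:
        if literal in text:
            text = text.replace(literal, replacement)
            applied.append(f"{literal} -> {replacement}")
    for pattern, replacement in _SCHEME_RULES:
        text, count = pattern.subn(replacement, text)
        if count:
            applied.append(f"{pattern.pattern} -> {replacement}")
    return text, applied


def refang(text: str) -> str:
    """Return the refanged form of `text` (the whole query string, so
    surrounding straight quotes are preserved)."""
    refanged, _ = refang_report(text)
    return refanged


if __name__ == "__main__":
    # Constructed sample inputs using the article's bad[.]com example plus
    # reserved example domains.
    for sample in ["bad[.]com", "hxxp://bad[.]com/login", "hXXps://evil[dot]example[.]org",
                   "fxp://files[.]example[.]net", "140[.]82[.]29[.]65", "admin[@]bad[.]com",
                   'ransomware "hxxp://bad[.]com"', "scattered spider"]:
        result, rules = refang_report(sample)
        print(f"{sample!r:40} -> {result!r:32} via {rules}")
```

Literal rules run before the scheme patterns, so an input such as `h[.][.]p://` is first turned into `h..p://` and then into `http://`; text with no defanged sequences passes through unchanged with an empty rule list.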

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
OpenSearch® is a registered trademark of Amazon Web Services.

20075-05 v.02.A
