Viewing Search Results (Beta)
- Updated on 18 Sep 2024
- 8 Minutes to read
Overview
The ThreatConnect® search engine lets you search your entire dataset to quickly find data relevant to the item you are investigating. After you run a search from the Search screen, the search engine returns a list of Indicators, Groups, Tags, Victims, and Workflow Cases that match the search query, which you can then review and analyze as part of your investigation.
When looking for matches to a search query, the search engine searches an object’s summary and metadata—including Attributes; Descriptions; Case Artifacts, Notes, and Tasks; file and signature contents; Tags; and Victim Assets and Victim details—to form a relevance-ordered result set based on how closely each result matches the query.
Before You Start
User Roles
- To view, sort, and filter search results that are Indicators, Groups, Tags, or Victims in an Organization, your user account can have any Organization role.
- To view, sort, and filter search results that are Indicators, Groups, Tags, or Victims in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
- To view, sort, and filter search results that are Cases in an Organization, your user account can have any Organization role except App Developer.
- To delete search results that are Indicators, Groups, Tags, or Victims in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
- To delete search results that are Indicators, Groups, Tags, or Victims in a Community or Source, your user account must have a Community role of Editor or Director for that Community or Source.
- To delete search results that are Cases in an Organization, your user account must have an Organization role of Organization Administrator.
Prerequisites
- To search your ThreatConnect data and view search results on the Search screen, turn on and configure OpenSearch® and initialize the search index for your ThreatConnect instance via the System Settings screen (must be a System Administrator to perform this action).
- To view and manage search results that are Cases, turn on Workflow for your Organization on the Account Settings screen (must be an Accounts Administrator, Operations Administrator, or System Administrator to perform this action).
Viewing Search Results
After you run a search from the Search screen, the screen will display the search results in a paginated table with the following columns (Figure 1):
- Matched On: The property of the result that matched the search query. To view details about each property of a result that matched the search query, click the value or icon in the Matched On column. Possible values for this column include the following:
  - Artifact Name: The summary of one or more Artifacts added to the specified Case was a match.
  - Assets Value: The summary of a Victim Asset added to the specified Victim was a match.
  - Attribute: The value of one or more of the result’s Attributes was a match.
  - Case Description: The description of the specified Case was a match.
  - Description: The value of one or more of the result’s Description Attributes (default or non-default) was a match.
  - File Contents: The contents of the file uploaded to the specified Document or Report Group were a match.
  - Multiple Properties: Two or more of the result’s properties were a match.
  - Name/Summary: The result’s name/summary was a match.
  - Note: The contents of one or more Case Notes added to the specified Case were a match.
  - Signature: The contents of the signature file uploaded to the specified Signature Group were a match.
  - Tag: The name of one or more standard Tags or ATT&CK® Tags applied to the result was a match.
  - Task: The name of one or more Tasks added to the specified Case was a match.
  - Task Description: The description of one or more Tasks added to the specified Case was a match.
  - Victim Assets: The summary of one or more Victim Assets added to the specified Victim was a match.
  - Victim Nationality: The nationality of a Victim was a match.
  - Victim Organization: The organization associated with a Victim was a match.
  - Victim Sub-Organization: The sub-organization associated with a Victim was a match.
  - Victim Work Location: The work location associated with a Victim was a match.
- Type: The result’s type. If the result is a Group or an Indicator, the Type column will also show the result's subtype (e.g., Address, Report).
- Name/Summary: The result’s name/summary.
- Owner: The result’s owner.
- ThreatAssess: If the result is an Indicator, the ThreatAssess column will show the Indicator’s ThreatAssess score. Otherwise, this column will show no value for the result.
- Date Added: The date and time when the result was created in its owner.
- Last Modified: The date and time when the result was last modified in its owner.
Viewing Match Details for Search Results
A search result’s Result Details drawer shows each of the result’s properties that matched the search query, with the specific part(s) of the property that matched the query highlighted in blue. For example, in Figure 2, the following properties of the result matched the search query from Figure 1 ("scattered spider" ransomware 140.82.29.65): the result’s name/summary, the value of the result’s Source Attribute, the value of the result’s Description Attribute, and the name of one of the result’s standard Tags.
There are two ways you can open a search result’s Result Details drawer on the Search screen:
- Click the value or icon in the Matched On column for the result.
- Click the ⋯ menu for the result and select View Match Details.
Viewing Search Result Details
Select a search result in the table on the Search screen, or click a result’s ⋯ menu and select View Details, to open the Details drawer for the corresponding Case, Group, Indicator, Tag, or Victim and view detailed information about the result.
Managing Search Results
A search result’s ⋯ menu provides options for managing and further analyzing the result. The options available in this menu vary based on the search result’s object type.
Options for Indicators
- Add to Exclusion List: If you are an Organization Administrator or System Administrator, you can add the Indicator to your Organization-level Exclusion List.
  Important: The Add to Exclusion List option will be available for Organization and System Administrators only on ThreatConnect instances where this functionality is turned on in the system settings. If you add an Indicator to your Organization’s Exclusion List using this option, the only way to remove the Indicator from the Exclusion List is via the Organization Config screen for your Organization.
- Change Status to Inactive or Change Status to Active: If your user account has the requisite permissions in the Indicator’s owner, you can change the status of the Indicator.
- Explore in Graph: Visualize, explore, and analyze the Indicator's associations in Threat Graph.
- View Details: Open the Indicator’s Details drawer.
- View Match Details: Open the Result Details drawer and view details about each of the Indicator’s properties that matched the search query.
- Delete…: If your user account has the requisite permissions in the Indicator’s owner, you can delete the Indicator from the owner.
Options for Groups
- Create Custom Report: Create a report for the Group from scratch or from a Group report template.
- View Details: Open the Group’s Details drawer.
- View Match Details: Open the Result Details drawer and view details about each of the Group’s properties that matched the search query.
- Visual Analysis: Select from the following options:
  - Explore in Graph: Visualize, explore, and analyze the Group's associations in Threat Graph.
  - Visualize ATT&CK: Open the ATT&CK Visualizer with the Group added as an analysis layer within a new ATT&CK view.
- Delete…: If your user account has the requisite permissions in the Group’s owner, you can delete the Group from the owner.
Options for Cases
- Create Custom Report: Create a report for the Case from scratch or from a Case report template.
- Explore in Graph: Visualize, explore, and analyze the Case's associations in Threat Graph.
- View Details: Open the Case’s Details drawer.
- View Match Details: Open the Result Details drawer and view details about each of the Case’s properties that matched the search query.
- Delete…: If your user account has the requisite permissions in your Organization, you can delete the Case from the Organization.
Options for Tags
- Explore in Graph: Visualize, explore, and analyze the Tag's associations in Threat Graph.
- View Details: Open the Tag’s Details drawer.
- View Match Details: Open the Result Details drawer and view details about each of the Tag’s properties that matched the search query.
- Delete…: If your user account has the requisite permissions in the Tag’s owner, you can delete the Tag from the owner.
Options for Victims
- View Details: Open the Victim’s Details drawer.
- View Match Details: Open the Result Details drawer and view details about each of the Victim’s properties that matched the search query.
- Delete…: If your user account has the requisite permissions in the Victim’s owner, you can delete the Victim from the owner.
Sorting Search Results
You can sort search results by any of the table columns except for the Matched On column. By default, search results are sorted based on how closely they match the search query, where objects whose name/summary matches the query are listed at the top, followed by objects with a piece of metadata (e.g., an Attribute, a Tag) that matches the query.
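The following added example (not ThreatConnect code) models, in plain Python, the behaviour described above: which indexed properties of an object match a query, how the matched parts would be highlighted, how those matches collapse into a single Matched On value (including Multiple Properties), and the default ordering that lists name/summary matches before metadata-only matches. The sample objects, the treatment of a double-quoted run as one phrase, and case-insensitive substring matching are assumptions for illustration; the platform's actual OpenSearch relevance scoring is not reproduced.

```python
import re

# Constructed sample objects (not ThreatConnect data): a name/summary plus the
# metadata properties the page says the search engine indexes.
SAMPLE_OBJECTS = [
    {"type": "Indicator", "summary": "140.82.29.65",
     "Attribute": ["Source: ransomware C2 report"], "Tag": ["Scattered Spider"]},
    {"type": "Group", "summary": "Scattered Spider ransomware campaign",
     "Description": ["Affiliate activity"]},
    {"type": "Case", "summary": "INC-0042",
     "Note": ["Possible Scattered Spider intrusion"], "Task": ["Block 140.82.29.65"]},
    {"type": "Victim", "summary": "Acme Corp", "Victim Assets": ["acme.example"]},
]

def parse_query(query):
    # Assumption: a double-quoted run is one phrase, anything else is a bare term.
    return [q or t for q, t in re.findall(r'"([^"]+)"|(\S+)', query)]

def find_matches(text, terms):
    # (start, end) spans of every term in text, case-insensitive: the parts the
    # Result Details drawer would highlight.
    return sorted((m.start(), m.end()) for term in terms
                  for m in re.finditer(re.escape(term), text, re.IGNORECASE))

def match_details(obj, terms):
    # Map each matched property (Name/Summary, Attribute, Tag, Note, ...) to the
    # matching values and their highlighted spans.
    details = {}
    for prop, values in obj.items():
        if prop == "type":
            continue
        label, values = ("Name/Summary", [values]) if prop == "summary" else (prop, values)
        for value in values:
            spans = find_matches(value, terms)
            if spans:
                details.setdefault(label, {})[value] = spans
    return details

def matched_on(details):
    # Collapse the matched properties into the single Matched On column value.
    return "Multiple Properties" if len(details) > 1 else next(iter(details))

def search(objects, query):
    terms = parse_query(query)
    results = [{"type": o["type"], "summary": o["summary"], "details": d,
                "matched_on": matched_on(d)}
               for o in objects if (d := match_details(o, terms))]
    # Default ordering from the page: name/summary matches first, then results
    # whose only matches are metadata (Attributes, Tags, Notes, ...).
    results.sort(key=lambda r: "Name/Summary" not in r["details"])
    return results
```

Running `search(SAMPLE_OBJECTS, '"scattered spider" ransomware 140.82.29.65')` returns the Indicator and Group (name/summary matches) ahead of the Case, whose only matches are a Note and a Task, and omits the Victim, which matches nothing.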
Filtering Search Results
There are two ways you can filter search results on the Search screen:
- Use the dropdown to the right of the Exact Match checkbox to filter results by the following ThreatConnect object types: Cases, Indicators, Groups, Tags, and Victims. After making your selections in the dropdown, run your search again to apply the filters to the results.
- Use the Filters menu to filter results by owner; object subtype (for Indicators and Groups only); creation date; last modified date; and property that matched the search query. After making your selections, click Apply in the Filters menu to apply the filters to the results.
  Note: The Group Type and Indicator Type filters in the Filters menu apply only to results that are Groups and Indicators, respectively. These filters will not affect results that are Cases, Tags, or Victims. Also, if you configured the dropdown to the right of the Exact Match checkbox to exclude Groups or Indicators from the search results, the Group Type or Indicator Type filter, respectively, will be grayed out.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
OpenSearch® is a registered trademark of Amazon Web Services.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
20075-06 v.02.A