Searching in ThreatConnect

Overview

The Search screen in ThreatConnect^® provides a single location to search and browse your data. You can search all object types in your ThreatConnect dataset using keywords or phrases, or you can browse threat intelligence data by object type and filter those data to a usable and relevant subset based on details like name/summary, object subtype, owner, and metadata such as Tags, Security Labels, and Attributes.

When searching all object types, the ThreatConnect search engine searches an object’s summary and metadata to form a relevance-ordered result set based on how closely each result matches the search query. As you review search results, you can use filters to fine-tune the result set and analyze the most relevant data. When browsing your data by object type, you can search and filter objects using basic search queries or using advanced search queries written in ThreatConnect Query Language (TQL). Depending on the object type, you can perform additional actions such as exporting data to a comma-separated values (CSV) file or deleting objects in bulk.

In addition to searching and browsing your data, you can run bulk Indicator searches by uploading files to the ThreatConnect search engine. Each time you upload a file, the ThreatConnect search engine parses the file for Indicators and returns a result set containing known and unknown Indicators. You can sort and filter the results set for further analysis, as well as perform bulk actions such as adding Indicators your Organization, adding Tags to Indicators, and exporting Indicators to a CSV file.

In This Series

• Searching All Object Types: Learn how to search all object types in your ThreatConnect dataset on the Search: All Object Types screen.
• Viewing Search Results for All Object Types: Learn how to view, sort, and filter search results on the Search: All Object Types screen.
• Bulk Searching Indicators: Learn how to run a bulk Indicator search on an uploaded file from the Search: All Object Types screen and view, sort, and filter the corresponding search results.
• Searching by Object Type: Learn how to use the object filters on the Search screen to search and browse threat intelligence data by object type.
  • Searching Groups: Learn how to use the Search: Groups screen to search, filter, export, delete, and analyze Groups.
  • Searching Indicators: Learn how to use the Search: Indicators screen to search, filter, export, delete, and analyze Indicators.
  • Searching Intelligence Requirements: Learn how to use the Search: Intelligence Requirements screen to search, filter, and analyze Intelligence Requirements.
  • Searching Tags: Learn how to use the Search: Tags screen to search, filter, and analyze standard Tags and ATT&CK^® Tags.
  • Searching Victim Assets: Learn how to use the Search: Victim Assets screen to search, filter, and analyze Victim Assets.
  • Searching Victims: Learn how to use the Search: Victims screen to search, filter, and analyze Victims.
  • Saved Search Queries: Learn how to save, view, edit, delete, and run saved queries when using the object filters on the Search screen.
• Searching in ThreatConnect (Legacy) : Learn how to use the legacy Search drawer to search your ThreatConnect data and view search results.
  • Searching Your Data (Legacy): Learn how to search your ThreatConnect data with the Search drawer.
  • Search Filters (Legacy): Learn how to filter search results on the Search drawer.
  • Search Results (Legacy): Learn about the types of search results returned on the Search drawer.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20075-01 v.10.A