- 01 Sep 2022
- 6 Minutes to read
Results that are an identical match to a term you entered in the search bar will be displayed in the Exact Matches section, which displays two types of results:
- Objects that exist in an Organization, a Community, or a Source to which you have access on your ThreatConnect instance.
- Objects that do not yet exist in an Organization, a Community, or a Source to which you have access on your ThreatConnect instance, but match a pattern for one of the Indicator types in ThreatConnect.
Figure 1 shows the results of a search for badguy.com.
This search resulted in an exact match to an Artifact in two Cases (File Backup Scam Phishing Alert and Hacker Investigation) and an exact match to a Host Indicator that exists in the user’s Organization, as well as in two Communities and one Source. Observation and false-positive counts are also provided, along with analytical information (in this case from ThreatAssess, or from ThreatConnect’s Collective Analytics Layer (CAL™) if no ThreatAssess information exists for the Indicator).
Figure 2 shows the results of a search for evill.com.
This search resulted in an exact match as well, but of the second type. The search term does not exist in any of the user’s owners, but it did meet the pattern criteria for a Host Indicator.
Figure 3 shows the results of a search for bad guy.
This search resulted in an exact match for an Adversary Group called Bad Guy. All exact matches that are Groups will be of the first type, which means that all exactly matched Groups exist in an owner to which the user has access.
Figure 4 shows the results of a search for the exact phrase "21-0043847: Threat Actor Capabilities".
This search results in a single match for a Threat Group called 21-0043847: Threat Actor Capabilities in the user’s Organization.
Exact matches can be sorted by Summary (name of the object—e.g., badguy.com), Type (e.g., Host, Tag), or Analytics (e.g., ascending or descending order by ThreatAssess score) by using the Sort Exact Matches By dropdown menu at the top right of the search results.
Potentially Related Matches
The Potentially Related Matches section shows objects in your Organization, Communities, and Sources that may be related to the search term. For example, Figure 1 shows one Email Address Indicator in the user’s Organization that may be related to the search term badguy.com. Figure 2 shows no matches that may be related to the search term evill.com. Figure 3 shows one Adversary Group, one Email Address Indicator, one Email Subject Indicator, and two Host Indicators in the user’s Organization and one Community that may be related to the search term bad guy.
Analyzing Search Results
Any objects listed in the search results can be explored further by clicking on the link(s) in the object’s Details by Owner section.
For objects that exist in your owners, the Details by Owner section of a results entry will list one or more owners of the object. Each owner is a link that, when clicked, opens the Details drawer for the object on the left side of the screen.
For example, in Figure 1, clicking on the Demo Organization link for the badguy.com object in the Exact Matches section will open the Details drawer for the badguy.com Host Indicator that exists in the user’s Organization (Demo Organization) (Figure 5).
To view the Details screen for this object, click the Details icon at the upper-right corner of the Details drawer.
To add this Indicator to a different owner, click the plus icon at the upper-right corner of the Details drawer. A dropdown menu listing the owners to which you have access, but in which the object does not already exist, will be displayed (Figure 6).
Select an owner. The Details drawer will change to show the Indicator in the new owner, and the new owner will be listed in the Details by Owner section on the Search drawer.
For Indicators that do not exist in one of your owners, the Details by Owner section of a results entry will provide a Learn more about it link that, when clicked, opens a Details drawer for the Indicator on the left-hand side of the screen (Figure 7).
This drawer can be used to view information that CAL has on the Indicator, if any, or to follow the Investigation Links for further exploration of the Indicator. To add this Indicator to an owner, click the plus icon at the upper-right corner of the Details drawer, or to the right of its results entry in the Search drawer, and select an owner from the dropdown menu that is displayed. Alternatively, clicking the Details icon at the upper-right corner of the Details drawer will open the Indicator’s Details screen (Figure 8).
Use the Indicator Analytics section to view any information CAL has on the Indicator, or follow the Investigation Links to explore the Indicator further. To add the Indicator to an owner to which you have access on your ThreatConnect instance, select an Owner from the Owner dropdown menu at the top left of the screen and click the SAVE button. A new Details screen for the Indicator will open from which the Indicator can be configured further.
To search for multiple items at one time, enter the items one after another, with a space in between each item. For example, Figure 9 shows the results of a search for the following terms: bad.com terrible.com bad guy.
The search bar also supports line breaks. When search terms are entered with line breaks, no Potentially Related Matches will be returned. Only Indicators that are in your owners or that satisfy a pattern for one of the Indicator types will be shown as Exact Matches. No matches to Groups in your owners will be shown, even if one of the search terms is an exact match for the name of a Group in one of your owners.
For example, Figure 10 shows the results of a search for four separate terms: bad.com, terrible.com, bad guy, and dfdfdf.
The results returned show four exact matches: two Cases (File Backup Scam Phishing Alert and Hacker Investigation); a Host Indicator for the term badguy.com that already exists in the user’s Organization, two Communities, and one Source; and a Host Indicator for the term terrible.com that is not in any of the user’s owners. Even though an Adversary Group called Bad Guy exists in one of the user’s owners, no result was returned for bad guy, because that term does not match any Indicator pattern. Likewise, no result was returned for dfdfdf, which does not match any Indicator pattern either.
Searching for Defanged Indicators
The ThreatConnect search engine automatically refangs Indicators. The term “defang” refers to the process of altering an Indicator so that a user cannot click on it by accident and navigate to a malicious website. The term “refang” refers to the process of taking a defanged Indicator (e.g., bad[.]com) and returning it to its original state (bad.com). For example, if bad[.]com is entered into the search engine, results for bad.com will be provided.
Table 1 lists all of the defanged character sequences recognized by the ThreatConnect search engine and their corresponding refanged versions.
| Defanged Character Sequence | Refanged Version |
| --- | --- |
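The following is an added example, not ThreatConnect code, that models two behaviours described on this page: refanging a defanged term before it is searched, and the line-break mode in which only terms that satisfy an Indicator pattern are kept (so a Group name such as bad guy and free text such as dfdfdf drop out). The defang sequences it recognizes (bracketed dots, [at], [:], hxxp, and so on) are common analyst conventions assumed for the example; the sequences ThreatConnect actually recognizes are the ones in Table 1. The Indicator patterns (Host, Address, EmailAddress, URL) are simplified regular expressions assumed for the example, and how the space-separated mode groups a multi-word name such as bad guy is not spelled out on the page, so the model simply splits on whitespace. The query at the bottom is constructed input.

```python
import re
from typing import List, Optional, Tuple

# Defang -> refang substitutions. Common analyst conventions assumed for this
# example; the authoritative list for ThreatConnect is Table 1 above.
# Order matters: [://] must be handled before the shorter [:] rule.
REFANG_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\[://\]|\(://\)"), "://"),
    (re.compile(r"\[:\]|\(:\)"), ":"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\\\.|\[dot\]|\(dot\)", re.IGNORECASE), "."),
    (re.compile(r"\[at\]|\(at\)|\{at\}", re.IGNORECASE), "@"),
    (re.compile(r"\bhxxps\b", re.IGNORECASE), "https"),
    (re.compile(r"\bhxxp\b", re.IGNORECASE), "http"),
    (re.compile(r"\bfxp\b", re.IGNORECASE), "ftp"),
]


def refang(term: str) -> str:
    """Return the original form of a defanged term, e.g. bad[.]com -> bad.com."""
    out = term.strip()
    for pattern, replacement in REFANG_RULES:
        out = pattern.sub(replacement, out)
    return out


# Simplified Indicator patterns (assumed for this example, not ThreatConnect's
# own validation). Checked in order so that a URL or e-mail address is not
# mistaken for a bare Host.
_URL = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)
_EMAIL = re.compile(r"^[^\s@]+@(?:[a-z0-9-]+\.)+[a-z]{2,63}$", re.IGNORECASE)
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_HOST = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)
INDICATOR_PATTERNS = [("URL", _URL), ("EmailAddress", _EMAIL), ("Address", _IPV4), ("Host", _HOST)]


def classify(term: str) -> Optional[str]:
    """Return the Indicator type whose pattern the term satisfies, or None."""
    for name, pattern in INDICATOR_PATTERNS:
        if pattern.match(term):
            return name
    return None


def parse_search(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Split a search-bar entry into terms and classify each one.

    Returns (raw term, refanged term, Indicator type or None). Space-separated
    terms are all kept; newline-separated terms are kept only when they satisfy
    an Indicator pattern, which is why Group names and free text drop out in
    line-break mode. This is a model of the behaviour described on the page,
    not ThreatConnect's implementation.
    """
    if "\n" in text:
        terms = [t.strip() for t in text.splitlines() if t.strip()]
        line_break_mode = True
    else:
        terms = text.split()  # assumption: one whitespace-separated token per term
        line_break_mode = False

    results: List[Tuple[str, str, Optional[str]]] = []
    for raw in terms:
        fanged = refang(raw)
        kind = classify(fanged)
        if line_break_mode and kind is None:
            continue  # only pattern-matching Indicators survive in line-break mode
        results.append((raw, fanged, kind))
    return results


if __name__ == "__main__":
    # Constructed input: the four line-break terms from the example above,
    # with the first two pasted in defanged form.
    query = "bad[.]com\nterrible[.]com\nbad guy\ndfdfdf"
    for raw, fanged, kind in parse_search(query):
        print(f"{raw!r:20} -> {fanged!r:16} {kind}")
```

Running the script keeps only bad.com and terrible.com, both classified as Host, which matches the outcome described for Figure 10; entering the same four terms on one line instead keeps every token, since the space-separated mode does not filter on Indicator patterns.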
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
CAL™ is a trademark of ThreatConnect, Inc.