Searching All Object Types
  • 10 Sep 2025

Overview

The ThreatConnect® search engine lets you search your entire dataset to quickly find data relevant to the item you are investigating. When you run a search from the Search: All Object Types screen or the top navigation bar, the search engine looks for Indicators, Groups, Tags, Victims, and Workflow Cases that match your search query. Search queries may include a single search term, multiple search terms, or an exact phrase.

Before You Start

User Roles

  • To search for Indicators, Groups, Tags, and Victims in an Organization, your user account can have any Organization role.
  • To search for Indicators, Groups, Tags, and Victims in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
  • To search for Cases in an Organization, your user account can have any Organization role except App Developer.

Prerequisites

  • To search your ThreatConnect data and view search results on the Search: All Object Types screen, turn on and configure OpenSearch® and initialize the search index for your ThreatConnect instance on the System Settings screen (must be a System Administrator to perform this action).
  • To search for Cases, select the Enable Workflow checkbox on the Permissions tab of the Organization Information window when editing your Organization on the Organizations tab of the Account Settings screen (must be an Accounts Administrator, Operations Administrator, or System Administrator to perform this action).

Follow these steps to search all object types in your ThreatConnect owners on the Search: All Object Types screen:

  1. From the Search & Create dropdown on the top navigation bar, select All Object Types.
  2. Enter a search query into the search bar or select a recent or suggested search query.
  3. (Optional) To search for an exact phrase, select Exact Match to the right of the search bar or surround the search terms in straight quotes (").
    Important
    The search engine does not recognize smart quotes (“”). If you copied a search phrase from an application and pasted it into the search bar, replace all smart quotes with straight quotes (") before running your search.
  4. Press Enter on your keyboard or click Search to run the search.
Note
You can also use the search bar on the top navigation bar to search all object types in your ThreatConnect owners. After you enter a search query, lists of suggested searches and suggested objects based on the query will display. To run the search and view the results on the Search: All Object Types screen, press Enter on your keyboard or click “View all results for…” at the top of the list of suggested searches.

After the search runs, the Search: All Object Types screen displays the search results. When looking for matches to a search query, the search engine searches an object’s summary and metadata—including Attributes and Descriptions; Case Artifacts, Notes, and Tasks; file and signature contents; Tags; and Victim Assets and Victim details—to form a relevance-ordered result set based on how closely each result matches the query.

Constructing a Search Query

When searching all object types in your ThreatConnect owners, you can construct the following types of search queries:

  • Single term: The search engine will look for objects whose summary or metadata contain the specified search term.
  • Multiple terms: The search engine will look for objects whose summary or metadata contain some or all of the search terms. To search for multiple terms, separate each term with a space or line break.
  • Exact phrase: The search engine will look for objects whose summary or metadata contain the exact phrase in the specified order. To search for an exact phrase, select Exact Match to the right of the search bar on the Search: All Object Types screen or surround the search terms in straight quotes (").

Table 1 provides example search queries and describes the results that each query will return.

 

| Search Query | Results |
| --- | --- |
| 140.82.29.65 | Returns objects whose summary or metadata contain 140.82.29.65. |
| bad[.]com | Returns objects whose summary or metadata contain bad.com. (See the “Searching for Defanged Indicators” section for more information on how the search engine fangs defanged Indicators.) |
| royal ransomware group | Returns objects whose summary or metadata contain royal, ransomware, group, or any combination of these terms. |
| scattered spider | Returns objects whose summary or metadata contain scattered, spider, or both terms. |
| "scattered spider" | Returns objects whose summary or metadata contain the exact phrase scattered spider. |
| ransomware 140.82.29.65 "scattered spider" | Returns objects whose summary or metadata contain the term ransomware, the term 140.82.29.65, or the exact phrase scattered spider. |
| ransomware ⏎ 140.82.29.65 ⏎ "scattered spider" (⏎ = line break) | Returns objects whose summary or metadata contain the term ransomware, the term 140.82.29.65, or the exact phrase scattered spider. |

Using a Recent or Suggested Search Query

When you click into the search bar on the Search: All Object Types screen or the top navigation bar, a list of your recent search queries will display. In addition, after you type at least three characters into the search bar, a list of suggested search queries based on the entered text will display.

To populate a recent or suggested search query into the search bar, select the query from the list. Alternatively, click Search to the right of a recent or suggested query in the list to immediately run a search using the query.

Note
To clear your recent search history, click Clear Recent Searches below the list of recent searches.

Searching for Defanged Indicators

The ThreatConnect search engine refangs defanged Indicators automatically. The term “defang” refers to the process of altering an Indicator so that a user cannot click on it by accident and navigate to a malicious website. The term “refang” refers to the process of taking a defanged Indicator (e.g., bad[.]com) and returning it to its original state (bad.com). For example, if you run a search for bad[.]com, the search engine will return results for bad.com.

Table 2 lists the defanged character sequences recognized by the ThreatConnect search engine and their corresponding refanged character.

 

| Defanged Character Sequence | Refanged Character |
| --- | --- |
| [.] | . |
| [:] | : |
| [@] | @ |
| [dot] | . |
| h..p:// | http:// |
| h..ps:// | https:// |
| f.p:// | ftp:// |

Note
In the last three rows of Table 2, . can be any character (e.g., x or X). For example, the ThreatConnect search engine will refang hxxp:// as http://.
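
The following is an added example, not ThreatConnect code: a client-side helper that prepares text pasted from a report according to the rules on this page. It replaces smart quotes with straight quotes, splits terms on spaces and line breaks, keeps straight-quoted phrases together, and refangs the Table 2 sequences. The function names, the look-behind that stops a scheme match from starting mid-word, and the sample text are assumptions.

```python
import re

# Table 2: literal defanged sequences and their refanged characters.
LITERALS = {"[.]": ".", "[:]": ":", "[@]": "@", "[dot]": "."}
LITERAL_RE = re.compile("|".join(re.escape(k) for k in LITERALS))

# Table 2 scheme rows; "." matches any single character (hxxp, hXXp, ...).
# The look-behind is an assumption so a match cannot start mid-word.
SCHEMES = [
    (re.compile(r"(?<![A-Za-z0-9])h..ps://"), "https://"),
    (re.compile(r"(?<![A-Za-z0-9])h..p://"), "http://"),
    (re.compile(r"(?<![A-Za-z0-9])f.p://"), "ftp://"),
]

# Smart quotes, which the search engine does not recognize, mapped to straight quotes.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})

# A straight-quoted phrase, or a run of non-whitespace characters.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def refang(text):
    """Apply the Table 2 substitutions. Literals go first so that
    hxxp[:]// becomes hxxp:// before the scheme rows are tried."""
    text = LITERAL_RE.sub(lambda m: LITERALS[m.group(0)], text)
    for pattern, scheme in SCHEMES:
        text = pattern.sub(scheme, text)
    return text


def prepare_query(pasted):
    """Split pasted text into ("phrase" | "term", value) pairs on spaces
    and line breaks, with smart quotes fixed and values refanged."""
    cleaned = pasted.translate(SMART_QUOTES)
    parts = []
    for phrase, term in TOKEN_RE.findall(cleaned):
        if phrase:
            parts.append(("phrase", refang(phrase)))
        elif term:
            parts.append(("term", refang(term)))
    return parts


# Constructed sample: text copied from a report, smart quotes included.
SAMPLE = "ransomware\n140.82.29[.]65 \u201cscattered spider\u201d hxxps[:]//bad[.]com"
```

Defang styles that are not listed in Table 2, such as bad(.)com, pass through this helper unchanged, so convert them by hand before searching.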

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
OpenSearch® is a registered trademark of Amazon Web Services.

20075-05 v.03.A

