Searching Groups
  • 10 Sep 2025

Overview

The Search screen in ThreatConnect® provides a single location to search and browse your data. You can search all object types in your ThreatConnect dataset using keywords or phrases, or you can browse threat intelligence data by object type and filter those data to a usable and relevant subset based on details like name/summary, object subtype, owner, and metadata such as Tags, Security Labels, and Attributes.

On the Search: Groups screen, you can search and filter all Groups in your ThreatConnect owners using basic search queries or using advanced search queries written in ThreatConnect Query Language (TQL). You can also create Groups; import Groups with the Doc Analysis, Email, and Signature import features; export Group data to a CSV file; delete Groups individually or in bulk; and further investigate Groups that are of interest to you.

Before You Start

User Roles

  • To view, search, and export Groups in an Organization, your user account can have any Organization role.
  • To view, search, and export Groups in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
  • To delete Groups in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To delete Groups in a Community or Source, your user account must have a Community role of Editor or Director for that Community or Source.

Viewing All Groups

When you first open the Search: Groups screen, it displays a table listing all Groups in your ThreatConnect owners. You can access the Search: Groups screen by selecting Groups from the Search & Create dropdown on the top navigation bar or by selecting the Groups filter in the left sidebar of the Search screen.

To view more details about a Group, do one of the following:

  • Click the Group’s table row, or click the Group’s menu and select View Details, to open the Group’s Details drawer.
  • Click the Group’s name/summary to open the Group’s Details screen.
Hint
You can adjust the columns displayed in the table on the Search: Groups screen by clicking Select columns in the upper right, selecting the columns to display, and clicking Apply.

Searching and Filtering Groups

On the Search: Groups screen, you can search and filter Groups in your ThreatConnect owners by running the following types of searches:

To remove all filters and search criteria applied on the Search: Groups screen, click Clear all filters & search in the upper right.

Running Basic Searches

A basic search lets you search Groups using the search bar and various filter options on the Search: Groups screen. Follow these steps to run a basic search of Groups on the Search: Groups screen:

  1. From the Search & Create dropdown on the top navigation bar, select Groups.
  2. Configure a basic search query by doing the following:

As you configure a basic search query, the results table updates automatically based on the current search criteria.

Searching by Name/Summary

When searching Groups by name/summary on the Search: Groups screen, you can run two types of searches: contains and exact match.

Note
Name/summary searches are case insensitive.

A contains search lets you filter Groups based on whether their name/summary contains the text entered into the search bar on the Search: Groups screen. Use a contains search when you want to filter your dataset to find Groups that relate to a common keyword or phrase. Table 1 describes the search result behavior of a contains search for volt typhoon.

 

| Group Name/Summary | Returned as Result? |
|---|---|
| VOLT TYPHOON | Yes, because the name/summary contains the entire phrase volt typhoon. |
| Volt Typhoon Ramps Up Malicious Activity Against Critical Infrastructure | Yes, because the name/summary contains the entire phrase volt typhoon. |
| Volt | No. Although the name/summary contains volt, it does not contain typhoon. |
| Typhoon Volt | No. Although the name/summary contains volt and typhoon, they are not in the same order as the phrase volt typhoon. |

To run a contains search on the Search: Groups screen, enter text into the search bar and leave the Exact Match checkbox cleared.

An exact match search lets you filter Groups based on whether their name/summary is an exact match to the text entered into the search bar on the Search: Groups screen. Use an exact match search when you want to search a large dataset for a specific object, as this type of search yields a more targeted set of search results. Table 2 describes the search result behavior of an exact match search for volt typhoon.

 

| Group Name/Summary | Returned as Result? |
|---|---|
| VOLT TYPHOON | Yes, because the name/summary is an exact match to the phrase volt typhoon. |
| Volt Typhoon Ramps Up Malicious Activity Against Critical Infrastructure | No, because the name/summary is not an exact match to the phrase volt typhoon. |
| Volt | No, because the name/summary is not an exact match to the phrase volt typhoon. |
| Typhoon Volt | No. Although the name/summary contains volt and typhoon, they are not in the same order as the phrase volt typhoon. |

To run an exact match search on the Search: Groups screen, enter text into the search bar and select the Exact Match checkbox to the right of the search bar or surround the phrase in straight quotes.

Important
The search engine does not recognize smart quotes (“”). If you copied a search phrase from an application and pasted it into the search bar, replace all smart quotes with straight quotes (") before running your search.
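
The contains and exact match rules from Tables 1 and 2, together with the smart-quote replacement described above, modeled as an added Python example (not ThreatConnect code). The function names and the substring interpretation of a contains search are assumptions made for illustration.

```python
# Added example, not ThreatConnect code. Substring matching for "contains"
# is an assumption that is consistent with Table 1.
SMART_QUOTES = "\u201c\u201d"  # the curly quotes the search engine does not recognize


def parse_query(raw, exact_checkbox=False):
    """Return (phrase, exact, had_smart_quotes) for text entered in the search bar."""
    text = raw.strip()
    had_smart_quotes = any(ch in SMART_QUOTES for ch in text)
    for ch in SMART_QUOTES:
        # Replace smart quotes with straight quotes, as the page instructs.
        text = text.replace(ch, '"')
    # A phrase surrounded by straight quotes requests an exact match.
    quoted = len(text) >= 2 and text.startswith('"') and text.endswith('"')
    if quoted:
        text = text[1:-1]
    return text, exact_checkbox or quoted, had_smart_quotes


def matches(name, phrase, exact):
    """Case-insensitive exact or contains comparison against a name/summary."""
    name, phrase = name.casefold(), phrase.casefold()
    return name == phrase if exact else phrase in name


def search(names, raw, exact_checkbox=False):
    """Filter names the way Tables 1 and 2 describe."""
    phrase, exact, _ = parse_query(raw, exact_checkbox)
    return [n for n in names if matches(n, phrase, exact)]


# Constructed sample data: the four names used in Tables 1 and 2.
GROUPS = [
    "VOLT TYPHOON",
    "Volt Typhoon Ramps Up Malicious Activity Against Critical Infrastructure",
    "Volt",
    "Typhoon Volt",
]

if __name__ == "__main__":
    for query in ("volt typhoon", '"volt typhoon"', "\u201cvolt typhoon\u201d"):
        phrase, exact, fixed = parse_query(query)
        print(f"{query!r}: exact={exact} smart_quotes_replaced={fixed}")
        for hit in search(GROUPS, query):
            print("   ", hit)
```

The third query shows a phrase pasted with smart quotes: the model reports that it replaced them before treating the phrase as an exact match.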

Filtering Groups

The Search: Groups screen provides the following options for filtering Groups when running basic searches:

  • The Group type dropdown next to the Exact Match checkbox lets you filter Groups by one or more Group types. Groups are filtered automatically as you select options from the dropdown.
  • The owner dropdown next to the Filters menu lets you filter Groups by one or more owners. Groups are filtered automatically as you select options in the dropdown.
  • The Filters menu lets you filter Groups by Group metadata. After selecting and configuring filters, click Apply. Groups may be filtered by the following metadata:
    • Tags
    • Security Labels
    • Date Added
    • Last Modified
    • Attributes (+ Add Filter option at the lower left of the Filters menu)
    • Document Type (when viewing only Document Groups)
    • Email Score (when viewing only Email Groups)
    • Event Status (when viewing only Event Groups or only Incident Groups)
    • Incident Status (when viewing only Incident Groups)
    • Event Date (when viewing only Event Groups)
    • Report Type (when viewing only Report Groups)
    • Publish Date (when viewing only Report Groups)
    • Format Type (when viewing only Signature Groups)
    • Only show My Tasks (when viewing only Task Groups)
    • Task Status (when viewing only Task Groups)
    • Task Due Date (when viewing only Task Groups)
Note
The Only show My Tasks, Task Status, and Task Due Date filters apply to the legacy Task Group, not Workflow Tasks.

Running Advanced Searches

An advanced search lets you search and filter Groups using a query written in ThreatConnect Query Language (TQL). Advanced searches enable you to perform highly targeted searches of Groups using criteria that cannot be defined when running basic searches.

Follow these steps to run an advanced search of Groups on the Search: Groups screen:

  1. From the Search & Create dropdown on the top navigation bar, select Groups.
  2. Turn on the Advanced Search toggle above the search bar.
  3. Enter a TQL query into the search bar. If you configured a basic search query before turning on the Advanced Search toggle, the query will be converted into a TQL query and populated in the search bar automatically.
    Note
    If you configured Attribute filters in a basic search query, the converted advanced search query will use the Attribute Type’s name in the attribute parameter by default (e.g., attributeAdversary_Type). However, if the Attribute Type’s name contains characters other than letters, numbers, and spaces, the advanced search query will use the Attribute Type’s ID number instead of its name in the attribute parameter (e.g., attribute123). For more information on the attribute parameter, see the “Query for Attributes” section in Constructing Query Expressions.
    Hint
    You can use the TQL Generator to translate plain-English prompts into TQL queries.
  4. Click Search to the right of the search bar, or press Enter on your keyboard, to run your search.
    Note
    If a TQL query is invalid, you can hover over the validator on the left side of the search bar to view the corresponding error message.
    Note
    If you run an advanced search using a query that matches a saved query, the saved query will be selected in the Select Saved Query… dropdown automatically.

Running Searches Using Saved Queries

When using the basic or advanced search features on the Search: Groups screen, you can run a search using a saved query. Follow these steps to use a saved query to search Groups on the Search: Groups screen:

  1. From the Search & Create dropdown on the top navigation bar, select Groups.
  2. From the Select Saved Query… dropdown in the upper right, select a saved query to run.

After you select a saved query, the Advanced Search toggle turns on and a search using the selected query runs automatically.

Hint
To save basic or advanced search queries, click Save Query in the upper right of the Search: Groups screen. For more information, see Saved Search Queries.

Sorting Groups

You can sort Groups by any of the table columns except for the Tags column. By default, Groups are sorted by the Last Modified column in descending order.

Exporting Groups

The Search: Groups screen lets you export select data fields for a set of Groups to a comma-separated values (CSV) file. This is useful when you want to share information from ThreatConnect as part of a proactive cybersecurity defense strategy.

Follow these steps to export data for a set of Groups on the Search: Groups screen:

Important
All Groups in the results set will be exported, not just the Groups displayed on the current page of the results table.
  1. From the Search & Create dropdown on the top navigation bar, select Groups.
  2. (Optional) Run a basic or advanced search.
  3. From the Options ⋯ menu in the upper-right corner, select Export….
  4. On the Export Group Data window, select the data types to include in the CSV file, and then click Export.

After the export completes, a file named ThreatConnectExport.csv will download to your computer.

Note
Export processing times vary depending on the number of Groups and the amount of Group data being exported.

Deleting Groups in Bulk

Follow these steps to delete a set of Groups in bulk on the Search: Groups screen:

  1. From the Search & Create dropdown on the top navigation bar, select Groups.
  2. (Optional) Run a basic or advanced search.
  3. From the Options ⋯ menu in the upper-right corner, select Delete Returned Items….
  4. On the Delete Returned Items window, click Delete to delete all Groups in the results table. If you are deleting more than 50 Groups, you must enter “delete” (without quotation marks) into the Confirm Deletion field before you can click Delete.
    Warning
    All Groups in the results set will be deleted, not just the Groups displayed on the current page of the results table.

Group Options

A Group’s menu provides the following options for managing and analyzing the Group:

  • Create Custom Report: Create a report for the Group from scratch or from a Group report template. This option is available only if your user account has permission to create reports.
  • Follow or Unfollow: Follow or unfollow the Group.
  • Pivot: Pivot from the Group to view its Indicator associations on the Search: Indicators screen.
  • View Details: Open the Group’s Details drawer.
    Hint
    You can also open the Group’s Details drawer by clicking on its table row.
  • Visual Analysis: Select from the following options:
  • Delete: Delete the Group from its owner. This option is available only if your user account has permission to delete Groups in the Group’s owner.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20075-08 v.01.A

