Searching Indicators

Overview

The Search screen in ThreatConnect® provides a single location to search and browse your data. You can search all object types in your ThreatConnect dataset using keywords or phrases, or you can browse threat intelligence data by object type and filter those data to a usable and relevant subset based on details like name/summary, object subtype, owner, and metadata such as Tags, Security Labels, and Attributes.

On the Search: Indicators screen, you can search and filter all Indicators in your ThreatConnect owners using basic search queries or using advanced search queries written in ThreatConnect Query Language (TQL). You can also create Indicators; import Indicators with the Doc Analysis, structured Indicator, and unstructured Indicator import features; export Indicator data to a CSV file; delete Indicators individually or in bulk; and further investigate Indicators that are of interest to you.

Before You Start

User Roles

• To view, search, and export Indicators in an Organization, your user account can have any Organization role.
• To view, search, and export Indicators in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
• To delete Indicators in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
• To delete Indicators in a Community or Source, your user account must have a Community role of Editor or Director for that Community or Source.

Viewing All Indicators

When you first open the Search: Indicators screen, it displays a table listing all Indicators in your ThreatConnect owners. You can access the Search: Indicators screen by selecting Indicators from the Search & Create dropdown on the top navigation bar or by selecting the Indicators filter in the left sidebar of the Search screen.

To view more details about an Indicator, do one of the following:

• Click the Indicator’s table row, or click the Indicator’s ⋯ menu and select View Details, to open the Indicator’s Details drawer.
• Click the Indicator’s name/summary to open the Indicator’s Details screen.

Hint

You can adjust the columns displayed in the table on the Search: Indicators screen by clicking Select columnsin the upper right, selecting the columns to display, and clicking Apply.

Searching and Filtering Indicators

On the Search: Indicators screen, you can search and filter Indicators in your ThreatConnect owners by running the following types of searches:

• Basic search
• Advanced search
• Search using a saved query

To remove all filters and search criteria applied on the Search: Indicators screen, click Clear all filters & searchin the upper right.

Running Basic Searches

A basic search lets you search Indicators using the search bar and various filter options on the Search: Indicators screen. Follow these steps to run a basic search of Indicators on the Search: Indicators screen:

1. From the Search & Create dropdown on the top navigation bar, select Indicators.
2. Configure a basic search query by doing the following:
   • Enter text into the search bar to search Indicators by name/summary. To run a contains search, leave the Exact Match checkbox cleared. To run an exact match search, select the Exact Match checkbox.
   • Use the Indicator type dropdown, owner dropdown, and Filtersmenu to filter Indicators by type, owner, and Indicator metadata, respectively.

As you configure a basic search query, the results table updates automatically based on the current search criteria.

Searching by Name/Summary

When searching Indicators by name/summary on the Search: Indicators screen, you can run two types of searches: contains and exact match.

Contains Search

A contains search lets you filter Indicators based on whether their name/summary contains the text entered into the search bar on the Search: Indicators screen. Use a contains search when you want to filter your dataset to find Indicators that relate to a common keyword or phrase. Table 1 describes the search result behavior of a contains search for badguy.com.

To run a contains search on the Search: Indicators screen, enter text into the search bar and leave the Exact Match checkbox cleared.

Exact Match Search

An exact match search lets you filter Indicators based on whether their name/summary is an exact match to the text entered into the search bar on the Search: Indicators screen. Use an exact match search when you want to search a large dataset for a specific object, as this type of search yields a more targeted set of search results. Table 2 describes the search result behavior of an exact match search for badguy.com.

To run an exact match search on the Search: Indicators screen, enter text into the search bar and select the Exact Match checkbox to the right of the search bar or surround the phrase in straight quotes.

Filtering Indicators

The Search: Indicators screen provides the following options for filtering Indicators when running basic searches:

• The Indicator type dropdown next to the Exact Match checkbox lets you filter Indicators by one or more Indicator types. Indicators are filtered automatically as you select options from the dropdown.
• The owner dropdown next to the Filtersmenu lets you filter Indicators by one or more owners. Indicators are filtered automatically as you select options in the dropdown.
• The Filtersmenu lets you filter Indicators by Indicator metadata. After selecting and configuring filters, click Apply. Indicators may be filtered by the following metadata:
  • Tags
  • Status
  • Security Labels
  • Threat Rating
  • Confidence Rating
  • ThreatAssess
  • Observed Since
  • Observations
  • False Positives
  • Date Added
  • Last Modified
  • Attributes (+ Add Filter option at the lower left of the Filtersmenu)
  • CIDR (when viewing only Address Indicators)
  • Country Code (when viewing only Address Indicators)
  • Organization (when viewing only Address Indicators)
  • ASN (when viewing only Address Indicators)
  • DNS Status (when viewing only Host Indicators)
  • Whois Status (when viewing only Host Indicators)

Running Advanced Searches

An advanced search lets you search and filter Indicators using a query written in ThreatConnect Query Language (TQL). Advanced searches enable you to perform highly targeted searches of Indicators using criteria that cannot be defined when running basic searches.

Follow these steps to run an advanced search of Indicators on the Search: Indicators screen:

1. From the Search & Create dropdown on the top navigation bar, select Indicators.
2. Turn on the Advanced Search toggle above the search bar.
3. Enter a TQL query into the search bar. If you configured a basic search query before turning on the Advanced Search toggle, the query will be converted into a TQL query and populated in the search bar automatically.
   Note

   If you configured Attribute filters in a basic search query, the converted advanced search query will use the Attribute Type’s name in the attribute parameter by default (e.g., attributeTarget_Country). However, if the Attribute Type’s name contains characters other than letters, numbers, and spaces, the advanced search query will use the Attribute Type’s ID number instead of its name in the attribute parameter (e.g., attribute123). For more information on the attribute parameter, see the “Query for Attributes” section in Constructing Query Expressions.
   Hint

   You can use the TQL Generator to translate plain-English prompts into TQL queries.
4. Click Searchto the right of the search bar, or press Enter on your keyboard, to run your search.
   Note

   If a TQL query is invalid, you can hover over the validator on the left side of the search bar to view the corresponding error message.
   Note

   If you run an advanced search using a query that matches a saved query, the saved query will be selected in the Select Saved Query… dropdown automatically.

Running Searches Using Saved Queries

When using the basic or advanced search features on the Search: Indicators screen, you can run a search using a saved query. Follow these steps to use a saved query to search Indicators on the Search: Indicators screen:

1. From the Search & Create dropdown on the top navigation bar, select Indicators.
2. From the Select Saved Query… dropdown in the upper right, select a saved query to run.

After you select a saved query, the Advanced Search toggle turns on and a search using the selected query runs automatically.

Sorting Indicators

You can sort Indicators by any of the table columns except for the Tags column. By default, Indicators are sorted by the Last Modified column in descending order.

Exporting Indicators

The Search: Indicators screen lets you export select data fields for a set of Indicators to a comma-separated values (CSV) file. This is useful when you want to share information from ThreatConnect as part of a proactive cybersecurity defense strategy.

Follow these steps to export data for a set of Indicators on the Search: Indicators screen:

1. From the Search & Create dropdown on the top navigation bar, select Indicators.
2. (Optional) Run a basic or advanced search.
3. From the Options ⋯ menu in the upper-right corner, select Export….
4. On the Export Indicator Data window, select the data types to include in the CSV file, and then click Export.

After the export completes, a file named ThreatConnectExport.csv will download to your computer.

Deleting Indicators in Bulk

Follow these steps to delete a set of Indicators in bulk on the Search: Indicators screen:

1. From the Search & Create dropdown on the top navigation bar, select Indicators.
2. (Optional) Run a basic or advanced search.
3. From the Options ⋯ menu in the upper-right corner, select Delete Returned Items….
4. On the Delete Returned Items window, click Delete to delete all Indicators in the results table. If you are deleting more than 50 Indicators, you must enter “delete” (without quotation marks) into the Confirm Deletion field before you can click Delete.
   Warning

   All Indicators in the results set will be deleted, not just the Indicators displayed on the current page of the results table.

Indicator Options

An Indicator’s ⋯ menu provides the following options for managing and analyzing the Indicator:

• Add to Exclusion List: Add the Indicator to your Organization-level Exclusion List. This option is available only if your user account has an Organization role of Organization Administrator and if the excludeFromDetailsEnabledsystem setting is turned on for your ThreatConnect instance.
  Important

  You cannot remove an Indicator from your Organization’s Exclusion List from the Search: Indicators screen.
• Change Status to Inactive or Change Status to Active: Change the Indicator Status. This option is available only if your user account has permission to modify Indicator Status in the Indicator's owner.
• Enable CAL Status Lock or Disable CAL Status Lock: Enable or disable CAL™ Status Lock for the Indicator. This option is available only if your user account has permission to modify Indicator Status in the Indicator's owner.
• Threat Graph: Open Threat Graph to visualize, explore, and analyze the Indicator’s associations.
• Follow or Unfollow: Follow or unfollow the Indicator.
• Pivot: Pivot from the Indicator to view its Group associations on the Search: Groups screen.
• View Details: Open the Indicator’s Details drawer.
  Hint

  You can also open the Indicator’s Details drawer by clicking on its table row.
• Delete: Delete the Indicator from its owner. This option is available only if your user account has permission to delete Indicators in the Indicator’s owner.

ThreatConnect^® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20075-09 v.01.A