--- title: "Searching Indicators | ThreatConnect" slug: "searching-indicators" description: "This article describes how to use the Search: Indicators screen to view, search, export, delete, and analyze Indicators in your ThreatConnect owners." updated: 2026-01-10T19:46:12Z published: 2026-01-10T19:46:12Z --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # Searching Indicators ## Overview The [**Search** screen](https://knowledge.threatconnect.com/docs/searching-in-threatconnect) in ThreatConnect® provides a single location to search and browse your data. You can [search all object types](https://knowledge.threatconnect.com/docs/searching-all-object-types) in your ThreatConnect dataset using keywords or phrases, or you can browse threat intelligence data by object type and filter those data to a usable and relevant subset based on details like name/summary, object subtype, owner, and metadata such as Tags, Security Labels, and Attributes. On the **Search: Indicators**screen, you can search and filter all [Indicators](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#indicators) in your [ThreatConnect owners](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect) using basic search queries or using advanced search queries written in [ThreatConnect Query Language (TQL)](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql). You can also [create Indicators](https://knowledge.threatconnect.com/docs/creating-indicators); import Indicators with the [Document Parsing](https://knowledge.threatconnect.com/docs/document-parsing-import), [structured Indicator](https://knowledge.threatconnect.com/docs/structured-indicator-import), and [unstructured Indicator](https://knowledge.threatconnect.com/docs/unstructured-indicator-import) import features; export Indicator data to a CSV file; delete Indicators individually or in bulk; and further investigate Indicators that are of interest to you. ## Before You Start ### User Roles - To view, search, and export Indicators in an Organization, your user account can have any [Organization role](https://knowledge.threatconnect.com/docs/organization-roles). - To view, search, and export Indicators in a Community or Source, your user account must have a [Community role](https://knowledge.threatconnect.com/docs/community-roles) of User, Commenter, Contributor, Editor, or Director for that Community or Source. - To delete Indicators in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer. - To delete Indicators in a Community or Source, your user account must have a Community role of Editor or Director for that Community or Source. ## Viewing All Indicators When you first open the **Search: Indicators**screen, it displays a table listing all Indicators in your ThreatConnect owners. You can access the **Search: Indicators**screen by selecting **Indicators**from the **Search & Create**dropdown on the top navigation bar or by selecting the **Indicators**filter in the left sidebar of the **Search**screen. To view more details about an Indicator, do one of the following: - Click the Indicator’s table row, or click the Indicator’s [**Options ⋯**menu](/docs/searching-indicators#indicator-options) and select **View Details**, to open the Indicator’s [**Details**drawer](https://knowledge.threatconnect.com/docs/the-details-drawer). - Click the Indicator’s name/summary to open the Indicator’s [**Details**screen](https://knowledge.threatconnect.com/docs/the-details-screen). HintYou can adjust the columns displayed in the table on the **Search: Indicators**screen by clicking **Select columns![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Select%20columns%20button.png)**in the upper right, selecting the columns to display, and clicking **Apply**. ## Searching and Filtering Indicators On the **Search: Indicators**screen, you can search and filter Indicators in your ThreatConnect owners by running the following types of searches: - [Basic search](/docs/searching-indicators#running-basic-searches) - [Advanced search](/docs/searching-indicators#running-advanced-searches) - [Search using a saved query](/docs/searching-indicators#running-searches-using-saved-queries) To remove all filters and search criteria applied on the **Search: Indicators**screen, click **Clear all filters & search![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Clear%20all%20filters%20&%20search%20button.png)**in the upper right. ### Running Basic Searches A basic search lets you search Indicators using the search bar and various filter options on the **Search: Indicators**screen. Follow these steps to run a basic search of Indicators on the **Search: Indicators**screen: 1. From the **Search & Create**dropdown on the top navigation bar, select **Indicators**. 2. Configure a basic search query by doing the following: - Enter text into the search bar to [search Indicators by name/summary](/docs/searching-indicators#searching-by-namesummary). To run a [contains search](/docs/searching-indicators#contains-search), leave the **Exact Match**checkbox cleared. To run an [exact match search](/docs/searching-indicators#exact-match-search), select the **Exact Match**checkbox. - Use the Indicator type dropdown, owner dropdown, and **Filters![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Filters%20button_Details%20screen.png)**menu to [filter Indicators](/docs/searching-indicators#filtering-indicators) by type, owner, and Indicator metadata, respectively. As you configure a basic search query, the results table updates automatically based on the current search criteria. #### Searching by Name/Summary When searching Indicators by name/summary on the **Search: Indicators**screen, you can run two types of searches: [contains](/docs/searching-indicators#contains-search) and [exact match](/docs/searching-indicators#exact-match-search). NoteName/summary searches are case insensitive. ##### Contains Search A contains search lets you filter Indicators based on whether their name/summary contains the text entered into the search bar on the **Search: Indicators**screen. Use a contains search when you want to filter your dataset to find Indicators that relate to a common keyword or phrase. Table 1 describes the search result behavior of a contains search for **badguy.com**. | Indicator Name/Summary | Returned as Result? | | --- | --- | | badguy.com | Yes, because the name/summary contains the entire term **badguy.com**. | | spammer@badguy.com | Yes, because the name/summary contains the entire term **badguy.com**. | | http://www.badguy.com | Yes, because the name/summary contains the entire term **badguy.com**. | | badguys.com | No. Although the name/summary contains **badguy**and **.com**, it does not contain the entire term **badguy.com**. | To run a contains search on the **Search: Indicators**screen, enter text into the search bar and leave the **Exact Match**checkbox cleared. ##### Exact Match Search An exact match search lets you filter Indicators based on whether their name/summary is an exact match to the text entered into the search bar on the **Search: Indicators**screen. Use an exact match search when you want to search a large dataset for a specific object, as this type of search yields a more targeted set of search results. Table 2 describes the search result behavior of an exact match search for **badguy.com**. | Indicator Name/Summary | Returned as Result? | | --- | --- | | badguy.com | Yes, because the name/summary is an exact match to **badguy.com**. | | spammer@badguy.com | No, because the name/summary is not an exact match to **badguy.com**. | | http://www.badguy.com | No, because the name/summary is not an exact match to **badguy.com**. | | badguys.com | No, because the name/summary is not an exact match to **badguy.com**. | To run an exact match search on the **Search: Indicators**screen, enter text into the search bar and select the **Exact Match**checkbox to the right of the search bar or surround the phrase in straight quotes. ImportantThe search engine does not recognize smart quotes (`“”`). If you copied a search phrase from an application and pasted it into the search bar, replace all smart quotes with straight quotes (`"`) before running your search. #### Filtering Indicators The **Search: Indicators**screen provides the following options for filtering Indicators when running basic searches: - The Indicator type dropdown next to the **Exact Match**checkbox lets you filter Indicators by one or more Indicator types. Indicators are filtered automatically as you select options from the dropdown. - The owner dropdown next to the **Filters![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Filters%20button_Details%20screen.png)**menu lets you filter Indicators by one or more owners. Indicators are filtered automatically as you select options in the dropdown. - The **Filters**![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Filters%20button_Details%20screen.png)menu lets you filter Indicators by Indicator metadata. After selecting and configuring filters, click **Apply**. Indicators may be filtered by the following metadata: - Tags - Status - Security Labels - Threat Rating - Confidence Rating - ThreatAssess - Observed Since - Observations - False Positives - Date Added - Last Modified - Attributes (**+ Add Filter** option at the lower left of the **Filters**![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Filters%20button_Details%20screen.png)menu) - CIDR (when viewing only Address Indicators) - Country Code (when viewing only Address Indicators) - Organization (when viewing only Address Indicators) - ASN (when viewing only Address Indicators) - DNS Status (when viewing only Host Indicators) - Whois Status (when viewing only Host Indicators) ### Running Advanced Searches An advanced search lets you search and filter Indicators using a query written in [ThreatConnect Query Language (TQL)](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql). Advanced searches enable you to perform highly targeted searches of Indicators using criteria that cannot be defined when running basic searches. Follow these steps to run an advanced search of Indicators on the **Search: Indicators**screen: 1. From the **Search & Create**dropdown on the top navigation bar, select **Indicators**. 2. Turn on the **Advanced Search**toggle above the search bar. 3. Enter a [TQL query](https://knowledge.threatconnect.com/docs/constructing-query-expressions) into the search bar. If you configured a basic search query before turning on the **Advanced Search**toggle, the query will be converted into a TQL query and populated in the search bar automatically.NoteIf you configured Attribute filters in a basic search query, the converted advanced search query will use the Attribute Type’s name in the `attribute` parameter by default (e.g., `attributeTarget_Country`). However, if the Attribute Type’s name contains characters other than letters, numbers, and spaces, the advanced search query will use the Attribute Type’s ID number instead of its name in the `attribute` parameter (e.g., `attribute123`). For more information on the `attribute` parameter, see the [“Query for Attributes” section in *Constructing Query Expressions*](https://knowledge.threatconnect.com/docs/constructing-query-expressions#query-for-attributes).HintYou can use the [TQL Generator](https://knowledge.threatconnect.com/docs/tql-generator) to translate plain-English prompts into TQL queries. 4. Click **Search![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Search%20drawer%20icon.png)**to the right of the search bar, or press **Enter**on your keyboard, to run your search.NoteIf a TQL query is invalid, you can hover over the validator on the left side of the search bar to view the corresponding error message.NoteIf you run an advanced search using a query that matches a [saved query](https://knowledge.threatconnect.com/docs/saved-search-queries), the saved query will be selected in the **Select Saved Query…**dropdown automatically. ### Running Searches Using Saved Queries When using the basic or advanced search features on the **Search: Indicators**screen, you can run a search using a saved query. Follow these steps to use a saved query to search Indicators on the **Search: Indicators**screen: 1. From the **Search & Create**dropdown on the top navigation bar, select **Indicators**. 2. From the **Select Saved Query…**dropdown in the upper right, select a saved query to run. After you select a saved query, the **Advanced Search**toggle turns on and a search using the selected query runs automatically. HintTo save basic or advanced search queries, click **Save Query**in the upper right of the **Search: Indicators**screen. For more information, see [*Saved Search Queries*](https://knowledge.threatconnect.com/docs/saved-search-queries). ## Sorting Indicators You can sort Indicators by any of the table columns except for the **Tags**column. By default, Indicators are sorted by the **Last Modified**column in descending order. ## Exporting Indicators The **Search: Indicators**screen lets you export select data fields for a set of Indicators to a comma-separated values (CSV) file. This is useful when you want to share information from ThreatConnect as part of a proactive cybersecurity defense strategy. Follow these steps to export data for a set of Indicators on the **Search: Indicators**screen: ImportantAll Indicators in the results set will be exported, not just the Indicators displayed on the current page of the results table. 1. From the **Search & Create**dropdown on the top navigation bar, select **Indicators**. 2. (Optional) Run a [basic](/docs/searching-indicators#running-basic-searches) or [advanced](/docs/searching-indicators#running-advanced-searches) search. 3. From the **Options** **⋯**menu in the upper-right corner, select **Export…**. 4. On the **Export Indicator Data**window, select the data types to include in the CSV file, and then click **Export**. After the export completes, a file named **ThreatConnectExport.csv** will download to your computer. NoteExport processing times vary depending on the number of Indicators and the amount of Indicator data being exported. ## Deleting Indicators in Bulk Follow these steps to delete a set of Indicators in bulk on the **Search: Indicators**screen: 1. From the **Search & Create**dropdown on the top navigation bar, select **Indicators**. 2. (Optional) Run a [basic](/docs/searching-indicators#running-basic-searches) or [advanced](/docs/searching-indicators#running-advanced-searches) search. 3. From the **Options** **⋯**menu in the upper-right corner, select **Delete Returned Objects…**. 4. On the **Delete Returned Objects**window, click **Delete** to delete all Indicators in the results table. If you are deleting more than 50 Indicators, you must enter “delete” (without quotation marks) into the **Confirm Deletion**field before you can click **Delete**.WarningAll Indicators in the results set will be deleted, not just the Indicators displayed on the current page of the results table. ## Indicator Options An Indicator’s **Options ⋯**menu provides the following options for managing and analyzing the Indicator: - **Add to Exclusion List**: Add the Indicator to your [Organization-level Exclusion List](https://knowledge.threatconnect.com/docs/creating-indicator-exclusion-lists). This option is available only if your user account has an Organization role of Organization Administrator and if the **excludeFromDetailsEnabled**system setting is turned on for your ThreatConnect instance.ImportantYou cannot [remove an Indicator from your Organization’s Exclusion List](https://knowledge.threatconnect.com/docs/creating-indicator-exclusion-lists#removing-an-indicator-from-an-exclusion-list) from the **Search: Indicators** screen. - **Change Status to Inactive** or **Change Status to Active**: Change the [Indicator Status](https://knowledge.threatconnect.com/docs/indicator-status). This option is available only if your user account has [permission to modify Indicator Status in the Indicator's owner](https://knowledge.threatconnect.com/docs/indicator-status#user-roles). - **Enable CAL Status Lock**or **Disable CAL Status Lock**: Enable or disable [CAL™ Status Lock](https://knowledge.threatconnect.com/docs/indicator-status#cal-and-indicator-status) for the Indicator. This option is available only if your user account has [permission to modify Indicator Status in the Indicator's owner](https://knowledge.threatconnect.com/docs/indicator-status#user-roles). - **Threat Graph**: Open [Threat Graph](https://knowledge.threatconnect.com/docs/threat-graph) to visualize, explore, and analyze the Indicator’s associations. - **Follow**or **Unfollow**: [Follow](https://knowledge.threatconnect.com/docs/notifications-and-following#following-items) or unfollow the Indicator. - **Pivot**: [Pivot](https://knowledge.threatconnect.com/docs/pivoting-on-data) from the Indicator to view its Group associations on the [**Search: Groups** screen](https://knowledge.threatconnect.com/docs/searching-groups). - **View Details**: Open the Indicator’s [**Details**drawer](https://knowledge.threatconnect.com/docs/the-details-drawer).HintYou can also open the Indicator’s **Details**drawer by clicking on its table row. - **Delete**: Delete the Indicator from its owner. This option is available only if your user account has permission to delete Indicators in the Indicator’s owner. --- *ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.* 20075-09 v.01.B