Searching Victim Assets

Overview

The Search screen in ThreatConnect® provides a single location to search and browse your data. You can search all object types in your ThreatConnect dataset using keywords or phrases, or you can browse threat intelligence data by object type and filter those data to a usable and relevant subset based on details like name/summary, object subtype, owner, and metadata such as Tags, Security Labels, and Attributes.

On the Search: Victim Assets screen, you can search and filter all Victim Assets in your ThreatConnect owners using basic search queries or using advanced search queries written in ThreatConnect Query Language (TQL), delete Victim Assets individually, and further investigate Victim Assets that are of interest to you.

Before You Start

User Roles

• To view and search Victim Assets in an Organization, your user account can have any Organization role.
• To view and search Victim Assets in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
• To delete Victim Assets in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
• To delete Victim Assets in a Community or Source, your user account must have a Community role of Editor or Director for that Community or Source.

Viewing All Victim Assets

When you first open the Search: Victim Assets screen, it displays a table listing all Victim Assets in your ThreatConnect owners. You can access the Search: Victim Assets screen by selecting Victim Assets from the Search & Create dropdown on the top navigation bar or by selecting the Victim Assets filter in the left sidebar of the Search screen.

To view more details about a Victim Asset, do one of the following:

• Click the Victim Asset’s table row, or click the Victim Asset’s ⋯ menu and select View Details, to open the Victim Asset’s Details drawer.
• Click the name of the Victim to which the Victim Asset belongs to open the Victim’s Details screen, and then click the Assets tab on the Victim’s Details screen.

Hint

You can adjust the columns displayed in the table on the Search: Victim Assets screen by clicking Select columnsin the upper right, selecting the columns to display, and clicking Apply.

Searching and Filtering Victim Assets

On the Search: Victim Assets screen, you can search and filter Victim Assets in your ThreatConnect owners by running the following types of searches:

• Basic search
• Advanced search
• Search using a saved query

To remove all filters and search criteria applied on the Search: Victim Assets screen, click Clear all filters & searchin the upper right.

Running Basic Searches

A basic search lets you search Victim Assets using the search bar and various filter options on the Search: Victim Assets screen. Follow these steps to run a basic search of Victim Assets on the Search: Victim Assets screen:

1. From the Search & Create dropdown on the top navigation bar, select Victim Assets.
2. Configure a basic search query by doing the following:
   • Enter text into the search bar to search Victim Assets by name/summary. To run a contains search, leave the Exact Match checkbox cleared. To run an exact match search, select the Exact Match checkbox.
   • Use the Victim Asset type dropdown and Filtersmenu to filter Victim Assets by type and Victim Asset metadata, respectively.

As you configure a basic search query, the results table updates automatically based on the current search criteria.

Searching by Name/Summary

When searching Victim Assets by name/summary on the Search: Victim Assets screen, you can run two types of searches: contains and exact match.

Contains Search

A contains search lets you filter Victim Assets based on whether their name/summary contains the text entered into the search bar on the Search: Victim Assets screen. Use a contains search when you want to filter your dataset to find Victim Assets that relate to a common keyword or phrase. Table 1 describes the search result behavior of a contains search for jane.doe.

To run a contains search on the Search: Victim Assets screen, enter text into the search bar and leave the Exact Match checkbox cleared.

Exact Match Search

An exact match search lets you filter Victim Assets based on whether their name/summary is an exact match to the text entered into the search bar on the Search: Victim Assets screen. Use an exact match search when you want to search a large dataset for a specific object, as this type of search yields a more targeted set of search results. Table 2 describes the search result behavior of an exact match search for jane.doe.

To run an exact match search on the Search: Victim Assets screen, enter text into the search bar and select the Exact Match checkbox to the right of the search bar or surround the phrase in straight quotes.

Filtering Victim Assets

The Search: Victim Assets screen provides the following options for filtering Victim Assets when running basic searches:

• The Victim Asset type dropdown next to the Exact Match checkbox lets you filter Victim Assets by one or more Victim Asset types. Victim Assets are filtered automatically as you select options from the dropdown.
• The Filtersmenu lets you filter Victim Assets by Victim Asset metadata. After selecting and configuring filters, click Apply. Victim Assets may be filtered by the following metadata:
  • Victim
  • Asset (e.g., email address type, network account type, social network type)

Running Advanced Searches

An advanced search lets you search and filter Victim Assets using a query written in ThreatConnect Query Language (TQL). Advanced searches enable you to perform highly targeted searches of Victim Assets using criteria that cannot be defined when running basic searches.

Follow these steps to run an advanced search of Victim Assets on the Search: Victim Assets screen:

1. From the Search & Create dropdown on the top navigation bar, select Victim Assets.
2. Turn on the Advanced Search toggle above the search bar.
3. Enter a TQL query into the search bar. If you configured a basic search query before turning on the Advanced Search toggle, the query will be converted into a TQL query and populated in the search bar automatically.
   Hint

   You can use the TQL Generator to translate plain-English prompts into TQL queries.
4. Click Searchto the right of the search bar, or press Enter on your keyboard, to run your search.
   Note

   If a TQL query is invalid, you can hover over the validator on the left side of the search bar to view the corresponding error message.
   Note

   If you run an advanced search using a query that matches a saved query, the saved query will be selected in the Select Saved Query… dropdown automatically.

Running Searches Using Saved Queries

When using the basic or advanced search features on the Search: Victim Assets screen, you can run a search using a saved query. Follow these steps to use a saved query to search Victim Assets on the Search: Victim Assets screen:

1. From the Search & Create dropdown on the top navigation bar, select Victim Assets.
2. From the Select Saved Query… dropdown in the upper right, select a saved query to run.

After you select a saved query, the Advanced Search toggle turns on and a search using the selected query runs automatically.

Sorting Victim Assets

You can sort Victim Assets by any of the table columns. By default, Victim Assets are sorted by the Name/Summary column in alphabetical order.

Victim Asset Options

A Victim Asset’s ⋯ menu provides the following options for managing and analyzing the Victim Asset:

• View Details: Open the Victim Asset’s Details drawer.
  Hint

  You can also open the Victim Asset’s Details drawer by clicking on its table row.
• Delete: Delete the Victim Asset from its owner. This option is available only if your user account has permission to delete Victim Assets in the Victim Asset’s owner.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.

20075-12 v.01.A