Searching Your Data (Beta)
  • 12 Jun 2024
  • 4 Minutes to read
  • Dark
    Light

Searching Your Data (Beta)

  • Dark
    Light

Article summary

Important
This article describes how to use the search feature introduced in ThreatConnect 7.6, which is currently a beta feature. For instructions on using the legacy search feature, see Searching in ThreatConnect (Legacy).

Overview

The ThreatConnect® search engine lets you search your entire dataset to quickly find data relevant to the item you are investigating. When you run a search from the Search screen, the search engine looks for Indicators, Groups, Tags, Victims, and Workflow Cases that match your search query. Search queries may include a single search term, multiple search terms, or an exact phrase.

Before You Start

User Roles

  • To search for Indicators, Groups, Tags, and Victims in an Organization, your user account can have any Organization role.
  • To search for Indicators, Groups, Tags, and Victims in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
  • To search for Cases in an Organization, your user account can have any Organization role except App Developer.

Prerequisites

  • To search your ThreatConnect data and view search results on the Search screen, turn on and configure OpenSearch® and initialize the search index for your ThreatConnect instance via the System Settings screen (must be a System Administrator to perform this action).

Follow these steps to search your ThreatConnect data from the Search screen:

  1. Click SearchSearch drawer iconon the top navigation bar. Then click Try Search Beta at the top right of the Search drawer to open the Search screen (Figure 1).
    Figure 1_Searching Your Data_7.6.0

     

  2. Enter your search query into the search bar or select a recent or suggested search query.
  3. (Optional) To search for an exact phrase, select Exact Match to the right of the search bar or surround the term in straight quotes (").
    Important
    Do not select Exact Match and surround the term in straight quotes ("). Use only one of these options to search for an exact phrase.
  4. (Optional) To limit the types of objects the search engine will look for, select the desired object types from the dropdown to the right of the Exact Match checkbox. Otherwise, the search will look for results of any supported object type.
  5. Press Enter on your keyboard or click Search to search for data that match the query.

After the search runs, the Search screen will display the search results. When looking for matches to a search query, the search engine searches an object’s summary and metadata, including Artifacts, Attributes, file and signature contents, Notes, Tags, Tasks, and Victim Assets, to form a relevance-ordered result set based on how closely each result matches the query.

Constructing a Search Query

When searching your ThreatConnect data from the Search screen, you can construct the following types of search queries:

  • Single term: The search engine will look for objects whose summary or metadata contain the specified search term.
  • Multiple terms: The search engine will look for objects whose summary or metadata contain some or all of the search terms. To search for multiple terms, separate each term with a space or line break.
  • Exact phrase: The search engine will look for objects whose summary or metadata contain the exact phrase in the specified order. To search for an exact phrase, select Exact Match to the right of the search bar or surround the term in straight quotes (").
    Important
    Do not select Exact Match and surround the term in straight quotes ("). Use only one of these options to search for an exact phrase.

Table 1 provides example search queries and describes the results that each query will return.

 

Search QueryResults
140.82.29.65Returns objects whose summary or metadata contain 140.82.29.65.
bad[.]comReturns objects whose summary or metadata contain bad.com. (See the “Searching for Defanged Indicators” section for more information on how the search engine fangs defanged Indicators.)
royal ransomware groupReturns objects whose summary or metadata contain royal, ransomware, group, or any combination of these terms.
scattered spiderReturns objects whose summary or metadata contain scattered, spider, or both terms.
"scattered spider"Returns objects whose summary or metadata contain the exact phrase scattered spider.
ransomware 140.82.29.65 "scattered spider"Returns objects whose summary or metadata contain the term ransomware, the term 140.82.29.65, or the exact phrase scattered spider.
ransomware
140.82.29.65
"scattered spider"
Returns objects whose summary or metadata contain the term ransomware, the term 140.82.29.65, or the exact phrase scattered spider.

Using a Recent or Suggested Search Query

When you click into the search bar on the Search screen, a list of your recent search queries will be shown. In addition, after you type at least three characters into the search bar, a list of suggested search queries based on the entered text will be shown.

To populate a recent or suggested search query into the search bar, select the query from the list. Alternatively, click Searchto the right of a recent or suggested query in the list to run a search using the query automatically.

Important
If you use a recent search query that includes an exact phrase (i.e., a search term surrounded by straight quotes ["] in your recent search history), ensure that the Exact Match checkbox is cleared before running your search. Otherwise, the exact phrase will be surrounded by an extra set of straight quotes.
Note
To clear your recent search history, click Clear Recent Searches below the list of recent searches.

Searching for Defanged Indicators

The ThreatConnect search engine refangs defanged Indicators automatically. The term “defang” refers to the process of altering an Indicator so that a user cannot click on it by accident and navigate to a malicious website. The term “refang” refers to the process of taking a defanged Indicator (e.g., bad[.]com) and returning it to its original state (bad.com). For example, if you run a search for bad[.]com, the search engine will return results for bad.com.

Table 2 lists all of the defanged character sequences recognized by the ThreatConnect search engine and their corresponding refanged character.

 

Defanged Character SequenceRefanged Character
[.].
[:]:
[@]@

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
OpenSearch® is a registered trademark of Amazon Web Services.

20075-05 v.01.A


Was this article helpful?