Searching Your Data (Legacy)
  • 12 Jun 2024
  • 3 Minutes to read
  • Dark

Searching Your Data (Legacy)

  • Dark

Article summary

This article describes how to use the legacy search feature in ThreatConnect. For instructions on using the search feature introduced in ThreatConnect 7.6, see Searching in ThreatConnect (Beta).


The ThreatConnect® search engine lets you search your entire dataset to quickly find data that are relevant to the item you are investigating. When you run a search from the Search drawer, the legacy search engine looks for Indicators, Groups, Tags, Victims, Workflow Cases, and Artifacts that match your search query. Search queries may include a single search term, multiple search terms, an exact phrase, or the contents of an uploaded file.

Before You Start

User Roles

  • To search for Indicators, Groups, Tags, and Victims in an Organization, your user account can have any Organization role.
  • To search for Indicators, Groups, Tags, and Victims in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
  • To search for Cases and Artifacts in an Organization, your user account can have any Organization role except App Developer.


  • To search for potential matches in ThreatConnect when using the Search drawer, turn on and configure OpenSearch® and initialize the search index for your ThreatConnect instance via the System Settings screen (must be a System Administrator to perform this action).

Follow these steps to search your ThreatConnect data from the Search drawer:

  1. Click SearchSearch drawer iconon the top navigation bar to open the Search drawer (Figure 1).
    Figure 1_Searching in ThreatConnect_Legacy_7.6.0


    To use the search feature introduced in ThreatConnect 7.6, click Try Search Beta at the top right of the Search drawer.
  2. Run a search using any of the following methods:
    • Enter a search query into the search bar, and then press Enter on your keyboard or click SearchSearch icon in Search drawerto the right of the search bar. Search queries can include one or more terms, such as a keyword (e.g., spearphishing); the name of an Indicator, Group, Tag, Victim, Case, or Artifact; or the ID number of a Case. You can also search for an exact phrase by surrounding the phrase in straight quotes (e.g., "royal ransomware group").
      The search engine does not recognize smart quotes (“”). If you copied a search phrase from a word processing program and pasted it into the search bar, replace all smart quotes with straight quotes (") before running your search.
    • Drag and drop a file into the Drag and drop, or click. box, or click the box to browse for and select a file. After you upload a file, its contents will populate into the search bar, and a search based on the file contents will run automatically.
      The Drag and drop, or click. box displays the maximum file size that you can upload to ThreatConnect, as configured by your System Administrator. The default size is 500 kilobytes (KB).
    • Select a previously used search query from the Search History section. After you select a query, a search that uses the query will run automatically.
      To clear your search history, click clear history at the top right of the Search History section.

After a search runs, the Search drawer will display the search results. When looking for matches to a search query, the legacy search engine employs the following search methodologies:

  • “Exact”-matching algorithms that search for Indicators, Groups, Tags, Victims, Cases, and Artifacts based on a “direct hit” to a known item summary or, for Indicators only, a pattern for a ThreatConnect Indicator type
  • “Potential”-matching algorithms that search for intelligence data by leveraging the OpenSearch engine. When looking for potential matches, the search engine searches all data, including object summaries and descriptions, Attributes and Case Attributes, Notes, Tasks, and the contents of document uploads, to form a relevance-ordered result set based on a scoring system that filters out common words and phrases while prioritizing applicable matches.

Searching for Defanged Indicators

The ThreatConnect search engine refangs defanged Indicators automatically. The term “defang” refers to the process of altering an Indicator so that a user cannot click on it by accident and navigate to a malicious website. The term “refang” refers to the process of taking a defanged Indicator (e.g., bad[.]com) and returning it to its original state ( For example, if you run a search for bad[.]com, the search engine will return results for

Table 1 lists all of the defanged character sequences recognized by the legacy search engine and their corresponding refanged character.


Defanged Character SequenceRefanged Character
In the last three rows of Table 1, . can be any character (e.g., x or X). For example, hxxp:// would be refanged as http://.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
OpenSearch® is a registered trademark of Amazon Web Services.

20075-02 v.07.A

Was this article helpful?