The Browse Screen

15 Jan 2025
12 Minutes to read

Print
Dark

Light

The Browse Screen

Updated on 15 Jan 2025
12 Minutes to read

Print
Dark

Light

Article summary

Did you find this summary helpful?

Thank you for your feedback!

Overview

The Browse screen provides a central point where you can view and manage threat intelligence data in ThreatConnect^®. On this screen, you can perform the following actions:

View Intelligence Requirements, Indicators, Groups, Tags, Victims, and Victim Assets in your owners (i.e., your Organization and your Communities and Sources)
Search and filter threat intelligence data and save search queries for later viewing or use in Query cards in custom dashboards
Export and delete threat intelligence data

If your instance is opted in to the beta use of the TQL Generator, then you can also generate ThreatConnect Query Language (TQL) queries from plain-English prompts on the Browse screen.

Hint

You can use ThreatConnect Intelligence Anywhere to scan the Browse screen for potential Indicators and then batch import selected Indicators from one of your owners to another.

Before You Start

User Roles

To view, search, filter, and export threat intelligence data in an Organization on the Browse screen, your user account can have any Organization role.
To view, search, filter, and export threat intelligence data in a Community or Source on the Browse screen, your user account can have any Community role except Banned for that Community or Source.
To delete threat intelligence data in an Organization on the Browse screen, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
To delete threat intelligence data in a Community or Source on the Browse screen, your user account must have a Community role of Editor or Director for that Community or Source.

Viewing the Browse Screen

Click Browse on the top navigation bar in ThreatConnect to open the Browse screen. On the Browse screen (Figure 1), you can perform the following actions:

Select the owners whose threat intelligence data you want to view
Select the type(s) of threat intelligence data you want to view
Search and filter threat intelligence data
Export threat intelligence data
Delete threat intelligence data
View details about threat intelligence data
Use the TQL Generator to generate a TQL query from a plain-English prompt (requires opt-in via your Customer Success Manager)

Figure 1_The Browse Screen_7.8.0

Selecting Threat Intelligence Data Owners

Use the My Intel Sources selector at the top left of the Browse screen to select the owners whose threat intelligence data you want to view.

Selecting Threat Intelligence Data Types

Use the menu on the left side of the Browse screen to select the type of threat intelligence data you want to view: Intelligence Requirements, Indicators, Groups, Tags, Victims, and Victim Assets. Note that you can view only one type of threat intelligence data at a time on the Browse screen.

Intelligence Requirements

Select Intelligence Requirements from the menu on the left side of the Browse screen to view Intelligence Requirements (IRs). Because IRs can exist only in your Organization, ensure the View <Organization name> toggle is turned on in the My Intel Sources selector. Otherwise, the Browse screen will display no results.

The Browse screen displays IRs in a paginated table with the following columns:

ID: The IR's ID.
Requirement: The IR's summary.
Subtype: The IR's subtype.
Category: The IR's category.
Tags: If one or more Tags are applied to the IR, this column displays a count of those Tags; otherwise, this column displays no value. Click on the number in this column to view the standard Tags and ATT&CK^® Tags applied to the IR, as well as links to each Tag's Details screen.
Added: The date when the IR was created.
Modified: The date when the IR was last modified.

Indicators

Select Indicators from the menu in the left side of the Browse screen to view Indicators of all types in the owners selected in the My Intel Sources selector. Alternatively, select individual Indicator types under Indicators to view only Indicators of those types in the owners selected in the My Intel Sources selector.

The Browse screen displays Indicators in a paginated table with the following columns:

Type: The Indicator's type.
Summary: The Indicator's summary.
Tags: If one or more Tags are applied to the Indicator, this column displays a count of those Tags; otherwise, this column displays no value. Click on the number in this column to view the standard Tags and ATT&CK Tags applied to the Indicator, as well as links to each Tag's Details screen.
Owner: The Indicator's owner.
Threat Rating: The Indicator's Threat Rating, if one has been set for the Indicator.
ThreatAssess: The Indicator's ThreatAssess score.
Obs: The number of times, if any, the Indicator was observed.
F/P: The number of times, if any, the Indicator was reported as a false positive.
Added: The date when the Indicator was created in the owner listed in the Owner column.
Modified: The date when the Indicator was last modified in the owner listed in the Owner column.

If you are viewing only Address Indicators, the table on the Browse screen will display an additional column labeled Version that indicates whether the Address Indicator represents an IPv4 or IPv6 address.

Groups

Select Groups from the menu in the left side of the Browse screen to view Groups of all types in the owners selected in the My Intel Sources selector. Alternatively, select individual Group types under Groups to view only Groups of those types in the owners selected in the My Intel Sources selector.

The Browse screen displays Groups in a paginated table with the following columns:

Type: The Group's type.
Summary: The Group's summary.
Tags: If one or more Tags are applied to the Group, this column displays a count of those Tags; otherwise, this column displays no value. Click on the number in this column to view the standard Tags and ATT&CK Tags applied to the Group, as well as links to each Tag's Details screen.
Owner: The Group's owner.
Added: This column displays the date when the Group was created.
Modified: This column displays the date when the Group was last modified.

Table 1 outlines the additional table columns the Browse screen will display when only one of the following Group types is selected: Campaign, Document, E-mail, Event, Incident, Report, or Task.

Group Type	Column Name	Description
Campaign	First Seen	The date when the Campaign was first seen.
Document	Format	The type of file uploaded to the Document.
E-mail	Score	The E-mail's Threat Score.
Event	Event Date	The date when the Event took place.
Event	Status	The Event's status.
Incident	Event Date	The date when the Incident took place.
Incident	Status	The Incident's status.
Report	Format	The type of file uploaded to the Report.
Report	Publish Date	The date when the Report was published.
Signature	Format	The format of the signature file uploaded to the Signature.
Task	Status	The Task's status.
Task	Due Date	The date when the Task is due.

Victims

Select Victims from the menu on the left side of the Browse screen to view Victims in the owners selected in the My Intel Sources selector.

The Browse screen displays Victims in a paginated table with the following columns:

Type: This column displays “Victim” for all entries.
Summary: The Victim’s summary.
Tags: If one or more Tags are applied to the Victim, this column displays a count of those Tags; otherwise, this column displays no value. Click on the number in this column to view the standard Tags and ATT&CK Tags applied to the Victim, as well as links to each Tag’s Details screen.
Owner: The Victim’s owner.
Org: The Victim’s organization.
Sub-Organization: The Victim’s sub-organization.
Nationality: The Victim’s nationality.
Location: The Victim’s work location.

Victim Assets

Select Victim Assets from the menu in the left side of the Browse screen to view Victim Assets of all types in the owners selected in the My Intel Sources selector. Alternatively, select individual Victim Asset types under Victim Assets to view only Victim Assets of those types in the owners selected in the My Intel Sources selector.

The Browse screen displays Victim Assets in a paginated table with the following columns:

Type: The Victim Asset’s type.
Summary: The Victim Asset’s summary.
Victim: The Victim to which the Victim Asset belongs.
Asset: For E-mail Address, Network Account, and Social Network Victim Assets, this column displays the type of email address, network account, or social network, respectively, to which the Victim Asset corresponds.

Searching and Filtering Threat Intelligence Data

There are four elements you can use to search and filter threat intelligence data on the Browse screen, all of which are available at top of the screen:

A search bar for running a “contains” search
An Exact matches (for Indicators, Groups, Victims, and Victim Assets) or Exact Match (for IRs and Tags) checkbox for running an “exact match” search
A FILTERS menu (for Indicators, Groups, Victims, and Victim Assets) or Filtersmenu (for IRs and Tags) for filtering data
An Advanced (for Indicators, Groups, Victims, and Victim Assets) or Advanced Search toggle (for IRs and Tags) that lets you switch to the advanced search feature

When one or more filters are applied on the Browse screen, you can click Clear All Filters (for Indicators, Groups, Victims, and Victim Assets) or Clear all filters & search(for IRs and Tags) to the right of the search bar to clear the filters.

Running a “Contains” Search

A “contains” search lets you narrow down results based on whether they contain the text entered into the search bar at the top of the Browse screen. Use a “contains” search when you want to filter IRs, Indicators, Groups, Tags, Victims, or Victim Assets by summary, IRs by ID, or ATT&CK Tags by technique ID.

If you run a “contains” search on Indicators, Groups, Victims or Victim Assets, the Browse screen will display the entered text above the results table and a Clearbutton that lets you clear the filter. If you run a “contains” search on IRs or Tags, the Browse screen will display the entered text in the search bar.

Running an “Exact Match” Search

An “exact match” search lets you narrow down results to those whose summary is an exact match to the text entered into the search bar at the top of the Browse screen. This type of search is helpful when filtering large datasets for a specific object, as an “exact match” search takes less time to complete than a “contains” search and will yield a more targeted result set.

To run an “exact match” search, enter the text to filter results by into the search bar, and then select the Exact matches (for Indicators, Groups, Victims, and Victim Assets) or Exact Match (for IRs and Tags) checkbox to the right of the search bar.

Filtering Results

Depending on the type of threat intelligence data you are viewing on the Browse screen, one of the following filter elements will be displayed at the top of the screen:

A FILTERS menu to the left of the search bar (for Indicators, Groups, Victims and Victim Assets)
A Filtersmenu to the right of the search bar (for IRs and Tags)

Use the filters menu to define one or more filters to apply to the results on the Browse screen. After you define the desired filters, click Apply to apply them to the results. Table 2 outlines the filters available for each type of threat intelligence data.

Object Type	Filter Parameters
IR	Subtype, Category, Date Added, Last Modified
Indicator	Tags, Created After, Created Before, Modified After, Modified Before, Indicator Status, Observed Since, Threat and Confidence Ratings, ThreatAssess Score, Observations, False Positives, Attributes that exist within ThreatConnect
Group	Tags, Created After, Created Before, Modified After, Modified Before, Attributes that exist within ThreatConnect
Tag	Last Used
Victim	Tags, Organization, Sub-Organization, Nationality, Work Location, Attributes that exist within ThreatConnect
Victim Asset	Victim, Asset

Important

The date entered in the Created Before or Created After options will be excluded when filtering results. For example, if you enter 2022-04-05 for the Created After option, the Browse screen will display results created on 2022-04-06 or later; results created on 2022-04-05 will be excluded from the results.

Running an Advanced Search

Click Advanced at the top right of the Browse screen (for Indicators, Groups, Victims, and Victim Assets) or turn on the Advanced Search toggle above the search bar (for IRs and Tags) to switch to the advanced search feature (Figure 2). The advanced search feature lets you build structured queries using an SQL-like query language called ThreatConnect Query Language (TQL). With this feature, you can specify criteria that cannot be defined using the basic search and filter capabilities.

Figure 2_The Browse Screen_7.8.0

To switch back to the basic search features (i.e., the search bar for running a “contains” search, the checkbox for running an “exact match” search, and the filters menu), click Basic at the top right of the Browse screen (for Indicators, Groups, Victims, and Victim Assets) or turn off the Advanced Search toggle above the search bar (for IRs and Tags).

Note

If you are viewing Indicators, Groups, Victims, or Victim Assets and create a search query using the basic search features, you can click Advanced at the top right of the Browse screen to convert the search query into a TQL query.

Saving Search Queries

You can save search queries created on the Browse screen. This is helpful when you want to view the results of the saved query at a later time, use the saved query in Query cards in custom dashboards, or add the saved query to an IR or Group to create associations to objects returned via the query.

To save a search query, click the ⋮ menu at the top right of the Browse screen and select Save Current Query….

Viewing and Managing Saved Search Queries

Click the ⋮ menu at the top right of the Browse screen and select View Queries to view and manage your saved search queries.

Exporting Threat Intelligence Data

When viewing Indicators or Groups, the Browse screen will display an EXPORT button at the bottom of the screen. Click EXPORT to export the Indicators or Groups in the results table to a comma-separated values (CSV) file with select data points.

Important

If there are no results on the Browse screen when viewing Indicators or Groups, the EXPORT button will be grayed out.

Deleting Threat Intelligence Data

Click DELETE at the bottom of the Browse screen to delete all objects in the results table. If you attempt to delete more than 50 objects, you will be prompted to type “OK” in the Delete window to confirm the deletion.

Important

If there are no results on the Browse screen, or if you are viewing IRs, the DELETE button will not be displayed.

Viewing Threat Intelligence Data Details

You can open the Details drawer or screen for a threat intelligence data object in the results table on the Browse screen and view more details about the object using the following methods:

Details drawer: Click on an object's row in the table on the Browse screen to open the object's Details drawer.
Details screen: Hover over the object's row in the table on the Browse screen and select one of the following icons in the Summary cell:
- View full details: Open the Details screen in the current browser tab.
- View details in new tab: Open the Details screen in a new browser tab.

ThreatConnect® is a registered trademark, and TC Exchange™ and CAL™ are trademarks, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20051-02 v.19.A

Was this article helpful?

What's Next

The Details Drawer

Table of contents

Overview
Before You Start
Viewing the Browse Screen
Selecting Threat Intelligence Data Owners
Selecting Threat Intelligence Data Types
Searching and Filtering Threat Intelligence Data
Exporting Threat Intelligence Data
Deleting Threat Intelligence Data
Viewing Threat Intelligence Data Details