The Browse Screen
  • 01 Aug 2023

To access the Browse screen in ThreatConnect®, click Browse on the top navigation bar. There are five primary components on the Browse screen: the My Intel Sources selector, Object filters (Indicators, Groups, Tags, Tracks, Victims, and Victim Assets), the query features, the EXPORT button, and the DELETE button (Figure 1).


My Intel Sources Selector

The My Intel Sources selector (Figure 2) at the upper-left corner of the Browse screen provides you with the ability to include your Organization and any of your Communities and intelligence Sources in your filtered queries. To include your Organization in filtered queries, toggle the View <Organization name> slider on; to include a Community or Source in your filtered queries, select the checkbox to the left of the Community or Source.

Note
To select all Communities and Sources, select the checkbox to the left of the Filter communities and Filter sources search bar, respectively. Similarly, clear the checkbox to the left of the Filter communities and Filter sources search bar to deselect all selected Communities and Sources, respectively.

The Filter communities and Filter sources search bars allow you to filter the displayed Communities and Sources, respectively, which can be helpful if you want to select or deselect a particular set of Communities or Sources.

In addition, you can select a single Community or Source by hovering over its name and clicking only. Doing so will deselect all other owners automatically.


Note
A My Orgs list will be displayed in place of the View <Organization name> slider for Super Users, which allows them to select the Organizations whose data are to be displayed on the card.
Note
Super Users can select a single Organization by hovering over the Organization’s name and clicking only. Doing so will deselect all other owners automatically.

The number of selected owners (i.e., Organizations, Communities, and Sources) is displayed to the right of the My Intel Sources text. When all owners have been selected, the selector will look the same as Figure 2. If one or more owners are not selected, a color-coded circle will be displayed at the upper left corner of the selector.

  • Red circle: No owners have been selected.
  • Orange circle: Only one owner has been selected.
  • Blue circle: Two or more, but not all, owners have been selected.

This element helps alert you to the fact that you might be viewing an “incomplete” set of data.

The Feed Explorer

The Feed Explorer is similar in function to the Feeds tab of TC Exchange™. This feature, available to all ThreatConnect users, is accessed by clicking Feed Explorer on the My Intel Sources selector. The Feed Explorer displays all active TC Exchange feeds, presenting them in a table with their associated metric data displayed in columns, which are populated by CAL™. Additional feed information is displayed by clicking the icon found in the Report Card column of the Feed Explorer.

Object Filters

On the Browse screen, you can search for Indicators, Groups, Tags, Tracks, Victims, and Victim Assets using the filters on the left side of the screen (Figure 1). When searching for Indicators, Groups, and Victim Assets, you can filter results by one or more object types.

When you select an Indicator, Group, or Victim Asset type, a checkmark will be displayed to the right of the object type’s name, and the Browse screen will display only objects of that type in the owners selected in the My Intel Sources selector. Clicking on a selected object type will remove the checkmark to the right of its name, and the Browse screen will not display objects of that type.

Indicators Filter

The Indicators filter contains a multi-select list of Indicator types. Select one or more Indicator types, or click the Indicators heading to select all Indicator types. The Browse screen will display Indicators of the selected type(s) in the owners selected in the My Intel Sources selector.

When viewing Indicators, the Browse screen will display a table with the following columns:

  • Type: This column displays the Indicator’s type.
  • Summary: This column displays the Indicator’s summary.
  • Tags: If one or more Tags are applied to the Indicator, this column will display a count of those Tags; otherwise, no value will be displayed in this column. Click on the number displayed in this column to view the standard Tags and ATT&CK® Tags applied to the Indicator, as well as links to each Tag’s Details screen.
  • Owner: This column displays the owner to which the Indicator belongs.
  • Threat Rating: This column displays the Indicator’s Threat Rating, if one has been set for the Indicator.
  • ThreatAssess: This column displays the Indicator’s ThreatAssess score.
  • Obs: This column displays the number of times, if any, the Indicator was observed.
  • F/P: This column displays the number of times, if any, the Indicator was reported as a false positive.
  • Added: This column displays the date when the Indicator was created.
  • Modified: This column displays the date when the Indicator was last modified.

If you are viewing only Address Indicators, the table on the Browse screen will display an additional column labeled Version that indicates whether the Address Indicator represents an IPv4 or IPv6 address.

Groups Filter

The Groups filter contains a multi-select list of Group types. Select one or more Group types, or click the Groups heading to select all Group types. The Browse screen will display Groups of the selected type(s) in the owners selected in the My Intel Sources selector.

When viewing Groups, the Browse screen will display a table with the following columns:

  • Type: This column displays the Group’s type.
  • Summary: This column displays the Group’s summary.
  • Tags: If one or more Tags are applied to the Group, this column will display a count of those Tags; otherwise, no value will be displayed in this column. Click on the number displayed in this column to view the standard Tags and ATT&CK Tags applied to the Group, as well as links to each Tag’s Details screen.
  • Owner: This column displays the owner to which the Group belongs.
  • Upvote Count (thumbs-up icon): This column displays the number of upvotes, if any, the Group has received.
  • Downvote Count (thumbs-down icon): This column displays the number of downvotes, if any, the Group has received.
  • Added: This column displays the date when the Group was created.
  • Modified: This column displays the date when the Group was last modified.

Table 1 outlines additional columns the table on the Browse screen will display when only one of the following Group types is selected: Campaign, Document, E-mail, Event, Incident, Report, or Task.

 

| Group Type | Column Name | Description |
| --- | --- | --- |
| Campaign | First Seen | This column displays the date when the Campaign was first seen. |
| Document | Format | This column displays the Document’s file type. |
| E-mail | Score | This column displays the E-mail’s Threat Score. |
| Event | Event Date | This column displays the date when the Event took place. |
| Event | Status | This column displays the Event’s status. |
| Incident | Event Date | This column displays the date when the Incident took place. |
| Incident | Status | This column displays the Incident’s status. |
| Report | Format | This column displays the Report’s file type. |
| Report | Publish Date | This column displays the date when the Report was published. |
| Signature | Format | This column displays the Signature’s type. |
| Task | Status | This column displays the Task’s status. |
| Task | Due Date | This column displays the date when the Task is due. |

Tags Filter

The Tags filter allows you to search for Tags. Select the Tags heading to display Tags in the owners selected in the My Intel Sources selector.

When viewing Tags, the Browse screen will display a table with the following columns:

  • Type: This column will display “Tag” for all entries.
  • Summary: This column displays the Tag’s summary.
  • Synonymous Tags: For main Tags defined in Tag normalization rules (i.e., Tags with a main Tag icon displayed to the left of their name in the Summary column), this column displays a count of synonymous Tags defined in the corresponding rule; for all other Tags, no value is displayed in this column. Click on the number displayed in this column to view a list of synonymous Tags associated with the main Tag.
  • Owner: This column displays the owner to which the Tag belongs.
  • Last Used: This column displays the date when the Tag was last used. For Tags that have not been used since the Last Used date for Tags was introduced in ThreatConnect, a value of Unknown will be displayed in this column.

Tracks Filter

The Tracks filter allows you to search for Tracks. Select the Tracks heading to display Tracks in the owners selected in the My Intel Sources selector.

When viewing Tracks, the Browse screen will display a table with the following columns:

  • Type: This column will display “Track” for all entries.
  • Summary: This column displays the Track’s summary.
  • Owner: This column displays the owner to which the Track belongs.
  • Results: This column displays the number of new results, if any, for the Track.
  • Status: This column indicates whether the Track is active.
  • Added: This column displays the date when the Track was created.

Victims Filter

The Victims filter allows you to search for Victims. Select the Victims heading to display Victims in the owners selected in the My Intel Sources selector.

When viewing Victims, the Browse screen will display a table with the following columns:

  • Type: This column will display “Victim” for all entries.
  • Summary: This column displays the Victim’s summary.
  • Tags: If one or more Tags are applied to the Victim, this column will display a count of those Tags; otherwise, no value will be displayed in this column. Click on the number displayed in this column to view the standard Tags and ATT&CK Tags applied to the Victim, as well as links to each Tag’s Details screen.
  • Owner: This column displays the owner to which the Victim belongs.
  • Org: This column displays the Victim’s organization.
  • Sub-Organization: This column displays the Victim’s sub-organization.
  • Nationality: This column displays the Victim’s nationality.
  • Location: This column displays the Victim’s work location.

Victim Assets Filter

The Victim Assets filter contains a multi-select list of Victim Asset types (E-Mail Address, Network Account, Phone, Social Network, and WebSite). Select one or more Victim Asset types, or click the Victim Assets heading to select all Victim Asset types. The Browse screen will display Victim Assets of the selected type(s) in the owners selected in the My Intel Sources selector.

When viewing Victim Assets, the Browse screen will display a table with the following columns:

  • Type: This column displays the Victim Asset’s type.
  • Summary: This column displays the Victim Asset’s summary.
  • Victim: This column displays the Victim to which the Victim Asset belongs.
  • Asset: For E-mail Address, Network Account, or Social Network Victim Assets, this column displays the type of email address, network account, or social network, respectively, to which the Victim Asset corresponds.

Query Features

There are four query features, found along the top of the Browse screen:

  • a text box for a contains query
  • an Exact matches checkbox for enabling an exact matches query
  • a FILTERS selector for filtering the results of the contains or exact matches query
  • a toggle (the Advanced text at the upper-right corner of Figure 1) for accessing the advanced-query functionality

Contains Query

A contains query allows you to narrow down results based on a string of text entered into the search bar to the right of the FILTERS selector. ThreatConnect will then filter the results and return those with a summary that contains the entered text (Figure 3).


In this example, submitting a query for bad returned 57 Indicators with a summary that contains the text bad. The filtering also displays the entered text next to the Summary contains: text so that it may be easily cleared.

Exact Matches Query

An exact matches query, which is enabled by selecting the Exact matches checkbox to the right of the search bar, allows you to narrow down results to those with a summary that is an exact match to the string of text entered into the search bar. This type of query is helpful when filtering large datasets for a specific object, as an exact matches query takes less time to complete than a contains query.

In the following example, submitting a query for bad with the Exact matches checkbox selected returned no results, meaning there are no Indicators with a summary that matches bad (Figure 4).


However, submitting a query for bad.com with the Exact matches checkbox selected returned two results for the bad.com Host Indicator that exists in Demo Organization and Demo Community (Figure 5).


Filtering Results

You can filter results from a contains or exact matches query using the following parameters:

Use the FILTERS selector to the left of the search bar to define the filtered parameters, and then click the APPLY button to obtain results (Figure 6). To clear the query parameters, click Clear All Filters to the right of the Exact matches checkbox.


Important
The date entered in the Created Before and Created After fields will not be included in the query range. For example, if 2022-04-05 is entered in the Created After field, then the query will display results beginning on the day after (i.e., beginning on 2022-04-06).
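The following added example (not ThreatConnect code) models the contains query, the exact matches query, and the exclusive Created After / Created Before bounds described above, and shows how to pick field values when the first and last day of a window must both be included. The function names and sample rows are constructed for illustration, and plain case-sensitive string comparison is an assumption, since this page does not say how case is handled.

```python
from datetime import date, timedelta

# Constructed sample rows: (summary, owner, created date). Not real data.
SAMPLE = [
    ("bad.com", "Demo Organization", date(2022, 4, 5)),
    ("bad.com", "Demo Community", date(2022, 4, 6)),
    ("verybad.example", "Demo Organization", date(2022, 4, 7)),
    ("good.example", "Demo Organization", date(2022, 4, 6)),
]


def fields_for_inclusive_range(first_day, last_day):
    """Return (Created After, Created Before) values to enter so that
    first_day and last_day themselves fall inside the results."""
    if last_day < first_day:
        raise ValueError("last_day is earlier than first_day")
    return first_day - timedelta(days=1), last_day + timedelta(days=1)


def browse(rows, text, exact=False, created_after=None, created_before=None):
    """Model of the basic query: summary match plus exclusive date bounds."""
    hits = []
    for summary, owner, created in rows:
        # Assumption: case-sensitive comparison (not stated on the page).
        matched = summary == text if exact else text in summary
        if not matched:
            continue
        # Both bounds are exclusive: the entered day itself is left out.
        if created_after is not None and not created > created_after:
            continue
        if created_before is not None and not created < created_before:
            continue
        hits.append((summary, owner, created))
    return hits


if __name__ == "__main__":
    print(browse(SAMPLE, "bad", exact=True))        # no exact match for "bad"
    print(browse(SAMPLE, "bad.com", exact=True))    # one row per owner
    after, before = fields_for_inclusive_range(date(2022, 4, 5), date(2022, 4, 6))
    print(after, before)
    print(browse(SAMPLE, "bad", created_after=after, created_before=before))
```

Entering the first day of an incident window directly in Created After silently drops that day's objects, so scoping queries should use the shifted values.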

Advanced Query

An advanced query is initiated by clicking Advanced at the upper-right corner of the Browse screen (Figure 7). The advanced-query filter allows you to build structured queries using an SQL-like query language called ThreatConnect Query Language (TQL). With this feature, an analyst can specify criteria that cannot be defined using the basic query and filter capabilities.


Click Basic at the upper-right corner of the Browse screen (Figure 7) to toggle back to the basic search features (i.e., contains query, exact matches query, and FILTERS selector).

Note
After creating a contains or exact matches query using the basic search features, you can click Advanced at the upper-right corner of the Browse screen to convert the query into a TQL query.

Saving Queries

Follow these steps to save a query for later viewing. You may also use saved queries in Query cards in custom dashboards and add them to a Group in order to create associations between the Group and objects returned via the TQL query.

  1. Click the vertical ellipsis at the upper-right corner of the Browse screen and select Save Current Query.... The Save Current Query... drawer will be displayed.
  2. Enter a name for the query.
  3. Click the SAVE button.

Viewing and Managing Saved Queries

To view all saved queries, click the vertical ellipsis at the upper-right corner of the Browse screen and select View Queries. The View Queries drawer will be displayed. Click on a query's name to view it in the Browse screen. Note that you can use the Find by name box to filter saved queries by name.

To delete a saved query, click Delete in the Actions column of the View Queries drawer. The Confirm Delete window will be displayed. Click the YES button to delete the query.

EXPORT Button

Click the EXPORT button at the bottom of the Browse screen to display the Export Data window for Indicator export (Figure 8) or for Group export (Figure 9). Here, you can select the data points from the items in the filtered results list that you want to export to a comma-separated values (CSV) file.


Important
If no results are displayed on the Browse screen, the EXPORT button will be disabled.

DELETE Button

Click the DELETE button at the bottom of the Browse screen to display the Delete window. Click the YES button to delete all items listed in the filtered results. If you attempt to delete more than 50 items, you will be prompted to enter the text “OK” in the box, and then click the YES button (Figure 10).


Important
If no results are displayed on the Browse screen, the DELETE button will not be displayed.

ThreatConnect® is a registered trademark, and TC Exchange™ and CAL™ are trademarks, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20051-02 v.16.A

