The Browse Screen

To access the Browse screen in ThreatConnect^®, click Browse on the top navigation bar. There are five primary components on the Browse screen: the My Intel Sources selector, Object filters (Indicators, Groups, Tags, Tracks, Victims, and Victim Assets), the query features, the EXPORT button, and the DELETE button (Figure 1).

My Intel Sources Selector

The My Intel Sources selector (Figure 2) at the upper-left corner of the Browse screen provides you with the ability to include your Organization and any of your Communities and intelligence Sourcesin your filtered queries. To include your Organization in filtered queries, toggle the View <Organization name> slider on; to include a Community or Source in your filtered queries, select the checkbox to the left of the Community or Source.

The Filter communities and Filter sources search bars allow you to filter the displayed Communities and Sources, respectively, which can be helpful if you want to select or deselect a particular set of Communities or Sources.

In addition, you can select a single Community or Source by hovering over its name and clickingonly. Doing so will deselect all other owners automatically.

Note

Super Users can select a single Organization by hovering over the Organization’s name and clickingonly. Doing so will deselect all other owners automatically.

The number of selected owners (i.e., Organizations, Communities, and Sources) is displayed to the right of the My Intel Sources text. When all owners have been selected, the selector will look the same as Figure 2. If one or more owners are not selected, a color-coded circle will be displayed at the upper left corner of the selector.

• Red circle: No owners have been selected.
• Orange circle: Only one owner has been selected.
• Blue circle: Two or more, but not all, owners have been selected.

This element helps alert you to the fact that you might be viewing an “incomplete” set of data.

The Feed Explorer

The Feed Explorer is similar in function to the Feeds tab of TC Exchange™. This feature, available to all ThreatConnect users, is accessed by clicking Feed Explorer on the My Intel Sources selector. The Feed Explorer displays all active TC Exchange feeds, presenting them in a table with their associated metric data displayed in columns, which are populated by CAL™. Additional feed information is displayed by clicking theicon found in the Report Card column of the Feed Explorer.

Object Filters

On the Browse screen, you can search for Indicators, Groups, Tags, Tracks, Victims, and Victim Assets using the filters on the left side of the screen (Figure 1). When searching for Indicators, Groups, and Victim Assets, you can filter results by one or more object types.

When you select an Indicator, Group, or Victim Asset type, a checkmark will be displayed to the right of the object type’s name, and the Browse screen will display only objects of that type in the owners selected in the My Intel Sources selector. Clicking on a selected object type will remove the checkmark to the right of its name, and the Browse screen will not display objects of that type.

Indicators Filter

The Indicators filter contains a multi-select list of Indicator types. Select one or more Indicator types, or click the Indicators heading to select all Indicator types. The Browse screen will display Indicators of the selected type(s) in the owners selected in the My Intel Sources selector.

When viewing Indicators, the Browse screen will display a table with the following columns:

• Type: This column displays the Indicator’s type.
• Summary: This column displays the Indicator’s summary.
• Tags: If one or more Tags are applied to the Indicator, this column will display a count of those Tags; otherwise, no value will be displayed in this column. Click on the number displayed in this column to view the standard Tags and ATT&CK^® Tags applied to the Indicator, as well as links to each Tag’s Details screen.
• Owner: This column displays the owner to which the Indicator belongs.
• Threat Rating: This column displays the Indicator’s Threat Rating, if one has been set for the Indicator.
• ThreatAssess: This column displays the Indicator’s ThreatAssess score.
• Obs: This column displays the number of times, if any, the Indicator was observed.
• F/P: This column displays the number of times, if any, the Indicator was reported as a false positive.
• Added: This column displays the date when the Indicator was created.
• Modified: This column displays the date when the Indicator was last modified.

If you are viewing only Address Indicators, the table on the Browse screen will display an additional column labeled Version that indicates whether the Address Indicator represents an IPv4 or IPv6 address.

Groups Filter

The Groups filter contains a multi-select list of Group types. Select one or more Group types, or click the Groups heading to select all Group types. The Browse screen will display Groups of the selected type(s) in the owners selected in the My Intel Sources selector.

When viewing Groups, the Browse screen will display a table with the following columns:

• Type: This column displays the Group’s type.
• Summary: This column displays the Group’s summary.
• Tags: If one or more Tags are applied to the Group, this column will display a count of those Tags; otherwise, no value will be displayed in this column. Click on the number displayed in this column to view the standard Tags and ATT&CK Tags applied to the Group, as well as links to each Tag’s Details screen.
• Owner: This column displays the owner to which the Group belongs.
• Upvote Count: This column displays the number of upvotes, if any, the Group has received.
• Downvote Count: This column displays the number of downvotes, if any, the Group has received.
• Added: This column displays the date when the Group was created.
• Modified: This column displays the date when the Group was last modified.

Table 1 outlines additional columns the table on the Browse screen will display when only one of the following Group types is selected: Campaign, Document, E-mail, Event, Incident, Report, or Task.

Tags Filter

The Tags filter allows you to search for Tags. Select the Tags heading to display Tags in the owners selected in the My Intel Sources selector.

When viewing Tags, the Browse screen will display a table with the following columns:

• Type: This column will display “Tag” for all entries.
• Summary: This column displays the Tag’s summary.
• Synonymous Tags: For main Tags defined in Tag normalization rules (i.e., Tags with anicon displayed to the left of their name in the Summary column), this column displays a count of synonymous Tags defined in the corresponding rule; for all other Tags, no value is displayed in this column. Click on the number displayed in this column to view a list of synonymous Tags associated with the main Tag.
• Owner: This column displays the owner to which the Tag belongs.
• Last Used: This column displays the date when the Tag was last used. For Tags that have not been used since the Last Used date for Tags was introduced in ThreatConnect, a value of Unknown will be displayed in this column.

Tracks Filter

The Tracks filter allows you to search for Tracks. Select the Tracks heading to display Tracks in the owners selected in the My Intel Sources selector.

When viewing Tracks, the Browse screen will display a table with the following columns:

• Type: This column will display “Track” for all entries.
• Summary: This column displays the Track’s summary.
• Owner: This column displays the owner to which the Track belongs.
• Results: This column displays the number of new results, if any, for the Track.
• Status: This column indicates whether the Track is active.
• Added: This column displays the date when the Track was created.

Victims Filter

The Victims filter allows you to search for Victims. Select the Victims heading to display Victims in the owners selected in the My Intel Sources selector.

When viewing Victims, the Browse screen will display a table with the following columns:

• Type: This column will display “Victim” for all entries.
• Summary: This column displays the Victim’s summary.
• Tags: If one or more Tags are applied to the Victim, this column will display a count of those Tags; otherwise, no value will be displayed in this column. Click on the number displayed in this column to view the standard Tags and ATT&CK Tags applied to the Victim, as well as links to each Tag’s Details screen.
• Owner: This column displays the owner to which the Victim belongs.
• Org: This column displays the Victim’s organization.
• Sub-Organization: This column displays the Victim’s sub-organization.
• Nationality: This column displays the Victim’s nationality.
• Location: This column displays the Victim’s work location.

Victim Assets Filter

The Victim Assets filter contains a multi-select list of Victim Asset types (E-Mail Address, Network Account, Phone, Social Network, and WebSite). Select one or more Victim Asset types, or click the Victim Assets heading to select all Victim Asset types. The Browse screen will display Victim Assets of the selected type(s) in the owners selected in the My Intel Sources selector.

When viewing Victim Assets, the Browse screen will display a table with the following columns:

• Type: This column displays the Victim Asset’s type.
• Summary: This column displays the Victim Asset’s summary.
• Victim: This column displays the Victim to which the Victim Asset belongs.
• Asset: For E-mail Address, Network Account, or Social Network Victim Assets, this column displays the type of email address, network account, or social network, respectively, to which the Victim Asset corresponds.

Query Features

There are four query features, found along the top of the Browse screen:

• a text box for a contains query
• an Exact matches checkbox for enabling an exact matches query
• a FILTERS selector for filtering the results of the contains or exact matches query
• a toggle (the Advanced text at the upper-right corner of Figure 1) for accessing the advanced-query functionality

Contains Query

A contains query allows you to narrow down results based on a string of text entered into the search bar to the right of the FILTERS selector. ThreatConnect will then filter the results and return those with a summary that contains the entered text (Figure 3).

In this example, submitting a query for bad returned 57 Indicators with a summary that contains the text bad. The filtering also displays the entered text next to the Summary contains: text so that it may be easily cleared.

Exact Matches Query

An exact matches query, which is enabled by selecting the Exact matches checkbox to the right of the search bar, allows you to narrow down results to those with a summary that is an exact match to the string of text entered into the search bar. This type of query is helpful when filtering large datasets for a specific object, as an exact matches query takes less time to complete than a contains query.

In the following example, submitting a query for bad with the Exact matches checkbox selected returned no results, meaning there are no Indicators with a summary that matches bad (Figure 4).

However, submitting a query for bad.com with the Exact Matches checkbox selected returned two results for the bad.com Host Indicator that exists in Demo Organization and Demo Community (Figure 5).

Filtering Results

You can filter results from a contains or exact matches query using the following parameters:

• Tags
• Created After
• Created Before
• Modified After
• Modified Before
• Indicator Status
• Observed Since
• Threat and Confidence Ratings
• ThreatAssess Score
• Observations
• False Positives
• Attributes that exist within ThreatConnect

Use the FILTERS selector to the left of the search bar to define the filtered parameters, and then click the APPLY button to obtain results (Figure 6). To clear the query parameters, click Clear All Filters to the right of the Exact matches checkbox.

Advanced Query

An advanced query is initiated by clicking Advanced at the upper-right corner of the Browse screen (Figure 7). The advanced-query filter allows you to build structured queries using an SQL-like query language called ThreatConnect Query Language (TQL). With this feature, an analyst can specify criteria that cannot be defined using the basic query and filter capabilities.

Click Basic at the upper-right corner of the Browse screen (Figure 7) to toggle back to the basic search features (i.e., contains query, exact matches query, and FILTERS selector).

Saving Queries

Follow these steps to save a query for later viewing. You may also use saved queries in Query cards in custom dashboards and add them to a Group in order to create associations between the Group and objects returned via the TQL query.

1. Click the vertical ellipsis at the upper-right corner of the Browse screen and select Save Current Query.... The Save Current Query... drawer will be displayed.
2. Enter a name for the query.
3. Click the SAVE button.

Viewing and Managing Saved Queries

To view all saved queries, click the vertical ellipsis at the upper-right corner of the Browse screen select View Queries. The View Queries drawer will be displayed. Click on a query's name to view it in the Browse screen. Note that you can use the Find by name box to filter saved queries by name.

To delete a saved query, click Deletein the Actions column of the View Queries drawer. The Confirm Delete window will be displayed. Click the YES button to delete the query.

EXPORT Button

Click the EXPORT button at the bottom of the Browse screen to display the Export Data window for Indicator export (Figure 8) or for Group export (Figure 9). Here, you can select the data points from the items in the filtered results list that you want to export to a comma-separated values (CSV) file.

DELETE Button

Click the DELETE button at the bottom of the Browse screen to display the Delete window. Click the YES button to delete all items listed in the filtered results. If you attempt to delete more than 50 items, you will be prompted to enter the text “OK” in the box, and then click the YES button (Figure 10).

ThreatConnect^® is a registered trademark, and TC Exchange™ and CAL™ are trademarks, of ThreatConnect, Inc.
MITRE ATT&CK^® and ATT&CK^® are registered trademarks of The MITRE Corporation.

20051-02 v.16.A