The "Last Modified" Date
  • 21 Oct 2022
  • 6 Minutes to read
  • Dark
    Light

The "Last Modified" Date

  • Dark
    Light

Minimum Role: Organization role of Read Only User to view the date and time when Indicators, Groups, and Attributes were last modified; Organization role of Standard User to update Indicators, Groups, and Attributes; System role of API User to view the lastModified field when interacting with objects using the ThreatConnect API

Prerequisites: None

Overview

When viewing Indicators and Groups in ThreatConnect®, the Modified field provides the date and time when the object was last modified. Similarly, the Last Updated field provides the date and time when an Attribute was last modified. When interacting with Indicators, Groups, and Attributes via the ThreatConnect API, the lastModified field provides the date and time when the object was last modified.

This article describes the various areas in ThreatConnect where you can view the date and time when an object was last modified. It also details actions you can perform when working with Indicators, Groups, and Attributes and whether each one updates the date and time when the object was last modified.

Viewing an Object’s “Last Modified” Date

ThreatConnect UI

There are three areas in ThreatConnect where you can view the date and time when an object was last modified: the Browse screen, the Details drawer, and the Details screen.

Note
To view a log of changes made to an object in your Organization, including the date and time when the action was performed, navigate to the Activity tab of the Organization Settings screen. This tab is available only to users with an Organization role of Organization Administrator.

Browse Screen

On the top navigation bar, hover the cursor over Browse and select Indicators, Groups, or an Indicator or Group type to display all objects of the selected type on the Browse screen. Figure 1 shows all Address Indicators that exist in the owners selected in the My Intel Sources selector.

 

The Browse screen for Indicators and Groups displays a Modified column, which provides the date when an object was last modified. Toggle the Modified heading to sort the Browse screen in ascending or descending order by Modified date.

Note
You can use a basic query to filter results by Modified date with the Modified After and Modified Before filters. Similarly, you can write an advanced query that uses the lastModified ThreatConnect Query Language (TQL) parameter to filter results based on Modified date. For more information on basic and advanced queries, see the “Query Features” section of The Browse Screen.

Details Drawer

When viewing Indicators or Groups on the Browse screen, clicking on an object will display its Details drawer (Figure 2).

Graphical user interface, text, application, email, website  Description automatically generated

 

Here, you can view the object’s Last Modified date at the top right of the drawer. In addition, you can view the Last Modified date for any Attributes added to the object in the Attributes section.

Details Screen

On the Details screen for an Indicator or Group (Figure 3), you can view the date and time when the object was last modified via the Modified field in the Details card. You can also view the date and time when Attributes added to the object were last modified via the Last Updated field in the Attributes card.

Graphical user interface, application  Description automatically generated

 

ThreatConnect API

When interacting with Indicators, Groups, and Attributes using the ThreatConnect API, the lastModified field provides the date and time when an object was last modified. The v3 API includes the lastModified field for Indicators, Groups, and Attributes; the v2 API includes the lastModified field for Indicators and Attributes only.

Note
For Case Attributes, you can view the date and time when they were last modified using the v3 API. However, you cannot view this date and time in the ThreatConnect UI.

Updating an Object’s “Last Modified” Date

Indicators

Table 1 details actions you can perform when working with Indicators and whether each one updates the date and time when an Indicator was last modified.

 

Action(s)Applies to Which Indicator Type(s)?Updates "Last Modified" Date?

Applying or removing Security Labels

All

No

Associating Groups, Indicators, Cases, or Artifacts to an Indicator

All

No

Dissociating Groups, Indicators, Cases, or Artifacts from an Indicator

All

No

Updating objects associated to an Indicator

All

No

Creating, updating, or deleting Description or Source Attributes with or without the Default checkbox selected

All

Yes

Creating, updating, or deleting Attributes

All

Yes

Creating posts via the Add New Comment card of an Indicator’s Details screen or deleting posts added or linked to an Indicator

All

No

Applying or removing Tags

All

Yes

Following or unfollowing an Indicator

All

No

Adding a Task to an Indicator

All

No

Updating or deleting a Task added to an Indicator

All

No

Reporting false positives or deleting false positive reports for an Indicator

All

No

Reporting observations for an Indicator

All

No

Updating an Indicator’s Threat Rating

All

Yes

Updating an Indicator’s Confidence Rating1

All

Yes

ThreatConnect updates an Indicator’s ThreatAssess score

All

No

Selecting or clearing the Active checkbox for Indicator Status

All

Yes

Selecting or clearing the CAL Status Lock checkbox for Indicator Status

All

Yes

Selecting or clearing the Private checkbox for an Indicator

All

Yes

Reimporting an existing Indicator

All

Yes

Creating, updating, or deleting a File occurrence

File

No

Updating a File’s behavior model

File

No

Adding or removing a File hash

File

Yes

Adding, updating, or removing a File’s size value

File

Yes

Selecting or clearing the DNS checkbox

Host

No

Selecting or clearing the Whois checkbox

Host

No

1 If the Confidence Rating for an Indicator that exists in an Organization or Source is updated via a deprecation rule, its Modified date will be updated. This will not be the case for an Indicator that exists in a Community.

Groups

Table 2 details actions you can perform when working with Groups and whether each one updates the date and time when a Group was last modified.

 

Action(s)Applies to Which Group Type(s)?Updates "Last Modified" Date?

Applying or removing Security Labels

All

Yes

Associating Groups, Indicators, Victim Assets, Cases, or Artifacts to a Group

All

Yes

Dissociating Groups, Indicators, Victim Assets, Cases, or Artifacts from a Group

All

Yes

Updating objects associated to a Group

All

No

Creating, updating, or deleting Description or Source Attributes with or without the Default checkbox selected

All

Yes

Creating, updating, or deleting Attributes

All

Yes

Creating posts via the Add New Comment card of a Group’s Details screen or deleting posts added or linked to a Group

All

Yes

Applying or removing Tags

All

Yes

Following or unfollowing a Group

All

No

Adding a Task to a Group

All

Yes

Updating or deleting a Task added to a Group

All

No1

Voting for a Group

All

Yes

Contributing a Group to a Community or Source

All

No

Copying a Group from a Community to an Organization

All

No2

Publishing a Group

All

Yes

Updating a Group’s summary

All

Yes

Generating a PDF report of a Group

All Group types except Document, Email, Signature, and Task

No

Adding an Adversary asset

Adversary

Yes

Deleting an Adversary asset

Adversary

No

Enabling or disabling a Track

Adversary

No

Track results are found for an Adversary

Adversary

No

Adding, updating, or removing a Campaign’s First Seen date

Campaign

Yes

Updating the file name of the file corresponding to a Document

Document

Yes

Downloading the file corresponding to a Document

Document

No

Uploading a file to a Document

Document

Yes

Updating the analysis for an Email (i.e., updating the Body, From field, Header, or Subject of the email corresponding to the Group)

Email

Yes

Adding, updating, or removing an Event’s Event Date

Event

Yes

Adding or updating an Event’s Status

Event

Yes

Adding, updating, or removing an Incident’s Event Date

Incident

Yes

Adding or updating an Incident’s Status

Incident

Yes

Downloading the file corresponding to a Report

Report

No

Uploading a file to a Report

Report

Yes

Adding, updating, or removing a Report’s Publish Date

Report

Yes

Downloading a Signature’s file contents

Signature

No

Importing a new Signature file

Signature

Yes

Updating a Signature file’s name, type, or contents

Signature

Yes

Adding or removing Task Assignees

Task

Yes

Adding or removing users to whom a Task is to be escalated

Task

Yes

Adding or updating a Task’s Status

Task

Yes

Adding, updating, or removing a Task’s Due Date

Task

Yes

Adding, updating, or removing a Task’s Escalation Time

Task

Yes

Adding, updating, or removing a Task’s Reminder Time

Task

Yes

1 If updating a Task added to a Group, the Modified date for the Group to which the Task was added will not be updated, but the Modified date for the Task will be updated.

2 The Modified date for the Group that exists in the Community will not be updated; the Modified date for the copy of the Group created in the Organization will match the Added date.

Attributes

Table 3 details actions you can perform when working with Attributes and whether each one updates the date and time when an Attribute was last modified.

 

Action(s)Updates "Last Modified" Date?

Applying or removing Security Labels

Yes

Creating, updating, or removing an Attribute’s Source

Yes

Updating an Attribute’s value

Yes

Saving an Attribute’s Source so that it can be reused by the same owner

Yes

Selecting or clearing the Default checkbox for Description and Source Attributes

Yes


ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20132-01 v.01.B


Was this article helpful?