The "Last Modified" Date
- 25 Nov 2024
- 8 Minutes to read
-
Print
-
DarkLight
The "Last Modified" Date
- Updated on 25 Nov 2024
- 8 Minutes to read
-
Print
-
DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback!
Overview
When viewing Indicators, Groups, Intelligence Requirements (IRs), and Attributes in ThreatConnect®, the Last Modified field provides the date and time when the object was last modified. Similarly, the lastModified API field provides the date and time when an Indicator, Group, IR, or Attribute was last modified when using the ThreatConnect API to interact with these object types.
This article describes the various areas in ThreatConnect where you can view the date and time when an Indicator, Group, or Attribute was last modified. It also details actions you can perform when working with these object types and whether each action updates the Last Modified date.
Before You Start
User Roles
- To view the date and time when Indicators, Groups, IRs, and Attributes in an Organization were last modified, your user account can have any Organization role.
- To view the date and time when Indicators, Groups, and Attributes in a Community or Source were last modified, your user account can have any Community role except Banned.
- To view the date and time when Indicators, Groups, IRs, and Attributes were last modified via the ThreatConnect API, your user account must have a System role of API User.
Viewing an Object’s “Last Modified” Date
ThreatConnect UI
There are five main areas in ThreatConnect where you can view the date and time when an object was last modified:
- the Browse screen
- the Details drawer
- the Details screen
- the legacy Details screen
- the Search screen
Hint
To view a log of changes made to an object in your Organization, including the date and time when the action was performed, navigate to the Activity tab of the Organization Settings screen. This tab is available only to users with an Organization role of Organization Administrator.
Browse Screen
While viewing Indicators, Groups, or IRs on the Browse screen, the results table includes a Modified column that provides the date when an object was last modified (Figure 1).
Hint
You can use the FILTERS menu on the Browse screen to filter results by the date when they were last modified. Additionally, you can use the Browse screen’s advanced search feature to run a ThreatConnect Query Language (TQL) query that uses the
lastModified TQL parameter to filter results based on the date when they were last modified.Details Drawer
On the Details drawer for Indicators and Groups, the Last Modified field in the top portion of the drawer provides the date and time when the object was last modified in the owner listed in the drawer’s header. Figure 2 shows the Details drawer for an Indicator, along with the date and time when the Indicator was last modified in the owner named “Demo Organization.”
Note
The Details drawer’s Unified View option for Indicators includes a Last Modified field that provides the most recent date and time when an Indicator was last modified in any of its owners.
In addition, an Attribute’s Last Modified field on the Attributes card on the Details drawer provides the date and time when the Attribute was last modified (Figure 3).
Note
If viewing the Details drawer for an Email, Signature, or Task Group, the Last Modified field for the Group is located at the top right of the drawer, and the date and time when each of the Group’s Attributes was last modified is located in the Last Modified column of the Attributes section on the drawer.
Details Screen
On the Details screen for Indicators, Groups, and IRs, the Last Modified field on the Details card provides the date and time when the object was last modified in the owner listed in the screen’s header (Figure 4).
Important
The new Details screen is not currently available for Email, Signature, and Task Groups. As such, you can view the Last Modified date for these Group types and their Attributes on the legacy Details screen only.
In addition, an Attribute’s Last Modified field on the Attributes card provides the date and time when the Attribute was last modified (Figure 5). The Attributes card is available on the Details screen for Indicators and Groups only.
Legacy Details Screen
On the legacy Details screen for Indicators and Groups, the Modified field on the Details card provides the date and time when the object was last modified in the owner listed at the top right of the screen (Figure 6).
In addition, an Attribute’s Last Updated field on the Attributes card provides the date and time when the Attribute was last modified (Figure 7).
Search Screen
When searching your ThreatConnect data on the Search screen, the search results table includes a Last Modified column that provides the date and time when an object was last modified in the owner listed in the Owner column (Figure 8).
ThreatConnect API
When using the ThreatConnect API to interact with Indicators, Groups, IRs, and Attributes, the lastModified API field provides the date and time when an object was last modified. The v3 API includes the lastModified API field for Indicators, Groups, IRs, and Attributes; the v2 API includes the lastModified API field for Indicators and Attributes only.
Note
For Case Attributes, you can view the date and time when they were last modified using the v3 API. However, you cannot view this date and time in the ThreatConnect UI.
Updating an Object’s “Last Modified” Date
Indicators
Table 1 details the actions you can perform when working with Indicators and whether each one updates the date and time when an Indicator was last modified.
| Action(s) | Applies to Which Indicator Type(s)? | Updates "Last Modified" Date? |
|---|---|---|
| Applying or removing Security Labels | All | Yes1, 2 |
| Associating Groups or Indicators to an Indicator | All | Yes |
| Associating Cases or Artifacts to an Indicator | All | No3 |
| Dissociating Groups or Indicators from an Indicator | All | No2 |
| Dissociating Cases or Artifacts from an Indicator | All | No3 |
| Updating objects associated to an Indicator | All | No |
| Creating, updating, or deleting Description or Source Attributes with or without the Default checkbox selected | All | Yes |
| Creating or updating Attributes | All | Yes1 |
| Deleting Attributes | All | Yes |
| Creating posts via the Add New Comment card of an Indicator’s Details screen or deleting posts added or linked to an Indicator | All | No |
| Applying or removing Tags | All | Yes |
| Following or unfollowing an Indicator | All | No |
| Adding a Task to an Indicator | All | No |
| Updating or deleting a Task added to an Indicator | All | No |
| Reporting false positives or deleting false positive reports for an Indicator | All | No |
| Reporting observations for an Indicator | All | No |
| Updating an Indicator’s Threat Rating | All | Yes |
| Updating an Indicator’s Confidence Rating | All | Yes |
| ThreatConnect updates an Indicator’s ThreatAssess score | All | No |
| Updating an Indicator's Status | All | Yes |
| Turning the CAL Status Lock on or off | All | Yes |
| Marking an Indicator as private | All | Yes |
| Reimporting an existing Indicator | All | Yes |
| Creating, updating, or deleting File Occurrences | File | Yes1, 2 |
| Updating a File’s behavior model | File | No |
| Adding or removing a file hash | File | Yes |
| Adding, updating, or removing a File Indicator’s size value | File | Yes |
| Turning the DNS resolution tracking feature on or off | Host | Yes1, 2 |
| Turning the WHOIS feature on or off | Host | Yes1, 2 |
1 Performing this action on the legacy Details screen will not update the Last Modified date.
2 Performing this action via the ThreatConnect v3 API will update the Last Modified date; however, performing this action via the ThreatConnect v2 API will not update the Last Modified date.
3 Performing this action via the ThreatConnect v3 API will update the Last Modified date; however, this action may not be performed using the ThreatConnect v2 API, as it does not support Workflow-related features.
Groups
Table 2 details the actions you can perform when working with Groups and whether each one updates the date and time when a Group was last modified.
| Action(s) | Applies to Which Group Type(s)? | Updates "Last Modified" Date? |
|---|---|---|
| Applying or removing Security Labels | All | Yes |
| Associating Groups, Indicators, Victim Assets, Cases, or Artifacts to a Group | All | Yes |
| Dissociating Groups, Indicators, Victim Assets, Cases, or Artifacts from a Group | All | Yes |
| Updating objects associated to a Group | All | No |
| Creating, updating, or deleting Description or Source Attributes with or without the Default checkbox selected | All | Yes |
| Creating, updating, or deleting Attributes | All | Yes |
| Creating posts via the Add New Comment card of a Group’s Details screen | All | Yes |
| Deleting posts added or linked to a Group | All | No1 |
| Applying or removing Tags | All | Yes |
| Following or unfollowing a Group | All | No |
| Adding a Task to a Group | All | Yes |
| Updating or deleting a Task added to a Group | All | No2 |
| Updating a Group's Intel Rating | All | Yes |
| Contributing a Group to a Community or Source | All | No |
| Copying a Group from a Community to an Organization | All | No3 |
| Publishing a Group | All | Yes |
| Updating a Group’s summary | All | Yes |
| Generating a PDF report of a Group | All Group types except Document, Email, Signature, and Task | No |
| Adding an Adversary asset | Adversary | Yes |
| Deleting an Adversary asset | Adversary | No |
| Enabling or disabling a Track | Adversary | No |
| Track results are found for an Adversary | Adversary | No |
| Adding, updating, or removing a Campaign’s First Seen date | Campaign | Yes |
| Updating the file name of the file corresponding to a Document | Document | Yes |
| Downloading the file corresponding to a Document | Document | No |
| Uploading a file to a Document | Document | Yes |
| Updating the analysis for an Email (i.e., updating the Body, From field, Header, or Subject of the email corresponding to the Group) | Yes | |
| Adding, updating, or removing an Event’s Event Date | Event | Yes |
| Adding or updating an Event’s Status | Event | Yes |
| Adding, updating, or removing an Incident’s Event Date | Incident | Yes |
| Adding or updating an Incident’s Status | Incident | Yes |
| Downloading the file corresponding to a Report | Report | No |
| Uploading a file to a Report | Report | Yes |
| Adding, updating, or removing a Report’s Publish Date | Report | Yes |
| Downloading a Signature’s file contents | Signature | No |
| Importing a new Signature file | Signature | Yes |
| Updating a Signature file’s name, type, or contents | Signature | Yes |
| Adding or removing Task Assignees | Task | Yes |
| Adding or removing users to whom a Task is to be escalated | Task | Yes |
| Adding or updating a Task’s Status | Task | Yes |
| Adding, updating, or removing a Task’s Due Date | Task | Yes |
| Adding, updating, or removing a Task’s Escalation Time | Task | Yes |
| Adding, updating, or removing a Task’s Reminder Time | Task | Yes |
1 Performing this action on the legacy Details screen will update the Last Modified date.
2 If updating a Task added to a Group, the Last Modified date for the Group to which the Task was added will not be updated, but the Last Modified date for the Task will be updated.
3 The Last Modified date for the Group that exists in the Community will not be updated; the Last Modified date for the copy of the Group created in the Organization will match the Date Added date.
Intelligence Requirements
Table 3 details the actions you can perform when working with IRs and whether each one updates the date and time when an IR was last modified.
| Action(s) | Updates “Last Modified” Date? |
|---|---|
| Associating Groups, Indicators, Victim Assets, Artifacts, or Cases to an IR | Yes |
| Dissociating Groups, Indicators, Victim Assets, Artifacts, or Cases from an IR | Yes |
| Updating objects associated to an IR | No |
| Adding or updating the IR's default Description Attribute | Yes |
| Updating an IR's subtype | Yes |
| Updating an IR's category | Yes |
| Applying or removing Tags | Yes |
| Following or unfollowing an IR | No |
| Updating an IR's summary | Yes |
| Updating an IR's keyword query | Yes |
| Resetting archived and false results for an IR | Yes |
| Retrieving results for an IR | Yes |
| Associating a result to an IR | Yes |
| Archiving a result for an IR | No |
| Marking a result for an IR as a false result | No |
Attributes
Table 4 details the actions you can perform when working with Attributes and whether each one updates the date and time when an Attribute was last modified.
| Action(s) | Updates "Last Modified" Date? |
|---|---|
| Applying or removing Security Labels | Yes |
| Creating, updating, or removing an Attribute’s Source | Yes |
| Updating an Attribute’s value | Yes |
| Saving an Attribute’s Source so that it can be reused by the same owner | No1 |
| Selecting or clearing the Default checkbox for Description and Source Attributes | Yes |
1 Performing this action on the legacy Details screen will update the Last Modified date.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
20132-01 v.04.B
Was this article helpful?
