The "Last Modified" Date
  • 19 Oct 2023
  • 7 Minutes to read
  • Dark
    Light

The "Last Modified" Date

  • Dark
    Light

Article Summary

Overview

When viewing Indicators, Groups, Intelligence Requirements (IRs), and Attributes in ThreatConnect®, the Last Modified field provides the date and time when the object was last modified. Similarly, the lastModified field provides the date and time when an Indicator, Group, IR, or Attribute was last modified when using the ThreatConnect API to interact with these object types.

This article describes the various areas in ThreatConnect where you can view the date and time when an Indicator, Group, or Attribute was last modified. It also details actions you can perform when working with these object types and whether each action updates the Last Modified date.

Before You Start

Minimum Role(s)
  • Organization role of Read Only User to view the date and time when Indicators, Groups, IRs, and Attributes were last modified
  • Organization role of Standard User to update Indicators, Groups, IRs, and Attributes
  • System role of API User to view the lastModified field when interacting with objects using the ThreatConnect API
PrerequisitesNone

Viewing an Object’s “Last Modified” Date

ThreatConnect UI

There are four areas in ThreatConnect where you can view the date and time when an object was last modified: the Browse screen, the Details drawer, the new Details screen, and the legacy Details screen.

Note
To view a log of changes made to an object in your Organization, including the date and time when the action was performed, navigate to the Activity tab of the Organization Settings screen. This tab is available only to users with an Organization role of Organization Administrator.

Browse Screen

On the top navigation bar, hover the cursor over Browse and select Indicators or a specific Indicator type; Groups or a specific Group type; or Intelligence Requirements (IR) to display all objects of the selected type on the Browse screen. Figure 1 shows all Address Indicators that exist in the owners selected in the My Intel Sources selector .

Figure 1_The Last Modified Date_7.1.0

 

The Browse screen for Indicators, Groups, and IRs displays a Modified column, which provides the date when an object was last modified. Toggle the Modified heading to sort the Browse screen in ascending or descending order by Modified date.

Note
You can use a basic query to filter results by Modified date with the Modified After and Modified Before filters. Similarly, you can write an advanced query that uses the lastModified ThreatConnect Query Language (TQL) parameter to filter results based on Modified date. For more information on basic and advanced queries, see the “Query Features” section of The Browse Screen.

Details Drawer

When viewing Indicators or Groups on the Browse screen, clicking on an object will display its Details drawer (Figure 2).

Graphical user interface, text, application, email, website  Description automatically generated

 

Here, you can view the object’s Last Modified date at the top right of the drawer. In addition, you can view the Last Modified date for the object's Attributes in the Attributes section.

New Details Screen

On the Details screen for an Indicator, Group, or IR, you can view the date and time when the object was last modified via the Last Modified field in the Details card (Figure 3). For Indicators and Groups, you can also view the date and time when Attributes added to the object were last modified via the Last Updated field in the Attributes card (Figure 4).

Important
The new Details screen is not currently available for Email, Signature, and Task Groups. As such, you can view the Last Modified date for these Group types and their Attributes on the legacy Details screen only.

 

 

Legacy Details Screen

On the legacy Details screen for an Indicator or Group, you can view the date and time when the object was last modified via the Modified field in the Details card (Figure 5). You can also view the date and time when the object’s Attributes were last modified via the Last Updated field in the Attributes card (Figure 6).

Graphical user interface, application  Description automatically generated

 

 

ThreatConnect API

When using the ThreatConnect API to interact with Indicators, Groups, IRs, and Attributes, the lastModified field provides the date and time when an object was last modified. The v3 API includes the lastModified field for Indicators, Groups, IRs, and Attributes; the v2 API includes the lastModified field for Indicators and Attributes only.

Note
For Case Attributes, you can view the date and time when they were last modified using the v3 API. However, you cannot view this date and time in the ThreatConnect UI.

Updating an Object’s “Last Modified” Date

Indicators

Table 1 details the actions you can perform when working with Indicators and whether each one updates the date and time when an Indicator was last modified.

 

Action(s)Applies to Which Indicator Type(s)?Updates "Last Modified" Date?
Applying or removing Security LabelsAllYes1, 2
Associating Groups or Indicators to an IndicatorAllYes
Associating Cases or Artifacts to an Indicator
AllNo3
Dissociating Groups or Indicators from an IndicatorAllNo2
Dissociating Cases or Artifacts from an Indicator
AllNo3
Updating objects associated to an IndicatorAllNo
Creating, updating, or deleting Description or Source Attributes with or without the Default checkbox selectedAllYes
Creating or updating AttributesAllYes1
Deleting AttributesAllYes
Creating posts via the Add New Comment card of an Indicator’s Details screen or deleting posts added or linked to an IndicatorAllNo
Applying or removing TagsAllYes
Following or unfollowing an IndicatorAllNo
Adding a Task to an IndicatorAllNo
Updating or deleting a Task added to an IndicatorAllNo
Reporting false positives or deleting false positive reports for an IndicatorAllNo
Reporting observations for an IndicatorAllNo
Updating an Indicator’s Threat RatingAllYes
Updating an Indicator’s Confidence RatingAllYes
ThreatConnect updates an Indicator’s ThreatAssess scoreAllNo
Updating an Indicator's StatusAllYes
Turning the CAL Status Lock on or offAllYes
Marking an Indicator as privateAllYes
Reimporting an existing IndicatorAllYes
Creating, updating, or deleting File OccurrencesFileYes1, 2
Updating a File’s behavior modelFileNo
Adding or removing a file hashFileYes
Adding, updating, or removing a File Indicator’s size valueFileYes
Turning the DNS resolution tracking feature on or offHostYes1, 2
Turning the WHOIS feature on or offHostYes1, 2

1 Performing this action on the legacy Details screen will not update the Last Modified date.
2 Performing this action via the ThreatConnect v3 API will update the Last Modified date; however, performing this action via the ThreatConnect v2 API will not update the Last Modified date.
3 Performing this action via the ThreatConnect v3 API will update the Last Modified date; however, this action may not be performed using the ThreatConnect v2 API, as it does not support Workflow-related features.

Groups

Table 2 details the actions you can perform when working with Groups and whether each one updates the date and time when a Group was last modified.

 

Action(s)Applies to Which Group Type(s)?Updates "Last Modified" Date?
Applying or removing Security LabelsAllYes
Associating Groups, Indicators, Victim Assets, Cases, or Artifacts to a GroupAllYes
Dissociating Groups, Indicators, Victim Assets, Cases, or Artifacts from a GroupAllYes
Updating objects associated to a GroupAllNo
Creating, updating, or deleting Description or Source Attributes with or without the Default checkbox selectedAllYes
Creating, updating, or deleting AttributesAllYes
Creating posts via the Add New Comment card of a Group’s Details screenAllYes
Deleting posts added or linked to a GroupAllNo1
Applying or removing TagsAllYes
Following or unfollowing a GroupAllNo
Adding a Task to a GroupAllYes
Updating or deleting a Task added to a GroupAllNo2
Updating a Group's Intel RatingAllYes
Contributing a Group to a Community or SourceAllNo
Copying a Group from a Community to an OrganizationAllNo3
Publishing a GroupAllYes
Updating a Group’s summaryAllYes
Generating a PDF report of a GroupAll Group types except Document, Email, Signature, and TaskNo
Adding an Adversary assetAdversaryYes
Deleting an Adversary assetAdversaryNo
Enabling or disabling a TrackAdversaryNo
Track results are found for an AdversaryAdversaryNo
Adding, updating, or removing a Campaign’s First Seen dateCampaignYes
Updating the file name of the file corresponding to a DocumentDocumentYes
Downloading the file corresponding to a DocumentDocumentNo
Uploading a file to a DocumentDocumentYes
Updating the analysis for an Email (i.e., updating the Body, From field, Header, or Subject of the email corresponding to the Group)EmailYes
Adding, updating, or removing an Event’s Event DateEventYes
Adding or updating an Event’s StatusEventYes
Adding, updating, or removing an Incident’s Event DateIncidentYes
Adding or updating an Incident’s StatusIncidentYes
Downloading the file corresponding to a ReportReportNo
Uploading a file to a ReportReportYes
Adding, updating, or removing a Report’s Publish DateReportYes
Downloading a Signature’s file contentsSignatureNo
Importing a new Signature fileSignatureYes
Updating a Signature file’s name, type, or contentsSignatureYes
Adding or removing Task AssigneesTaskYes
Adding or removing users to whom a Task is to be escalatedTaskYes
Adding or updating a Task’s StatusTaskYes
Adding, updating, or removing a Task’s Due DateTaskYes
Adding, updating, or removing a Task’s Escalation TimeTaskYes
Adding, updating, or removing a Task’s Reminder TimeTaskYes

1 Performing this action on the legacy Details screen will update the Last Modified date.
2 If updating a Task added to a Group, the Last Modified date for the Group to which the Task was added will not be updated, but the Last Modified date for the Task will be updated.
3 The Last Modified date for the Group that exists in the Community will not be updated; the Last Modified date for the copy of the Group created in the Organization will match the Date Added date.

Intelligence Requirements

Table 3 details the actions you can perform when working with IRs and whether each one updates the date and time when an IR was last modified.

 

Action(s)Updates “Last Modified” Date?
Associating Groups, Indicators, Victim Assets, Artifacts, or Cases to an IRYes
Dissociating Groups, Indicators, Victim Assets, Artifacts, or Cases from an IRYes
Updating objects associated to an IRNo
Adding or updating the IR's default Description AttributeYes
Updating an IR's subtypeYes
Updating an IR's categoryYes
Applying or removing TagsYes
Following or unfollowing an IRNo
Updating an IR's summaryYes
Updating an IR's keyword queryYes
Resetting archived and false results for an IRYes
Retrieving results for an IRYes
Associating a result to an IRYes
Archiving a result for an IRNo
Marking a result for an IR as a false resultNo

Attributes

Table 4 details the actions you can perform when working with Attributes and whether each one updates the date and time when an Attribute was last modified.

 

Action(s)Updates "Last Modified" Date?
Applying or removing Security LabelsYes
Creating, updating, or removing an Attribute’s SourceYes
Updating an Attribute’s valueYes
Saving an Attribute’s Source so that it can be reused by the same ownerNo1
Selecting or clearing the Default checkbox for Description and Source AttributesYes

1 Performing this action on the legacy Details screen will update the Last Modified date.


ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20132-01 v.04.A


Was this article helpful?