The "Last Modified" Date
- 21 Oct 2022
- 6 Minutes to read
-
Print
-
DarkLight
The "Last Modified" Date
- Updated on 21 Oct 2022
- 6 Minutes to read
-
Print
-
DarkLight
Minimum Role: Organization role of Read Only User to view the date and time when Indicators, Groups, and Attributes were last modified; Organization role of Standard User to update Indicators, Groups, and Attributes; System role of API User to view the lastModified field when interacting with objects using the ThreatConnect API
Prerequisites: None
Overview
When viewing Indicators and Groups in ThreatConnect®, the Modified field provides the date and time when the object was last modified. Similarly, the Last Updated field provides the date and time when an Attribute was last modified. When interacting with Indicators, Groups, and Attributes via the ThreatConnect API, the lastModified field provides the date and time when the object was last modified.
This article describes the various areas in ThreatConnect where you can view the date and time when an object was last modified. It also details actions you can perform when working with Indicators, Groups, and Attributes and whether each one updates the date and time when the object was last modified.
Viewing an Object’s “Last Modified” Date
ThreatConnect UI
There are three areas in ThreatConnect where you can view the date and time when an object was last modified: the Browse screen, the Details drawer, and the Details screen.
Note
To view a log of changes made to an object in your Organization, including the date and time when the action was performed, navigate to the Activity tab of the Organization Settings screen. This tab is available only to users with an Organization role of Organization Administrator.
Browse Screen
On the top navigation bar, hover the cursor over Browse and select Indicators, Groups, or an Indicator or Group type to display all objects of the selected type on the Browse screen. Figure 1 shows all Address Indicators that exist in the owners selected in the My Intel Sources selector.
The Browse screen for Indicators and Groups displays a Modified column, which provides the date when an object was last modified. Toggle the Modified heading to sort the Browse screen in ascending or descending order by Modified date.
Note
You can use a basic query to filter results by Modified date with the Modified After and Modified Before filters. Similarly, you can write an advanced query that uses the lastModified ThreatConnect Query Language (TQL) parameter to filter results based on Modified date. For more information on basic and advanced queries, see the “Query Features” section of The Browse Screen.
Details Drawer
When viewing Indicators or Groups on the Browse screen, clicking on an object will display its Details drawer (Figure 2).
Here, you can view the object’s Last Modified date at the top right of the drawer. In addition, you can view the Last Modified date for any Attributes added to the object in the Attributes section.
Details Screen
On the Details screen for an Indicator or Group (Figure 3), you can view the date and time when the object was last modified via the Modified field in the Details card. You can also view the date and time when Attributes added to the object were last modified via the Last Updated field in the Attributes card.
ThreatConnect API
When interacting with Indicators, Groups, and Attributes using the ThreatConnect API, the lastModified field provides the date and time when an object was last modified. The v3 API includes the lastModified field for Indicators, Groups, and Attributes; the v2 API includes the lastModified field for Indicators and Attributes only.
Note
For Case Attributes, you can view the date and time when they were last modified using the v3 API. However, you cannot view this date and time in the ThreatConnect UI.
Updating an Object’s “Last Modified” Date
Indicators
Table 1 details actions you can perform when working with Indicators and whether each one updates the date and time when an Indicator was last modified.
| Action(s) | Applies to Which Indicator Type(s)? | Updates "Last Modified" Date? |
|---|---|---|
Applying or removing Security Labels | All | No |
Associating Groups, Indicators, Cases, or Artifacts to an Indicator | All | No |
Dissociating Groups, Indicators, Cases, or Artifacts from an Indicator | All | No |
Updating objects associated to an Indicator | All | No |
Creating, updating, or deleting Description or Source Attributes with or without the Default checkbox selected | All | Yes |
Creating, updating, or deleting Attributes | All | Yes |
Creating posts via the Add New Comment card of an Indicator’s Details screen or deleting posts added or linked to an Indicator | All | No |
Applying or removing Tags | All | Yes |
Following or unfollowing an Indicator | All | No |
Adding a Task to an Indicator | All | No |
Updating or deleting a Task added to an Indicator | All | No |
Reporting false positives or deleting false positive reports for an Indicator | All | No |
Reporting observations for an Indicator | All | No |
Updating an Indicator’s Threat Rating | All | Yes |
Updating an Indicator’s Confidence Rating1 | All | Yes |
ThreatConnect updates an Indicator’s ThreatAssess score | All | No |
Selecting or clearing the Active checkbox for Indicator Status | All | Yes |
Selecting or clearing the CAL Status Lock checkbox for Indicator Status | All | Yes |
Selecting or clearing the Private checkbox for an Indicator | All | Yes |
Reimporting an existing Indicator | All | Yes |
Creating, updating, or deleting a File occurrence | File | No |
Updating a File’s behavior model | File | No |
Adding or removing a File hash | File | Yes |
Adding, updating, or removing a File’s size value | File | Yes |
Selecting or clearing the DNS checkbox | Host | No |
Selecting or clearing the Whois checkbox | Host | No |
1 If the Confidence Rating for an Indicator that exists in an Organization or Source is updated via a deprecation rule, its Modified date will be updated. This will not be the case for an Indicator that exists in a Community.
Groups
Table 2 details actions you can perform when working with Groups and whether each one updates the date and time when a Group was last modified.
| Action(s) | Applies to Which Group Type(s)? | Updates "Last Modified" Date? |
|---|---|---|
Applying or removing Security Labels | All | Yes |
Associating Groups, Indicators, Victim Assets, Cases, or Artifacts to a Group | All | Yes |
Dissociating Groups, Indicators, Victim Assets, Cases, or Artifacts from a Group | All | Yes |
Updating objects associated to a Group | All | No |
Creating, updating, or deleting Description or Source Attributes with or without the Default checkbox selected | All | Yes |
Creating, updating, or deleting Attributes | All | Yes |
Creating posts via the Add New Comment card of a Group’s Details screen or deleting posts added or linked to a Group | All | Yes |
Applying or removing Tags | All | Yes |
Following or unfollowing a Group | All | No |
Adding a Task to a Group | All | Yes |
Updating or deleting a Task added to a Group | All | No1 |
All | Yes | |
All | No | |
All | No2 | |
All | Yes | |
Updating a Group’s summary | All | Yes |
All Group types except Document, Email, Signature, and Task | No | |
Adding an Adversary asset | Adversary | Yes |
Deleting an Adversary asset | Adversary | No |
Enabling or disabling a Track | Adversary | No |
Track results are found for an Adversary | Adversary | No |
Adding, updating, or removing a Campaign’s First Seen date | Campaign | Yes |
Updating the file name of the file corresponding to a Document | Document | Yes |
Downloading the file corresponding to a Document | Document | No |
Uploading a file to a Document | Document | Yes |
Updating the analysis for an Email (i.e., updating the Body, From field, Header, or Subject of the email corresponding to the Group) | Yes | |
Adding, updating, or removing an Event’s Event Date | Event | Yes |
Adding or updating an Event’s Status | Event | Yes |
Adding, updating, or removing an Incident’s Event Date | Incident | Yes |
Adding or updating an Incident’s Status | Incident | Yes |
Downloading the file corresponding to a Report | Report | No |
Uploading a file to a Report | Report | Yes |
Adding, updating, or removing a Report’s Publish Date | Report | Yes |
Downloading a Signature’s file contents | Signature | No |
Importing a new Signature file | Signature | Yes |
Updating a Signature file’s name, type, or contents | Signature | Yes |
Adding or removing Task Assignees | Task | Yes |
Adding or removing users to whom a Task is to be escalated | Task | Yes |
Adding or updating a Task’s Status | Task | Yes |
Adding, updating, or removing a Task’s Due Date | Task | Yes |
Adding, updating, or removing a Task’s Escalation Time | Task | Yes |
Adding, updating, or removing a Task’s Reminder Time | Task | Yes |
1 If updating a Task added to a Group, the Modified date for the Group to which the Task was added will not be updated, but the Modified date for the Task will be updated.
2 The Modified date for the Group that exists in the Community will not be updated; the Modified date for the copy of the Group created in the Organization will match the Added date.
Attributes
Table 3 details actions you can perform when working with Attributes and whether each one updates the date and time when an Attribute was last modified.
| Action(s) | Updates "Last Modified" Date? |
|---|---|
Applying or removing Security Labels | Yes |
Creating, updating, or removing an Attribute’s Source | Yes |
Updating an Attribute’s value | Yes |
Saving an Attribute’s Source so that it can be reused by the same owner | Yes |
Selecting or clearing the Default checkbox for Description and Source Attributes | Yes |
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
20132-01 v.01.B
Was this article helpful?
