The "Last Modified" Date
- 19 Oct 2023
- 7 Minutes to read
-
Print
-
DarkLight
The "Last Modified" Date
- Updated on 19 Oct 2023
- 7 Minutes to read
-
Print
-
DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
Overview
When viewing Indicators, Groups, Intelligence Requirements (IRs), and Attributes in ThreatConnect®, the Last Modified field provides the date and time when the object was last modified. Similarly, the lastModified field provides the date and time when an Indicator, Group, IR, or Attribute was last modified when using the ThreatConnect API to interact with these object types.
This article describes the various areas in ThreatConnect where you can view the date and time when an Indicator, Group, or Attribute was last modified. It also details actions you can perform when working with these object types and whether each action updates the Last Modified date.
Before You Start
| Minimum Role(s) |
|
|---|---|
| Prerequisites | None |
Viewing an Object’s “Last Modified” Date
ThreatConnect UI
There are four areas in ThreatConnect where you can view the date and time when an object was last modified: the Browse screen, the Details drawer, the new Details screen, and the legacy Details screen.
Note
To view a log of changes made to an object in your Organization, including the date and time when the action was performed, navigate to the Activity tab of the Organization Settings screen. This tab is available only to users with an Organization role of Organization Administrator.
Browse Screen
On the top navigation bar, hover the cursor over Browse and select Indicators or a specific Indicator type; Groups or a specific Group type; or Intelligence Requirements (IR) to display all objects of the selected type on the Browse screen. Figure 1 shows all Address Indicators that exist in the owners selected in the My Intel Sources selector .
The Browse screen for Indicators, Groups, and IRs displays a Modified column, which provides the date when an object was last modified. Toggle the Modified heading to sort the Browse screen in ascending or descending order by Modified date.
Note
You can use a basic query to filter results by Modified date with the Modified After and Modified Before filters. Similarly, you can write an advanced query that uses the lastModified ThreatConnect Query Language (TQL) parameter to filter results based on Modified date. For more information on basic and advanced queries, see the “Query Features” section of The Browse Screen.
Details Drawer
When viewing Indicators or Groups on the Browse screen, clicking on an object will display its Details drawer (Figure 2).
Here, you can view the object’s Last Modified date at the top right of the drawer. In addition, you can view the Last Modified date for the object's Attributes in the Attributes section.
New Details Screen
On the Details screen for an Indicator, Group, or IR, you can view the date and time when the object was last modified via the Last Modified field in the Details card (Figure 3). For Indicators and Groups, you can also view the date and time when Attributes added to the object were last modified via the Last Updated field in the Attributes card (Figure 4).
Important
The new Details screen is not currently available for Email, Signature, and Task Groups. As such, you can view the Last Modified date for these Group types and their Attributes on the legacy Details screen only.
Legacy Details Screen
On the legacy Details screen for an Indicator or Group, you can view the date and time when the object was last modified via the Modified field in the Details card (Figure 5). You can also view the date and time when the object’s Attributes were last modified via the Last Updated field in the Attributes card (Figure 6).
ThreatConnect API
When using the ThreatConnect API to interact with Indicators, Groups, IRs, and Attributes, the lastModified field provides the date and time when an object was last modified. The v3 API includes the lastModified field for Indicators, Groups, IRs, and Attributes; the v2 API includes the lastModified field for Indicators and Attributes only.
Note
For Case Attributes, you can view the date and time when they were last modified using the v3 API. However, you cannot view this date and time in the ThreatConnect UI.
Updating an Object’s “Last Modified” Date
Indicators
Table 1 details the actions you can perform when working with Indicators and whether each one updates the date and time when an Indicator was last modified.
| Action(s) | Applies to Which Indicator Type(s)? | Updates "Last Modified" Date? |
|---|---|---|
| Applying or removing Security Labels | All | Yes1, 2 |
| Associating Groups or Indicators to an Indicator | All | Yes |
| Associating Cases or Artifacts to an Indicator | All | No3 |
| Dissociating Groups or Indicators from an Indicator | All | No2 |
| Dissociating Cases or Artifacts from an Indicator | All | No3 |
| Updating objects associated to an Indicator | All | No |
| Creating, updating, or deleting Description or Source Attributes with or without the Default checkbox selected | All | Yes |
| Creating or updating Attributes | All | Yes1 |
| Deleting Attributes | All | Yes |
| Creating posts via the Add New Comment card of an Indicator’s Details screen or deleting posts added or linked to an Indicator | All | No |
| Applying or removing Tags | All | Yes |
| Following or unfollowing an Indicator | All | No |
| Adding a Task to an Indicator | All | No |
| Updating or deleting a Task added to an Indicator | All | No |
| Reporting false positives or deleting false positive reports for an Indicator | All | No |
| Reporting observations for an Indicator | All | No |
| Updating an Indicator’s Threat Rating | All | Yes |
| Updating an Indicator’s Confidence Rating | All | Yes |
| ThreatConnect updates an Indicator’s ThreatAssess score | All | No |
| Updating an Indicator's Status | All | Yes |
| Turning the CAL Status Lock on or off | All | Yes |
| Marking an Indicator as private | All | Yes |
| Reimporting an existing Indicator | All | Yes |
| Creating, updating, or deleting File Occurrences | File | Yes1, 2 |
| Updating a File’s behavior model | File | No |
| Adding or removing a file hash | File | Yes |
| Adding, updating, or removing a File Indicator’s size value | File | Yes |
| Turning the DNS resolution tracking feature on or off | Host | Yes1, 2 |
| Turning the WHOIS feature on or off | Host | Yes1, 2 |
1 Performing this action on the legacy Details screen will not update the Last Modified date.
2 Performing this action via the ThreatConnect v3 API will update the Last Modified date; however, performing this action via the ThreatConnect v2 API will not update the Last Modified date.
3 Performing this action via the ThreatConnect v3 API will update the Last Modified date; however, this action may not be performed using the ThreatConnect v2 API, as it does not support Workflow-related features.
Groups
Table 2 details the actions you can perform when working with Groups and whether each one updates the date and time when a Group was last modified.
| Action(s) | Applies to Which Group Type(s)? | Updates "Last Modified" Date? |
|---|---|---|
| Applying or removing Security Labels | All | Yes |
| Associating Groups, Indicators, Victim Assets, Cases, or Artifacts to a Group | All | Yes |
| Dissociating Groups, Indicators, Victim Assets, Cases, or Artifacts from a Group | All | Yes |
| Updating objects associated to a Group | All | No |
| Creating, updating, or deleting Description or Source Attributes with or without the Default checkbox selected | All | Yes |
| Creating, updating, or deleting Attributes | All | Yes |
| Creating posts via the Add New Comment card of a Group’s Details screen | All | Yes |
| Deleting posts added or linked to a Group | All | No1 |
| Applying or removing Tags | All | Yes |
| Following or unfollowing a Group | All | No |
| Adding a Task to a Group | All | Yes |
| Updating or deleting a Task added to a Group | All | No2 |
| Updating a Group's Intel Rating | All | Yes |
| Contributing a Group to a Community or Source | All | No |
| Copying a Group from a Community to an Organization | All | No3 |
| Publishing a Group | All | Yes |
| Updating a Group’s summary | All | Yes |
| Generating a PDF report of a Group | All Group types except Document, Email, Signature, and Task | No |
| Adding an Adversary asset | Adversary | Yes |
| Deleting an Adversary asset | Adversary | No |
| Enabling or disabling a Track | Adversary | No |
| Track results are found for an Adversary | Adversary | No |
| Adding, updating, or removing a Campaign’s First Seen date | Campaign | Yes |
| Updating the file name of the file corresponding to a Document | Document | Yes |
| Downloading the file corresponding to a Document | Document | No |
| Uploading a file to a Document | Document | Yes |
| Updating the analysis for an Email (i.e., updating the Body, From field, Header, or Subject of the email corresponding to the Group) | Yes | |
| Adding, updating, or removing an Event’s Event Date | Event | Yes |
| Adding or updating an Event’s Status | Event | Yes |
| Adding, updating, or removing an Incident’s Event Date | Incident | Yes |
| Adding or updating an Incident’s Status | Incident | Yes |
| Downloading the file corresponding to a Report | Report | No |
| Uploading a file to a Report | Report | Yes |
| Adding, updating, or removing a Report’s Publish Date | Report | Yes |
| Downloading a Signature’s file contents | Signature | No |
| Importing a new Signature file | Signature | Yes |
| Updating a Signature file’s name, type, or contents | Signature | Yes |
| Adding or removing Task Assignees | Task | Yes |
| Adding or removing users to whom a Task is to be escalated | Task | Yes |
| Adding or updating a Task’s Status | Task | Yes |
| Adding, updating, or removing a Task’s Due Date | Task | Yes |
| Adding, updating, or removing a Task’s Escalation Time | Task | Yes |
| Adding, updating, or removing a Task’s Reminder Time | Task | Yes |
1 Performing this action on the legacy Details screen will update the Last Modified date.
2 If updating a Task added to a Group, the Last Modified date for the Group to which the Task was added will not be updated, but the Last Modified date for the Task will be updated.
3 The Last Modified date for the Group that exists in the Community will not be updated; the Last Modified date for the copy of the Group created in the Organization will match the Date Added date.
Intelligence Requirements
Table 3 details the actions you can perform when working with IRs and whether each one updates the date and time when an IR was last modified.
| Action(s) | Updates “Last Modified” Date? |
|---|---|
| Associating Groups, Indicators, Victim Assets, Artifacts, or Cases to an IR | Yes |
| Dissociating Groups, Indicators, Victim Assets, Artifacts, or Cases from an IR | Yes |
| Updating objects associated to an IR | No |
| Adding or updating the IR's default Description Attribute | Yes |
| Updating an IR's subtype | Yes |
| Updating an IR's category | Yes |
| Applying or removing Tags | Yes |
| Following or unfollowing an IR | No |
| Updating an IR's summary | Yes |
| Updating an IR's keyword query | Yes |
| Resetting archived and false results for an IR | Yes |
| Retrieving results for an IR | Yes |
| Associating a result to an IR | Yes |
| Archiving a result for an IR | No |
| Marking a result for an IR as a false result | No |
Attributes
Table 4 details the actions you can perform when working with Attributes and whether each one updates the date and time when an Attribute was last modified.
| Action(s) | Updates "Last Modified" Date? |
|---|---|
| Applying or removing Security Labels | Yes |
| Creating, updating, or removing an Attribute’s Source | Yes |
| Updating an Attribute’s value | Yes |
| Saving an Attribute’s Source so that it can be reused by the same owner | No1 |
| Selecting or clearing the Default checkbox for Description and Source Attributes | Yes |
1 Performing this action on the legacy Details screen will update the Last Modified date.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
20132-01 v.04.A
Was this article helpful?
