Using the Advanced-Query Filter

Overview

In ThreatConnect^®, you can use the advanced-query filter on the Browse screen to perform highly targeted searches of your threat intelligence data with structured queries written in ThreatConnect Query Language (TQL). This filter provides flexibility to search and filter your data based on criteria that cannot be defined using the Browse screen’s basic query and filter capabilities.

After you construct a TQL query on the Browse screen, you can save it for later viewing and use on this screen. You can also use saved TQL queries when adding Query cards to custom dashboards, as well as to create associations between a Group and objects returned via the TQL query.

Before You Start

User Roles

• To access the advanced-query filter, run TQL queries, save TQL queries, and manage saved TQL queries on the Browse screen, your user account can have any Organization role.
• To search for threat intelligence data objects in an Organization with the advanced-query filter on the Browse screen, your user account can have any Organization role.
• To search for threat intelligence data objects in a Community or Source with the advanced-query filter on the Browse screen, your user account can have any Community role except Banned for that Community or Source.

Running TQL Queries

Follow these steps to run a TQL query with the advanced-query filter on the Browse screen:

1. Click Browse on the top navigation bar. Then click Advanced at the upper-right corner of the Browse screen to access the advanced-query filter (Figure 1).

   

    

   Note

   A list of commonly used TQL queries and a link to a complete list of TQL operators and parameters are available in the ThreatConnect Query Language (TQL) pane on the left side of the Browse screen.
   Note

   If you created a contains or exact matches query with the basic search features on the Browse screen, clicking Advanced at the upper-right corner of the screen will convert the query into a TQL query.
2. Select the type of object to query for from the dropdown to the left of the search bar at the top of the Browse screen. Available options include Intelligence Requirements, Indicators, Groups, Tags, Tracks, Victims, and Victim Assets.
3. Enter a TQL query into the search bar at the top of the Browse screen. Then click Search, or press the Enter key on your keyboard, to run the query.
4. (Optional) Use the My Intel Sources selector at the top left of the Browse screen to select which owners to display data from on the Browse screen.

Saving TQL Queries

Follow these steps to save a TQL query on the Browse screen:

1. Navigate to the advanced-query filter on the Browse screen and construct a TQL query.
2. Click the ⋮ menu at the upper-right corner of the Browse screen and select Save Current Query….
3. On the Save Current Query… drawer, enter a name for the query, and then click SAVE.

Managing Saved TQL Queries

Follow these steps to manage your saved TQL queries on the Browse screen:

1. Click Browse on the top navigation bar. Then click Advanced at the upper-right corner of the Browse screen to access the advanced-query filter.
2. Click the ⋮ menu at the upper-right corner of the Browse screen and select View Queries.
3. On the View Queries drawer, you can perform the following actions:
4. Select a saved TQL query to run it with the advanced-query filter on the Browse screen immediately.
5. Click Deletefor a saved TQL query to delete it.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.

20052-02 v.18.A