Viewing Search Results (Beta)
  • 12 Jun 2024
Important
This article describes how to use the search feature introduced in ThreatConnect 7.6, which is currently a beta feature. For instructions on using the legacy search feature, see Searching in ThreatConnect (Legacy).

Overview

The ThreatConnect® search engine lets you search your entire dataset to quickly find data relevant to the item you are investigating. After you run a search from the Search screen, the search engine returns a list of Indicators, Groups, Tags, Victims, and Workflow Cases that match the search query, which you can then review and analyze as part of your investigation.

When looking for matches to a search query, the search engine searches an object’s summary and metadata, including Artifacts, Attributes, file and signature contents, Notes, Tags, Tasks, and Victim Assets, to form a relevance-ordered result set based on how closely each result matches the query.

Before You Start

User Roles

  • To view, sort, and filter search results that are Indicators, Groups, Tags, or Victims in an Organization, your user account can have any Organization role.
  • To view, sort, and filter search results that are Indicators, Groups, Tags, or Victims in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
  • To view, sort, and filter search results that are Cases in an Organization, your user account can have any Organization role except App Developer.

Prerequisites

  • To search your ThreatConnect data and view search results on the Search screen, turn on and configure OpenSearch® and initialize the search index for your ThreatConnect instance via the System Settings screen (you must be a System Administrator to perform this action).

Viewing Search Results

After you run a search from the Search screen, the screen will display the search results in a paginated table with the following columns (Figure 1):

Figure 1: Viewing Search Results (ThreatConnect 7.6.0)

  • Matched On: The first part of the result that matched the search query. Possible values for this column include the following:
    • Artifact Name: The summary of an Artifact added to the specified Case was a match.
    • Assets Value: The summary of a Victim Asset added to the specified Victim was a match.
    • Attribute: The value of one of the result’s Attributes, the value of the result’s default Description Attribute, or the value of the result’s default Source Attribute was a match.
    • Case Description: The description of the specified Case was a match.
    • File Contents: The contents of the file uploaded to the specified Document or Report Group were a match.
    • Note Text: The contents of a Case Note added to the specified Case were a match.
    • Signature Value: The contents of the signature file uploaded to the specified Signature Group were a match.
    • Summary: The result’s summary was a match.
    • Tag Name: The name of a standard Tag or an ATT&CK® Tag applied to the result was a match.
    • Task Description: The description of a Task added to the specified Case was a match.
    • Task Name: The name of a Task added to the specified Case was a match.
  • Type: The result’s type. If the result is a Group or an Indicator, the Type column will also show the result's subtype (e.g., Address, Report).
  • Name/Summary: The result’s summary.
  • Owner: The owner in which the result exists.
  • ThreatAssess: If the result is an Indicator, the ThreatAssess column will show the Indicator’s ThreatAssess score. Otherwise, this column will show no value for the result.
  • Date Added: The date and time when the result was created in its owner.
  • Last Modified: The date and time when the result was last modified in its owner.

Viewing Search Result Details

Select a result in the table to open the Details drawer for the corresponding Case, Group, Indicator, Tag, or Victim and view detailed information about the result.

Sorting Search Results

You can sort search results by any of the table columns except for the Matched On and ThreatAssess columns. By default, search results are sorted based on how closely they match the search query, where objects whose summary matches the query are listed at the top, followed by objects with a piece of metadata (e.g., an Attribute, a Tag) that matches the query.

Note
When sorting search results by the Name/Summary column, objects whose summary begins with an uppercase letter will be sorted independently of objects whose summary begins with a lowercase letter. This issue will be fixed in a future ThreatConnect release.
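To make the Matched On rules and the default relevance ordering described above concrete, here is an added Python illustration. It is not ThreatConnect code and not its search implementation; it assigns a Matched On value to constructed sample results, lists summary matches before metadata matches, applies the object-type and Exact Match options, and reproduces the case-sensitive sorting behaviour from the note. The Result shape, the order in which metadata parts are checked, and all sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Result:
    """One search hit. Constructed sample shape, not ThreatConnect's data model."""
    type: str                                     # Case, Group, Indicator, Tag, or Victim
    summary: str                                  # shown in the Name/Summary column
    owner: str
    metadata: dict = field(default_factory=dict)  # part name -> list of text values


# Metadata parts the article lists as searchable. The article only says the
# *first* matching part is reported, so this check order is an assumption.
METADATA_FIELDS = [
    "Attribute", "Tag Name", "File Contents", "Signature Value", "Note Text",
    "Task Name", "Task Description", "Case Description", "Artifact Name",
    "Assets Value",
]


def _hit(text, query, exact):
    """Exact Match compares whole strings; otherwise a case-insensitive substring test."""
    return text == query if exact else query.lower() in text.lower()


def matched_on(result, query, exact=False):
    """Name of the first part of `result` that matches `query`, or None."""
    if _hit(result.summary, query, exact):
        return "Summary"
    for name in METADATA_FIELDS:
        for value in result.metadata.get(name, []):
            if _hit(value, query, exact):
                return name
    return None


def search(results, query, exact=False, types=None):
    """Return (matched_on, result) rows in the default relevance order:
    summary matches first, metadata matches after them. Python's sort is
    stable, so rows with the same rank keep their original order."""
    rows = []
    for r in results:
        if types and r.type not in types:
            continue                      # object-type dropdown filter
        m = matched_on(r, query, exact)
        if m is not None:
            rows.append((m, r))
    rows.sort(key=lambda row: 0 if row[0] == "Summary" else 1)
    return rows


def summaries_sorted(results, case_insensitive=False):
    """Summaries ordered as the Name/Summary column would order them.
    The plain string sort reproduces the caveat in the note above: every
    uppercase-initial summary sorts before every lowercase-initial one."""
    key = (lambda s: s.lower()) if case_insensitive else (lambda s: s)
    return sorted((r.summary for r in results), key=key)


# Constructed sample data (not real ThreatConnect objects)
SAMPLE = [
    Result("Indicator", "evil.example", "Demo Org", {"Tag Name": ["phishing"]}),
    Result("Group", "Phishing campaign report", "Demo Org",
           {"Attribute": ["Targets finance staff"]}),
    Result("Case", "Ticket 42", "Demo Org",
           {"Note Text": ["Suspected phishing email from evil.example"]}),
    Result("Tag", "phishing", "Demo Org"),
    Result("Victim", "acme corp", "Demo Org",
           {"Assets Value": ["finance@example.test"]}),
]

if __name__ == "__main__":
    for m, r in search(SAMPLE, "phishing"):
        print(f"{m:10} {r.type:10} {r.summary}")
    print(summaries_sorted(SAMPLE))
    print(summaries_sorted(SAMPLE, case_insensitive=True))
```

Running the block lists the Group and Tag (summary matches) ahead of the Indicator and Case (metadata matches), and the two sorted lists show why a summary beginning with "P" lands far from one beginning with "p" under the current sort.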

Filtering Search Results

There are two ways you can filter search results on the Search screen:

  • Use the dropdown to the right of the Exact Match checkbox to filter results by the following ThreatConnect object types: Cases, Indicators, Groups, Tags, and Victims. After making your selections in the dropdown, run your search again to apply the filters to the results.
  • Use the Filters menu to filter results by owner; object subtype (for Indicators and Groups only); creation date; and last modified date. After making your selections, click Apply in the Filters menu to apply the filters to the results.
    Note
    The Group Type and Indicator Type filters in the Filters menu apply only to results that are Groups and Indicators, respectively. These filters will not affect results that are Cases, Tags, or Victims. Also, if you configured the dropdown to the right of the Exact Match checkbox to exclude Groups or Indicators from the search results, the Group Type or Indicator Type filter, respectively, will be grayed out.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
OpenSearch® is a registered trademark of Amazon Web Services.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20075-06 v.01.A