Viewing Search Results for All Object Types
  • 10 Sep 2025

Overview

The ThreatConnect® search engine lets you search your entire dataset to quickly find data relevant to the item you are investigating. After you run a search of all object types, the search engine returns a results set of Indicators, Groups, Tags, Victims, and Workflow Cases that match the search query, which you can then review and analyze as part of your investigation.

When looking for matches to a search query, the search engine searches an object’s summary and metadata—including Attributes; Descriptions; Case Artifacts, Notes, and Tasks; file and signature contents; Tags; and Victim Assets and Victim details—and provides a relevance-ordered result set based on how closely each result matches the query.

Before You Start

User Roles

  • To view and export Indicators, Groups, Tags, or Victims in an Organization, your user account can have any Organization role.
  • To view and export Indicators, Groups, Tags, or Victims in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
  • To view and export Cases in an Organization, your user account can have any Organization role except App Developer.
  • To delete Indicators, Groups, standard Tags, or Victims in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To delete Indicators, Groups, standard Tags, or Victims in a Community or Source, your user account must have a Community role of Editor or Director for that Community or Source.
  • To delete Cases in an Organization, your user account must have an Organization role of Organization Administrator.
  • To apply Tags to Indicators, Groups, and Victims in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To apply Tags to Cases in an Organization, you must have an Organization role of Standard User, Sharing User, or Organization Administrator.
  • To apply Tags to Indicators, Groups, and Victims in a Community or Source, your user account must have a Community role of Contributor, Editor, or Director for that Community or Source.

Prerequisites

  • To search your ThreatConnect data and view search results on the Search: All Object Types screen, turn on and configure OpenSearch® and initialize the search index for your ThreatConnect instance on the System Settings screen (must be a System Administrator to perform this action).
  • To view and manage search results that are Cases, select the Enable Workflow checkbox on the Permissions tab of the Organization Information window when editing your Organization on the Organizations tab of the Account Settings screen (must be an Accounts Administrator, Operations Administrator, or System Administrator to perform this action).

Viewing Search Results

After you run a search of all object types, the Search: All Object Types screen displays the search results in a paginated table with the following columns (Figure 1):

[Figure 1: Viewing Search Results (7.6.0)]

 

  • Matched On: The property of the result that matched the search query. To view details about each property of a result that matched the search query, click the value or the Result Details icon in the Matched On column. Table 1 defines the possible values for this column and the applicable result type for each value.
  • Type: The result’s type. For Groups and Indicators, the Type column also displays the result's subtype (e.g., Address, Vulnerability).
  • Name/Summary: The result’s name/summary.
  • Owner: The result’s owner.
  • ThreatAssess: (Indicators only) The result’s ThreatAssess score.
  • Date Added: The date and time the result was created in its owner.
  • Last Modified: The date and time the result was last modified in its owner.

 

| “Matched On” Value | Description | Result Types |
|---|---|---|
| Artifact | The summary of one or more of the result’s Artifacts was a match. | Case |
| Attribute | The value of one or more of the result’s Attributes was a match. | Case, Indicator, Group, Tag, Victim |
| Case Description | The description of the result was a match. | Case |
| Description | The value of one or more of the result’s Description Attributes (default or non-default) was a match. | Indicator, Group, Tag, Victim |
| File Content | The contents of the file uploaded to the result were a match. | Group (Document and Report only) |
| Multiple Properties | Two or more of the result’s properties were a match. | Case, Indicator, Group, Tag, Victim |
| Name/Summary | The result’s name/summary was a match. | Case, Indicator, Group, Tag, Victim |
| Note | The contents of one or more of the result’s Case Notes were a match. | Case |
| Signature | The contents of the signature file uploaded to the result were a match. | Group (Signature only) |
| Tag | The name of one or more standard Tags or ATT&CK® Tags applied to the result was a match. | Case, Indicator, Group, Victim |
| Task | The name of one or more of the result’s Tasks was a match. | Case |
| Task Description | The description of one or more of the result’s Tasks was a match. | Case |
| Victim Asset | The summary of one or more of the result’s Victim Assets was a match. | Victim |
| Victim Nationality | The result’s nationality was a match. | Victim |
| Victim Organization | The result’s organization was a match. | Victim |
| Victim Sub-Organization | The result’s sub-organization was a match. | Victim |
| Victim Work Location | The result’s work location was a match. | Victim |

Viewing Match Details for Search Results

A search result’s Result Details drawer displays each of the result’s properties that matched the search query, with each part of the property that matched the query highlighted in blue. For example, in Figure 2, the following properties of the result matched the search query from Figure 1 (ransomware 140.82.29.65 "scattered spider"): the result’s name/summary, the value of the result’s Source Attribute, the value of the result’s Description Attribute, and the name of one of the result’s standard Tags.

[Figure 2: Viewing Search Results (7.7.0)]

 

Hint
To open the Details screen from the Result Details drawer, click the object’s name at the upper left.

There are two ways to open a search result’s Result Details drawer on the Search: All Object Types screen:

  • Click the value or the Result Details icon in the result’s Matched On column.
  • Click the result’s ⋯ menu and select View Match Details.

Viewing Search Result Details

Click a search result’s table row, or click a result’s ⋯ menu and select View Details, to open the Details drawer for the corresponding Case, Group, Indicator, Tag, or Victim and view detailed information about the result.

To open a search result’s Details screen, click the result’s name/summary in the results table on the Search: All Object Types screen.

Hint
Search results will not persist if you navigate to a different screen in the browser tab. Click View details in new tab next to a result’s name/summary to retain your search results when viewing a result’s Details screen.

Managing Search Results

Selection Actions

You can select one or more search results and then use the Selection Actions dropdown to perform the following actions:

Hint
To view only selected results in the results table, click the <#> Selected filter next to the Selection Actions dropdown.
  • Add Tags…: Enter and apply Tags to all selected objects.
    Note
    Tags are applied only to objects in owners for which your user account has permission to create data. Tags are not applied to other Tags.
  • Export…: Export all selected objects to a comma-separated values (CSV) file.
    Note
    You can export all objects in the results table, including those on other table pages, to a CSV file by clicking the menu at the upper right of the Search: All Object Types screen and selecting Export Returned Objects….

Search Result Options

You can use a search result’s menu to manage and analyze the result. Table 2 describes the options available in the menu and the applicable result types for each option.

 

| Search Result Option | Description | Result Types |
|---|---|---|
| Add to Exclusion List | Add the result to your Organization-level Exclusion List. This option is available only if your user account has an Organization role of Organization Administrator and if the excludeFromDetailsEnabled system setting is turned on for your ThreatConnect instance. Important: You cannot remove an Indicator from your Organization’s Exclusion List from the Search: All Object Types screen. | Indicator |
| Change Status to Active / Change Status to Inactive | Change the Indicator Status of the result. This option is available only if your user account has permission to modify Indicator Status in the result's owner. | Indicator |
| Create Custom Report | Create a report for the result from scratch or from a report template. This option is available only if your user account has permission to create reports. | Case, Group |
| Delete… | Delete the result from its owner. This option is available only if your user account has the requisite permissions in the result’s owner. Note: ATT&CK Tags may not be deleted. | Case, Indicator, Group, Tag, Victim |
| Threat Graph | Open Threat Graph to visualize, explore, and analyze the result’s associations. Note: The Threat Graph option is in the Visual Analysis dropdown for Group results. | Case, Indicator, Group, Tag |
| View Details | Open the result’s Details drawer. | Case, Indicator, Group, Tag, Victim |
| View Match Details | Open the Result Details drawer and view details about the result’s properties that matched the search query. | Case, Indicator, Group, Tag, Victim |
| Visual Analysis | Dropdown with the Threat Graph and Visualize ATT&CK options. | Group |
| Visualize ATT&CK | Open the ATT&CK Visualizer and create a standard ATT&CK view with the Group added as an analysis layer. Note: The Visualize ATT&CK option is in the Visual Analysis dropdown for Group results. | Group |

Sorting Search Results

You can sort search results by any table column except Matched On. By default, search results are sorted by how closely they match the search query, where objects whose name/summary matches the query are listed at the top, followed by objects with metadata (e.g., an Attribute, a Tag) that matches the query.

Note
When sorting search results by the Name/Summary column, objects whose name/summary begins with a newline or whitespace character in the database will be sorted above all other results.

Filtering Search Results

The Search: All Object Types screen provides the following options for filtering search results:

  • The object type dropdown next to the Exact Match checkbox lets you filter results by the following ThreatConnect object types: Cases, Indicators, Groups, Tags, and Victims. Results are filtered automatically as you select options in the dropdown.
  • The owner dropdown next to the Filters menu lets you filter results by one or more owners. Results are filtered automatically as you select options in the dropdown.
  • The Filters menu lets you filter results by object metadata. After selecting and configuring filters, click Apply. Results may be filtered by the following metadata:
    • Object Subtypes (Indicators and Groups only)
    • Date Added
    • Last Modified
    • Matched On (i.e., the property that matched the search query)
    • ThreatAssess (Indicators only)
Note
The Group Type and Indicator Type filters in the Filters menu apply only to results that are Groups and Indicators, respectively. If you configure the object type dropdown to exclude Groups or Indicators from the search results, the Group Type or Indicator Type filter, respectively, will be grayed out.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
OpenSearch® is a registered trademark of Amazon Web Services.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20075-06 v.03.A

