The Browse Screen
  • 13 Oct 2023

To access the Browse screen in ThreatConnect®, click Browse on the top navigation bar. There are five primary components on the Browse screen: the My Intel Sources selector, Object filters (Intelligence Requirements, Indicators, Groups, Tags, Tracks, Victims, and Victim Assets), the query features, the EXPORT button, and the DELETE button (Figure 1).

Figure 1_The Browse Screen_7.3.0

 

My Intel Sources Selector

The My Intel Sources selector (Figure 2) at the upper-left corner of the Browse screen provides you with the ability to include your Organization and any of your Communities and intelligence Sources in your filtered queries. To include your Organization in filtered queries, toggle the View <Organization name> slider on; to include a Community or Source in your filtered queries, select the checkbox to the left of the Community or Source.

Note
To select all Communities and Sources, select the checkbox to the left of the Filter communities and Filter sources search bar, respectively. Similarly, clear the checkbox to the left of the Filter communities and Filter sources search bar to deselect all selected Communities and Sources, respectively.


The Filter communities and Filter sources search bars allow you to filter the displayed Communities and Sources, respectively, which can be helpful if you want to select or deselect a particular set of Communities or Sources.

In addition, you can select a single Community or Source by hovering over its name and clicking the View Only eye icon. Doing so will deselect all other owners automatically.

Note
A My Orgs list will be displayed in place of the View <Organization name> slider for Super Users, which allows them to select the Organizations whose data are to be displayed on the card.
Note
Super Users can select a single Organization by hovering over the Organization's name and clicking the View Only eye icon. Doing so will deselect all other owners automatically.

The number of selected owners (i.e., Organizations, Communities, and Sources) is displayed to the right of the My Intel Sources text. When all owners have been selected, the selector will look the same as Figure 2. If one or more owners are not selected, a color-coded circle will be displayed at the upper left corner of the selector.

  • Red circle: No owners have been selected.
  • Orange circle: Only one owner has been selected.
  • Blue circle: Two or more, but not all, owners have been selected.

This element helps alert you to the fact that you might be viewing an “incomplete” set of data.

The Feed Explorer

The Feed Explorer is similar in function to the Feeds tab of TC Exchange™. This feature, available to all ThreatConnect users, is accessed by clicking Feed Explorer on the My Intel Sources selector. The Feed Explorer displays all active TC Exchange feeds, presenting them in a table with their associated metric data displayed in columns, which are populated by CAL™. Additional feed information is displayed by clicking the icon found in the Report Card column of the Feed Explorer.

Object Filters

On the Browse screen, you can search for Intelligence Requirements (IRs), Indicators, Groups, Tags, Tracks, Victims, and Victim Assets using the filters on the left side of the screen (Figure 1). When searching for Indicators, Groups, and Victim Assets, you can filter results by one or more object types.

When you select an Indicator, Group, or Victim Asset type, a checkmark will be displayed to the right of the object type’s name, and the Browse screen will display only objects of that type in the owners selected in the My Intel Sources selector. Clicking on a selected object type will remove the checkmark to the right of its name, and the Browse screen will not display objects of that type.

Intelligence Requirements Filter

The Intelligence Requirements filter allows you to search for Intelligence Requirements. Select the Intelligence Requirements heading to display IRs in your Organization.

Note
The owners selected in the My Intel Sources selector do not apply to IRs, as IRs exist only in your Organization and cannot exist in Communities and Sources.

When viewing IRs, the Browse screen will display a table with the following columns:

  • ID: This column displays the IR’s ID.
  • Requirement: This column displays the IR’s summary.
  • Subtype: This column displays the IR’s subtype.
  • Category: This column displays the IR’s category.
  • Tags: If one or more Tags are applied to the IR, this column will display a count of those Tags; otherwise, no value will be displayed in this column. Click on the number displayed in this column to view the standard Tags and ATT&CK® Tags applied to the IR, as well as links to each Tag’s Details screen.
  • Added: This column displays the date when the IR was created.
  • Modified: This column displays the date when the IR was last modified.

Indicators Filter

The Indicators filter contains a multi-select list of Indicator types. Select one or more Indicator types, or click the Indicators heading to select all Indicator types. The Browse screen will display Indicators of the selected type(s) in the owners selected in the My Intel Sources selector.

When viewing Indicators, the Browse screen will display a table with the following columns:

  • Type: This column displays the Indicator’s type.
  • Summary: This column displays the Indicator’s summary.
  • Tags: If one or more Tags are applied to the Indicator, this column will display a count of those Tags; otherwise, no value will be displayed in this column. Click on the number displayed in this column to view the standard Tags and ATT&CK Tags applied to the Indicator, as well as links to each Tag’s Details screen.
  • Owner: This column displays the owner to which the Indicator belongs.
  • Threat Rating: This column displays the Indicator’s Threat Rating, if one has been set for the Indicator.
  • ThreatAssess: This column displays the Indicator’s ThreatAssess score.
  • Obs: This column displays the number of times, if any, the Indicator was observed.
  • F/P: This column displays the number of times, if any, the Indicator was reported as a false positive.
  • Added: This column displays the date when the Indicator was created.
  • Modified: This column displays the date when the Indicator was last modified.

If you are viewing only Address Indicators, the table on the Browse screen will display an additional column labeled Version that indicates whether the Address Indicator represents an IPv4 or IPv6 address.

Groups Filter

The Groups filter contains a multi-select list of Group types. Select one or more Group types, or click the Groups heading to select all Group types. The Browse screen will display Groups of the selected type(s) in the owners selected in the My Intel Sources selector.

When viewing Groups, the Browse screen will display a table with the following columns:

  • Type: This column displays the Group’s type.
  • Summary: This column displays the Group’s summary.
  • Tags: If one or more Tags are applied to the Group, this column will display a count of those Tags; otherwise, no value will be displayed in this column. Click on the number displayed in this column to view the standard Tags and ATT&CK Tags applied to the Group, as well as links to each Tag’s Details screen.
  • Owner: This column displays the owner to which the Group belongs.
  • Upvote Count (thumbs-up icon): This column displays the number of upvotes, if any, the Group has received.
  • Downvote Count (thumbs-down icon): This column displays the number of downvotes, if any, the Group has received.
  • Added: This column displays the date when the Group was created.
  • Modified: This column displays the date when the Group was last modified.

Table 1 outlines additional columns the table on the Browse screen will display when only one of the following Group types is selected: Campaign, Document, E-mail, Event, Incident, Report, or Task.

 

| Group Type | Column Name | Description |
|---|---|---|
| Campaign | First Seen | This column displays the date when the Campaign was first seen. |
| Document | Format | This column displays the Document’s file type. |
| E-mail | Score | This column displays the E-mail’s Threat Score. |
| Event | Event Date | This column displays the date when the Event took place. |
| Event | Status | This column displays the Event’s status. |
| Incident | Event Date | This column displays the date when the Incident took place. |
| Incident | Status | This column displays the Incident’s status. |
| Report | Format | This column displays the Report’s file type. |
| Report | Publish Date | This column displays the date when the Report was published. |
| Signature | Format | This column displays the Signature’s type. |
| Task | Status | This column displays the Task’s status. |
| Task | Due Date | This column displays the date when the Task is due. |

Tags Filter

The Tags filter allows you to search for Tags. Select the Tags heading to display Tags in the owners selected in the My Intel Sources selector.

When viewing Tags, the Browse screen will display a table with the following columns:

  • Type: This column will display “Tag” for all entries.
  • Summary: This column displays the Tag’s summary.
  • Synonymous Tags: For main Tags defined in Tag normalization rules (i.e., Tags with a main Tag icon displayed to the left of their name in the Summary column), this column displays a count of synonymous Tags defined in the corresponding rule; for all other Tags, no value is displayed in this column. Click on the number displayed in this column to view a list of synonymous Tags associated with the main Tag.
  • Owner: This column displays the owner to which the Tag belongs.
  • Last Used: This column displays the date when the Tag was last used. For Tags that have not been used since the Last Used date for Tags was introduced in ThreatConnect, a value of Unknown will be displayed in this column.

Tracks Filter

The Tracks filter allows you to search for Tracks. Select the Tracks heading to display Tracks in the owners selected in the My Intel Sources selector.

When viewing Tracks, the Browse screen will display a table with the following columns:

  • Type: This column will display “Track” for all entries.
  • Summary: This column displays the Track’s summary.
  • Owner: This column displays the owner to which the Track belongs.
  • Results: This column displays the number of new results, if any, for the Track.
  • Status: This column indicates whether the Track is active.
  • Added: This column displays the date when the Track was created.

Victims Filter

The Victims filter allows you to search for Victims. Select the Victims heading to display Victims in the owners selected in the My Intel Sources selector.

When viewing Victims, the Browse screen will display a table with the following columns:

  • Type: This column will display “Victim” for all entries.
  • Summary: This column displays the Victim’s summary.
  • Tags: If one or more Tags are applied to the Victim, this column will display a count of those Tags; otherwise, no value will be displayed in this column. Click on the number displayed in this column to view the standard Tags and ATT&CK Tags applied to the Victim, as well as links to each Tag’s Details screen.
  • Owner: This column displays the owner to which the Victim belongs.
  • Org: This column displays the Victim’s organization.
  • Sub-Organization: This column displays the Victim’s sub-organization.
  • Nationality: This column displays the Victim’s nationality.
  • Location: This column displays the Victim’s work location.

Victim Assets Filter

The Victim Assets filter contains a multi-select list of Victim Asset types (E-Mail Address, Network Account, Phone, Social Network, and WebSite). Select one or more Victim Asset types, or click the Victim Assets heading to select all Victim Asset types. The Browse screen will display Victim Assets of the selected type(s) in the owners selected in the My Intel Sources selector.

When viewing Victim Assets, the Browse screen will display a table with the following columns:

  • Type: This column displays the Victim Asset’s type.
  • Summary: This column displays the Victim Asset’s summary.
  • Victim: This column displays the Victim to which the Victim Asset belongs.
  • Asset: For E-mail Address, Network Account, or Social Network Victim Assets, this column displays the type of email address, network account, or social network, respectively, to which the Victim Asset corresponds.

Query Features

There are four query features, found along the top of the Browse screen:

  • a text box for a contains query
  • an Exact matches checkbox for enabling an exact matches query
  • a FILTERS selector for filtering the results of the contains or exact matches query
    Note
    The FILTERS selector is not available for Intelligence Requirements and Tags.
  • a toggle (the Advanced text at the upper-right corner of Figure 1) for accessing the advanced-query functionality

Contains Query

A contains query allows you to narrow down results based on a string of text entered into the search bar to the right of the FILTERS selector. ThreatConnect will then filter the results and return those with a summary that contains the entered text (Figure 3).

Figure 3_The Browse Screen_7.3.0

 

In this example, submitting a query for bad returned 36 Indicators with a summary that contains the text bad. The filtering also displays the entered text next to the Summary contains: text so that it may be easily cleared.

Exact Matches Query

An exact matches query, which is enabled by selecting the Exact matches checkbox to the right of the search bar, allows you to narrow down results to those with a summary that is an exact match to the string of text entered into the search bar. This type of query is helpful when filtering large datasets for a specific object, as an exact matches query takes less time to complete than a contains query.

In the following example, submitting a query for bad with the Exact matches checkbox selected returned no results, meaning there are no Indicators with a summary that matches bad (Figure 4).

Figure 4_The Browse Screen_7.3.0

 

However, submitting a query for bad.com with the Exact matches checkbox unselected returned five results for multiple Indicator types in two owners (Figure 5).

Figure 5_The Browse Screen_7.3.0

 

Filtering Results

For Indicators, Groups, Tracks, Victims and Victim Assets, you can expand the FILTERS selector to filter results from a contains or exact matches query. Each object type has a different set of parameters available for filtering, as detailed in Table 2.

 

| Object Type | Filter Parameters |
|---|---|
| Indicator | Tags, Created After, Created Before, Modified After, Modified Before, Indicator Status, Observed Since, Threat and Confidence Ratings, ThreatAssess Score, Observations, False Positives, Attributes that exist within ThreatConnect |
| Group | Tags, Created After, Created Before, Modified After, Modified Before, Attributes that exist within ThreatConnect |
| Track | Created After, Created Before, Status, Has Results |
| Victim | Tags, Organization, Sub-Organization, Nationality, Work Location, Attributes that exist within ThreatConnect |
| Victim Asset | Victim, Asset |

Figure 6 shows the FILTERS selector for Indicators. Define one or more parameters, and then click the APPLY button to display the results. To clear the query parameters, click Clear All Filters to the right of the Exact matches checkbox.


Important
The date entered in the Created Before and Created After fields will not be included in the query range. For example, if 2022-04-05 is entered in the Created After field, then the query will display results beginning on the day after (i.e., beginning on 2022-04-06).
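The contains, exact matches, and exclusive date-bound behavior described above can be reproduced offline when validating an exported result set. The following is an added example, not ThreatConnect code: the sample rows are constructed, the column names simply mirror the Browse table, and case-sensitive matching is an assumption.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data; column names mirror the Browse table (assumed, not a real export).
SAMPLE_CSV = """Type,Summary,Owner,Added
Host,bad.com,Example Org,2022-04-05
Host,notbad.example,Example Org,2022-04-06
Address,192.0.2.10,Example Source,2022-04-07
URL,http://bad.com/login,Example Source,2022-04-08
"""


def load_rows(csv_text=SAMPLE_CSV):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def browse_filter(rows, text="", exact=False, created_after=None, created_before=None):
    """Filter rows the way the page describes the basic query features.

    text/exact: summary contains the text, or equals it when exact is True.
    created_after/created_before: exclusive bounds; the entered date itself
    is not part of the result range.
    """
    kept = []
    for row in rows:
        summary = row["Summary"]
        if text:
            # Case-sensitive comparison is an assumption of this example.
            matched = (summary == text) if exact else (text in summary)
            if not matched:
                continue
        added = date.fromisoformat(row["Added"])
        if created_after is not None and not added > created_after:
            continue
        if created_before is not None and not added < created_before:
            continue
        kept.append(row)
    return kept


def inclusive_to_exclusive(first_day, last_day):
    """Return the (Created After, Created Before) values to enter so that
    both first_day and last_day are included in the results."""
    one_day = timedelta(days=1)
    return first_day - one_day, last_day + one_day


if __name__ == "__main__":
    rows = load_rows()
    after, before = inclusive_to_exclusive(date(2022, 4, 5), date(2022, 4, 7))
    for row in browse_filter(rows, created_after=after, created_before=before):
        print(row["Added"], row["Type"], row["Summary"])
```

To cover a date range inclusively, enter the day before the first wanted day in Created After and the day after the last wanted day in Created Before, as `inclusive_to_exclusive` computes.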

Advanced Query

An advanced query is initiated by clicking Advanced at the upper-right corner of the Browse screen (Figure 7). The advanced-query filter allows you to build structured queries using an SQL-like query language called ThreatConnect Query Language (TQL). With this feature, an analyst can specify criteria that cannot be defined using the basic query and filter capabilities.

Figure 7_The Browse Screen_7.3.0

 

Click Basic at the upper-right corner of the Browse screen (Figure 7) to toggle back to the basic search features (i.e., contains query, exact matches query, and FILTERS selector).

Note
After creating a contains or exact matches query using the basic search features, you can click Advanced at the upper-right corner of the Browse screen to convert the query into a TQL query.

Saving Queries

Follow these steps to save a query for later viewing. You may also use saved queries in Query cards in custom dashboards and add them to a Group in order to create associations between the Group and objects returned via the TQL query.

  1. Click the vertical ellipsis at the upper-right corner of the Browse screen and select Save Current Query.... The Save Current Query... drawer will be displayed.
  2. Enter a name for the query.
  3. Click the SAVE button.

Viewing and Managing Saved Queries

To view all saved queries, click the vertical ellipsis at the upper-right corner of the Browse screen and select View Queries. The View Queries drawer will be displayed. Click on a query's name to view it in the Browse screen. Note that you can use the Find by name box to filter saved queries by name.

To delete a saved query, click Delete in the Actions column of the View Queries drawer. The Confirm Delete window will be displayed. Click the YES button to delete the query.

EXPORT Button

Click the EXPORT button at the bottom of the Browse screen to display the Export Data window for Indicator export (Figure 8) or for Group export (Figure 9). Here, you can select the data points from the items in the filtered results list that you want to export to a comma-separated values (CSV) file.

Figure 8_The Browse Screen_7.3.0

 

Figure 9_The Browse Screen_7.3.0

 

Important
If no results are displayed on the Browse screen, the EXPORT button will be disabled.

DELETE Button

Click the DELETE button at the bottom of the Browse screen to display the Delete window, which displays how many items you will be deleting and asks you to confirm the delete operation (Figure 10).

Figure 10_The Browse Screen_7.3.0

 

Click the YES button to delete all items in the filtered results. If you attempt to delete more than 50 items, you will be prompted to enter the text “OK” in the box, and then click the YES button (Figure 11).

Figure 11_The Browse Screen_7.3.0

 

Important
If no results are displayed on the Browse screen, the DELETE button will not be displayed.

ThreatConnect® is a registered trademark, and TC Exchange™ and CAL™ are trademarks, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20051-02 v.17.A