The Browse screen provides a central point to access and filter content in ThreatConnect®. Use the Browse screen to view objects (Indicators, Groups, Tags, Tracks, Victims, or Victim Assets) for an Organization, Community, or Source and to save queries for later viewing or use in custom dashboards (if enabled).
The Browse Screen
To access the Browse screen, place the cursor over BROWSE on the top navigation bar (Figure 1).
On the Browse screen, there are six primary components: the MY THREATCONNECT dropdown menu, Object filters (Indicators, Groups, Tags, Tracks, Victims, and Victim Assets), the FILTERS menu, Advanced query, the EXPORT button, and the DELETE button (Figure 2).
MY THREATCONNECT Dropdown Menu
The MY THREATCONNECT dropdown menu (Figure 3) at the top left of the screen provides users with the ability to include their own Organization and any Communities or intelligence Sources in their filtered queries.
The number of selected Organizations, Communities, and Sources is displayed in parentheses next to the MY THREATCONNECT text in the orange box. If all Organizations, Communities, and Sources have been selected, then the orange box will appear as in Figure 3. If no Organizations, Communities, or Sources have been selected, then the orange box will have a red dot at the top left (Figure 4).
If only one Organization, Community, or Source has been selected, then the orange box will have an orange dot at the top left (Figure 5).
If two or more, but not all, Organizations, Communities, or Sources have been selected, then the orange box will have a blue dot at the top left (Figure 6).
The Indicators filter (Figure 7) gives users the ability to filter and search Indicators—including Addresses, E-mail Addresses, Files, Hosts, URLs, ASNs, CIDRs, Mutexes, Registry Keys, and User Agents—within ThreatConnect.
The Groups filter (Figure 8) gives users the ability to filter and search Groups—including Adversaries, Campaigns, Documents, E-mails, Events, Incidents, Intrusion Sets, Reports, Signatures, Threats, and Tasks—within ThreatConnect.
The Tags filter gives users the ability to filter and search based on an Organization’s existing Tags within ThreatConnect.
The Tracks filter gives users the ability to filter and search based on an Organization’s existing Tracks within ThreatConnect.
The Victims filter gives users the ability to filter and search based on an Organization’s existing Victims within ThreatConnect.
Victim Assets Filter
The Victim Assets filter (Figure 9) gives users the ability to filter and search based on Victim Assets—including E-mail Addresses, Network Accounts, Phone Numbers, Social Networks, and WebSites—within ThreatConnect.
The FILTERS Menu
The FILTERS menu provides two different options: a simple string query and a filtered query.
The simple string query allows users to narrow down results based on a string of text that is entered in the window to the right of the FILTERS dropdown menu (Figure 10). ThreatConnect will then filter and provide results in a table.
In this example, the string evil provided one result: evilll.com. The filtering also displays a tracking string next to the Contains: text so that strings entered may be easily deselected.
A filtered query employs the string from the simple string query, but also provides users with the capability to filter their results with the help of the following parameters: Tags, Date Created, Indicator Status, Observed Since, Threat and Confidence Ratings, and Attributes that exist within ThreatConnect.
Click on the FILTERS dropdown menu (Figure 11), define the filtered parameters, and then click on the APPLY button to obtain results. To clear the query parameters, click on the Clear All text.
NOTE: The date entered in the “Created After” and “Created Before” fields will not be included in the query range. For example, if “2016-12-04” is entered in the “Created After” field, then the query will display results beginning on the day after (i.e., beginning on “2016-12-05”).
An advanced query (Figure 12) is initiated by clicking on the Advanced text at the top right of the screen (Figure 2). The advanced query filter allows users to build structured queries using an SQL-like query language called ThreatConnect Query Language (TQL). See Using ThreatConnect Query Language (TQL) for more information. With this feature, an analyst can specify criteria that cannot be defined using a simple string query.
Saving and Viewing Queries
Queries may be saved for later viewing or for use in custom dashboards (if enabled).
- Click the vertical ellipsis icon at the top right of the screen (next to Basic or Advanced). A menu will appear (Figure 13).
- Click on Save Current Query..., and the Save Current Query... flyout will appear (Figure 14).
- Enter a name for the query, and then click the SAVE button. To view all saved queries, choose the View Queries option from the vertical ellipsis menu. The View Queries flyout will appear (Figure 15).
- Use the Filter box to enter text by which to filter the query names. Click on the name of a query to view it in the Browse screen. Click on the trash icon to delete a query.
Click on the EXPORT button at the bottom of the Browse screen (Figure 12), and the Export Data window will appear (Figure 16). Here, users with the Sharing Administrator role can select which data points they wish to export from the items in the filtered results list to a Comma-Separated Values (CSV) file. See Exporting Indicators for more details.
If the filtered results are limited to a single owner for which the analyst is a Sharing Administrator or higher, a DELETE button will be available next to the EXPORT button (Figure 17). Clicking this button will bring up a window asking if the user wants to delete all of the filtered items from the Organization (or Community or Source).
The Details Flyout
Clicking on an entry in the Browse table displays the Details flyout (Figure 18), which gives a detailed overview of the selected object. The overview includes a description (if provided) and the following components: Indicator Status, Description, Type, Owner, Date Added, Date Last Modified, whether DNS and Whois are active or not, ThreatAssess metrics (see ThreatAssess and CAL), Threat and Confidence Ratings, how many False Positives have been reported and when they were last reported, Security Labels, Tags, any Associated Intel (up to the first 10), any Associated Indicators (up to the first 10), Collective Analytics Layer (CAL™) Insights (see ThreatAssess and CAL), and Investigation Links.
NOTE: To obtain a full listing of Associated Intel, click the vertical ellipsis icon at the top right corner and then choose Pivot from the dropdown menu. (See Pivoting on Data.) To view more information about the object, click the Details icon. (See The Details Screen.) To see all associated Indicators, click on the all associated indicators... text at the bottom of the screen, which will appear if there are more than 10 associated Indicators.