Basic Search

The ThreatQ Basic Search feature provides a fast, intuitive way for users to locate objects across the ThreatQ platform without navigating through multiple modules or object lists. Positioned prominently in the ThreatQ navigation bar next to the Create button, Basic Search is designed to accelerate investigations, improve analyst efficiency, and surface relevant intelligence with minimal friction.

Basic Search operates across all core ThreatQ object types, including but not limited to Indicators, Events, Adversaries, Files, and Signatures. Rather than performing deep field-level queries, it focuses on high-level object attributes, enabling broad discovery and quick pivots during triage and analysis workflows.

What Basic Search Can Match

When a query is submitted, ThreatQ evaluates multiple top-level data points across objects, including:

  • Network and host-based indicators
  • Attachment titles, hashes, and keywords
  • Object attributes
  • Adversary names
  • Event titles

For example, searching for google.com does not only return an exact FQDN match. It also surfaces related objects such as subdomains, URLs, and even email indicators associated with the same root domain, providing immediate contextual breadth.

Performing a Basic Search

The Basic Search workflow is intentionally streamlined:

  1. Select the Search icon in the ThreatQ navigation.

    The Search dialog box appears.

  2. (Optional) Use the Limit search to dropdown to constrain results to a specific object type.
  3. Enter search criteria into the search field.
  4. Review type-ahead suggestions, which dynamically appear as you type and highlight matching text.
  5. Select a result to navigate directly to the object’s details page.

    If a single match is found, ThreatQ automatically opens the corresponding object. If no results are returned, users are guided to leverage Threat Library Advanced Search for more granular querying.

Search Scope and Object Filtering

The Limit search to dropdown allows users to narrow results to a specific object class, such as Adversaries or Indicators. This is particularly useful in environments with large data volumes, where the same term may exist across multiple object types.

Limiting the search also affects object creation behavior. If a search term yields no results and the search is constrained to a specific object type, the Create option automatically routes users to the appropriate object creation form, streamlining data entry workflows.

Wildcards and Search Types

ThreatQ Basic Search supports flexible pattern matching through the use of the percent sign (%) wildcard. Wildcards allow users to control how strictly or broadly their search terms are evaluated, making the feature effective for both precise lookups and exploratory analysis.

Search Type: Exact Term Match
  Pattern: TERM
  Behavior: Matches only the exact term or phrase.
  Example: Searching for target german results in the application finding only target german. It will not find similar results such as targeting german or retarget german.
  Notes: Best used when the exact object name or phrase is known.

Search Type: Starts with Search
  Pattern: TERM%
  Behavior: Matches any value that begins with the specified term.
  Example: Searching for target% returns results such as target, targeting, and targets. It will not find results that do not begin with the search term, such as retarget.
  Notes: Useful for discovering naming variations or object families that share a common prefix.

Search Type: Ends with Search
  Pattern: %TERM
  Behavior: Matches any value that ends with the specified term.
  Example: Searching for %german returns results such as german, target german, and east german. It will not find results that do not end with the search term, such as germanic.
  Notes: Common use cases include suffix-based searches such as file extensions or domain endings.

Search Type: Ends with Term Search
  Pattern: % TERM
  Behavior: Matches any value in which the term is prefaced by another word.
  Example: Searching for % bear returns results such as red bear, black bear, and brown bear. It will not find terms such as bear blue.
  Notes: Useful for discovering variations that use the search term in their naming convention.

Search Type: Contains Search
  Pattern: %TERM%
  Behavior: Matches the term anywhere within the value.
  Example: Searching for %target% returns results such as target, targeting, and retarget.
  Notes: The most flexible and expansive option, well suited to exploratory searches where the exact structure of the data is unknown.

Search Type: Character Search
  Pattern: T%M
  Behavior: Matches any term that contains both characters, in that order.
  Example: Searching for b%r returns results such as black bear, black rust, and blue rubber.
  Notes: Useful for narrowing down the search for objects without knowing the exact name.

Creating an Object During a Basic Search

The Basic Search window gives you the option to add a new object. If you enter an object name that is not found, you can click the Create link to select the object type from a drop-down list and add the new object. In addition, if you limit a basic search to a specific object type, you are linked to the corresponding form. For example, if you limit your search to Adversaries, the Create link opens the Add An Adversary form.

You cannot use the Create link to add a new investigation.

If you leave the Limit search to field set to All Objects, you can select the object type you want to create from a drop-down list.

Best Practices and Usage Guidance

  • Start with an exact search and progressively broaden using wildcards if results are too limited.
  • Use Starts With or Ends With searches to manage large result sets more effectively.
  • Apply Contains searches sparingly for very short terms, as they may return excessive matches.
  • Leverage object type filtering to improve relevance and reduce noise in mature ThreatQ environments.
  • Contact ThreatQuotient Support for any additional search questions or issues.
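The following is an added illustration of the % wildcard semantics in the table above and of the "start exact, then broaden" best practice; it is example code, not ThreatQ's own search implementation. It assumes SQL LIKE-style anchored matching with case-insensitive comparison, and the sample objects and the limit_to parameter (standing in for the Limit search to dropdown) are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample objects as (object type, name) pairs, echoing the
# names used in the wildcard table above. Not real ThreatQ data.
SAMPLE_OBJECTS: List[Tuple[str, str]] = [
    ("Adversary", "target german"), ("Adversary", "targeting german"),
    ("Adversary", "retarget german"), ("Event", "target"),
    ("Event", "targeting"), ("Event", "targets"), ("Event", "retarget"),
    ("Adversary", "german"), ("Adversary", "east german"),
    ("Adversary", "germanic"), ("Adversary", "red bear"),
    ("Adversary", "black bear"), ("Adversary", "brown bear"),
    ("Adversary", "bear blue"), ("Indicator", "blue rubber"),
]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a %-wildcard pattern into an anchored regex.

    '%' matches any run of characters (LIKE semantics); every other character
    is literal, so the '.' in google.com is not a regex metacharacter.
    Case-insensitive matching is an assumption made for this example.
    """
    literal_parts = [re.escape(part) for part in pattern.split("%")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def basic_search(pattern: str, objects: List[Tuple[str, str]],
                 limit_to: Optional[str] = None) -> List[str]:
    """Return object names matching the pattern, optionally restricted to
    one object type (the equivalent of the Limit search to dropdown)."""
    regex = wildcard_to_regex(pattern)
    return [name for obj_type, name in objects
            if (limit_to is None or obj_type == limit_to) and regex.match(name)]


def progressive_search(term: str, objects: List[Tuple[str, str]],
                       limit_to: Optional[str] = None):
    """Apply the best practice from this page: try an exact match first, then
    Starts with, then Contains, stopping at the first pattern that returns
    results. Returns (pattern used, matches) or (None, []) if nothing matched."""
    for pattern in (term, f"{term}%", f"%{term}%"):
        hits = basic_search(pattern, objects, limit_to)
        if hits:
            return pattern, hits
    return None, []
```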