Basic Search
The basic Search, located to the right of the Create button in the ThreatQ navigation, allows you to find objects you are looking for quickly, without having to browse through a large number of objects.
Basic Search allows you to search for all objects in the system: Indicators, Events, Adversaries, Files, Signatures, and so on. The search capability looks at high level aspects of each object, including:
- Indicators (network or host)
- Attachment titles, hashes, keywords
- Attributes
- Adversary name
- Event title
For example, if you search for google.com, the following indicators are also returned:
- www.google.com (FQDN)
- analytic.google.com (FQDN)
- www.google.com/analytic (URL)
- analytic@google.com (email address)
Performing a Basic Search
- Choose the Search icon.
The Search dialog box appears.
- Use the Limit Search dropdown to filter your search to a specific object type.
- Enter the search criteria.
The Search field provides type ahead suggestions, if any, based on what you have typed. Portions of the suggestions that match your search criteria will be highlighted in bold.
- Select the desired result.
- If you do not retrieve any search results, we recommend trying the Threat Library advanced search.
- If there is only one result, the object details page appears.
Wildcards and Symbols in Searches
During a search, you may use a percent sign (%) to match characters in a string. The percent wildcard specifies that any characters can appear in multiple positions represented by the wildcard. For example, specifying net% matches network, netware, netscape, and so on.
Here are a number of examples showing search terms with percent wildcards:
| Search Query | Description |
|---|---|
| % panda | Finds any adversaries and indicators prefaced by another word, such as "red panda" |
| %ear | Finds any character string that ends with "ear," such as bear |
| %panda% | Finds any character string that has panda in any position |
| panda% | Finds any character string that begins with panda |
| pan%a | Finds any character string that has pan in the first three positions and ends with an "a" |
| p%a | Finds any character string that contains "p" and "a" with characters between them, such as "panda" and "pappa" |
Creating an Object During a Basic Search
The Basic Search window gives you the option to add a new object. If you enter an object name that is not found, you can click the Create link to select the object type from a drop-down list and add the new object. In addition, if you limit a basic search to a specific object type, you are linked to the corresponding form. For example, if you limit your search to Adversaries, the Create link opens the Add An Adversary form.
You cannot use the Create link to add a new investigation.
If you leave the Limit search to field set to All Objects, you can select the object type you want to create from a drop-down list.
