- 19 Oct 2023
- 12 Minutes to read
Attributes
- Updated on 19 Oct 2023
Overview
Attributes are key/value data sets that can be added to Indicators, Groups, and Victims in ThreatConnect®. This type of metadata provides an excellent way to organize, categorize, and integrate Indicators, Groups, and Victims into an Organization’s analytic workflow.
Attributes, their values, and their display preferences for an Organization are managed on the Organization Config screen under the Attribute Types, Attribute Validation Rules, and Attribute Preferences tabs, respectively. For a Community or Source, these features are managed on the same tabs on the Community Config screen.
Before You Start
| Minimum Role(s) | |
|---|---|
| Prerequisites | An Indicator, Group, or Victim |
Creating, Editing, and Deleting Attributes
New Details Screen
Creating Attributes
- Navigate to the Details screen for an Indicator or Group.
  Important: The new Details screen is not currently available for Email, Signature, and Task Groups and for Victims. As such, you can add Attributes to these object types on the legacy Details screen only.
- Scroll down to the Attributes card on the left side of the screen (Figure 1).
  Note: Use the Filters menu to filter Attributes by Attribute Type, a range of dates within which they were created, or a range of dates within which they were last modified. You can also enter text in the search bar to the left of the Filters menu to filter Attributes by value.
- Click Add at the upper-right corner of the Attributes card. The Add Attribute window will be displayed (Figure 2).
- Attribute Type: Select an Attribute Type.
- Security Labels: Select one or more Security Labels to apply to the Attribute, if desired.
- Attribute Source: Select an existing Attribute source from the dropdown menu, or enter a new one.
- Save Source: If you did not select a saved Attribute source from the Attribute Source dropdown, this button will be enabled. Click it to save the Attribute source entered in the Attribute Source field so that it will be displayed as an option in the Attribute Source dropdown menu in the future for objects belonging to the same owner.
- Value: Enter the Attribute’s value, either in plain text or, if enabled, Markdown in the text box. Note that this text box will be displayed after you select an Attribute Type.
- Preview Markdown: If Markdown is enabled for the selected Attribute Type, this element will be displayed above the Value text box. Click the link to toggle to a preview of the Attribute’s value with the rendered Markdown formatting.
  Note: URLs and hyperlinks in an Attribute’s value will be rendered as unclickable strings unless you format them with Markdown. Webpage and image URLs formatted with Markdown will be rendered as clickable links and images, respectively, when viewing the Attribute.
- Default Attribute: Select this checkbox to set the Attribute as the default of its type in the event that other Attributes of the same type are added to the object. For more information on default Attributes, see the “Default and Pinned Attributes” section.
- Pinned Attribute: Select this checkbox to display the Attribute in the Pinned Attributes section of the Attributes card. For more information on pinned Attributes, see the “Default and Pinned Attributes” section.
- Click the Save button.
If you selected the Pinned Attribute checkbox when creating the Attribute, it will be displayed in the Pinned Attributes section; otherwise, the Attribute will be displayed in the Other Attributes section. Click the Attribute to expand it and display its details (Figure 3).
Editing Attributes
Expand the desired Attribute in the Attributes card (Figure 3) and click Edit at the top right of the Attribute, or click the Security Labels, Attribute Source, or Value field. The Attribute will now be editable (Figure 4).
- Edit the Attribute’s Security Labels, source, or value as desired.
- Click Confirm at the top right of the Attribute to save your changes.
Deleting Attributes
Expand the desired Attribute in the Attributes card (Figure 3) and click Delete at the top right of the Attribute to delete it.
Legacy Details Screen
Creating Attributes
- Navigate to the legacy Details screen for an Indicator, Group, or Victim.
- Scroll down to the Attributes card on the right side of the screen (Figure 5).
  Note: If an Attribute’s type supports pivoting, the Pivot icon will be displayed to the right of the Attribute. Click it to pivot from the Attribute and view objects that contain an Attribute with the same type and value.
  Note: In Figure 5, the Date First Seen Attribute is displayed as a placeholder default Attribute Type on the Attributes card because an Organization Administrator or Director in a Community or Source configured it as such on the Attribute Preferences tab of the Organization Config or Community (or Source) Config screen, respectively. For instructions on configuring placeholder default Attribute Types for an Organization or Community/Source, see ThreatConnect Organization Administration Guide and ThreatConnect Community and Source Administration Guide, respectively.
- Click New Attribute at the upper-right corner of the card. The Edit Attribute window will be displayed (Figure 6).
- Attribute Type: Select an Attribute Type. After selecting an Attribute Type, its definition will be displayed below the dropdown menu. (See Figure 9 later in this article for an example of an Attribute Type’s description being displayed in the Edit Attribute window.)
- Default: If you selected Description or Source from the Attribute Type dropdown, the Default checkbox will be displayed. Select this checkbox to display the value of the Description and Source Attribute in the Description or Source card, respectively, on the Overview tab of the legacy Details screen.
- Choose Security Labels: Select one or more Security Labels to apply to the Attribute, if desired.
- Attribute Source: Select an existing Attribute source from the dropdown menu, or enter a new one.
- Save Source: Select this checkbox to save a new Attribute source so it will be displayed as an option in the Attribute Source dropdown menu in the future for objects belonging to the same owner.
- Text Box: Enter the Attribute’s value. If Markdown is enabled for the selected Attribute Type, a Markdown icon will be displayed to the right of the text box, as in Figure 9 later in this article. See the “Using Markdown and ThreatConnect Markup in Attributes” section for instructions on using Markdown and ThreatConnect Markup when creating an Attribute.
  Note: URLs and hyperlinks in an Attribute’s value will be rendered as unclickable strings. Image URLs formatted with Markdown will be rendered as images when viewing the Attribute; however, webpage URLs formatted with Markdown will still be rendered as unclickable strings.
- Click the SAVE button. If the Indicator, Group, or Victim contains a placeholder default Attribute Type for which no value has been provided (e.g., the Date First Seen Attribute in Figure 5), a SAVE AND NEXT button will be displayed on the Edit Attribute window. Clicking this button will save the changes to the Attribute you are currently creating (or editing) and reopen the Edit Attribute window for the placeholder default Attribute Type.
Editing Attributes
Click Edit to the right of an Attribute on the Attributes card (Figure 5). The Edit Attribute window will be displayed. Edit the Attribute’s Security Labels, source, or value as desired, and then click the SAVE button to save your changes.
Deleting Attributes
Click Delete to the right of an Attribute on the Attributes card (Figure 5) to delete it.
Default and Pinned Attributes
When creating Attributes on the new Details screen, you can configure the Attribute as a default or pinned Attribute by selecting the Default Attribute or Pinned Attribute checkbox, respectively, on the Add Attribute window (Figure 2). The following subsections describe how default and pinned Attributes function on the new Details screen.
Default Attributes
Default Attributes are affixed to the top of the Other Attributes section of the Attributes card on the new Details screen and sorted in alphabetical order by their Attribute Type. When a new Attribute that is not configured as a default Attribute is added to the Other Attributes section, it will be placed below all default Attributes. If an object contains a default Attribute and you add another default Attribute of the same type to the object, the new default Attribute will be displayed at the top of the Other Attributes section and the former default Attribute will be placed below all default Attributes.
Default Description Attribute
On the new Details screen, an object’s default Description Attribute is displayed in the Description section of the Details card only. If you add another default Description Attribute to the object, the new default Description Attribute will be displayed in the Description section of the Details card and the former default Description Attribute will be displayed in the Other Attributes section of the Attributes card.
Default Source Attribute
On the new Details screen, an object’s default Source Attribute is displayed in the Source section of the Details card and the Other Attributes section of the Attributes card. If you add another default Source Attribute to the object, the new default Source Attribute will be displayed in the Source section of the Details card and the Other Attributes section of the Attributes card; the former default Source Attribute will be displayed in the Other Attributes section of the Attributes card only.
Pinned Attributes
Attributes that are of particular interest to you or your team can be pinned on the Attributes card on the new Details screen. An object’s pinned Attributes are displayed in the Pinned Attributes section of the Attributes card, and they are ordered based on when they were last modified, from most to least recent.
If an Organization Administrator or Director in a Community or Source configured an Attribute Type as a pinned Attribute Type for a given object type via the Attribute Preferences tab of the Organization Config or Community (or Source) Config screen, respectively, then Attributes of that Attribute Type that are added to an object of the specified type will be displayed in the Pinned Attributes section of the Attributes card automatically, regardless of whether the Pinned Attribute checkbox was selected during the creation of the Attribute. For instructions on configuring pinned Attribute Types for an Organization or Community/Source, see ThreatConnect Organization Administration Guide and ThreatConnect Community and Source Administration Guide, respectively.
Enabling and Using Markdown in Attributes
ThreatConnect supports a subset of Markdown, including Markdown table formatting. The following Attribute Types support the use of Markdown by default:
- Additional Analysis and Context
- Adversary Origin & Source
- Adversary Type
- Aliases
- AV Scanner Results
- Capabilities
- Compiler
- Compiler Language
- Course of Action Recommendation
- Course of Action Taken
- Description
- Goals
- Impact Description
- Impact Score
- .NET Assembly References
- Network Protocol Analysis
- PE Imports
- PE Resources
- PE Sections
- Report Type
- Response Team & Staff Involved
- Source
- Tactics, Techniques, and Procedures
- Targeted Industry Sector
- Targeted Location
- Threat Scope
- TTP Description: Email
- TTP Description: Malware/Tool Information
These Attribute Types may also include ThreatConnect Markup—that is, syntax that directly links to objects in your ThreatConnect instance. External links are not supported in order to mitigate the risk of accidental infection.
Enabling Markdown for an Attribute Type
- Log into ThreatConnect as a System Administrator.
- On the top navigation bar, hover the cursor over Settings and select System Settings. The System Settings screen will be displayed.
- Select the Attribute Types tab. The Attribute Types screen will be displayed (Figure 7).
- Locate the desired Attribute Type in the table (Campaign Objective in this example), and click Edit in its Options column. The Configure Attribute Type window will be displayed (Figure 8).
- Select the Allow Markdown checkbox at the lower-left corner of the screen.
- Click the SAVE button.
Using Markdown and ThreatConnect Markup in Attributes
New Details Screen
When creating or editing an Attribute, a Preview Markdown link will be displayed above the Value text box if Markdown is enabled for the selected Attribute Type (Figure 4). After entering the desired text using Markdown, click the Preview Markdown link to display a preview of the text with the rendered Markdown formatting in the Value text box.
Legacy Details Screen
When creating or editing an Attribute, a Markdown icon will be displayed to the right of the text box on the Edit Attribute window if Markdown is enabled for the selected Attribute Type (Figure 9).
In addition to using Markdown, you can use ThreatConnect Markup in the following format to link directly to objects in the owners (i.e., Organizations, Communities, and Sources) to which you have access:
- Indicators: [[IndicatorType:IndicatorValue|IndicatorOwner|DisplayText]]
  Note: A colon (:) separates the IndicatorType and IndicatorValue parameters. A vertical bar, or pipe, character (|) separates the IndicatorType:IndicatorValue, IndicatorOwner, and DisplayText expressions.
  - IndicatorType: The type of Indicator (e.g., Address, EmailAddress, File, Host).
  - IndicatorValue: The value of the Indicator (e.g., 45.88.202.115, [email protected], E19010E71F256AB1FCCD07F856B32C4C, bad.com).
  - IndicatorOwner: The owner of the Indicator in ThreatConnect (e.g., Demo Organization, Demo Community). If this parameter is not specified, a default value of your Organization is assumed.
  - DisplayText: The text to display as the in-line link in the Attribute (e.g., bad.com, Malicious Log File). If this parameter is not provided, the text for the in-line link will default to the Indicator type and value (e.g., Host bad.com).
- Groups: [[GroupType:GroupID||DisplayText]]
  Note: A colon (:) separates the GroupType and GroupID parameters. Two vertical bar, or pipe, characters (|) separate the GroupType:GroupID and DisplayText expressions.
  - GroupType: The type of Group (e.g., Adversary, Document, Threat).
  - GroupID: The ThreatConnect ID number of the Group. This number may be found by navigating to the Details screen for the Group and identifying the number in the URL. For example, in the URL https://app.threatconnect.com/auth/adversary/adversary.xhtml?adversary=12345, the ID number for the given Adversary Group is 12345. Because the GroupID is unique across all owners on your ThreatConnect instance, there is no need to specify a Group owner.
  - DisplayText: The text to display as the in-line link in the Attribute (e.g., Bad Guy, FBI Intelligence Advisory, Fancy Bear). If this parameter is not provided, the text for the in-line link will default to the Group type and ID number (e.g., Adversary 12345).
- Tags: [[Tag:TagValue|TagOwner|DisplayText]]
  Note: A colon (:) separates the Tag and TagValue parameters. A vertical bar, or pipe, character (|) separates the Tag:TagValue, TagOwner, and DisplayText expressions.
  - Tag: Only the word Tag should be used here, to indicate that the object being linked is a Tag.
  - TagValue: The value of the Tag (e.g., hacker, apt, Loan Scam).
  - TagOwner: The owner of the Tag in ThreatConnect (e.g., Demo Organization, Demo Community). If this parameter is not specified, a default value of your Organization is assumed.
  - DisplayText: The text to display as the in-line link in the Attribute (e.g., Click here!, this tag, the hacker Tag). If this parameter is not provided, the text for the in-line link will default to the object type (i.e., Tag) and value (e.g., hacker).
Figure 10 shows an example of an Attribute value using a combination of Markdown and ThreatConnect Markup.
After entering the desired text using Markdown or ThreatConnect Markup in the text box on the Edit Attribute window, click the SAVE button. The Attribute will be displayed in the Attributes card with the rendered ThreatConnect Markup and Markdown formatting (Figure 11).
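The link syntax described above can be checked before an Attribute value is saved. The following Python sketch is an added example, not ThreatConnect code: it parses `[[...]]` links and applies the owner and display-text defaults listed above. It assumes that a link is a Group when its type is one of the Group types named on this page, that values contain no pipe characters, and that `DEFAULT_OWNER` is a placeholder for your Organization; the sample text is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

LINK_RE = re.compile(r"\[\[([^\[\]]+)\]\]")    # one [[...]] link, no nested brackets
DEFAULT_OWNER = "My Organization"              # placeholder for "your Organization"
GROUP_TYPES = {"Adversary", "Document", "Threat"}  # Group types named on the page
# Constructed sample Attribute value, including one malformed link.
SAMPLE = ("Seen with [[Host:bad.com|Demo Organization|bad.com]], "
          "[[Adversary:12345||Bad Guy]], [[Tag:hacker]] and "
          "[[Address:2001:db8::1]]; broken: [[Host]]")

@dataclass
class MarkupLink:
    kind: str              # "Indicator", "Group" or "Tag"
    obj_type: str
    value: str
    owner: Optional[str]   # None for Groups: the GroupID is unique across owners
    display: str

def parse_link(body: str) -> MarkupLink:
    """Parse the text between [[ and ]]; raise ValueError if malformed."""
    parts = [p.strip() for p in body.split("|")]
    if len(parts) > 3:
        raise ValueError(f"too many '|' separators: {body!r}")
    target, owner, display = parts + [""] * (3 - len(parts))
    # Split on the first colon only, so values containing colons survive.
    obj_type, sep, value = target.partition(":")
    obj_type, value = obj_type.strip(), value.strip()
    if not sep or not obj_type or not value:
        raise ValueError(f"expected Type:Value, got {target!r}")
    display = display or f"{obj_type} {value}"   # default: type and value
    if obj_type == "Tag":
        return MarkupLink("Tag", obj_type, value, owner or DEFAULT_OWNER, display)
    if obj_type in GROUP_TYPES:
        if not value.isdigit():
            raise ValueError(f"GroupID must be numeric: {value!r}")
        return MarkupLink("Group", obj_type, value, None, display)
    return MarkupLink("Indicator", obj_type, value, owner or DEFAULT_OWNER, display)

def extract_links(text: str):
    """Return (links, errors) for every [[...]] in an Attribute value."""
    links, errors = [], []
    for match in LINK_RE.finditer(text):
        try:
            links.append(parse_link(match.group(1)))
        except ValueError as exc:
            errors.append(str(exc))
    return links, errors
```

Calling `extract_links(SAMPLE)` returns the four valid links and one error for the malformed `[[Host]]` entry.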
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
20019-01 v.14.C