Attributes
  • 27 Mar 2024
  • 14 Minutes to read
  • Dark
    Light

Attributes

  • Dark
    Light

Article summary

Overview

Attributes are key/value data sets that can be added to Indicators, Groups, and Victims in ThreatConnect®. This type of metadata provides an excellent way to organize, categorize, and integrate Indicators, Groups, and Victims into an Organization’s analytic workflow.

Organization Administrators can manage Attribute Types, their Validation Rules, and their display preferences for their Organization on the Organization Config screen under the Attribute Types, Attribute Validation Rules, and Attribute Preferences tabs, respectively. Similarly, Directors in a Community or Source can manage these features on the same tabs on the Community Config and Source Config screen, respectively. For further instruction on the actions that can be performed on these tabs for an Organization or a Community or Source, see ThreatConnect Organization Administration Guide and ThreatConnect Community and Source Administration Guide, respectively.

Note
You can also add Attributes to Workflow Cases, as detailed in Case Attributes.

Before You Start

Minimum Role(s)
  • Organization role of Standard User (for creating, editing, and deleting Attributes and for using Markdown and ThreatConnect Markup in Attributes)
  • System role of Administrator (for enabling Markdown in an Attribute Type)
PrerequisitesAn Indicator, Group, or Victim created in one of your ThreatConnect owners

Viewing Attributes

New Details Screen

On the new Details screen, you can view the Attributes added to an object on the Attributes card (Figure 1). This card is available on the Overview tab, and it can be added to a Custom View tab.

Figure 1_Attributes_7.5.0

 

The Attributes card on the new Details screen is split into three sections:

  • Default Attributes: This section contains all default Attributes—except the default Description and Source Attributes, which are on the Details card—that have a value and placeholders for default Attributes that do not have a value. Placeholder default Attributes are sorted either based on a sort index an Organization Administrator or Director in a Community or Source has configured on the Attribute Preferences tab or, if a sort index has not been configured, in alphabetical order. Default Attributes with values are sorted in descending order based on their last modified date.
  • Pinned Attributes: This section contains all pinned Attributes that have a value and are not default Attributes. Attributes in the Pinned Attributes section are sorted in descending order based on their last modified date.
  • Other Attributes: This section contains all non-default, non-pinned Attributes that have a value. Attributes in the Other Attributes section are sorted in descending order based on their last modified date.
Note
To filter Attributes by type, creation date, or last modified date, use the Filtersmenu; to filter Attributes by value, use the search bar.
Note
If an Attribute’s type supports pivoting, a Pivot button will be displayed when the Attribute is expanded. Click this button to pivot from the Attribute and view objects that contain an Attribute with the same type and value.

Legacy Details Screen

On the Overview tab of the legacy Details screen, you can view the Attributes added to an object on the Attributes card (Figure 2).

Figure 2_Attributes_7.5.0

 

  • Placeholder default Attributes are displayed at the top of the Attributes card (e.g., the Date First Seen Attribute in Figure 2). If an Attribute is displayed as a placeholder default Attribute, it is because an Organization Administrator or a Director in a Community or Source configured its Attribute Type as a default Attribute Type on the Attribute Preferences tab of the Organization Config or Community (or Source) Config screen, respectively. Placeholder default Attributes are sorted either based on a sort index an Organization Administrator or Director in a Community or Source configured on the Attribute Preferences tab or, if a sort index has not been configured, in alphabetical order.
  • All Attributes, both default and non-default, that have a value are displayed below the placeholder default Attributes and sorted in descending order based on their last modified date.
Important
Pinned Attributes are not available on the legacy Details screen.
Note
If an Attribute’s type supports pivoting, a Pivoticon will be displayed to the right of the Attribute. Click this icon to pivot from the Attribute and view objects that contain an Attribute with the same type and value.

Creating, Editing, and Deleting Attributes

New Details Screen

Creating Attributes

  1. Navigate to the Details screen for an Indicator or Group.
    Important
    The new Details screen is not currently available for Email, Signature, and Task Groups and for Victims. As such, you can add Attributes to these object types on the legacy Details screen only.
  2. Click Addat the upper-right corner of the Attributes card (Figure 1). The Add Attribute window will be displayed (Figure 3).Figure 2_Attributes_7.0.2

     

    • Attribute Type: Select an Attribute Type. Note that you can filter Attribute Types in the dropdown by name.
    • Security Labels: Select one or more Security Labels to apply to the Attribute.
    • Attribute Source: Select an existing Attribute source from the dropdown menu, or enter a new one.
    • Save Source: If you did not select a saved Attribute source from the Attribute Source dropdown, this button will be enabled. Click it to save the Attribute source entered in the Attribute Source field so that it will be displayed as an option in the Attribute Source dropdown in the future for objects belonging to the same owner.
    • Value: Enter the Attribute’s value, either in plain text or, if enabled, Markdown in the text box. Note that this text box will be displayed after you select an Attribute Type.
    • Preview Markdown: If Markdown is enabled for the selected Attribute Type, this element will be displayed above the Value text box. Click the link to toggle to a preview of the Attribute’s value with the rendered Markdown formatting.
      Note
      URLs and hyperlinks in an Attribute’s value will be rendered as unclickable strings unless you format them with Markdown. Webpage and image URLs formatted with Markdown will be rendered as clickable links and images, respectively, when viewing the Attribute.
    • Set as Pinned Attribute: Select this checkbox to this checkbox to make the Attribute a pinned Attribute.
    • Click the Save button.

If you selected the Set as Pinned Attribute checkbox, the Attribute will be displayed in the Pinned Attributes section. Otherwise, the Attribute will be displayed in the Other Attributes section (Figure 4).

 

Editing Attributes

Click Editto the right of an Attribute, or click the Security Labels, Attribute Source, or Value field while an Attribute is expanded. The Attribute will now be editable (Figure 5).

 

  • Edit the Attribute’s value, Security Labels, or source.
  • Click Confirmat the top right of the Attribute to save your changes.

Deleting Attributes

Click Deleteto the right of an Attribute to delete it. If you delete a default Attribute with a value, a placeholder for the default Attribute will be placed at the top of the Default Attributes section, above all default Attributes with a value.

Legacy Details Screen

Creating Attributes

  1. Navigate to the legacy Details screen for an Indicator, Group, or Victim.
  2. Click New AttributeIcon  Description automatically generatedat the upper-right corner of the Attributes card (Figure 2). The Edit Attribute window will be displayed (Figure 6).Graphical user interface, application  Description automatically generated

     

    • Attribute Type: Select an Attribute Type. After selecting an Attribute Type, its definition will be displayed below the dropdown. (See Figure 9 later in this article for an example of an Attribute Type’s description being displayed in the Edit Attribute window.)
    • Default: If you selected Description or Source from the Attribute Type dropdown, the Default checkbox will be displayed. Select this checkbox to display the value of the Description and Source Attribute in the Description or Source card, respectively, on the Overview tab of the legacy Details screen.
    • Choose Security Labels: Select one or more Security Labels to apply to the Attribute.
    • Attribute Source: Select an existing Attribute source from the dropdown, or enter a new one.
    • Save Source: Select this checkbox to save a new Attribute source so it will be displayed as an option in the Attribute Source dropdown in the future for objects belonging to the same owner.
    • Text Box: Enter the Attribute’s value. If Markdown is enabled for the selected Attribute Type, a Markdownicon will be displayed to the right of the text box, as in Figure 9 later in this article. See the “Using Markdown and ThreatConnect Markup in Attributes” section for instructions for using Markdown and ThreatConnect Markup when creating an Attribute.
      Note
      URLs and hyperlinks in an Attribute’s value will be rendered as unclickable strings. Image URLs formatted with Markdown will be rendered as images when viewing the Attribute; however, webpage URLs formatted with Markdown will still be rendered as unclickable strings.
    • Click the SAVE button. If the Indicator, Group, or Victim contains a placeholder default Attribute that does not have a value (e.g., the Date First Seen Attribute in Figure 2), a SAVE AND NEXT button will be displayed on the Edit Attribute window. Clicking this button will save the changes to the Attribute you are currently creating (or editing) and reopen the Edit Attribute window for the placeholder default Attribute.

Editing Attributes

Click EditPencil iconto the right of an Attribute to edit it. The Edit Attribute window will be displayed. Edit the Attribute’s Security Labels, source, or value, and then click the SAVE button to save your changes.

Deleting Attributes

Click DeleteTrash iconto the right of an Attribute to delete it. If you delete a default Attribute with a value, a placeholder default Attribute will be placed at the top the Attributes card, above all default and non-default Attributes with a value.

Default and Pinned Attributes

The following subsections describe how default and pinned Attributes function on the new Details screen.

Default Attributes

Organization Administrators and Directors in a Community or Source can configure Attribute Types as default Attribute Types for a given object type (e.g., Adversary Groups) on the Attribute Preferences tab of the Organization Config or Community (or Source) Config screen, respectively. When an Attribute Type is configured as a default Attribute Type for a given object type, a placeholder default Attribute will be displayed on the Attributes card for objects of that type.

On the new Details screen, all default Attributes for an object—except default Description and Source Attributes, which are on the Details card—are displayed in the Default Attributes section of the Attributes card. Placeholder default Attributes without values are displayed at the top of the Default Attributes section, while default Attributes with values are displayed below all placeholder default Attributes. If an Organization Administrator or Director in a Community or Source configured a sort index for an object’s default Attribute Types via the Attribute Preferences tab, placeholder default Attributes will be sorted according to that sort index. Otherwise, placeholder default Attributes will be sorted alphabetically.

While a placeholder default Attribute is expanded, the Value field displays a prompt configured by an Organization Administrator or Director in a Community or Source that directs you to enter a value for the Attribute (e.g., “Enter the Adversary’s motivation type.”). To edit a placeholder default Attribute, click the Security Labels, Attribute Source, or Value field while the Attribute is expanded, or click Editto the right of the Attribute. After you add a value to a placeholder default Attribute, the Attribute will move to the bottom of the Default Attributes section, below all placeholder default Attributes. Default Attributes with values are sorted in descending order by their last modified date. If you delete the value for a default Attribute, a placeholder for the default Attribute will be placed at the top of the Default Attributes section, above all default Attributes with values.

Default Description Attribute

On the new Details screen, you can view and manage an object’s default Description Attribute in the Description section of the Details card. If you add a Description Attribute to the object via the Attributes card, it will be displayed in either the Pinned Attributes or the Other Attributes section of the Attributes card, depending on whether you selected the Set as Pinned Attribute checkbox when creating the Attribute.

Note
If a Description Attribute is displayed in the Default Attributes section of the Attributes card on the new Details screen, it is because an Organization Administrator or a Director in a Community or Source configured the Description Attribute Type as a default Attribute Type on the Attribute Preferences tab of the Organization Config or Community (or Source) Config screen, respectively. However, this default Description Attribute is independent of the one displayed on the Details card, and updating either one of these Description Attributes will not affect the other.

Default Source Attribute

On the new Details screen, you can view and manage an object’s default Source Attribute in the Source section of the Details card. If you add a Source Attribute to the object via the Attributes card, it will be displayed in either the Pinned Attributes or the Other Attributes section of the Attributes card, depending on whether you selected the Set as Pinned Attribute checkbox when creating the Attribute.

Note
If a Source Attribute is displayed in the Default Attributes section of the Attributes card on the new Details screen, it is because an Organization Administrator or a Director in a Community or Source configured the Source Attribute Type as a default Attribute Type on the Attribute Preferences tab of the Organization Config or Community (or Source) Config screen, respectively. However, this default Source Attribute is independent of the one displayed on the Details card, and updating either one of these Source Attributes will not affect the other.

Pinned Attributes

Non-default Attributes that are of particular interest to you or your team can be displayed in the Pinned Attributes section of the Attributes card on the new Details screen for an object by clicking the Pin button while the Attribute is expanded (Figure 1). To unpin a pinned Attribute and move it to the Other Attributes section of the Attributes card, click the Unpin button while the Attribute is expanded.

If an Organization Administrator or Director in a Community or Source configured an Attribute Type as a pinned Attribute Type for a given object type via the Attribute Preferences tab of the Organization Config or Community (or Source) Config screen, respectively, then Attributes of that Attribute Type that are added to an object of the specified type will be displayed in the Pinned Attributes section of the Attributes card automatically, regardless of whether the Set as Pinned Attribute checkbox was selected during the creation of the Attribute.

Enabling and Using Markdown in Attributes

ThreatConnect supports a subset of Markdown, including Markdown table formatting. The following Attribute Types support the use of Markdown by default:

  • Additional Analysis and Context
  • Adversary Origin & Source
  • Adversary Type
  • Aliases
  • AV Scanner Results
  • Capabilities
  • Compiler
  • Compiler Language
  • Course of Action Recommendation
  • Course of Action Taken
  • Description
  • Goals
  • Impact Description
  • Impact Score
  • .NET Assembly References
  • Network Protocol Analysis
  • PE Imports
  • PE Resources
  • PE Sections
  • Report Type
  • Response Team & Staff Involved
  • Source
  • Tactics, Techniques, and Procedures
  • Targeted Industry Sector
  • Targeted Location
  • Threat Scope
  • TTP Description: Email
  • TTP Description: Malware/Tool Information

These Attribute Types may also include ThreatConnect Markup—that is, syntax that directly links to objects in your ThreatConnect instance. External links are not supported in order to mitigate the risk of accidental infection.

Enabling Markdown for an Attribute Type

  1. Log into ThreatConnect as a System Administrator.
  2. On the top navigation bar, hover the cursor over SettingsA picture containing text, clipart, light  Description automatically generatedand select System Settings. The System Settings screen will be displayed.
  3. Select the Attribute Types tab. The Attribute Types screen will be displayed (Figure 7).

    Graphical user interface  Description automatically generated with medium confidence

     

  4. Locate the desired Attribute Type in the table (Campaign Objective in this example), and click EditPencil icon_Blackin its Options column. The Configure Attribute Type window will be displayed (Figure 8).

    Graphical user interface, application  Description automatically generated

     

    • Select the Allow Markdown checkbox at the lower-left corner of the screen.
    • Click the SAVE button.

Using Markdown and ThreatConnect Markup in Attributes

New Details Screen

When creating or editing an Attribute, a Preview Markdownlink will be displayed above the Value text box if Markdown is enabled for the selected Attribute Type (Figure 4). After entering the desired text using Markdown, click the Preview Markdownlink to display a preview of the text with the rendered Markdown formatting in the Value text box.

Note
The new Details screen supports the Marked library (https://marked.js.org/).
Important
ThreatConnect Markup will not be rendered when viewing Attributes on the new Details screen.

Legacy Details Screen

When creating or editing an Attribute, a Markdownicon will be displayed to the right of the text box on the Edit Attribute window if Markdown is enabled for the selected Attribute Type (Figure 9).

Graphical user interface, application  Description automatically generated

 

In addition to using Markdown, you can use ThreatConnect Markup in the following format to link directly to objects in the owners (i.e., Organizations, Communities, and Sources) to which you have access:

  • Indicators: [[IndicatorType:IndicatorValue|IndicatorOwner|DisplayText]]
    Note
    A colon (:) separates the IndicatorType and IndicatorValue parameters. A vertical bar, or pipe, character (|) separates the IndicatorType:IndicatorValue, IndicatorOwner, and DisplayText expressions.
    • IndicatorType: The type of Indicator (e.g., Address, EmailAddress, File, Host).
    • IndicatorValue: The value of the Indicator (e.g., 45.88.202.115, hacker@bad.com, E19010E71F256AB1FCCD07F856B32C4C, bad.com).
    • IndicatorOwner: The owner of the Indicator in ThreatConnect (e.g., Demo Organization, Demo Community). If this parameter is not specified, a default value of your Organization is assumed.
    • DisplayText: The text to display as the in-line link in the Attribute (e.g., bad.com, Malicious Log File). If this parameter is not provided, the text for the in-line link will default to the Indicator type and value (e.g., Host bad.com).
  • Groups: [[GroupType:GroupID||DisplayText]]
    Note
    A colon (:) separates the GroupType and GroupID parameters. Two vertical bars, or pipe, characters (|) separate the GroupType:GroupID and DisplayText expressions.
    • GroupType: The type of Group (e.g., Adversary, Document, Threat).
    • GroupID: The ThreatConnect ID number of the Group. This number may be found by navigating to the Details screen for the Group and identifying the number in the URL. For example, in the URL https://app.threatconnect.com/auth/adversary/adversary.xhtml?adversary=12345, the ID number for the given Adversary Group is 12345. Because the GroupID is unique across all owners on your ThreatConnect instance, there is no need to specify a Group owner.
    • DisplayText: The text to display as the in-line link in the Attribute (e.g., Bad Guy, FBI Intelligence Advisory, Fancy Bear). If this parameter is not provided, the text for the in-line link will default to the Group type and ID number (e.g., Adversary 12345).
  • Tags: [[Tag:TagValue|Tag Owner|DisplayText]]
    Note
    A colon (:) separates the Tag and TagValue parameters. A vertical bar, or pipe, character (|) separates the Tag:TagValue, TagOwner, and DisplayText expressions.
    • Tag: Only the word Tag should be used here, to indicate that the object being linked is a Tag.
    • TagValue: The value of the Tag (e.g., hacker, apt, Loan Scam).
    • TagOwner: The owner of the Tag in ThreatConnect (e.g., Demo Organization, Demo Community). If this parameter is not specified, a default value of your Organization is assumed.
    • DisplayText: The text to display as the in-line link in the Attribute (e.g., Click here!, this tag, the hacker Tag). If this parameter is not provided, the text for the in-line link will default to the object type (i.e., Tag) and value (e.g., hacker).

Figure 10 shows an example of an Attribute value using a combination of Markdown and ThreatConnect Markup.

 

After entering the desired text using Markdown or ThreatConnect Markup in the text box on the Edit Attribute window, click the SAVE button. The Attribute will be displayed in the Attributes card with the rendered ThreatConnect Markup and Markdown formatting (Figure 11).

Graphical user interface, text, application, email  Description automatically generated

 


ThreatConnect®is a registered trademark of ThreatConnect, Inc.

20019-01 v.15.A


Was this article helpful?