Attributes

Overview

Attributes are key/value data sets that can be added to Indicators, Groups, and Victims in ThreatConnect^®. This type of metadata provides an excellent way to organize, categorize, and integrate Indicators, Groups, and Victims into an Organization’s analytic workflow.

Attributes, their values, and their display preferences for an Organization are managed on the Organization Config screen under the Attribute Types, Attribute Validation Rules, and Attribute Preferences tabs, respectively. For a Community or Source, these features are managed on the same tabs on the Community Config screen.

Before You Start

Creating, Editing, and Deleting Attributes

New Details Screen

Creating Attributes

1. Navigate to the Details screenfor an Indicator or Group.
   Important

   The new Details screen is not currently available for Document, Email, Report, and Signature Groups and for Victims. As such, you can add Attributes to these object types on the legacy Details screen only.
2. Scroll down to the Attributes card on the left side of the screen (Figure 1).

   

    

   Note

   Use the Filtersmenu to filter Attributes by Attribute Type, a range of dates within which they were created, or a range of dates within which they were last modified. You can also enter text in the search bar to the left of the Filtersmenu to filter Attributes by value.
3. Click Addat the upper-right corner of the Attributes card. The Add Attribute window will be displayed (Figure 2).

   

    

   • Attribute Type: Select an Attribute Type.
   • Security Labels: Select one or more Security Labels to apply to the Attribute, if desired.
   • Attribute Source: Select an existing Attribute source from the dropdown menu, or enter a new one.
   • Save Source: If you did not select a saved Attribute source from the Attribute Source dropdown, this button will be enabled. Click it to save the Attribute source entered in the Attribute Source field so that it will be displayed as an option in the Attribute Source dropdown menu in the future for objects belonging to the same owner.
   • Value: Enter the Attribute’s value, either in plain text or, if enabled, Markdown in the text box. Note that this text box will be displayed after you select an Attribute Type.
   • Preview Markdown: If Markdown is enabled for the selected Attribute Type, this element will be displayed above the Value text box. Click the link to toggle to a preview of the Attribute’s value with the rendered Markdown formatting.
   • Default Attribute: Select this checkbox to set the Attribute as the default of its type in the event that other Attributes of the same type are added to the object. For more information on default Attributes, see the “Default and Pinned Attributes” section.
   • Pinned Attribute: Select this checkbox to display the Attribute in the Pinned Attributes section of the Attributes card. For more information on pinned Attributes, see the “Default and Pinned Attributes” section.
   • Click the Save button.

If you selected the Pinned Attribute checkbox when creating the Attribute, it will be displayed in the Pinned Attributes section; otherwise, the Attribute will be displayed in the Other Attributes section. Click the Attribute to expand it and display its details (Figure 3).

Editing Attributes

Expand the desired Attribute in the Attributes card (Figure 3) and click Editat the top right of the Attribute, or click the Security Labels, Attribute Source, or Value field. The Attribute will now be editable (Figure 4).

• Edit the Attribute’s Security Labels, source, or value as desired.
• Click Confirmat the top right of the Attribute to save your changes.

Deleting Attributes

Expand the desired Attribute in the Attributes card (Figure 3) and click Deleteat the top right of the Attribute to delete it.

Legacy Details Screen

Creating Attributes

1. Navigate to the legacy Details screen for an Indicator, Group, or Victim.
2. Scroll down to the Attributes card on the right side of the screen (Figure 5).

   

    

   Note

   If an Attribute’s type supports pivoting, the Pivoticon will be displayed to the right of the Attribute. Click it to pivot from the Attribute and view objects that contain an Attribute with the same type and value.
   Note

   In Figure 5, the Date First Seen Attribute is displayed as a placeholder default Attribute Type on the Attributes card because an Organization Administrator or Director in a Community or Source configured it as such on the Attribute Preferences tab of the Organization Config or Community (or Source) Config screen, respectively. For instructions on configuring placeholder default Attribute Types for an Organization or Community/Source, see ThreatConnect Organization Administration Guide and ThreatConnect Community and Source Administration Guide, respectively.
3. Click New Attributeat the upper-right corner of the card. The Edit Attribute window will be displayed (Figure 6).

   

    

   • Attribute Type: Select an Attribute Type. After selecting an Attribute Type, its definition will be displayed below the dropdown menu. (See Figure 9 later in this article for an example of an Attribute Type’s description being displayed in the Edit Attribute window.)
   • Default: If you selected Description or Source from the Attribute Type dropdown, the Default checkbox will be displayed. Select this checkbox to display the value of the Description and Source Attribute in the Description or Source card, respectively, on the Overview tab of the legacy Details screen.
   • Choose Security Labels: Select one or more Security Labels to apply to the Attribute, if desired.
   • Attribute Source: Select an existing Attribute source from the dropdown menu, or enter a new one.
   • Save Source: Select this checkbox to save a new Attribute source so it will be displayed as an option in the Attribute Source dropdown menu in the future for objects belonging to the same owner.
   • Text Box: Enter the Attribute’s value. If Markdown is enabled for the selected Attribute Type, a Markdownicon will be displayed to the right of the text box, as in Figure 9 later in this article. See the “Using Markdown and ThreatConnect Markup in Attributes” section for instructions for using Markdown and ThreatConnect Markup when creating an Attribute 
   • Click the SAVE button. If the Indicator, Group, or Victim contains a placeholder default Attribute Type for which no value has been provided (e.g., the Date First Seen Attribute in Figure 5), a SAVE AND NEXT button will be displayed on the Edit Attribute window. Clicking this button will save the changes to the Attribute you are currently creating (or editing) and reopen the Edit Attribute window for the placeholder default Attribute Type.

Editing Attributes

Click Editto the right of an Attribute on the Attributes card (Figure 5). The Edit Attribute window will be displayed. Edit the Attribute’s Security Labels, source, or value as desired, and then click the SAVE button to save your changes.

Deleting Attributes

Click Deleteto the right of an Attribute on the Attributes card (Figure 5) to delete it.

Default and Pinned Attributes

When creating Attributes on the new Details screen, you can configure the Attribute as a default or pinned Attribute by selecting the Default Attribute or Pinned Attribute checkbox, respectively, on the Add Attribute window (Figure 2). The following subsections describe how default and pinned Attributes function on the new Details screen.

Default Attributes

Default Attributes are affixed to the top of the Other Attributes section of the Attributes card on the new Details screen and displayed in the order in which they were last modified, from most to least recent. When a new Attribute that is not configured as a default Attribute is added to the Other Attributes section, it will be placed below all default Attributes. If an object contains a default Attribute and you add another default Attribute of the same type to the object, the new default Attribute will be displayed at the top of the Other Attributes section and the former default Attribute will be placed below all default Attributes.

When you add a default Description Attribute to an object on the new Details screen, it will be displayed on the Details card instead of the Attributes card. If you add another default Description Attribute to the object, the new default Description Attribute will be displayed on the Details card and the former default Description Attribute will be displayed in the Other Attributes section of the Attributes card.

Pinned Attributes

Attributes that are of particular interest to you or your team can be pinned on the Attributes card on the new Details screen. An object’s pinned Attributes are displayed in the Pinned Attributes section of the Attributes card, and they are ordered based on when they were last modified, from most to least recent.

Enabling and Using Markdown in Attributes

ThreatConnect supports a subset of Markdown, including Markdown table formatting. The following Attribute Types support the use of Markdown by default:

• Additional Analysis and Context
• Adversary Origin & Source
• Adversary Type
• Aliases
• AV Scanner Results
• Capabilities
• Compiler
• Compiler Language
• Course of Action Recommendation
• Course of Action Taken
• Description
• Goals
• Impact Description
• Impact Score
• .NET Assembly References
• Network Protocol Analysis
• PE Imports
• PE Resources
• PE Sections
• Report Type
• Response Team & Staff Involved
• Source
• Tactics, Techniques, and Procedures
• Targeted Industry Sector
• Targeted Location
• Threat Scope
• TTP Description: Email
• TTP Description: Malware/Tool Information

These Attribute Types may also include ThreatConnect Markup—that is, syntax that directly links to objects in your ThreatConnect instance. External links are not supported in order to mitigate the risk of accidental infection.

Enabling Markdown for an Attribute Type

1. Log into ThreatConnect as a System Administrator.
2. On the top navigation bar, hover the cursor over Settingsand select System Settings. The System Settings screen will be displayed.
3. Select the Attribute Types tab. The Attribute Types screen will be displayed (Figure 7).

   

    

4. Locate the desired Attribute Type in the table (Campaign Objective in this example), and click Editin its Options column. The Configure Attribute Type window will be displayed (Figure 8).

   

    

   • Select the Allow Markdown checkbox at the lower-left corner of the screen.
   • Click the SAVE button.

Using Markdown and ThreatConnect Markup in Attributes

New Details Screen

When creating or editing an Attribute, a Preview Markdownlink will be displayed above the Value text box if Markdown is enabled for the selected Attribute Type (Figure 4). After entering the desired text using Markdown, click the Preview Markdownlink to display a preview of the text with the rendered Markdown formatting in the Value text box.

Legacy Details Screen

When creating or editing an Attribute, a Markdownicon will be displayed to the right of the text box on the Edit Attribute window if Markdown is enabled for the selected Attribute Type (Figure 9).

In addition to using Markdown, you can use ThreatConnect Markup in the following format to link directly to objects in the owners (i.e., Organizations, Communities, and Sources) to which you have access:

• Indicators: [[IndicatorType:IndicatorValue|IndicatorOwner|DisplayText]]
  Note

  A colon (:) separates the IndicatorType and IndicatorValue parameters. A vertical bar, or pipe, character (|) separates the IndicatorType:IndicatorValue, IndicatorOwner, and DisplayText expressions.
  • IndicatorType: The type of Indicator (e.g., Address, EmailAddress, File, Host).
  • IndicatorValue: The value of the Indicator (e.g., 45.88.202.115, hacker@bad.com, E19010E71F256AB1FCCD07F856B32C4C, bad.com).
  • IndicatorOwner: The owner of the Indicator in ThreatConnect (e.g., Demo Organization, Demo Community). If this parameter is not specified, a default value of your Organization is assumed.
  • DisplayText: The text to display as the in-line link in the Attribute (e.g., bad.com, Malicious Log File). If this parameter is not provided, the text for the in-line link will default to the Indicator type and value (e.g., Host bad.com).
• Groups: [[GroupType:GroupID||DisplayText]]
  Note

  A colon (:) separates the GroupType and GroupID parameters. Two vertical bars, or pipe, characters (|) separate the GroupType:GroupID and DisplayText expressions.
  • GroupType: The type of Group (e.g., Adversary, Document, Threat).
  • GroupID: The ThreatConnect ID number of the Group. This number may be found by navigating to the Details screen for the Group and identifying the number in the URL. For example, in the URL https://app.threatconnect.com/auth/adversary/adversary.xhtml?adversary=12345, the ID number for the given Adversary Group is 12345. Because the GroupID is unique across all owners on your ThreatConnect instance, there is no need to specify a Group owner.
  • DisplayText: The text to display as the in-line link in the Attribute (e.g., Bad Guy, FBI Intelligence Advisory, Fancy Bear). If this parameter is not provided, the text for the in-line link will default to the Group type and ID number (e.g., Adversary 12345).
• Tags: [[Tag:TagValue|Tag Owner|DisplayText]]
  Note

  A colon (:) separates the Tag and TagValue parameters. A vertical bar, or pipe, character (|) separates the Tag:TagValue, TagOwner, and DisplayText expressions.
  • Tag: Only the word Tag should be used here, to indicate that the object being linked is a Tag.
  • TagValue: The value of the Tag (e.g., hacker, apt, Loan Scam).
  • TagOwner: The owner of the Tag in ThreatConnect (e.g., Demo Organization, Demo Community). If this parameter is not specified, a default value of your Organization is assumed.
  • DisplayText: The text to display as the in-line link in the Attribute (e.g., Click here!, this tag, the hacker Tag). If this parameter is not provided, the text for the in-line link will default to the object type (i.e., Tag) and value (e.g., hacker).

Figure 10 shows an example of an Attribute value using a combination of Markdown and ThreatConnect Markup.

After entering the desired text using Markdown or ThreatConnect Markup in the text box on the Edit Attribute window, click the SAVE button. The Attribute will be displayed in the Attributes card with the rendered ThreatConnect Markup and Markdown formatting (Figure 11).

ThreatConnect^®is a registered trademark of ThreatConnect, Inc.

20019-01 v.14.A