Contents x
Attributes
  • 19 Oct 2023
  • 12 Minutes to read
  • Print
  • Dark
    Light
Contents

Attributes

  • Updated on 19 Oct 2023
  • 12 Minutes to read
  • Print
  • Dark
    Light
Article Summary

Overview

Attributes are key/value data sets that can be added to Indicators, Groups, and Victims in ThreatConnect®. This type of metadata provides an excellent way to organize, categorize, and integrate Indicators, Groups, and Victims into an Organization’s analytic workflow.

Attributes, their values, and their display preferences for an Organization are managed on the Organization Config screen under the Attribute Types, Attribute Validation Rules, and Attribute Preferences tabs, respectively. For a Community or Source, these features are managed on the same tabs on the Community Config screen.

Note
You can also add Attributes to Workflow Cases, as detailed in Case Attributes.

Before You Start

Minimum Role(s)
  • Organization role of Standard User for creating, editing, and deleting Attributes and for using Markdown and ThreatConnect Markup in Attributes
  • System role of Administrator for enabling Markdown in an Attribute
PrerequisitesAn Indicator, Group, or Victim

Creating, Editing, and Deleting Attributes

New Details Screen

Creating Attributes

  1. Navigate to the Details screen for an Indicator or Group.
    Important
    The new Details screen is not currently available for Email, Signature, and Task Groups and for Victims. As such, you can add Attributes to these object types on the legacy Details screen only.
  2. Scroll down to the Attributes card on the left side of the screen (Figure 1).

     

    Note
    Use the Filtersmenu to filter Attributes by Attribute Type, a range of dates within which they were created, or a range of dates within which they were last modified. You can also enter text in the search bar to the left of the Filtersmenu to filter Attributes by value.
  3. Click Addat the upper-right corner of the Attributes card. The Add Attribute window will be displayed (Figure 2).

    Figure 2_Attributes_7.0.2

     

    • Attribute Type: Select an Attribute Type.
    • Security Labels: Select one or more Security Labels to apply to the Attribute, if desired.
    • Attribute Source: Select an existing Attribute source from the dropdown menu, or enter a new one.
    • Save Source: If you did not select a saved Attribute source from the Attribute Source dropdown, this button will be enabled. Click it to save the Attribute source entered in the Attribute Source field so that it will be displayed as an option in the Attribute Source dropdown menu in the future for objects belonging to the same owner.
    • Value: Enter the Attribute’s value, either in plain text or, if enabled, Markdown in the text box. Note that this text box will be displayed after you select an Attribute Type.
    • Preview Markdown: If Markdown is enabled for the selected Attribute Type, this element will be displayed above the Value text box. Click the link to toggle to a preview of the Attribute’s value with the rendered Markdown formatting.
      Note
      URLs and hyperlinks in an Attribute’s value will be rendered as unclickable strings unless you format them with Markdown. Webpage and image URLs formatted with Markdown will be rendered as clickable links and images, respectively, when viewing the Attribute.
    • Default Attribute: Select this checkbox to set the Attribute as the default of its type in the event that other Attributes of the same type are added to the object. For more information on default Attributes, see the “Default and Pinned Attributes” section.
    • Pinned Attribute: Select this checkbox to display the Attribute in the Pinned Attributes section of the Attributes card. For more information on pinned Attributes, see the “Default and Pinned Attributes” section.
    • Click the Save button.

If you selected the Pinned Attribute checkbox when creating the Attribute, it will be displayed in the Pinned Attributes section; otherwise, the Attribute will be displayed in the Other Attributes section. Click the Attribute to expand it and display its details (Figure 3).

 

Note
If an Attribute’s type supports pivoting, the Pivot button will be displayed when the Attribute is expanded. Click it to pivot from the Attribute and view objects that contain an Attribute with the same type and value.

Editing Attributes

Expand the desired Attribute in the Attributes card (Figure 3) and click Editat the top right of the Attribute, or click the Security Labels, Attribute Source, or Value field. The Attribute will now be editable (Figure 4).

 

  • Edit the Attribute’s Security Labels, source, or value as desired.
  • Click Confirmat the top right of the Attribute to save your changes.

Deleting Attributes

Expand the desired Attribute in the Attributes card (Figure 3) and click Deleteat the top right of the Attribute to delete it.

Legacy Details Screen

Creating Attributes

  1. Navigate to the legacy Details screen for an Indicator, Group, or Victim.
  2. Scroll down to the Attributes card on the right side of the screen (Figure 5).

    Graphical user interface, text, application, email Description automatically generated

     

    Note
    If an Attribute’s type supports pivoting, the PivotPivot icon_Blueicon will be displayed to the right of the Attribute. Click it to pivot from the Attribute and view objects that contain an Attribute with the same type and value.
    Note
    In Figure 5, the Date First Seen Attribute is displayed as a placeholder default Attribute Type on the Attributes card because an Organization Administrator or Director in a Community or Source configured it as such on the Attribute Preferences tab of the Organization Config or Community (or Source) Config screen, respectively. For instructions on configuring placeholder default Attribute Types for an Organization or Community/Source, see ThreatConnect Organization Administration Guide and ThreatConnect Community and Source Administration Guide, respectively.
  3. Click New AttributeIcon Description automatically generatedat the upper-right corner of the card. The Edit Attribute window will be displayed (Figure 6).

    Graphical user interface, application Description automatically generated

     

    • Attribute Type: Select an Attribute Type. After selecting an Attribute Type, its definition will be displayed below the dropdown menu. (See Figure 9 later in this article for an example of an Attribute Type’s description being displayed in the Edit Attribute window.)
    • Default: If you selected Description or Source from the Attribute Type dropdown, the Default checkbox will be displayed. Select this checkbox to display the value of the Description and Source Attribute in the Description or Source card, respectively, on the Overview tab of the legacy Details screen.
    • Choose Security Labels: Select one or more Security Labels to apply to the Attribute, if desired.
    • Attribute Source: Select an existing Attribute source from the dropdown menu, or enter a new one.
    • Save Source: Select this checkbox to save a new Attribute source so it will be displayed as an option in the Attribute Source dropdown menu in the future for objects belonging to the same owner.
    • Text Box: Enter the Attribute’s value. If Markdown is enabled for the selected Attribute Type, a Markdownicon will be displayed to the right of the text box, as in Figure 9 later in this article. See the “Using Markdown and ThreatConnect Markup in Attributes” sectionfor instructions for using Markdown and ThreatConnect Markup when creating an Attribute.
      Note
      URLs and hyperlinks in an Attribute’s value will be rendered as unclickable strings. Image URLs formatted with Markdown will be rendered as images when viewing the Attribute; however, webpage URLs formatted with Markdown will still be rendered as unclickable strings.
    • Click the SAVE button. If the Indicator, Group, or Victim contains a placeholder default Attribute Type for which no value has been provided (e.g., the Date First Seen Attribute in Figure 5), a SAVE AND NEXT button will be displayed on the Edit Attribute window. Clicking this button will save the changes to the Attribute you are currently creating (or editing) and reopen the Edit Attribute window for the placeholder default Attribute Type.

Editing Attributes

Click EditPencil iconto the right of an Attribute on the Attributes card (Figure 5). The Edit Attribute window will be displayed. Edit the Attribute’s Security Labels, source, or value as desired, and then click the SAVE button to save your changes.

Deleting Attributes

Click DeleteTrash iconto the right of an Attribute on the Attributes card (Figure 5) to delete it.

Default and Pinned Attributes

When creating Attributes on the new Details screen, you can configure the Attribute as a default or pinned Attribute by selecting the Default Attribute or Pinned Attribute checkbox, respectively, on the Add Attribute window (Figure 2). The following subsections describe how default and pinned Attributes function on the new Details screen.

Default Attributes

Default Attributes are affixed to the top of the Other Attributes section of the Attributes card on the new Details screen and sorted in alphabetical order by their Attribute Type. When a new Attribute that is not configured as a default Attribute is added to the Other Attributes section, it will be placed below all default Attributes. If an object contains a default Attribute and you add another default Attribute of the same type to the object, the new default Attribute will be displayed at the top of the Other Attributes section and the former default Attribute will be placed below all default Attributes.

Important
You cannot update an Attribute’s Default Attribute setting after it is created. If you no longer want an Attribute to be the default Attribute of its type, delete the Attribute or create a new Attribute of the same Attribute Type and make it the default Attribute.
Important
As of ThreatConnect version 7.0, Attribute Types configured as placeholder default Attribute Types via the Attribute Preferences tab of the Organization Config or Community (or Source) Config screen will not be pre-populated on the Attributes card on the new Details screen.

Default Description Attribute

On the new Details screen, an object’s default Description Attribute is displayed in the Description section of the Details card only. If you add another default Description Attribute to the object, the new default Description Attribute will be displayed in the Description section of the Details card and the former default Description Attribute will be displayed in the Other Attributes section of the Attributes card.

Default Source Attribute

On the new Details screen, an object’s default Source Attribute is displayed in the Source section of the Details card and the Other Attributes section of the Attributes card. If you add another default Source Attribute to the object, the new default Source Attribute will be displayed in the Source section of the Details card and the Other Attributes section of the Attributes card; the former default Source Attribute will be displayed in the Other Attributes section of the Attributes card only.

Pinned Attributes

Attributes that are of particular interest to you or your team can be pinned on the Attributes card on the new Details screen. An object’s pinned Attributes are displayed in the Pinned Attributes section of the Attributes card, and they are ordered based on when they were last modified, from most to least recent.

If an Organization Administrator or Director in a Community or Source configured an Attribute Type as a pinned Attribute Type for a given object type via the Attribute Preferences tab of the Organization Config or Community (or Source) Config screen, respectively, then Attributes of that Attribute Type that are added to an object of the specified type will be displayed in the Pinned Attributes section of the Attributes card automatically, regardless of whether the Pinned Attribute checkbox was selected during the creation of the Attribute. For instructions on configuring pinned Attribute Types for an Organization or Community/Source, see ThreatConnect Organization Administration Guide and ThreatConnect Community and Source Administration Guide, respectively.

Important
You cannot update an Attribute’s Pinned Attribute setting after it is created. To remove an Attribute from the Pinned Attributes section of the Attributes card, create a copy of the Attribute without selecting the Pinned Attribute checkbox and then delete the pinned Attribute.

Enabling and Using Markdown in Attributes

ThreatConnect supports a subset of Markdown, including Markdown table formatting. The following Attribute Types support the use of Markdown by default:

  • Additional Analysis and Context
  • Adversary Origin & Source
  • Adversary Type
  • Aliases
  • AV Scanner Results
  • Capabilities
  • Compiler
  • Compiler Language
  • Course of Action Recommendation
  • Course of Action Taken
  • Description
  • Goals
  • Impact Description
  • Impact Score
  • .NET Assembly References
  • Network Protocol Analysis
  • PE Imports
  • PE Resources
  • PE Sections
  • Report Type
  • Response Team & Staff Involved
  • Source
  • Tactics, Techniques, and Procedures
  • Targeted Industry Sector
  • Targeted Location
  • Threat Scope
  • TTP Description: Email
  • TTP Description: Malware/Tool Information

These Attribute Types may also include ThreatConnect Markup—that is, syntax that directly links to objects in your ThreatConnect instance. External links are not supported in order to mitigate the risk of accidental infection.

Enabling Markdown for an Attribute Type

  1. Log into ThreatConnect as a System Administrator.
  2. On the top navigation bar, hover the cursor over SettingsA picture containing text, clipart, light Description automatically generatedand select System Settings. The System Settings screen will be displayed.
  3. Select the Attribute Types tab. The Attribute Types screen will be displayed (Figure 7).

    Graphical user interface Description automatically generated with medium confidence

     

  4. Locate the desired Attribute Type in the table (Campaign Objective in this example), and click EditPencil icon_Blackin its Options column. The Configure Attribute Type window will be displayed (Figure 8).

    Graphical user interface, application Description automatically generated

     

    • Select the Allow Markdown checkbox at the lower-left corner of the screen.
    • Click the SAVE button.

Using Markdown and ThreatConnect Markup in Attributes

New Details Screen

When creating or editing an Attribute, a Preview Markdownlink will be displayed above the Value text box if Markdown is enabled for the selected Attribute Type (Figure 4). After entering the desired text using Markdown, click the Preview Markdownlink to display a preview of the text with the rendered Markdown formatting in the Value text box.

Note
The new Details screen supports the Marked library (https://marked.js.org/).
Important
As of ThreatConnect version 7.0, ThreatConnect Markup will not be rendered when viewing Attributes on the new Details screen.

Legacy Details Screen

When creating or editing an Attribute, a Markdownicon will be displayed to the right of the text box on the Edit Attribute window if Markdown is enabled for the selected Attribute Type (Figure 9).

Graphical user interface, application Description automatically generated

 

In addition to using Markdown, you can use ThreatConnect Markup in the following format to link directly to objects in the owners (i.e., Organizations, Communities, and Sources) to which you have access:

  • Indicators: [[IndicatorType:IndicatorValue|IndicatorOwner|DisplayText]]
    Note
    A colon (:) separates the IndicatorType and IndicatorValue parameters. A vertical bar, or pipe, character (|) separates the IndicatorType:IndicatorValue, IndicatorOwner, and DisplayText expressions.
    • IndicatorType: The type of Indicator (e.g., Address, EmailAddress, File, Host).
    • IndicatorValue: The value of the Indicator (e.g., 45.88.202.115, [email protected], E19010E71F256AB1FCCD07F856B32C4C, bad.com).
    • IndicatorOwner: The owner of the Indicator in ThreatConnect (e.g., Demo Organization, Demo Community). If this parameter is not specified, a default value of your Organization is assumed.
    • DisplayText: The text to display as the in-line link in the Attribute (e.g., bad.com, Malicious Log File). If this parameter is not provided, the text for the in-line link will default to the Indicator type and value (e.g., Host bad.com).
  • Groups: [[GroupType:GroupID||DisplayText]]
    Note
    A colon (:) separates the GroupType and GroupID parameters. Two vertical bars, or pipe, characters (|) separate the GroupType:GroupID and DisplayText expressions.
    • GroupType: The type of Group (e.g., Adversary, Document, Threat).
    • GroupID: The ThreatConnect ID number of the Group. This number may be found by navigating to the Details screen for the Group and identifying the number in the URL. For example, in the URL https://app.threatconnect.com/auth/adversary/adversary.xhtml?adversary=12345, the ID number for the given Adversary Group is 12345. Because the GroupID is unique across all owners on your ThreatConnect instance, there is no need to specify a Group owner.
    • DisplayText: The text to display as the in-line link in the Attribute (e.g., Bad Guy, FBI Intelligence Advisory, Fancy Bear). If this parameter is not provided, the text for the in-line link will default to the Group type and ID number (e.g., Adversary 12345).
  • Tags: [[Tag:TagValue|Tag Owner|DisplayText]]
    Note
    A colon (:) separates the Tag and TagValue parameters. A vertical bar, or pipe, character (|) separates the Tag:TagValue, TagOwner, and DisplayText expressions.
    • Tag: Only the word Tag should be used here, to indicate that the object being linked is a Tag.
    • TagValue: The value of the Tag (e.g., hacker, apt, Loan Scam).
    • TagOwner: The owner of the Tag in ThreatConnect (e.g., Demo Organization, Demo Community). If this parameter is not specified, a default value of your Organization is assumed.
    • DisplayText: The text to display as the in-line link in the Attribute (e.g., Click here!, this tag, the hacker Tag). If this parameter is not provided, the text for the in-line link will default to the object type (i.e., Tag) and value (e.g., hacker).

Figure 10 shows an example of an Attribute value using a combination of Markdown and ThreatConnect Markup.

 

After entering the desired text using Markdown or ThreatConnect Markup in the text box on the Edit Attribute window, click the SAVE button. The Attribute will be displayed in the Attributes card with the rendered ThreatConnect Markup and Markdown formatting (Figure 11).

Graphical user interface, text, application, email Description automatically generated

 

ThreatConnect®is a registered trademark of ThreatConnect, Inc.

20019-01 v.14.C

Was this article helpful?
Related articles
What's Next
Company
Sales and Support
Follow Us
© 2012–2023 ThreatConnect, Inc. All Rights Reserved.