- 24 Oct 2022
- 5 Minutes to read
- Updated on 24 Oct 2022
Minimum Role: Any System role except Read Only User and any Organization role except Read Only User and Read Only Commenter for creating and using Markdown and ThreatConnect Markup in Attributes; System role of Administrator (System Administrator) for enabling Markdown in an Attribute
Prerequisites: An Indicator or Group
Attributes are key/value data sets that can be added to any Indicator or Group. This type of metadata provides an excellent way to organize, categorize, and integrate Indicators or Groups into an Organization’s analytic workflow. Attributes and their values are managed in the Organization Config screen under the Attribute Types and Attribute Validation Rules tabs, respectively.
Creating an Attribute
- Navigate to an Indicator’s or Group’s Details screen. For instructions on accessing an object’s Details screen, see the “Viewing the Details Screen” section of The Details Screen.
- Scroll down to the Attributes card on the right side of the Details screen (Figure 1).
- Click New Attribute at the upper-right corner of the card. The Edit Attribute window will be displayed (Figure 2).
  - Attribute Type: Select an Attribute Type. After selecting an Attribute Type, its definition will be displayed below the dropdown menu.
  - Default: A checkbox labeled Default will be displayed when certain Attribute Types (e.g., Description) are selected. Select the checkbox to set the information entered for this Attribute as the default in the event that there are other Attributes of the same type for the object from other sources.
  - Choose Security Labels: Select one or more Security Labels to apply to the Attribute, if desired.
  - Attribute Source: Select an existing Attribute Source from the dropdown menu, or enter a new one.
  - Save Source: Select this checkbox to save a new Attribute Source so it will be displayed as an option in the Attribute Source dropdown menu in the future for objects belonging to the same owner.
  - Text Box: Enter the content of the Attribute, either in plain text or, if enabled, Markdown (including ThreatConnect Markup). Instructions for using Markdown and ThreatConnect Markup when creating an Attribute are available in the “Using Markdown and ThreatConnect Markup in an Attribute” section later in this article.
    Note: If Markdown has been enabled, a Markdown icon will be displayed to the right of the text box after a selection has been made from the Attribute Type menu, as in Figure 6 later in this article. Contact your System Administrator to inquire about enabling Markdown if it is not enabled.
- Click the SAVE button.
Enabling and Using Markdown in Attributes
ThreatConnect® supports some of the syntax of Markdown, a plaintext formatting language, in the following Attribute Types:
- Additional Analysis and Context
- TTP Description
- Network Protocol Analysis
- Signing Certificate Metadata
- Tactics, Techniques, and Procedures
- Course of Action Recommendation
- TTP Description: Email
- TTP Description: Malware/Tool Information
- TTP Description: Passwords.
These Attribute Types may also include ThreatConnect Markup—that is, syntax that directly links to objects on your ThreatConnect instance. External links are not supported in order to mitigate the risk of accidental infection.
System Administrators should follow these steps to enable Markdown in an Attribute Type:
- On the top navigation bar, hover the cursor over Settings and select System Settings. The System Settings screen will be displayed.
- Select the Attribute Types tab. The Attribute Types screen will be displayed (Figure 3).
- Locate the desired Attribute Type in the table (Description in this example), and click Edit in its Options column. The Configure Attribute Type window will be displayed (Figure 4).
- Select the Allow Markdown checkbox at the lower-left corner of the screen.
- Click the SAVE button.
Using Markdown and ThreatConnect Markup in an Attribute
- Follow Steps 1–3 of the “Creating an Attribute” section of this article to create an Attribute, or click Edit to the right of an existing Attribute in the Attributes card of an object’s Details screen to edit it (Figure 1). The Edit Attribute window will be displayed (Figure 5). The Markdown icon indicates that the Markdown feature is now enabled for use.
- In the text box below the Save Source checkbox, enter the desired information in Markdown format (Figure 6). There are many online resources, such as markdownguide.org, that provide instruction on using Markdown. ThreatConnect supports a subset of Markdown syntax, including Markdown table formatting. You can also use ThreatConnect Markup in the following format to link directly to objects on your ThreatConnect instance:
  - Indicators: [[IndicatorType:IndicatorValue|IndicatorOwner|DisplayText]]
    Note: A colon (:) separates the IndicatorType and IndicatorValue parameters. A vertical bar, or pipe, character (|) separates the IndicatorType:IndicatorValue, IndicatorOwner, and DisplayText expressions.
    - IndicatorType: The type of Indicator (e.g., Address, EmailAddress, File, Host).
    - IndicatorValue: The value of the Indicator (e.g., 188.8.131.52, email@example.com, E19010E71F256AB1FCCD07F856B32C4C, bad.com).
    - IndicatorOwner: The owner (Organization, Community, or Source) of the Indicator in ThreatConnect (e.g., Acme Corp, Demo Community). If this parameter is not specified, a default value of your Organization is assumed.
    - DisplayText: The text to display as the in-line link in the Attribute (e.g., bad.com, Malicious Log File). If this parameter is not provided, the text for the in-line link will default to the Indicator type and value (e.g., Host bad.com).
  - Groups: [[GroupType:GroupID||DisplayText]]
    Note: A colon (:) separates the GroupType and GroupID parameters. Two vertical bar, or pipe, characters (|) separate the GroupType:GroupID and DisplayText expressions.
    - GroupType: The type of Group (e.g., Adversary, Document, Threat).
    - GroupID: The ThreatConnect ID number of the Group. This number may be found by navigating to the Details screen for the Group and identifying the number in the URL. For example, in the URL https://app.threatconnect.com/auth/adversary/adversary.xhtml?adversary=4120663907&owner=Acme%20Corp#/, the ID number for the given Adversary Group is 4120663907. Because the GroupID is unique across all owners on your ThreatConnect instance, there is no need to specify a Group owner.
    - DisplayText: The text to display as the in-line link in the Attribute (e.g., Bad Guy, FBI Intelligence Advisory, Fancy Bear). If this parameter is not provided, the text for the in-line link will default to the Group type and ID number (e.g., Adversary 4120663907).
  - Tags: [[Tag:TagValue|TagOwner|DisplayText]]
    Note: A colon (:) separates the Tag and TagValue parameters. A vertical bar, or pipe, character (|) separates the Tag:TagValue, TagOwner, and DisplayText expressions.
    - Tag: Only the word Tag should be used here, to indicate that the object being linked is a Tag.
    - TagValue: The value of the Tag (e.g., hacker, apt, Loan Scam).
    - TagOwner: The owner (Organization, Community, or Source) of the Tag in ThreatConnect (e.g., Acme Corp, Demo Community). If this parameter is not specified, a default value of your Organization is assumed.
    - DisplayText: The text to display as the in-line link in the Attribute (e.g., Click here!, this tag, the hacker Tag). If this parameter is not provided, the text for the in-line link will default to the object type (i.e., Tag) and value (e.g., hacker).
- Click the SAVE button. The Markdown-formatted Attribute will be displayed in the Attributes card (Figure 7). If the Attribute is a Description or Source Attribute, the text entered in Figure 6 will also be displayed on the Description and Source cards, respectively.
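The following Python sketch is an added example, not ThreatConnect code: it parses the ThreatConnect Markup formats described above out of draft Attribute text, applies the documented owner and display-text defaults, and lists external Markdown links, which are not supported. The function names, the `my_org` parameter, and the type sets (limited to the examples this article names) are assumptions for illustration.

```python
import re

# [[Type:Value|Owner|DisplayText]]; Owner and DisplayText are optional.
MARKUP = re.compile(
    r"\[\[([^\[\]|:]+):([^\[\]|]+)(?:\|([^\[\]|]*))?(?:\|([^\[\]|]*))?\]\]")
# Markdown inline links with an external scheme (not supported in Attributes).
EXTERNAL = re.compile(r"\[[^\]]*\]\(\s*((?:https?|ftp)://[^)\s]+)", re.I)
# Assumption: only the example types named in the article; an instance has more.
INDICATOR_TYPES = {"Address", "EmailAddress", "File", "Host"}
GROUP_TYPES = {"Adversary", "Document", "Threat"}


def parse_markup(text, my_org):
    """Return one dict per [[...]] link with the documented defaults applied."""
    links = []
    for m in MARKUP.finditer(text):
        obj_type, value, owner, display = ((g or "").strip() for g in m.groups())
        link = {"type": obj_type, "value": value, "errors": []}
        if obj_type == "Tag":
            link["kind"] = "tag"
        elif obj_type in GROUP_TYPES:
            link["kind"] = "group"
            if not value.isdigit():
                link["errors"].append("GroupID must be the numeric ID")
        elif obj_type in INDICATOR_TYPES:
            link["kind"] = "indicator"
        else:
            link["kind"] = "unknown"
            link["errors"].append("unrecognized object type")
        # Group IDs are unique across owners, so no owner applies to them.
        link["owner"] = None if link["kind"] == "group" else (owner or my_org)
        # Missing DisplayText falls back to "<type> <value>", e.g. "Host bad.com".
        link["display"] = display or f"{obj_type} {value}"
        links.append(link)
    return links


def external_links(text):
    """Return URLs of Markdown links that point outside the instance."""
    return EXTERNAL.findall(text)


# Constructed sample Attribute text, using the article's example values.
SAMPLE = ("Seen with [[Host:bad.com|Acme Corp|bad.com]] and [[Host:bad.com]]; "
          "actor [[Adversary:4120663907||Bad Guy]], tag [[Tag:hacker]]. "
          "See [report](https://example.com/report).")

if __name__ == "__main__":
    print(parse_markup(SAMPLE, my_org="Acme Corp"))
    print(external_links(SAMPLE))
```

Running a check like this over draft text before saving catches malformed Group IDs and external links that would not render as intended.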
ThreatConnect® is a registered trademark of ThreatConnect, Inc.