Creating Custom Attribute Types
  • 04 Mar 2024
  • 4 Minutes to read
  • Dark
    Light

Creating Custom Attribute Types

  • Dark
    Light

Article Summary

Overview

Attributes are a very powerful way to enrich data in ThreatConnect®. This article covers creating Attribute Types in an Organization, but you can also create them in Communities and Sources and on the System level. For more information, see ThreatConnect Community and Source Administration Guide and ThreatConnect System Administration Guide, respectively.

You can add Attributes of a custom Attribute Type to the following types of data:

  • All ThreatConnect Indicator Types
  • All ThreatConnect Group Types
  • Workflow Case
  • Victim

Before You Start

Minimum Role(s)Organization role of Organization Administrator or System role of Administrator or Operations Administrator
PrerequisitesNone

Creating Custom Attribute Types

  1. On the top navigation bar, hover the cursor over Settings A picture containing text, clipart, light  Description automatically generated and select Org Config. The Attribute Types tab of the Organization Config screen will be displayed (Figure 1).

    Graphical user interface  Description automatically generated

     

  2. Click the + NEW button. The Configure Attribute Type window will be displayed (Figure 2).

    Graphical user interface, application  Description automatically generated

     

    • Name: Enter the name of the custom Attribute Type as it will appear on menus and on the Details screen for Indicators and Groups.
    • Description: Enter a description of the custom Attribute Type as seen by users when entering a value for the Attribute or when viewing it on the Details screen.
    • Error Message: Enter the message presented to users who try to input a value that does not meet the custom Attribute Type’s Validation Rule.
    • Validation Rule: Select the schema that determines whether a user’s input is valid when logging an Attribute of the given Type for an Indicator or Group. ThreatConnect is preloaded with a variety of Validation Rules, such as Boolean, Country, and Date. System, Community, and Organization Administrators may define custom Attribute Validation Rules.
    • Max Length: Enter the maximum size, in characters, of the custom Attribute Type, if applicable, based on the Attribute Type’s assigned Validation Rule.
    • Allow Markdown: Select this checkbox to allow Markdown to be used when configuring an Attribute.
    • Enable in GroupBy: Select this checkbox to allow the Attribute Type to be grouped or queried by dashboardcards.
      Note
      If an Attribute Type’s maximum length is greater than 500 characters, the Enable in GroupBy checkbox will be disabled.
    • Mapping:
      • Indicators: Click the dropdown to display a scrollable multi-select list of Indicators, and select the checkboxes to specify the types of Indicators to which the Attribute Type can apply. For example, it may make sense to track a “work-hours” Attribute Type against an Incident or File, but not against a URL.
      • Groups: Click the dropdown to display a scrollable multi-select list of Groups, and select the checkboxes to specify the types of Groups to which the Attribute Type can apply.
      • Case: Select this checkbox if the Attribute Type should apply to a Case.
      • Max Allowed: If the Case checkbox is selected, the Max Allowed option will become enabled. Enter the maximum number of times that the Attribute Type can be added to a single Case, or use the plus and minus buttons to add or subtract increments of 1, respectively.
        Note
        If a user tries to add an Attribute to a Case when the Attribute Type’s Max Allowed limit has been reached, an error message will be displayed stating that the maximum allowed for the Attribute Type has been exceeded on the current Case, and the user will be directed to select an alternative Attribute Type or remove an existing Attribute of the maxed-out Attribute Type from the Case.
      • Victim: Select this checkbox if the Attribute Type should apply to a Victim.
    • Click the SAVE button.

Uploading Attribute Types

  1. Click the UPLOAD button on the Attribute Types screen (Figure 1). The Upload Attributes window will be displayed (Figure 3).

    Graphical user interface, text, application, email, Teams  Description automatically generated

     

  2. Click the + SELECT FILE button to locate and select a file to upload. After the file is uploaded, the Upload Attributes window will display the name(s) of the Attribute Type(s) contained in the file (Figure 4).

    Graphical user interface, application  Description automatically generated

     

  3. Click the SAVE button to import the Attribute Type(s).

You can upload Attribute Types using a text or JavaScript Object Notation (JSON) file. If uploading an Attribute Type via a text file, use the following format: Name, Description, Error Message, Length, Applicable Types.

Note
In text files, columns are delimited by the comma character (,). Applicable Types are delimited by the pipe character (|).

If uploading an Attribute Type via a JSON file, refer to Table 1 for the fields that can be included in the file.

 

FieldRequiredType
allowMarkdownFALSEBoolean
descriptionTRUEString
errorMessageTRUEString
groupsFALSEString
indicatorsFALSEString
maxLengthTRUEInteger
nameTRUEString
systemFALSEBoolean
versionFALSEInteger
Note
To upload an Attribute Type as a System Attribute Type, assign the system field a value of true.
Note
Upon creation of a new Attribute Type, the version field is automatically assigned a value of 1.
Note
To update an existing Attribute Type, the value for the name field must equal the name of the Attribute Type being updated, and the value for the version field must be incremented from the previous value by at least 1.

The following is an example JSON file format used to upload an Attribute Type:

{
    "types": [
        {
            "allowMarkdown": true,
            "description": "An example custom Attribute Type",
            "errorMessage": "Enter a valid value",
            "groups": [
                "Adversary",
                "Campaign",
                "Course of Action",
                "Document",
                "Email",
                "Incident",
                "Malware",
                "Threat"
            ],
            "indicators": [
                "Address",
                "EmailAddress",
                "File",
                "Host",
                "Url"
            ],
            "maxLength": 100,
            "name": "Demo Attribute Type",
            "system": false,
            "version": 2
        }
    ]
}

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20029-01 v.10.B


Was this article helpful?