- 24 Oct 2022
- 4 Minutes to read
-
Print
-
DarkLight
Creating Custom Attribute Types
- Updated on 24 Oct 2022
- 4 Minutes to read
-
Print
-
DarkLight
Minimum Role: Organization role of Organization Administrator or System role of Administrator or Operations Administrator
Prerequisites: None
Overview
Attributes are a very powerful way to enrich data in ThreatConnect®. This article covers creating Attribute Types in an Organization, but you can also create them in Communities and Sources and on the System level. For more information, see ThreatConnect Community and Source Administration Guide and ThreatConnect System Administration Guide, respectively.
You can add Attributes of a custom Attribute Type to the following types of data:
- All ThreatConnect Indicator Types
- All ThreatConnect Group Types
- Workflow Case
- Victim
Creating Custom Attribute Types
- On the top navigation bar, hover the cursor over Settings
and select Org Config. The Attribute Types tab of the Organization Config screen will be displayed (Figure 1).
- Click the + NEW button. The Configure Attribute Type window will be displayed (Figure 2).
- Name: Enter the name of the custom Attribute Type as it will appear on menus and on the Details screen for Indicators and Groups.
- Description: Enter a description of the custom Attribute Type as seen by users when entering a value for the Attribute or when viewing it on the Details screen.
- Error Message: Enter the message presented to users who try to input a value that does not meet the custom Attribute Type’s Validation Rule.
- Validation Rule: Select the schema that determines whether a user’s input is valid when logging an Attribute of the given Type for an Indicator or Group. ThreatConnect is preloaded with a variety of Validation Rules, such as Boolean, Country, and Date. System, Community, and Organization Administrators may define custom Attribute Validation Rules.
- Max Length: Enter the maximum size, in characters, of the custom Attribute Type, if applicable, based on the Attribute Type’s assigned Validation Rule.
- Allow Markdown: Select this checkbox to allow Markdown to be used when configuring an Attribute.
- Enable in GroupBy: Select this checkbox to allow the Attribute Type to be grouped or queried by dashboard cards.NoteIf an Attribute Type’s maximum length is greater than 500 characters, the Enable in GroupBy checkbox will be disabled.
- Mapping:
- Indicators: Click the dropdown to display a scrollable multi-select list of Indicators, and select the checkboxes to specify the types of Indicators to which the Attribute Type can apply. For example, it may make sense to track a “work-hours” Attribute Type against an Incident or File, but not against a URL.
- Groups: Click the dropdown to display a scrollable multi-select list of Groups, and select the checkboxes to specify the types of Groups to which the Attribute Type can apply.
- Case: Select this checkbox if the Attribute Type should apply to a Case.
- Max Allowed: If the Case checkbox is selected, the Max Allowed option will become enabled. Enter the maximum number of times that the Attribute Type can be added to a single Case, or use the plus and minus buttons to add or subtract increments of 1, respectively.NoteIf a user tries to add an Attribute to a Case when the Attribute Type’s Max Allowed limit has been reached, an error message will be displayed stating that the maximum allowed for the Attribute Type has been exceeded on the current Case, and the user will be directed to select an alternative Attribute Type or remove an existing Attribute of the maxed-out Attribute Type from the Case.
- Victim: Select this checkbox if the Attribute Type should apply to a Victim.
- Click the SAVE button.
Uploading Attribute Types
- Click the UPLOAD button on the Attribute Types screen (Figure 1). The Upload Attributes window will be displayed (Figure 3).
- Click the + SELECT FILE button to locate and select a file to upload. After the file is uploaded, the Upload Attributes window will display the name(s) of the Attribute Type(s) contained in the file (Figure 4).
- Click the SAVE button to import the Attribute Type(s).
You can upload Attribute Types using a text or JavaScript Object Notation (JSON) file. If uploading an Attribute Type via a text file, use the following format: Name, Description, Error Message, Length, Applicable Types.
If uploading an Attribute Type via a JSON file, refer to Table 1 for the fields that can be included in the file.
Field | Required | Type |
---|---|---|
allowMarkdown | FALSE | Boolean |
description | TRUE | String |
errorMessage | TRUE | String |
groups | FALSE | String |
indicators | FALSE | String |
maxLength | TRUE | Integer |
name | TRUE | String |
system | FALSE | Boolean |
version | FALSE | Integer |
The following is an example JSON file format used to upload an Attribute Type:
{
"types": [
{
"allowMarkdown": true,
"description": "An example custom Attribute Type",
"errorMessage": "Enter a valid value",
"groups": [
"Adversary",
"Campaign",
"Course of Action",
"Document",
"Email",
"Incident",
"Malware",
"Threat"
],
"indicators": [
"Address",
"EmailAddress",
"File",
"Host",
"Url"
],
"maxLength": 100,
"name": "Demo Attribute Type",
"system": false,
"version": 2
}
]
}
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
20029-01 v.10.B