Attributes are key/value data sets that can be added to any Indicator or Group. This type of metadata provides an excellent way to organize, categorize, and integrate Indicators or Groups into an Organization’s analytic workflow. Attributes and their values are managed in the Organization Config screen under the Attribute Types and Attribute Validation Rules tabs, respectively.
- From the top navigation bar (Figure 1), place the cursor over BROWSE and then over the INDICATORS option. Click on an object (HOST in this example) to display a results table (Figure 2).
- Click on one of the entries, and the Details window for that entry will appear (Figure 3).
- Click the Details icon at the top right corner of the window, and the Overview tab of the Details screen will appear (Figure 4).
- Scroll down to the Attributes card, click the Plus (+) button, and the Edit Attribute window will appear (Figure 5).
- Attribute Type: Select Description from the dropdown menu at the top of the screen.
- Default: Check this box to set this Description as the default in the event that there are other Descriptions for the object from other sources.
- Choose Security Labels: Choose a Security Label for the Description.
- Attribute Source: Choose an existing Attribute Source from the dropdown menu or enter a new one.
- Save Source: Click this checkbox to save the Source so it will appear in the Attribute Source dropdown menu in the future for objects belonging to the same owner.
- Text Box: Click inside the text box to enter a description, either in plain text or in Markdown. (See the "Using Markdown with an Attribute" section below.)
Using Markdown with an Attribute
ThreatConnect® supports Markdown, a plaintext formatting language, with several default Attribute types, including the following: Additional Analysis and Context; Source; Description; TTP Description; Network Protocol Analysis; Signing Certificate Metadata; Tactics, Techniques, and Procedures; Course of Action Recommendation; Capabilities; TTP Description: Email; TTP Description: Malware/Tool Information; and TTP Description: Passwords.
External links are not supported in order to mitigate the risk of accidental infection, but internal links to Indicators and Groups are supported and are written in wiki-style syntax. For instance, to include a link to Indicator 0.0.0.0 stored within the Common Community, a user would use the following syntax:
The foregoing text navigates to the relevant Indicator, with Address 0.0.0.0 as the link. Optionally, the user may include a description of the link, such as Malicious hosting:
[[address:0.0.0.0|common community | Malicious hosting]]
In general, an Indicator may be referenced by including its type, raw data, and owner, and each Indicator is assumed to be globally unique for a given type and owner:
NOTE: Files can be referenced by including any of their unique hashes (i.e., MD5, SHA1, or SHA-256).
The following are supported Indicator types:
- E-mail Address
- Registry Key
- User Agent
Similarly, a Group may be referenced by including its unique ID, type, and owner:
The following are supported Group types:
- Intrusion Set
The following other type is supported as well:
NOTE: Obtain the unique ID for a Group from the URL endpoint (e.g., an Incident with ID 1337: https://app.threatconnect.com/auth/incident/incident.xhtml?incident=1337).
NOTE: When sharing data into a Community or Source, the Group ID used should be checked to make sure it points to the expected new Groups in the destination after sharing is complete.
Follow these steps to enable Markdown in an Attribute:
- From the top navigation bar (Figure 1), hover the cursor over the Settings icon and select SYSTEM SETTINGS from the dropdown menu. The System Settings screen will appear. Click the Attribute Types tab, and the Attribute Types screen will appear (Figure 6).
- Scroll down the table to select the desired Attribute Type (Description in this example), and click on the Modify icon. The Configure Attribute Type window will appear (Figure 7).
- Check the Allow Markdown box at the bottom left of the screen.
- Follow Steps 1–3 of the previous section in this article to view the Overview tab of the Details screen for an object.
- On the Overview tab, scroll down to the Attributes card and click on the Modify icon. The Edit Attribute window will appear (Figure 8). The Markdown icon indicates that the Markdown feature is now enabled for use.
- In the text box below the Save Source checkbox, enter the desired information in Markdown format (Figure 9).
- Click the SAVE button, and the Markdown-formatted description will appear under Description (Figure 10) and under Attributes (Figure 11).
Refer to the Cheat Sheet for ThreatConnect Markup for syntax for linking valuable context to specific object types.