Attributes are key/value data sets that can be added to any Indicator or Group. This type of metadata provides an excellent way to organize, categorize, and integrate Indicators or Groups into an Organization’s analytic workflow. Attributes and their values are managed in the Organization Config screen under the Attribute Types and Attribute Validation Rules tabs, respectively.
Creating an Attribute
- From the top navigation bar (Figure 1), place the cursor over Browse and then over the Indicators option. Click on an object (Host in this example) to display a results table (Figure 2).
- Click on one of the entries, and the Details drawer for that entry will appear (Figure 3).
- Click the Details icon at the top right corner of the drawer, and the Overview tab of the Details screen will appear (Figure 4). Alternatively, hover over the object's entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
- Scroll down to the Attributes card, and click the Plus icon. The Edit Attribute window will appear (Figure 5).
- Attribute Type: Select Description from the dropdown menu at the top of the screen.
- Default: Check this box, which will appear when Description is selected as the Attribute Type, to set this Description as the default in the event that there are other Descriptions for the object from other sources.
- Choose Security Labels: Choose a Security Label for the Description.
- Attribute Source: Choose an existing Attribute Source from the dropdown menu or enter a new one.
- Save Source: Check this box to save the Source so it will appear in the Attribute Source dropdown menu in the future for objects belonging to the same owner.
- Text Box: Click inside the text box to enter a description, either in plain text or in Markdown if it has been enabled. (See the "Using Markdown with an Attribute" section later in this article.) If Markdown has been enabled, then the Markdown icon will appear to the right of the text box after Description has been selected from the Attribute Type menu, as in Figure 8 later in this article. Users should contact their System Administrator to enable Markdown if it has not been enabled.
Enabling and Using Markdown in Attributes
ThreatConnect® supports Markdown, a plaintext formatting language, with several default Attribute types, including the following: Additional Analysis and Context; Source; Description; TTP Description; Network Protocol Analysis; Signing Certificate Metadata; Tactics, Techniques, and Procedures; Course of Action Recommendation; Capabilities; TTP Description: Email; TTP Description: Malware/Tool Information; and TTP Description: Passwords.
External links are not supported in order to mitigate the risk of accidental infection.
System Administrators should follow these steps to enable Markdown in an Attribute:
- From the top navigation bar (Figure 1), hover the cursor over the Settings icon and select System Settings from the dropdown menu. The System Settings screen will appear. Click the Attribute Types tab, and the Attribute Types screen will appear (Figure 6).
- Scroll down the table to select the desired Attribute Type (Description in this example), and click on the Modify icon. The Configure Attribute Type window will appear (Figure 7).
- Check the Allow Markdown box at the bottom left of the screen.
- Click the SAVE button.
Using Markdown in an Attribute
- Follow Steps 1–3 of the "Creating an Attribute" section of this article to view the Overview tab of the Details screen for an object.
- On the Overview tab, scroll down to the Attributes card and click on the Modify icon. The Edit Attribute window will appear (Figure 8). The Markdown icon indicates that the Markdown feature is now enabled for use.
- In the text box below the Save Source checkbox, enter the desired information in Markdown format (Figure 9).
- Click the SAVE button, and the Markdown-formatted description will appear in the Description card (Figure 10) and the Attributes card.