Attributes are a very powerful way to enrich data in ThreatConnect®. The following types of data can have custom Attributes added to them:
- Address (IP)
- E-mail Address
- Registry Key
- User Agent
- Intrusion Set
NOTE: Only an Organization Administrator or higher can create and edit custom Attributes.
Creating Custom Attributes
- On the top navigation bar (Figure 1), place the cursor over the Settings icon and select Org Config from the dropdown menu (Figure 2).
- The Organization Config screen will be displayed (Figure 3).
- Click the + NEW button, and the Configure Attribute Type window will be displayed (Figure 4).
- Name: Click in the box to enter the name of the custom Attribute as it will appear on menus and on the Details screen for Indicators and Groups.
- Max Length: Click in the box (or use the plus and minus symbols) to enter the maximum size, in characters, of the custom Attribute, if applicable, based on the Attribute’s assigned Validation Rule.
- Description: Click in the box to enter a description of the custom Attribute as seen by users when inputting a value for the Attribute or when viewing it from the Details screen.
- Error Message: Click in the box to enter the message presented to users who try to input a value that does not meet the custom Attribute’s Validation Rules.
- Validation Rule: Click on the dropdown menu to select the schema that determines whether a user’s input is valid when logging an Attribute for an Indicator or Group. ThreatConnect is preloaded with a variety of Validation Rules, such as Boolean, Country, and Date. System, Community, and Organization Administrators are able to define their own Attribute Validation Rules as needed.
- Allow Markdown: Select this checkbox to allow Markdown to be used when configuring an Attribute. (See Creating Attributes for more information.)
- Mapping: Select the checkboxes to specify the types of Indicators or Groups to which the Attribute can apply. For example, it may make sense to track a "work-hours" Attribute against an Incident or File, but not against a URL.