References - Platform Standard Attributes
Overview
This page provides a standard list of attributes available within the ThreatConnect Platform.
Currently, this list reflects ThreatConnect Platform version 6.1.
Standard Attributes Table
Attribute Name | Attribute Description | Attribute Field/Object Size | Applicable ThreatConnect Data Model Objects | Additional Information | Allows Markdown? |
Additional Analysis and Context | Relevant research and analysis associated with this Indicator, Signature, or Activity Group. Can be internal analysis or links to published articles, whitepapers, websites, or any reference providing amplifying information or geo-political context. | 64K | ASN | Please enter valid Additional Analysis and Context. | True |
Admiralty Code | The Admiralty System is a method for evaluating collected items of intelligence. | 2 characters | ASN | Please enter a valid Admiralty Code. | False |
Adversary Motivation Type | Select an overall motivation. | 21 characters | Adversary | Please enter a valid Adversary Motivation Type. | False |
Adversary Origin & Source | The observed and/or assumed attacker origin or source. | 500 characters | Adversary | Please enter an observed and or assumed attacker origin or source. | True |
Adversary Type | The type of Adversary. | 50 characters | Adversary | Please enter a valid Adversary Type: Group, Persona | False |
Aliases | Other names used to refer to this entity. | 500 characters | Adversary | Please enter a valid Aliases. | True |
AMA Signature | Text string returned by an AMA for structural or behavioral signatures triggered by the file sample. | 500 characters | File | Please enter a valid Signature of 500 characters or fewer. | False |
Archive Password | Password for Malware Documents | 255 characters | Document | Please input password. Default password is "TCInfected". | False |
Attribution Assessment | Attribution of Threat activity to a given person, group, or entity. | 500 characters | Campaign | Please enter a valid Attribution Assessment. | False |
Attribution Confidence | Confidence of attribution of Threat activity to a given person, group, entity. | 5 characters | Campaign | Please enter a valid attribution confidence with a value 0-100. | False |
Autonomous System Name | The Autonomous System Name for this ASN. | 250 characters | ASN | Please enter a valid Autonomous System Name. | False |
AV Scanner Results | This type contains Markdown-formatted antivirus scanner results from an AV scanner bank. | 8K | File | Please check that your AV scanner results are fewer than 8192 characters. | True |
AV Scan Timestamp | The timestamp when this file was most recently scanned by AV engines. Example: 2017-05-03T14:38:02Z | 20 characters | File | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
Bitcoin Address | Bitcoin wallet address. | 34 characters | Adversary | Check that the bitcoin address is the correct format. | False |
Body Type | The Body Type of this Email. | 250 characters | | Please enter a valid Body Type. | False |
Campaign Objective | Defines the Campaign’s primary goal, objective, desired outcome, or intended effect. | 500 characters | Campaign | Please enter a valid Campaign Objective. | False |
Capabilities | Overview of Threat or Adversary capabilities. | 500 characters | Adversary | Please enter a valid capabilities. | True |
Code Page | Code page is a table of values that describes the character set used for encoding a particular set of characters. Code page here is an integer 1-65520 referencing this table. | 5 characters | File | Please enter a valid code page 1-65520. | False |
Collection Location | Location in the email header or body where an email address indicator was collected. | 13 characters | EmailAddress | Please enter a valid collection location: Body, Reply-To, From, Sender, Envelope-from, or Return-Path. | False |
Compiler | The compiler used for this File. | 300 characters | File | Please enter a valid Compiler. | True |
Compiler Language | The compiler language of this File. | 100 characters | File | Please enter a valid Compiler Language. | True |
Confidence | Characterizes the level of confidence held in the characterization of this Campaign or Signature. | 7 characters | Campaign | Please enter a valid Confidence: High, Medium, Low, None, Unknown | False |
Course of Action Desired Effect | Select a desired effect on the Adversary operations. | 7 characters | Adversary | Please enter a valid effect: Deny, Degrade, Deceive, Disrupt, or Destroy. | False |
Course of Action Effectiveness | Select how effective the Course of Action was. | 20 characters | Adversary | Please enter a valid COA Effect: No Effect, Low Effect, Moderately Effective, Highly Effective, or Extremely Effective. | False |
Course of Action Recommendation | Recommend a Course of Action. | 64K | Adversary | Please enter a valid Course of Action Recommendation. | True |
Course of Action Taken | Describe the Course of Action Taken. | 500 characters | Adversary | Please enter a valid Course of Action. | True |
Created Date Time | Date and time when this STIX Campaign object was created. | 255 characters | Campaign | Please enter a valid Created Date Time: YYYY/MM/DD HH:mm:ss | False |
Creation Timestamp | The time and date this document or file was created. Example: 2017-05-03T14:38:02Z | 20 characters | File | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
Date of Discovery | Select the date when the Event, Incident, Threat, or Adversary was discovered. | 25 characters | ASN | Please enter a valid date in YYYY/MM/DD format. | False |
Debug Symbol Path | Path to the Windows debugging symbol file. Found in the debug info of a PE file. | 500 characters | File | Please check the format and that the length is 500 characters or less. | False |
Deployment Status | Enter any sensors or hosts this signature is deployed to. | 500 characters | Signature | Please enter a valid deployment status. | False |
Description | A general description. There may be several descriptions from various sources. Check the Default checkbox above to make this description the default. | 100K | ASN | Please enter a valid description. | True |
Detection Percentage | The percentage of AV engines that are detecting the file as malicious. | 3 characters | File | Please enter a valid detection percentage between 0 and 100. | False |
Detection Ratio | This type is a ratio of positive AV scanner results to the total number of scanners with which the sample was checked. | 7 characters | File | Please input a valid detection ratio value. Maximum is 100/100. | False |
Dll Name | When present, this is the Name field in the Export Directory struct of a PE file. | 100 characters | File | Please enter the dll name extracted from PE file. | False |
Document Author | Author field from the document metadata. | 100 characters | File | Please check the input length for document author is 100 characters or fewer. | False |
Document Company | Company field from the document metadata. | 100 characters | File | Please check the input length for document company is 100 characters or fewer. | False |
Document Creation Tool | Software tool used to create this document, if available. | 100 characters | File | Please check the input length for document creation tool is 100 characters or fewer. | False |
Document Description | Description field from document metadata. | 100 characters | File | Please check the input length for document description is 100 characters or fewer. | False |
Document Last Modified By | Name of the last individual to modify this document from metadata. | 100 characters | File | Please check the input length for document last modified by is 100 characters or fewer. | False |
Document Subject | Subject of the document from metadata. | 100 characters | File | Please check the input length for document subject is 100 characters or fewer. | False |
Document Title | Title of the document from metadata. | 100 characters | File | Please check the input length for document title is 100 characters or fewer. | False |
EmailAddress Usage | Select the Tactics, Techniques, and Procedures (TTPs) the Adversary used in relation to this Email Address. | 26 characters | EmailAddress | Please enter a valid option: Phishing Email Sender, Command and Control, Personal Email Account, Professional Email Account, Domain Registrant, Drop Email. | False |
Entropy | Overall Shannon entropy of a file. | 4 characters | File | Please enter the file entropy as a decimal number to the precision of 2 (1.02) and a maximum of 8.00. | False |
Entry Point | Location where control is transferred from the operating system to a computer program, at which place the processor enters a program or a code fragment and execution begins. | 8 characters | File | Please enter a valid entry point that is a 32-bit lowercase hex string (8 characters). | False |
Event End Date | The end date of the event reported in this Incident. Example: 2017-05-03T14:38:02Z | 100 characters | Incident | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
Event Log | Logs that pertain to an event. | 100K | Event | Please enter a valid event log. | False |
Events | Notable events this indicator was observed in. | 500 characters | Address | Please enter a valid Event. | False |
External Date Created | The External timestamp of when this resource was Created. Example: 2017-05-03T14:38:02Z | 100 characters | ASN | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
External Date Expires | The External timestamp of when this resource will expire. Example: 2017-05-03T14:38:02Z | 100 characters | ASN | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
External Date Last Modified | The External timestamp of when this resource was Last Modified. Example: 2017-05-03T14:38:02Z | 100 characters | ASN | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
External ID | ID used by system outside of ThreatConnect. | 255 characters | ASN | Please enter an External ID of 255 characters or less. | False |
External References | Specifies a list of external references which refers to non-STIX information. | 500 characters | Campaign | Please enter a valid External References. | False |
File Type | File type as determined by libmagic or the file command. | 500 characters | Document | Please enter a File Type of 500 characters or fewer. | False |
First Seen | The timestamp of when this indicator or activity was first seen. Example: 2017-05-03T14:38:02Z | 20 characters | ASN | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
First Seen Timestamp Precision | The precision of the First Seen timestamp. | 50 characters | Campaign | Please enter a valid First Seen Timestamp Precision. | False |
Frequency | How frequently this event or activity occurs. | 9 characters | Event | Please enter a valid frequency: Often, Sometimes, Rarely. | False |
Granular Markings | Specifies a list of granular markings applied to this. | 100 characters |