Using Playbooks to Populate Custom Attributes

Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email

Create Custom Attribute Types and Validation Rules, then use Playbooks to populate them automatically

I was working with a customer who wanted to use ThreatConnect’s Task and workflow features like a traditional ticketing system, with a unique identifier for data objects that they could key off of and pass to other teams as needed. This is usually a value, like an “Incident Number” or “Task ID”. ThreatConnect has these values and you can see them in the weblink URL for any data object within the Platform. The customer wanted to pass these identifiers to other users/teams/applications, so we decided to use a combination of custom attributes, custom attribute validation rules, and Playbooks to make the data easier to work with, and meet their goals. Along the way we also found that once created and populated, our new attributes were searchable within ThreatConnect.

In this post, you’ll learn how to use the following ThreatConnect features:

Note: This example could easily be reused for other purposes.

Maybe you want to poll some external data source such as DomainTools and fill an attribute with a retrieved value each time you create a new incident record?  This process will show you how. And, if you have a need for some other custom attribute, the steps taken here will guide you in creating the necessary configuration.

First: for any of the Group data types, ThreatConnect already creates a unique identifier which is visible in the weblink URL:

In this example, we can see an incident with the identifier “672522”. This is the single value which identifies this incident within the organization. With this piece of information, we can always track to exactly this single incident. This URL is where we will harvest the identifier, and place it into a new attribute, which we will create.

We’ll create the Attribute called a “TC ID Number”, and make it available to Group data types such as Adversaries, Incidents, Tasks, and Threats. Rather than call this attribute something like “Incident Number” we’ll deliberately keep the name generic so that it is useful across multiple data types. You’ll see the value in this decision later in the article.

Before we create the attribute, we will create an Attribute Validation Rule. This will simply validate the data that anyone places into this attribute. In this case, we’ll use a simple rule to validate that only digits are entered. We’ll call this rule the “TC ID Number validation rule”. To create a rule, select “Org Config” in the drop-down menu, and then select “Attribute Validation Rules”.  Create a “New” rule, and complete the form as follows:

Save this rule. Now you are ready to create the new attribute. From the same Org Config page, choose the link for “Attribute Types”, and then create a “New” attribute. Complete the form as follows:

Notice we are creating an attribute called “TC ID Number”. We set a maximum length of 16 characters, and selected several Groups where this attribute may be used. We have also selected our validation rule from the previous step.

This instance of ThreatConnect now has a new attribute available. The obvious question is, how do you put it into action? You can, of course, add this attribute to your Groups manually, one at a time, but what if we applied it automatically whenever the group object is created?

That’s where Playbooks comes in!

Following is one of four Playbooks I created to utilize this new attribute. The Playbooks are triggered when a new Group object is created in My Org. The Playbook extracts the identifier from the URL, and stores it in the new attribute. The Playbook looks like this:

It does not matter how the new group object (incident, in this example) is created. It could have been created manually through the Create Group wizard, or it could have been copied into my org from another source, such as the ThreatConnect Intelligence source. The Playbook will trigger on the new object and fill in the attribute automatically. Below we have multiple Playbooks to make this possible:

After the Playbooks are installed, configured, and set to Active status, any of the defined groups that are created will have the “TC ID Number” attribute populated.

Moving forward, you now have a state where the TC ID Numbers are populated. You can pass these values to other users or even other systems for tracking purposes. For instance, your IR team might use an external ticketing system like ServiceNow to receive data about new investigations to begin. You could pass the weblink URL of our incidents in ThreatConnect to ServiceNow and perhaps use the TC ID Number as the display value for the link.

 Passing these values to ServiceNow is very straightforward with Playbooks, but beyond the scope of this blog.

Recall that I mentioned that our new attribute would be searchable. That’s available to us now without any additional configuration. On the Browse page, we can select the Group types we want to browse, then in the Filters, we can select the attribute by name. Here are those three steps:

In this example, the Playbook is looking for a group with the identifier shown earlier (672522).  The result is:

Notice we have filtered on our specific attribute and value. We found the exact entry we were searching for, and as a final confirmation we can see the “TC ID Number” for the incident in question:

To read the rest of this post, visit the

ThreatConnect blog.

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
About ThreatConnect
ThreatConnect® enables organizations to identify, manage, and block threats with threat intelligence, automation, and orchestration. Providing security teams a platform to unite their people, processes, and technologies behind an intelligence-driven defense, ThreatConnect helps increase visibility into networks and integrates with defensive tools to close the gap between threat detection and response.
Promoted Content
Innovation Insight for Security Orchestration, Automation and Response
In this report: Innovation Insight for Security Orchestration, Automation and Response Gartner analysts cover the maturation of the SOAR (Security Orchestration, Automation and Response) market, and helps you determine which SOAR tools improve security operations efficiency, quality and efficacy.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?