Custom Attributes
Custom Attributes provide additional information that enhances the details of threat intelligence. These attributes are not limited to specific types or categories and can be customized based on the unique requirements of security and business operations. You can add custom attributes and utilize them to include supplementary information to indicators when creating Quick Intel and Import Intel. For example, Credit Card number, CVV number, expiry date, and more.
Internal Custom Attributes
Administrators can create internal custom attributes to add organization-specific details to a threat data object. These custom attributes are solely created for internal usage and are never published to collections or shared with subscribers.
You can create internal custom attributes in the x_x--internal--<attribute_name> format. For example, if an analyst wants to create a custom attribute for analyzing IP addresses from an RSS source, they can create a tag like x-internal-RSS-IP-address. The x_x--internal-- is case insensitive.
Reserved Attributes
Reserved attributes are specific attribute names or formats that you cannot use while creating custom attributes or mapping to custom objects. These restrictions ensure consistency and interoperability.
There are two types of reserved attributes:
STIX Reserved Attributes
The following attributes are reserved by the STIX specification and should be avoided when creating custom attributes or mapping to custom objects: type
, spec_version
, created
, modified
, object_marking_refs
, created_by_ref
, labels
, revoked
, lang
, granular_markings
, external_references
, confidence
, custom_sources
, defanged
, extension
.
For more information, see the STIX documentation.
Intel Exchange Reserved Attributes
The following attributes include suffixes or fields that are not allowed in Intel Exchange and should be avoided when creating custom attributes or mapping them to custom objects: _ref
, _refs
, _bin
, _hex
, _enc
.
Note
Reserved attributes received from external sources will remain in the system and appear in the Custom Attributes listing. However, adding custom objects in Quick Add Intel will fail if they include reserved attributes.
Create Custom Attributes
You can create custom attributes to provide more information that enhances the details of threat intelligence.
Before you Start
Ensure that you have View Custom Entities, Create Custom Entities, and Update Custom Entities permissions.
Steps
To create custom attributes, follow these steps:
Go to Administration > Custom Entities Management > Custom Attribute.
Click Add Custom Attribute.
Enter a unique name within 100 characters for your custom attribute to identify and assign objects to it. Allowed values are lowercase alphabets (a-z), numbers (0-9), and underscores (_). For example, campaign_type.
You can search and attach this attribute in Custom Objects > Search Custom Attributes.
Enter a description within 500 characters to add key details of a custom attribute.
Select a field type to define the value type for the custom attribute. You can choose from Input (Boolean), Input (Integer), Input (String), Input(Float), Single Select, Multiple Select, JSON, and Date.
Note
When using Single or Multiple Select, you can define and manage the selectable values during configuration.
Click Save. You can continue to add more custom attributes using Save and Add New.
You can view the custom attributes attached to an object in Threat Data.
Note
Re-ingestion Behaviour
Intel Exchange updates custom attribute values during re-ingestion based on the attribute type:
String, Float, Single Select, Boolean, Integer, JSON, Date: The existing value is replaced with the latest one based on the
source_modified
timestamp. You can edit the custom attribute and change its type to Multiple Select from Administration > Custom Entities Management.Multiple Select: New values from different sources are appended. All distinct values are retained.
New value additions to the attribute option list are supported only for Single Select and Multiple Select fields. Intel Exchange retains only supported attribute types, and attributes of unsupported types are excluded during ingestion.
Manage Custom Attributes
After you add custom attributes, you can perform the following activities:
Search: Click on Search or filter results to search custom attributes based on attribute name, created range, modified range, status, and field type.