Custom Attributes provide additional information that enhances the details of threat intelligence. These attributes are not limited to specific types or categories and can be customized based on the unique requirements of security and business operations. You can add custom attributes and utilize them to include supplementary information to indicators when creating Quick Intel and Import Intel. For example, Credit Card number, CVV number, expiry date, and more.
Administrators can create internal custom attributes to add organization-specific details to a threat data object. These custom attributes are solely created for internal usage and are never published to collections or shared with subscribers.
You can create internal custom attributes in the x_x--internal--<attribute_name> format. For example, if an analyst wants to create a custom attribute for analyzing IP addresses from an RSS source, you create a tag like x-internal-RSS-IP-address. The x_x--internal-- is case insensitive.
Reserved attributes are specific attribute names or formats that you cannot use while creating custom attributes or mapping to custom objects. These restrictions ensure consistency and interoperability.
There are two types of reserved attributes:
STIX Reserved Attributes
The following attributes are reserved by the STIX specification and should be avoided when creating custom attributes or mapping to custom objects: type, spec_version, created, modified, object_marking_refs, created_by_ref, labels, revoked, lang, granular_markings, external_references, confidence, custom_sources, defanged, extension.
For more information, see the STIX documentation.
Intel Exchange Reserved Attributes
The following attributes include suffixes or fields that are not allowed in Intel Exchange and should be avoided when creating custom attributes or mapping them to custom objects: _ref, _refs, _bin, _hex, _enc.
Note
Reserved attributes received from external sources will remain in the system and appear in the Custom Attributes listing. However, adding custom objects in Quick Add Intel will fail if they include reserved attributes.
You can create custom attributes to provide more information that enhances the details of threat intelligence.
Before you Start
Ensure that you have View Custom Entities, Create Custom Entities, and Update Custom Entities permissions.
Steps
To create custom attributes, follow these steps:
Go to Administration > Custom Entities Management > Custom Attribute.
Click Add Custom Attribute.
Enter a unique name within 250 characters for your custom attribute to identify and assign objects to it. Allowed values are lowercase alphabets (a-z), numbers (0-9), and underscores (_). For example, campaign_type.
You can search and attach this attribute in Custom Objects > Search Custom Attributes.
Enter a description within 500 characters to add key details of a custom attribute.
Select a field type to define the value type for the custom attribute. You can choose from Input (Boolean), Input (Integer), Input (String), Single Select, Multiple Select, JSON, Date, and Input(float). For example, if the attribute is a number, then select Input (Integer).
If you choose Input (Boolean), the platform prompts you to choose actionable attributes and select the objects to align with the custom attributes.
If you choose Single Select, the platform prompts you to enter user-defined attribute values and choose actionable attributes and related objects to align with the custom attributes.
Click Save.
You can continue to add more custom attributes using Save and Add New.
You can view the custom attributes attached to an object in Threat Data.
After you add custom attributes, you can perform the following activities:
Search: Click on Search or filter results to search custom attributes based on attribute name, created range, modified range, status, and field type.
Clone: Click on the vertical ellipsis of an attribute and select Clone to clone the user-defined custom attributes to utilize the same properties. You cannot clone a system-defined custom attribute.
Disable: Click the Disable button for a custom attribute to disable it