Easily add metadata (in the form of certain attributes and tags) to the all of the Indicators associated with any Group
ThreatConnect developed the Playbooks capability to help analysts automate time consuming and repetitive tasks so they can focus on what is most important. And in many cases, to ensure the analysis process can occur consistently and in real time, without human intervention.
In the process of an investigation or even months after an investigation, incident responders and analysts often come across valuable information they would like to record in ThreatConnect. To make this process easier, this playbook system allows ThreatConnect power-users to easily add metadata (in the form of certain attributes and tags) to the all of the Indicators associated with any Group.
This playbook system is helpful for the following reasons:
- Because it is so easy to use, the Playbook encourages incident responders and analysts to record metadata about Indicators in the form of attributes and tags. This leads to more accurate and thorough intelligence.
- It saves ThreatConnect users time by providing the tools for metadata creation on the details page for every Group
This playbook system is made up of two, separate playbooks. The first playbook is triggered with a User Action Trigger available on the details pages for all Groups. This trigger does not do very much other than provide a form into which the user can provide the data they would like to add to the Indicators associated with the Group.
After the first Playbook is triggered and the user submits the form, the data from the form is posted to another Playbook (pictured below) which takes that data and adds it appropriately to all of the Indicators associated with the current Group (all behind the scenes).
Using the Playbook
To start using this playbook, go to https://github.com/ThreatConnect-Inc/threatconnect-playbooks/tree/master/playbooks/attribute-and-tag-adder and download the Add Attribute and_or Tag to Associated Indicators - Adder.pbx and Add Attribute and_or Tag to Associated Indicators - Trigger.pbx files. Now we need to import it into ThreatConnect. Go to the "Playbooks" tab in ThreatConnect and click "New" > "Import" (on ThreatConnect versions before 5.7, you can just click the "Import" button). Then import both Add Attribute and_or Tag to Associated Indicators - Adder.pbx and Add Attribute and_or Tag to Associated Indicators - Trigger.pbx. Now, we need to setup the playbook.
To do this:
- Open the "Add Attribute and_or Tag to Associated Indicators - Adder" playbook
- Turn the Playbook on using the "Status" toggle in the top right-hand corner of the Playbook screen.
- Once the Playbook is active, there will be a blue information icon in the top right which will allow you to copy the URL which can be used to trigger this playbook. Copy the URL.
- Now, open the "Add Attribute and_or Tag to Associated Indicators - Trigger" playbook and select the "Set Variable 1" app. You will see that the "metadataAddingPlaybookTrigger" variable is blank.
- Add a new "metadataAddingPlaybookTrigger" parameter whose value is the link you copied from the other Playbook.
- Delete the old "metadataAddingPlaybookTrigger" parameter.
- Turn this playbook on and you are ready to go!
As always, if you would like to expand the functionality of this playbook, feel free to hack it and modify it to fit your use-case! Also, if you have any questions or run into any problems with either of these Playbooks, please raise an issue in Github.