Group Attributes
Attributes are key/value data sets that can be added to any Group. This type of metadata provides an excellent way to organize, categorize, and integrate Groups into an organization’s analytic workflow.
Endpoint: /api/v3/groupAttributes
Endpoint Options
Available Fields
Send the following request to retrieve a list of available fields, including each field’s name, description, and accepted data type, that can be included in the body of a POST or PUT request to the /v3/groupAttributes endpoint:
OPTIONS /v3/groupAttributes
Hint
To include read-only fields in the response, append ?show=readonly to the end of the request URL.
Alternatively, refer to the following table for a list of available fields that can be included in the body of a POST or PUT request to the /v3/groupAttributes endpoint.
Field |
Description |
Type |
Required for Creation? |
Updatable? |
|---|---|---|---|---|
default |
Indicates whether the Attribute is the default Attribute of its type for the Group to which it is added (this field applies to certain Attribute and data types only) |
Boolean |
FALSE |
TRUE |
groupId |
The ID of the Group to which the Attribute is added |
Integer |
TRUE |
FALSE |
pinned |
Indicates whether the Attribute is to be displayed as a Pinned Attribute on the Details screen for the Group to which the Attribute is added |
Boolean |
FALSE |
TRUE |
securityLabels |
A list of Security Labels applied to the Attribute |
TRUE |
FALSE |
|
source |
The Attribute’s source |
String |
FALSE |
TRUE |
type [1] |
The Attribute’s type |
String |
TRUE |
FALSE |
value |
The Attribute’s value |
String |
TRUE |
TRUE |
Include Additional Fields in Responses
When creating, retrieving, or updating data, you can use the fields query parameter to include additional fields in the API response that are not included by default.
Send the following request to retrieve a list of fields you can include in responses returned from the /v3/groupAttributes endpoint:
OPTIONS /v3/groupAttributes/fields
Filter Results
When retrieving data, you can use the tql query parameter to filter results with ThreatConnect Query Language (TQL).
Send the following request to retrieve a list of valid TQL parameters you can use when including the tql query parameter in a request to the /v3/groupAttributes endpoint:
OPTIONS /v3/groupAttributes/tql
Create Group Attributes
The following example illustrates the basic format for creating a Group Attribute:
POST /v3/groupAttributes
{
"groupId": 12345,
"type": "Attribute type goes here",
"value": "Attribute value goes here"
}
For example, the following request will create an Attribute and add it to the Group whose ID is 20:
POST /v3/groupAttributes
{
"groupId": 20,
"source": "Phase of Intrusion",
"type": "Additional Analysis and Context",
"value": "This is a very dangerous adversary."
}
JSON Response
{
"data": {
"id": 10,
"dateAdded": "2021-11-09T14:42:13Z",
"type": "Additional Analysis and Context",
"value": "This is a very dangerous adversary.",
"source": "Phase of Intrusion",
"createdBy": {
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization"
},
"lastModified": "2021-11-09T14:42:13Z",
"pinned": false,
"default": false
},
"message": "Created",
"status": "Success"
}
Refer to the Available Fields section for a list of available fields that can be included in the body of a POST request to the /v3/groupAttributes endpoint.
Hint
Group Attributes can also be created and added to a Group when creating the Group. See the “Create Groups” section of Groups for more information.
Retrieve Group Attributes
The following section describes how to retrieve Group Attributes via the /v3/groupAttributes endpoint. In addition to the methods described in this section, you can send the following request to retrieve Attributes added to a specific Group: GET /v3/groups/{groupId}?fields=attributes.
Retrieve All Group Attributes
Send the following request to retrieve data for all Group Attributes:
GET /v3/groupAttributes
JSON Response
{
"data": [
{
"id": 10,
"dateAdded": "2023-03-29T14:42:13Z",
"type": "Aliases",
"value": "APT28, Fancy Bear, Threat Group-4127, TG-4127",
"createdBy": {
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization"
},
"lastModified": "2023-03-29T14:42:13Z",
"settings": {
"associable": true,
"pinnedByDefault": true,
"message": "Enter the Group's aliases."
},
"pinned": true,
"default": true
},
{
"id": 9,
"dateAdded": "2023-03-28T15:56:46Z",
"type": "Source",
"value": "https://examplesite.com",
"createdBy": {
"id": 1,
"userName": "[email protected]",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmith",
"owner": "Demo Organization"
},
"lastModified": "2023-03-28T15:56:46Z",
"pinned": true,
"default": true
},
{
"id": 8,
"dateAdded": "2023-03-08T15:55:59Z",
"type": "Description",
"value": "This malware is written in a new programming language and has the potential of targeting millions of routers and IOT devices.",
"source": "Internal analysis",
"createdBy": {
"id": 1,
"userName": "[email protected]",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmith",
"owner": "Demo Organization"
},
"lastModified": "2023-03-08T15:55:59Z",
"pinned": false,
"default": true
},
{...}
],
"status": "Success"
}
Note
If an Attribute Type is configured as a default, pinned, or association Attribute Type, then the settings field will be included in the response for Attributes of that Attribute Type.
Retrieve a Specific Group Attribute
Send a request in the following format to retrieve data for a specific Group Attribute:
GET /v3/groupAttributes/{groupAttributeId}
For example, the following request will retrieve data for the Group Attribute whose ID is 7:
GET /v3/groupAttributes/7
JSON Response
{
"data": {
"id": 7,
"dateAdded": "2023-03-08T15:55:59Z",
"type": "Description",
"value": "This Incident is related to a recent ransomware attack.",
"createdBy": {
"id": 1,
"userName": "[email protected]",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmith",
"owner": "Demo Organization"
},
"lastModified": "2023-03-08T15:55:59Z",
"pinned": false,
"default": true
},
"status": "Success"
}
Update Group Attributes
The following example illustrates the basic format for updating a Group Attribute:
PUT /v3/groupAttributes/{groupAttributeId}
{
{updatedField}: {updatedValue}
}
For example, the following request will update the value of the Group Attribute whose ID is 10 and and add a source to the Attribute:
PUT /v3/groupAttributes/10
{
"source": "CAL",
"value": "APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127"
}
JSON Response
{
"data": {
"id": 10,
"dateAdded": "2023-03-29T14:42:13Z",
"type": "Aliases",
"value": "APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127",
"source": "CAL",
"createdBy": {
"id": 3,
"userName": "11112222333344445555",
"firstName": "John",
"lastName": "Smith",
"pseudonym": "jsmithAPI",
"owner": "Demo Organization"
},
"lastModified": "2023-03-30T07:16:29Z",
"settings": {
"associable": true,
"pinnedByDefault": true,
"message": "Enter any aliases for the Group object."
},
"pinned": true,
"default": true
},
"message": "Updated",
"status": "Success"
}
Refer to the Available Fields section for a list of available fields that can be included in the body of a PUT request to the /v3/groupAttributes endpoint.
Delete Group Attributes
Send a request in the following format to delete a Group Attribute:
DELETE /v3/groupAttributes/{groupAttributeId}
For example, the following request will delete the Group Attribute whose ID is 10:
DELETE /v3/groupAttributes/10
JSON Response
{
"message": "Deleted",
"status": "Success"
}
Hint
You can also remove Group Attributes from a Group by using the mode field on the /v3/groups endpoint. See Update an Object’s Metadata for more information.