Current ThreatQ Version Filter
 

Descriptions Pane

THREATQ REQUIRED PERMISSIONS

Default ThreatQ Role: Administrative, Maintenance, or Primary Contributor
Custom Role - Action Permissions: Objects & Context - Individual Object Context & Actions - Descriptions

The Descriptions pane displays descriptions associated with a system object. The first description listed is the object's primary description and is identified with a white star on an orange background.

Descriptions Pane

Primary Descriptions

For all new and existing system objects, one description is labeled as the primary description. In the object details page and object preview panel, this primary description is listed first and identified with a white star on an orange background as well as a hover tooltip that displays the Primary Description label.

STIX exports include an object's primary description only. If an object has multiple descriptions, only the primary description is included in the STIX export.

After upgrading to ThreatQ v5.28, the first description added to an object is designated as the primary description by default. For existing objects, the oldest description is the primary description. For objects with multiple descriptions, you can change which description is the primary description.

Description Header and Body

Each description consists of a header and a body. The description header lists the description source's TLP label, source name, last modified timestamp, feed update setting, as well as Edit and Delete options. The Protect from feed updates checkbox allows you to specify whether the description is updated when you ingest a description change from the integration source.  This checkbox is not displayed for descriptions with internal sources since these description do not come from feeds and cannot be updated by feeds.

The Descriptions pane truncates description source names that are over thirty characters long. You can view the full source name by hovering on the truncated version.

The description body can include text, tables, and images.

Description Guidelines

  • An object can only have one primary description and one description per source.
  • ThreatQ System Descriptions:
    • When you create an object and do not specify a source for the object, the description is assigned a source of ThreatQ System.
    • If a description's source is ThreatQ System, the Protect from feed updates option is not displayed.
    • If present, an object's ThreatQ System description is the first description listed in the Descriptions pane.
  • If TLP functionality is enabled, you can view/update the TLP labels associated with description sources.
  • When an existing indicator which already has a description is consumed with a new description with a different source, the new description is added. However, if the source is already associated with an existing object description and the description is not protected from feed updates, the ingested description updates the existing one.

    Example - New Description and Source
      Description Source
    Original International threat actor Domain Tools
    Ingested Threat actor active in Belarus Emerging Threats
    New Example - New Description and Source

    Example - New Description, Same Source, Protect from feed updates Unchecked

      Description Source
    Original International threat actor Domain Tools
    Ingested Threat actor active in Belarus Domain Tools
    New Example - New Description, Same Source

Tips and Tricks

  • Images:
    • Image alignment - Images in an object's description are displayed in the PDF report for the object as left aligned regardless of the alignment you select in the Description pane.
    • Image captions - Add your image captions after you select your image alignment. If you change alignment after adding a caption, the caption is removed and must be added again.
    • Image text alternatives - If you add an image text alternative to an image, it is available for use by screen reading tools but is only displayed on screen if the image fails to load. It is not displayed when you hover on the image.
    • Resize an image - The resize image option allows you to adjust your image to 25%, 50%, or 75% of the size of the Description field. Or, you can return your image to its original size.
  • Formatting:
    • Add a line above or below - When you click an image, the arrow icons located on the bottom left and top right corners allow you to insert a line above (top right arrow) or below (bottom left arrow) the image.
    • Paste rows into an existing table - To paste rows into an existing table, insert a blank row in the table, click in the first cell of the blank row, and then paste the additional rows.
    • Resize the Description field - Click and drag the right corner to resize the Description field.
    • Text formatting - To apply the HTML <pre> tag to text, click the heading field and select the Formatted option.
  • Navigation:
    • The Add Description and Edit Description windows include an expand view option in the upper right corner. Click this option to access a full page view which reduces the need for scrolling when adding or updating a description. Click the minimize view option to return to the original window size.

Adding a Description to an Object

  1. Locate the Description pane on the object details page.
  2. Click the Add option.
    Add Description Modal
  3. From the Add Description window, populate the following fields:
    • Source - Required field.  Click the Source field to select the description's source from the dropdown list. Or, click the Add new source option to create a new source for the description.  The source name cannot exceed 255 characters in length.

      If you type the name of a source already associated with one of the object's descriptions, ThreatQ returns the following error: A description with this source already exists. 
      You must enter or select a different source before you can add the description.

    • Description - Enter the object description. See the Tips and Tricks section for more information on your description options.
    • Mark as primary description - Since an object's first description is its primary description by default, this field is not displayed when you add the first description to an object. For subsequent descriptions, you can check this box to select the description as the object's primary description.
  4. Click the Save button.
  5. To view the new description, expand the Descriptions pane.
  6. Optional step. To prevent feed updates from updating the description, click the Protect from feed updates checkbox. If this box is unchecked, the following rules apply when an existing indicator with description is consumed with a new description:
    • If the new description has a different source, then the new description is added to the object.
    • If the new description has the same source, then the existing description is updated.

    The Protect from feed updates field is not displayed for descriptions with a source of ThreatQ System.

Updating the Description of an Object

  1. Locate the Description pane on the object details page.
  2. Locate the description you want to update.
  3. Click the Edit option for the description to add/update the object description's text, tables, or images.  You can also use check the Mark as primary description box to identify a new Primary Description.
  4. Enter your changes and click the Save button.

Deleting a Description

  1. Locate the Description pane on the object details page.
  2. Locate the description you want to delete.
  3. Click the Delete option for the description.
    The Are You Sure? window prompts you to confirm the deletion. If you are deleting a primary description, the Are You Sure? window also indicates that the oldest description will become the new primary description.
  4. Click the Delete Description button.