About Entities

In EclecticIQ Intelligence Center, entities represent the standard STIX objects that are used to model, structure, and define different types of cyber threat information.

The Intelligence Center transforms and maps ingested data to logical models called entities.
An entity is a distinct data unit that models and represents a specific concept.
This approach makes it easier to handle and manipulate data chunks during an analysis or an investigation.

Entity access control

You can control access to entity data to manage intelligence dissemination.
This ensures that the target audience receives the correct information, the publisher keeps control of the content they are distributing, and it avoids sharing sensitive information.

Define access control to entities through entity data sources and entity TLP color code values:

  • Entity data sources limit entity data access to the user groups and their members that are granted access.
    To define group-level or user-level access to entity data sources, click > User management > Groups > ${group_name} > > Edit > Allowed sources > Source .

  • TLP color code values limit entity data access to the user groups and their members are that granted access by assigning them a specific TLP color clearance.

  • To define group-level or user-level access to through TLP, click > User management > Groups > ${group_name} > > Edit > Allowed sources.

Entity types

Entity type



A campaign is a series of planned actions that aim to achieve a specific goal.
A campaign groups a set of related threat actors, TTPs, and incidents that share a common intent or goal.

Course of action

A course of action details a set of clear, specific recommendations and measures to mitigate an incident, address affected exploit targets, and effectively respond to a cyber threat.

Exploit target

An exploit target is a vulnerability or a weakness in software, hardware, systems, or networks that a threat actor can leverage and take advantage of to intrude or carry out an attack.


An incident describes a specific occurrence of one or more indicators affecting an organization.
It includes information on threat actors, tools or skills, time frames, techniques, as well as impact assessment and the recommended response course of action.


An occurrence or a sign that an incident may have occurred or may be in progress.

For more information, see the definition provided in the Cybersecurity Information Sharing Act of 2015 (CISA).


A detailed account, as a result of an investigation or an analysis, of an Indicator Of Compromise (IOC), a threat, a campaign or other threat activity

A report tells a story about a piece of threat intelligence by providing background, context, and by pulling threads together to weave a clear and meaningful description of a security breach, a cyber attack, or a series of attacks.


A sighting records a discrete instance of an observed indicator of compromise inside your environment.
For example, a sighting could be a record of the occurrence of a malicious IP address at a specific date and time.

Threat actor

An individual or a group carrying out or planning to execute malicious activities.
Threat actors include information such as: individual or group identity, suspected motivation, and suspected intended effect.


Tactics, Techniques, and Procedures, also referred to as Tools, Techniques, and Procedures.

TTPs describe the behavior of cyber adversaries:

  • Tactics: describe the employment and ordered arrangement of forces in relation to each other.

  • Techniques: are non-prescriptive ways or methods used to perform missions, functions, or tasks.

  • Procedures: are standard, detailed steps that prescribe how to perform specific tasks.

The above definitions are taken from the Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms, 8 November 2010 , as amended through 15 February 2016.


A package is a wrapper containing one or more STIX objects such as indicators, threat actors, TTPs, and so on.
When the Intelligence Center ingests packages, it extracts the STIX objects and it converts them to its internal JSON data model.

The package container is not stored in the Intelligence Center.

In the EclecticIQ Intelligence Center you can create the following entity types: