About relationships

Relationships provide context to an entity either by associating it with other entities (for example, a threat actor uses a particular TTP behavior) or by indicating that it is a property of another entity (for example, an observable is part of the context defining an indicator).

Possible relationships

The Intelligence Center does not include all STIX 1.2. Based on the experience of EclecticIQ' own analysts, the Intelligence Center models relationships according to the way an attack normally develops and is mapped. This facilitates a predictably walkable kill chain with low ambiguity and high granularity. The diagram below indicates which relationships are recommended in EclecticIQ Intelligence Center.



images/download/attachments/82475126/EIQ_Data_Model.jpg

Relationship direction

Relationships can be incoming or outgoing. If an exploit target refers to a course of action, then the exploit target has an outgoing relationship with that course of action. Correspondingly, the course of action has an incoming relationship with the exploit target. An arrow in the graph indicates the direction of the relationship.

images/download/attachments/82475126/Outgoing-incoming.png

Relationship names

When you add a relationship to an entity, you can give it a name. Give relationships an informative name that says something about their nature, for example CoA-1-Suggests-Exploit-Target-1.

STIX 1.2 and EclecticIQ Intelligence Center differ in their use of the term Relationship type. Whereas STIX 1.2 uses it to specify how one entity relates to another–either through association or composition–EclecticIQ Intelligence Center uses it to specify a relationship's name.