Create an incident

An incident describes a specific occurrence of indicators or observables affecting your organization or environment.

An incident records a specific occurrence of indicators of compromise or observables affecting your organization or your system. An incident includes context information about the event such as start and end times, affected assets and resources, impact and seriousness assessment, any known threat actors and targeted victims involved, TTPs, related indicators and observables, and so on.

An incident leverages other STIX objects such as threat actor, indicator, observable, TTP, and course of action.

Create an incident


Required fields are marked with an asterisk ( * ).

There are two ways of creating an incident :

  • In the top navigation bar of a graph, click , and then Incident.

  • In the side navigation bar of the Dashboard, click , and then Incident.

If you create an incident from a graph, double-click its icon to access its details page.

If you create an incident from the Dashboard, its details page is displayed automatically.

Fill in the incident's details as follows:

Define the general options

  1. In the Title field, assign the new incident entity a clear and descriptive name.
    The name you specify here appears on the entity detail pane, in the header section.

  2. In the Analysis field, enter non-structured information such as additional context, references, links, and so on.
    This is where you tell the story of the entity, and where you describe the entity with as much relevant detail as possible.

  3. From the Status drop-down menu, select an option to indicate the current status the incident is in.

  4. From the Categories drop-down menu, select one or more entries, as applicable, to describe the type of incident and the type of action or artifact that caused it.

  5. From the Confidence drop-down menu, select an estimated level of confidence to assess the accuracy and trustworthiness of the entity information.

  6. From the Intended effects drop-down menu, select one or more entries, as applicable, to describe what you reasonably assume to be the goal of the incident actions.
    Intended effects range from personal advantage, to theft, to money laundering, fraud or extortion.
    They all damage the target victim or system.

  7. From the Security compromise drop-down menu, select an option to report whether the incident compromised security.

  8. From the Discovery methods drop-down menu, select an option to report how the incident was detected.

Define the characteristics

This section breaks down the main components of the incident in a structured, standardized, and consistent way.

  • Time coordinates: sets a timeline and a timeframe for the incident.

  • Reporter: identifies the source that reported the incident.

  • Coordinator: identifies the individual, team, organization, entity or solution responsible for managing, containing, and responding to the incident.

  • Responder: identifies the individual, team, organization, entity or solution performing responsive or reactive tasks and procedures to defuse the incident.

  • Contact: identifies the individual, team, organization, entity or solution acting as a point of contact and a source of information about the incident.

  • Affected asset: identifies and categorizes the assets and resources the incident targeted.

  • Impact: assesses, quantifies, and qualifies the impact and the damage the incident caused.

  • Victim: identifies the individual, team, organization, entity or artifact the incident targeted and attacked.

Under Characteristics, click Characteristic, and then select an option from the drop-down menu to display additional fields in the editor, where you can enter specific details about the selected item in a structured way.

Draw a timeline with Time Coordinates

Select the Time Coordinates option to draw a timeline marking crucial events in the incident history.

  1. Use the First malicious action drop-down menu calendar to select a date and time for the initial/first occurrence of a malicious action.
    A malicious action is any unauthorized attempt to access the targeted assets.
    For example, probing, port scans, the beginning of a brute-force attack or a DDoS attack.

  2. From the Time first malicious action precision drop-down menu, select an option to provide an estimation of how accurate the time estimation is: from second (dead-on accurate) to year (inaccurate).

  3. Use the Initial compromise drop-down menu calendar to select a date and time for the occurrence of the initial action that compromised the targeted system, assets, resources or organization.
    It records the point in time when a security attribute of the targeted assets was compromised for the first time.
    For example: confidentiality, integrity, availability.

  4. From the Time initial compromise precision drop-down menu, select an option to provide an estimation of how accurate the time estimation is: from second (dead-on accurate) to year (inaccurate).

  5. Use the First data exfiltration drop-down menu calendar to select a date and time for the initial/first occurrence of an unauthorized data grab from the targeted system, assets, resources or organization.

  6. From the Time first data exfiltration precision drop-down menu, select an option to provide an estimation of how accurate the time estimation is: from second (dead-on accurate) to year (inaccurate).

  7. Use the Incident discovery drop-down menu calendar to select a date and time marking the moment when the incident was detected and discovered.

  8. From the Time incident discovery precision drop-down menu, select an option to provide an estimation of how accurate the time estimation is: from second (dead-on accurate) to year (inaccurate).

  9. Use the Incident opened drop-down menu calendar to select a date and time marking the moment when the incident was officially opened.

  10. From the Time incident opened precision drop-down menu, select an option to provide an estimation of how accurate the time estimation is: from second (dead-on accurate) to year (inaccurate).

  11. Use the Containment achieved drop-down menu calendar to select a date and time marking the moment when the incident was contained and kept under control.

  12. From the Time containment achieved precision drop-down menu, select an option to provide an estimation of how accurate the time estimation is: from second (dead-on accurate) to year (inaccurate).

  13. Use the Restoration achieved drop-down menu calendar to select a date and time marking the moment when the assets and resources the incident targeted were restored and brought back to normal operation.

  14. From the Time restoration achieved precision drop-down menu, select an option to provide an estimation of how accurate the time estimation is: from second (dead-on accurate) to year (inaccurate).

  15. Use the Incident reported drop-down menu calendar to select a date and time marking the moment when the incident was officially recorded, registered, or logged.

  16. From the Time incident reported precision drop-down menu, select an option to provide an estimation of how accurate the time estimation is: from second (dead-on accurate) to year (inaccurate).

  17. Use the Incident closed drop-down menu calendar to select a date and time marking the moment when the incident was officially closed.

  18. From the Time incident closed precision drop-down menu, select an option to provide an estimation of how accurate the time estimation is: from second (dead-on accurate) to year (inaccurate).
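The precision value is not decoration: a coordinate entered with precision "day" only says the event fell somewhere inside that day, so ordering checks and dwell-time figures derived from the timeline have to carry that uncertainty along. The script below is an added example, not part of this page or of the platform; it treats each coordinate as a half-open interval [floor, floor + one precision unit), flags ordering rules that are violated even after allowing for precision (the rule set itself is an assumption for the example; the editor does not enforce any), and reports the shortest and longest possible elapsed time between two coordinates. The sample timeline is constructed, with the reported time deliberately placed before discovery.

```python
"""Consistency checks and dwell-time metrics for incident time coordinates.

Each coordinate is a date/time plus a precision (second .. year), as entered in
the Time Coordinates editor. Every comparison treats a coordinate as the
half-open interval [floor(when, precision), floor + one precision unit).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Precision vocabulary used by the editor, most to least accurate.
PRECISIONS = ("second", "minute", "hour", "day", "month", "year")

# (earlier, later) pairs that can never be reversed. Assumed for this example;
# reported/opened are only tied to discovery and closure because teams log and
# open incidents in different orders.
ORDER_CONSTRAINTS = (
    ("first_malicious_action", "initial_compromise"),
    ("initial_compromise", "first_data_exfiltration"),
    ("first_malicious_action", "incident_discovery"),
    ("incident_discovery", "incident_opened"),
    ("incident_discovery", "incident_reported"),
    ("incident_opened", "containment_achieved"),
    ("containment_achieved", "restoration_achieved"),
    ("restoration_achieved", "incident_closed"),
    ("incident_reported", "incident_closed"),
)


@dataclass(frozen=True)
class Coordinate:
    when: datetime          # timezone-aware
    precision: str = "second"

    def interval(self) -> Tuple[datetime, datetime]:
        """Earliest and (exclusive) latest instant consistent with the stated precision."""
        if self.precision not in PRECISIONS:
            raise ValueError(f"unknown precision {self.precision!r}")
        t = self.when.replace(microsecond=0)
        if self.precision == "second":
            return t, t + timedelta(seconds=1)
        t = t.replace(second=0)
        if self.precision == "minute":
            return t, t + timedelta(minutes=1)
        t = t.replace(minute=0)
        if self.precision == "hour":
            return t, t + timedelta(hours=1)
        t = t.replace(hour=0)
        if self.precision == "day":
            return t, t + timedelta(days=1)
        t = t.replace(day=1)
        if self.precision == "month":
            nxt = t.replace(year=t.year + 1, month=1) if t.month == 12 else t.replace(month=t.month + 1)
            return t, nxt
        t = t.replace(month=1)
        return t, t.replace(year=t.year + 1)


def interval_iso(when_iso: str, precision: str) -> Tuple[str, str]:
    """Convenience wrapper: ISO 8601 timestamp in, ISO 8601 interval bounds out."""
    start, end = Coordinate(datetime.fromisoformat(when_iso), precision).interval()
    return start.isoformat(), end.isoformat()


def check_timeline(coords: Dict[str, Coordinate]) -> List[str]:
    """One message per ordering rule that is violated even after allowing for precision."""
    problems = []
    for earlier, later in ORDER_CONSTRAINTS:
        if earlier in coords and later in coords:
            e_start, _ = coords[earlier].interval()
            _, l_end = coords[later].interval()
            # Violated only when the earliest possible 'earlier' is still after
            # the latest possible 'later'; otherwise the precision leaves room.
            if e_start >= l_end:
                problems.append(f"{later} cannot be earlier than {earlier}")
    return problems


def elapsed_range(coords: Dict[str, Coordinate], start: str, end: str) -> Optional[Tuple[timedelta, timedelta]]:
    """Shortest and longest elapsed time between two coordinates, given their precisions."""
    if start not in coords or end not in coords:
        return None
    s0, s1 = coords[start].interval()
    e0, e1 = coords[end].interval()
    return max(e0 - s1, timedelta(0)), e1 - s0


def example_timeline() -> Dict[str, Coordinate]:
    """Constructed sample; 'incident_reported' is deliberately one day before discovery."""
    utc = timezone.utc
    return {
        "first_malicious_action": Coordinate(datetime(2023, 3, 1, tzinfo=utc), "day"),
        "initial_compromise": Coordinate(datetime(2023, 3, 3, 14, 10, tzinfo=utc), "hour"),
        "incident_discovery": Coordinate(datetime(2023, 3, 20, 9, 45, 12, tzinfo=utc), "second"),
        "incident_opened": Coordinate(datetime(2023, 3, 20, 10, 30, tzinfo=utc), "minute"),
        "containment_achieved": Coordinate(datetime(2023, 3, 20, tzinfo=utc), "day"),
        "restoration_achieved": Coordinate(datetime(2023, 3, 25, tzinfo=utc), "day"),
        "incident_reported": Coordinate(datetime(2023, 3, 19, tzinfo=utc), "day"),
        "incident_closed": Coordinate(datetime(2023, 4, 2, tzinfo=utc), "day"),
    }


if __name__ == "__main__":
    coords = example_timeline()
    for problem in check_timeline(coords):
        print("ordering problem:", problem)
    lo, hi = elapsed_range(coords, "initial_compromise", "incident_discovery")
    print(f"dwell time between {lo} and {hi}")
    lo, hi = elapsed_range(coords, "incident_discovery", "containment_achieved")
    print(f"time to contain between {lo} and {hi}")
```

Note that containment entered with "day" precision on the same day the incident was opened at 10:30 passes the check, because the day interval extends past the opening time; the same logic is what makes the dwell time a range of about an hour wide rather than a single figure, since the initial compromise is only known to the hour.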

Specify an incident reporter

Select the Reporter option to add details about the individual, the organization, or the resources related to the incident reporter’s identity.
The Reporter editor is based on the CIQ standard and its specifications.
The Customer Information Quality specification aims at providing an open and standard data model to accurately and consistently describe a party such as an individual or an organization, as well as attributes like roles and relationships.

There are no mandatory fields.

  1. In the Name field, specify the name of the incident reporter.
    The reporter is the individual, team, organization, entity, system or mechanism that officially registers and communicates the occurrence of the incident.

  2. From the Roles drop-down menu, select one or more options to specify the incident reporter’s role.
    The role defines the function of the reporter concerning information tasks such as authoring, editing, updating, handling, and processing.

  3. In the Description field, enter a short, free-form description to provide additional context or extra details.

  4. In the Specification section, you can define additional information related to the reporter such as payment account details, identities of individuals or organizations, and email addresses.

  5. Click Fields.

  6. From the drop-down menu select an option to describe the reporter in detail:

    • Account

    • Person

    • Organization

    • Electronic address

Account
  1. In the Account type field, define the type of financial/payment account.
    Example: bank, online

  2. In the Account status field, define the current status of the account.
    Example: active, blocked

  3. From the Account specification drop-down menu, select one or more options to add further details about the account in the input fields in a structured way.

  4. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Account ID

    The account number.

    Example: NL30INGB0123456789.

    Issuing Authority

    The financial institution that issues the account.

    Example: ABC Bank.

    Account Type

    The type of account.

    Example: debit or savings.

    Account Branch

    The local branch office or the retail location of the bank responsible for issuing the account.

    Example: Utrecht center.

    Issuing Country Name

    The name of country where the account was issued.

    Example: The Netherlands.

Person
  1. From the Person name drop-down menu, select one or more options to add further details about the person or individual in the input fields in a structured way.

  2. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Preceding Title

    Example: His, Her

    Title

    Example: Rogueness, Excellence, Pandit, Sheikh

    First Name

    Example: Peter

    Middle Name

    Example: Brandon

    Last Name

    Example: Quill

    OtherName Name

    Example: Guardian of the Galaxy

    Alias Name

    Example: Star-Lord

    Generation Identifier

    Example: Jr., Sr., The Younger, The Elder, XXVIII

    Degree

    Example: BSc Ethical Hacking

Organization
  1. From the Organization name drop-down menu, select one or more options to add further details about the organization in the input fields in a structured way.

  2. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Name Only

    The name the organization is commonly referred to.

    Example: Wey-Yu

    Type Only

    The entity definition of the organization.

    Example: Inc, LLC, Ltd

    Full Name

    The full name of the organization.

    Example: Weyland-Yutani Corporation, Inc.

Electronic address
  1. From the Electronic address drop-down menu, select one or more options to add email service providers and email addresses in the input fields in a structured way.
    The key corresponds to the service provider, for example Google, Yahoo, Skype, ICQ, and so on.
    The associated value needs to be a valid format for the selected service provider, for example:

Specify an incident coordinator

Select the Coordinator option to add details about the individual, the organization, or the resources related to the incident coordinator’s identity.
The Incident coordinator editor is based on the CIQ standard and its specifications.
The Customer Information Quality specification aims at providing an open and standard data model to accurately and consistently describe a party such as an individual or an organization, as well as attributes like roles and relationships.

There are no mandatory fields.

  1. In the Name field, specify the name of the incident coordinator.
    The coordinator is the individual, team, organization, entity, system or mechanism that officially handles, manages, and orchestrates tasks and efforts to mitigate and contain the incident.

  2. From the Roles drop-down menu, select one or more options to specify the incident coordinator’s role.
    The role defines the function of the coordinator concerning information tasks such as authoring, editing, updating, handling, and processing.

  3. In the Description field, enter a short, free-form description to provide additional context or extra details.

  4. In the Specification section, you can define additional information related to the incident coordinator such as payment account details, identities of individuals or organizations, and email addresses.

  5. Click Fields.

  6. From the drop-down menu select an option to describe the incident coordinator in detail:

    • Account

    • Person

    • Organization

    • Electronic address

Account
  1. In the Account type field, define the type of financial/payment account.
    Example: bank, online

  2. In the Account status field, define the current status of the account.
    Example: active, blocked

  3. From the Account specification drop-down menu, select one or more options to add further details about the account in the input fields in a structured way.

  4. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Account ID

    The account number.

    Example: NL30INGB0123456789.

    Issuing Authority

    The financial institution that issues the account.

    Example: ABC Bank.

    Account Type

    The type of account.

    Example: debit or savings.

    Account Branch

    The local branch office or the retail location of the bank responsible for issuing the account.

    Example: Utrecht center.

    Issuing Country Name

    The name of country where the account was issued.

    Example: The Netherlands.

Person
  1. From the Person name drop-down menu, select one or more options to add further details about the person or individual in the input fields in a structured way.

  2. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Preceding Title

    Example: His, Her

    Title

    Example: Rogueness, Excellence, Pandit, Sheikh

    First Name

    Example: Peter

    Middle Name

    Example: Brandon

    Last Name

    Example: Quill

    OtherName Name

    Example: Guardian of the Galaxy

    Alias Name

    Example: Star-Lord

    Generation Identifier

    Example: Jr., Sr., The Younger, The Elder, XXVIII

    Degree

    Example: BSc Ethical Hacking

Organization
  1. From the Organization name drop-down menu, select one or more options to add further details about the organization in the input fields in a structured way.

  2. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Name Only

    The name the organization is commonly referred to.

    Example: Wey-Yu

    Type Only

    The entity definition of the organization.

    Example: Inc, LLC, Ltd

    Full Name

    The full name of the organization.

    Example: Weyland-Yutani Corporation, Inc.

Electronic address
  1. From the Electronic address drop-down menu, select one or more options to add email service providers and email addresses in the input fields in a structured way.
    The key corresponds to the service provider, for example Google, Yahoo, Skype, ICQ, and so on.
    The associated value needs to be a valid format for the selected service provider, for example:

Specify an incident responder

Select the Responder option to add details about the individual, the organization, or the resources related to the incident responder’s identity.
The Incident responder editor is based on the CIQ standard and its specifications.
The Customer Information Quality specification aims at providing an open and standard data model to accurately and consistently describe a party such as an individual or an organization, as well as attributes like roles and relationships.

There are no mandatory fields.

  1. In the Name field, specify the name of the incident responder.
    The responder is the individual, team, organization, entity, system or mechanism that immediately takes action to react to the incident.

  2. From the Roles drop-down menu, select one or more options to specify the incident responder’s role.
    The role defines the function of the responder concerning information tasks such as authoring, editing, updating, handling, and processing.

  3. In the Description field, enter a short, free-form description to provide additional context or extra details.

  4. In the Specification section, you can define additional information related to the incident responder such as payment account details, identities of individuals or organizations, and email addresses.

  5. Click Fields.

  6. From the drop-down menu select an option to describe the incident responder in detail:

    • Account

    • Person

    • Organization

    • Electronic address

Account
  1. In the Account type field, define the type of financial/payment account.
    Example: bank, online

  2. In the Account status field, define the current status of the account.
    Example: active, blocked

  3. From the Account specification drop-down menu, select one or more options to add further details about the account in the input fields in a structured way.

  4. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Account ID

    The account number.

    Example: NL30INGB0123456789.

    Issuing Authority

    The financial institution that issues the account.

    Example: ABC Bank.

    Account Type

    The type of account.

    Example: debit or savings.

    Account Branch

    The local branch office or the retail location of the bank responsible for issuing the account.

    Example: Utrecht center.

    Issuing Country Name

    The name of country where the account was issued.

    Example: The Netherlands.

Person
  1. From the Person name drop-down menu, select one or more options to add further details about the person or individual in the input fields in a structured way.

  2. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Preceding Title

    Example: His, Her

    Title

    Example: Rogueness, Excellence, Pandit, Sheikh

    First Name

    Example: Peter

    Middle Name

    Example: Brandon

    Last Name

    Example: Quill

    OtherName Name

    Example: Guardian of the Galaxy

    Alias Name

    Example: Star-Lord

    Generation Identifier

    Example: Jr., Sr., The Younger, The Elder, XXVIII

    Degree

    Example: BSc Ethical Hacking

Organization
  1. From the Organization name drop-down menu, select one or more options to add further details about the organization in the input fields in a structured way.

  2. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Name Only

    The name the organization is commonly referred to.

    Example: Wey-Yu

    Type Only

    The entity definition of the organization.

    Example: Inc, LLC, Ltd

    Full Name

    The full name of the organization.

    Example: Weyland-Yutani Corporation, Inc.

Electronic address
  1. From the Electronic address drop-down menu, select one or more options to add email service providers and email addresses in the input fields in a structured way.
    The key corresponds to the service provider, for example Google, Yahoo, Skype, ICQ, and so on.
    The associated value needs to be a valid format for the selected service provider, for example:

Specify an incident contact

Select the Contact option to add details about the individual, the organization, or the resources related to the incident contact’s identity.
The Incident contact editor is based on the CIQ standard and its specifications.
The Customer Information Quality specification aims at providing an open and standard data model to accurately and consistently describe a party such as an individual or an organization, as well as attributes like roles and relationships.

There are no mandatory fields.

  1. In the Name field, specify the name of the incident contact.
    The contact is the individual, team, organization, entity, system or mechanism that acts as the official point of contact liaising with the different parties involved in the incident response.

  2. From the Roles drop-down menu, select one or more options to specify the incident contact’s role.
    The role defines the function of the contact concerning information tasks such as authoring, editing, updating, handling, and processing.

  3. In the Description field, enter a short, free-form description to provide additional context or extra details.

  4. In the Specification section, you can define additional information related to the incident contact such as payment account details, identities of individuals or organizations, and email addresses.

  5. Click Fields.

  6. From the drop-down menu select an option to describe the incident contact in detail:

    • Account

    • Person

    • Organization

    • Electronic address

Account
  1. In the Account type field, define the type of financial/payment account.
    Example: bank, online

  2. In the Account status field, define the current status of the account.
    Example: active, blocked

  3. From the Account specification drop-down menu, select one or more options to add further details about the account in the input fields in a structured way.

  4. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Account ID

    The account number.

    Example: NL30INGB0123456789.

    Issuing Authority

    The financial institution that issues the account.

    Example: ABC Bank.

    Account Type

    The type of account.

    Example: debit or savings.

    Account Branch

    The local branch office or the retail location of the bank responsible for issuing the account.

    Example: Utrecht center.

    Issuing Country Name

    The name of country where the account was issued.

    Example: The Netherlands.

Person
  1. From the Person name drop-down menu, select one or more options to add further details about the person or individual in the input fields in a structured way.

  2. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Preceding Title

    Example: His, Her

    Title

    Example: Rogueness, Excellence, Pandit, Sheikh

    First Name

    Example: Peter

    Middle Name

    Example: Brandon

    Last Name

    Example: Quill

    OtherName Name

    Example: Guardian of the Galaxy

    Alias Name

    Example: Star-Lord

    Generation Identifier

    Example: Jr., Sr., The Younger, The Elder, XXVIII

    Degree

    Example: BSc Ethical Hacking

Organization
  1. From the Organization name drop-down menu, select one or more options to add further details about the organization in the input fields in a structured way.

  2. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Name Only

    The name the organization is commonly referred to.

    Example: Wey-Yu

    Type Only

    The entity definition of the organization.

    Example: Inc, LLC, Ltd

    Full Name

    The full name of the organization.

    Example: Weyland-Yutani Corporation, Inc.

Electronic address
  1. From the Electronic address drop-down menu, select one or more options to add email service providers and email addresses in the input fields in a structured way.
    The key corresponds to the service provider, for example Google, Yahoo, Skype, ICQ, and so on.
    The associated value needs to be a valid format for the selected service provider, for example:

Specify the assets affected by the incident

Select the Affected asset option to add details about the affected assets and resources the incident targeted/is targeting.

  1. In the Description field, enter a short description to provide additional context or extra details about the impacted assets.

  2. From the Asset type drop-down menu, select an option to specify the type of asset the incident impacted.

  3. From the Ownership class drop-down menu, select an option to define the owner of the affected assets.

  4. From the Management class drop-down menu, select an option to identify the individual, team, group or entity responsible for managing the affected assets.

  5. From the Location class drop-down menu, select an option to define the place where the affected assets reside.

  6. In the Business function or role field, enter a short description of the tasks or processes the affected assets perform.
    Example: Customer support ticketing workflow manager, Indexing server and service

  7. Select the Properties affected option to specify which security attributes the incident compromised.

  8. From the Property drop-down menu, select an option to specify which security attribute the incident compromised.

  9. From the Type of availability loss drop-down menu, select an option to specify how exactly the incident compromised asset and/or resource availability.

  10. From the Duration of availability loss drop-down menu, select an option to provide an estimation of how long the availability loss is likely to last as a consequence of the incident.

  11. From the Non public data compromised drop-down menu, select an option to indicate whether the breach exposed data that was not publicly accessible before the incident occurred.

  12. In the Description of effect field, enter a short description of the effects resulting from the security attributes being compromised.
    Example: Security breach exfiltrated sensitive data and blocked automated order processing.

  13. Click Add or More to insert new rows or input fields, as necessary, where you can enter additional information on other affected property items.

Define the impact of the incident

Select the Impact option to add details about the effects and the consequences of the damage resulting from the incident.

  1. From the Effects drop-down menu, select one or more options to specify which type of assets or resources the incident impacted and damaged.

  2. Go to the Direct impact summary section, which assesses the immediate damage that is a direct consequence of the incident.

    1. From the Asset losses drop-down menu, select an option to estimate the extent of the damage the incident caused.

    2. From the Business mission disruption drop-down menu, select an option to estimate how much the incident affected the smooth flow of business.

    3. From the Response and recovery costs drop-down menu, select an option to estimate the necessary costs to respond to, contain, and recover from the incident.

  3. Go to the Indirect impact summary section, which assesses the damage that occurred as a side effect in the chain of events related to the incident.

    1. From the Loss of competitive advantage drop-down menu, select an option to indicate if the incident compromised the ability of the organization to remain competitive on the market.

    2. From the Brand and market damage drop-down menu, select an option to indicate if the incident produced a negative effect on brand perception and market position.

    3. From the Increased operating costs drop-down menu, select an option to indicate if the incident made normal business operations more expensive.

    4. From the Legal and regulatory costs drop-down menu, select an option to indicate if the incident brought in costs related to legal services.

    5. From the Impact qualification drop-down menu, select an option to estimate the severity of the consequences the incident caused.

  4. Go to the Total loss estimation section, which provides an estimate of the financial damage the incident caused.

    1. In the Initial reported field, enter a temporary estimate made following the discovery and notification of the incident.

    2. In the Amount field, enter a numerical value to indicate the currency amount.
      Use a dot (.) as a decimal separator.
      Example: 3141.59.

    3. In the Currency field, enter the currency code in ISO 4217 format.
      Example: EUR, JPY, GBP.

    4. In the Actual field, enter an accurate estimate made after an inventory of the affected assets and resources, as well as collateral damage.

    5. In the Amount field, enter a numerical value to indicate the currency amount.
      Use a dot (.) as a decimal separator.
      Example: 3141.59.

    6. In the Currency field, enter the currency code in ISO 4217 format.
      Example: EUR, JPY, GBP.
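The Affected asset and Impact editors map onto the Affected_Asset and Impact_Assessment parts of a STIX 1.x Incident, which is the object this page says the incident entity leverages. The script below is an added example, not code from this page or from the platform, and the platform's own import/export format is not described here: it serialises the values from the two editors as a plain STIX 1.2 Incident document using the element names of the public STIX 1.2 Incident schema, validates the loss amounts and currency codes the way the editor expects them (dot decimal separator, three-letter ISO 4217 code; only the format is checked, not the code list), and reads the loss figures back. The property and impact-rating vocabularies are the STIX LossPropertyVocab and ImpactRatingVocab values and are assumed to match the drop-downs; all sample values are constructed.

```python
"""Serialise Affected asset and Impact editor values as a STIX 1.2 Incident
and read the total loss estimation back. Element names follow the public
STIX 1.2 Incident schema (namespace http://stix.mitre.org/Incident-1);
the sample values are constructed for this example."""
import re
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional, Tuple

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "incident": "http://stix.mitre.org/Incident-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# STIX LossPropertyVocab values; assumed to match the Property drop-down.
PROPERTIES = {"Confidentiality", "Integrity", "Availability", "Accountability", "Non-Repudiation"}
# STIX ImpactRatingVocab values; assumed to match the Direct impact summary drop-downs.
IMPACT_RATINGS = {"None", "Minor", "Moderate", "Major", "Unknown"}


def _child(parent: ET.Element, tag: str, text: Optional[str] = None, **attrs: str) -> ET.Element:
    """Append a namespaced child element; tag is written as 'prefix:LocalName'."""
    prefix, name = tag.split(":")
    el = ET.SubElement(parent, f"{{{NS[prefix]}}}{name}", attrs)
    if text is not None:
        el.text = text
    return el


def loss_amount(amount: str, currency: str) -> Tuple[str, str]:
    """Validate one Total loss estimation entry: dot decimal separator,
    non-negative finite value, three-letter ISO 4217 style code."""
    try:
        value = Decimal(amount)
    except InvalidOperation:
        raise ValueError(f"amount {amount!r} is not a number; use '.' as the decimal separator") from None
    if not value.is_finite() or value < 0:
        raise ValueError(f"amount {amount!r} must be a non-negative finite number")
    if not re.fullmatch(r"[A-Z]{3}", currency):
        raise ValueError(f"currency {currency!r} is not an ISO 4217 alphabetic code")
    return format(value, "f"), currency


def is_valid_loss(amount: str, currency: str) -> bool:
    try:
        loss_amount(amount, currency)
        return True
    except ValueError:
        return False


def build_incident(title: str, asset: Dict[str, str], impact: Dict[str, object]) -> ET.Element:
    """STIX_Package holding one Incident with one affected asset and its impact assessment."""
    if asset["property"] not in PROPERTIES:
        raise ValueError(f"unknown security property {asset['property']!r}")
    if impact["asset_losses"] not in IMPACT_RATINGS:
        raise ValueError(f"unknown impact rating {impact['asset_losses']!r}")

    pkg = ET.Element(f"{{{NS['stix']}}}STIX_Package")
    inc = _child(_child(pkg, "stix:Incidents"), "stix:Incident",
                 **{f"{{{NS['xsi']}}}type": "incident:IncidentType"})
    _child(inc, "incident:Title", title)

    aa = _child(_child(inc, "incident:Affected_Assets"), "incident:Affected_Asset")
    _child(aa, "incident:Type", asset["type"])
    _child(aa, "incident:Business_Function_Or_Role", asset["business_function"])
    pa = _child(_child(aa, "incident:Nature_Of_Security_Effect"), "incident:Property_Affected")
    _child(pa, "incident:Property", asset["property"])
    _child(pa, "incident:Description_Of_Effect", asset["effect"])

    ia = _child(inc, "incident:Impact_Assessment")
    _child(_child(ia, "incident:Direct_Impact_Summary"), "incident:Asset_Losses", impact["asset_losses"])
    total = _child(ia, "incident:Total_Loss_Estimation")
    for key, tag in (("initial", "Initial_Reported_Total_Loss_Estimation"),
                     ("actual", "Actual_Total_Loss_Estimation")):
        if impact.get(key):
            amount, currency = loss_amount(*impact[key])
            _child(_child(total, f"incident:{tag}"), "incident:Amount", amount, iso_currency_code=currency)
    return pkg


def to_xml(pkg: ET.Element) -> str:
    return ET.tostring(pkg, encoding="unicode")


def total_loss(pkg: ET.Element) -> Dict[str, Tuple[Decimal, str]]:
    """Read the initial and actual loss estimates back out of a package."""
    found = {}
    for key, tag in (("initial", "Initial_Reported_Total_Loss_Estimation"),
                     ("actual", "Actual_Total_Loss_Estimation")):
        amount = pkg.find(f".//incident:{tag}/incident:Amount", NS)
        if amount is not None and amount.text:
            found[key] = (Decimal(amount.text), amount.get("iso_currency_code", ""))
    return found


def example_package() -> ET.Element:
    """Constructed sample using the example strings from the editor descriptions."""
    return build_incident(
        "Order-processing server breach",
        {"type": "Server",
         "business_function": "Indexing server and service",
         "property": "Confidentiality",
         "effect": "Security breach exfiltrated sensitive data and blocked automated order processing."},
        {"asset_losses": "Major", "initial": ("3141.59", "EUR"), "actual": ("12500.00", "EUR")},
    )


if __name__ == "__main__":
    print(to_xml(example_package()))
    print(total_loss(example_package()))
```

Amounts are carried as Decimal rather than float so that figures such as 3141.59 survive the round trip exactly; a comma-separated value like "3.141,59" is rejected at entry rather than silently parsed to something else.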

Define the victim of the incident

Select the Victim option to add details about the individual, the organization, or the resources related to the targeted victim’s identity.
The Victim editor is based on the CIQ standard and its specifications.
The Customer Information Quality specification aims at providing an open and standard data model to accurately and consistently describe a party such as an individual or an organization, as well as attributes like roles and relationships.

There are no mandatory fields.

  1. In the Name field, specify the name of the victim the incident targeted/is targeting.

  2. In the Specification section, you can define additional information related to the targeted victim such as affected payment account details, identities of individuals or organizations, and email addresses.

  3. Click Fields.

  4. From the drop-down menu select an option to describe the targeted victim in detail:

    • Account

    • Person

    • Organization

    • Electronic address

Account
  1. In the Account type field, define the type of financial/payment account.
    Example: bank, online

  2. In the Account status field, define the current status of the account.
    Example: active, blocked

  3. From the Account specification drop-down menu, select one or more options to add further details about the account in the input fields in a structured way.

  4. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Field

    Description

    Account ID

    The account number.

    Example: NL30INGB0123456789.

    Issuing Authority

    The financial institution that issues the account.

    Example: ABC Bank.

    Account Type

    The type of account.

    Example: debit or savings.

    Account Branch

    The local branch office or the retail location of the bank responsible for issuing the account.

    Example: Utrecht center.

    Issuing Country Name

    The name of country where the account was issued.

    Example: The Netherlands.

Person
  1. From the Person name drop-down menu, select one or more options to add further details about the person or individual in the input fields in a structured way.

  2. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Preceding Title
    Example: His, Her

    Title
    Example: Rogueness, Excellence, Pandit, Sheikh

    First Name
    Example: Peter

    Middle Name
    Example: Brandon

    Last Name
    Example: Quill

    Other Name
    Example: Guardian of the Galaxy

    Alias Name
    Example: Star-Lord

    Generation Identifier
    Example: Jr., Sr., The Younger, The Elder, XXVIII

    Degree
    Example: BSc Ethical Hacking

Organization
  1. From the Organization name drop-down menu, select one or more options to add further details about the organization in the input fields in a structured way.

  2. Click Add or More to insert a new empty row below the current one, which you can populate with additional details.

    Name Only: the name the organization is commonly referred to by.
    Example: Wey-Yu

    Type Only: the legal form of the organization.
    Example: Inc, LLC, Ltd

    Full Name: the full name of the organization.
    Example: Weyland-Yutani Corporation, Inc.

Electronic address
  1. From the Electronic address drop-down menu, select one or more options to add email service providers and email addresses in the input fields in a structured way.
    The key corresponds to the service provider, for example Google, Yahoo, Skype, ICQ, and so on.
    The associated value needs to be a valid format for the selected service provider, for example:

Add observables


If you manually create an entity in the entity editor, and add observables with a type or value that matches the criteria of an existing observable ignore rule, these observables may not be accessible after saving the entity.

Observables are discrete pieces of information that represent properties, attributes, actions, and events.
They record a distinct piece of information, such as: an IP address, a hash, name of a country, name of a city, name of an organization, or the name of an individual; or an event such as the creation of a registry value, or a file deletion or modification.

They are atomic: the information they hold is complete and meaningful, but it cannot be split into smaller components without losing meaning and intelligence value.
They are factual: they record facts with no additional context or background.

You can relate observables with entities to provide context.
If observables are detected in a specific context, or if they are sighted within the organization, they become indicators and sightings, respectively.

  1. In the Create incident view, go to the Observables section, and click Observable.
    The Add observable pane opens.

  2. From the Type drop-down menu, select an observable type that describes the type of information you are storing in the observable.
    For example, a bank account number, a payment card number, an IP address, a domain name, a country or city name, and so on.

  3. From the Link name drop-down menu, select an option to define the type of relationship existing between the observable and the parent entity.

    Setting link names to define relationships adds intelligence value by describing how entities and observables are related.
    This information provides additional context, and it helps understand how a specific resource is used, or the purpose it serves for a potential attacker.
    For example, it can clarify that an observable describes a vulnerability or a weakness related to its parent entity.

    Therefore, observables with a Link name value are in general more relevant and more valuable than observables without a Link name value.

    Link name options vary, based on the relationship the observable has with the specific entity type it belongs to.
    The supported entity-observable relationship link names for the incident entity are:

    • Affected asset: the observable related to the incident represents an affected, impacted resource or asset type.

    • Related: the observable is more generically related to the incident.

    You can modify and update the link name value at any time to reflect changes in the entity-observable relationship:

    1. In the top navigation bar, click Intelligence > All intelligence, and then Browse.

    2. Click the Observables tab.

    3. If the section is populated with observables, each of them has a Link name column.

    4. Click the Link name drop-down for the observable whose relationship link name you want to update, and then select one of the available options.
      If the Link name drop-down has no options, the relationship between the selected entity and the observable is undefined.

  4. In the Value(s) field, enter the value of the observable.
    The value and its format should match the specified observable type (kind).
    If you specify multiple values, enter one value per line.
    If you enter multiple values on one line, use a comma (,) as a separator.
    Example: 75.23.125.231, ipwnu.biz, Kansas City, [email protected], Alvin Slocombe.

  5. From the Maliciousness drop-down menu, select a maliciousness confidence level to assess the likelihood the potential threat may or may not damage the organization.
    This option corresponds to the value that is set under Confidence in observable rules.

  6. To store your changes, click Save; to discard them, click Cancel.

When you flag an observable with a maliciousness confidence level, it cannot transition back to being safe or irrelevant. It can only transition to a higher maliciousness confidence level.

You can use the specified observable values to set up automation processes, so that the potential threat that the entity represents can trigger an action in a security system or another device in the toolchain.

For example, if the observable Type is Email, the Link name is Related, and the Value(s) are [email protected], [email protected], and [email protected], you can create a rule in the email server to block all incoming messages from the honestpaul-superdeals.com email domain.
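The value handling described in step 4, the one-way maliciousness rule, and the email-blocking use case above, as an added example in Python; this is illustration code, not code from the Intelligence Center or its documentation. It splits a Value(s) field the way the editor accepts it (one value per line, or several comma-separated values on a line), checks each value against its observable type, derives the sender domains to block from Email observables, and encodes the rule that a flagged observable can only move to a higher maliciousness level. The type names ipv4, domain and email, the four maliciousness levels, the Postfix access-map output format and the sample values are assumptions of the example; the sender addresses are constructed on the honestpaul-superdeals.com domain the page uses.

```python
from __future__ import annotations

import ipaddress
import re
from enum import IntEnum

# Constructed sample of a Value(s) field: one value per line, with a
# comma-separated pair on the first line. The local parts are invented;
# the domain is the one the page uses in its email-blocking example.
SAMPLE_VALUES = """75.23.125.231, ipwnu.biz
paul@honestpaul-superdeals.com
deals@honestpaul-superdeals.com
support@honestpaul-superdeals.com
"""

# Hostname: labels of 1-63 chars without a leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def split_values(raw: str) -> list[str]:
    """Split the Value(s) field: one value per line, commas also separate values."""
    return [v.strip() for line in raw.splitlines() for v in line.split(",") if v.strip()]


def matches_type(kind: str, value: str) -> bool:
    """True if the value has the format its observable type (kind) requires.
    The type names ipv4, domain and email are assumed for this example."""
    if kind == "ipv4":
        try:
            return ipaddress.ip_address(value).version == 4
        except ValueError:
            return False
    if kind == "domain":
        return DOMAIN_RE.match(value) is not None
    if kind == "email":
        m = EMAIL_RE.match(value)
        return m is not None and DOMAIN_RE.match(m.group(1)) is not None
    return False


def validate_observables(kind: str, raw: str) -> tuple[list[str], list[str]]:
    """Partition the pasted values into those matching the type and those that do not."""
    values = split_values(raw)
    accepted = [v for v in values if matches_type(kind, v)]
    rejected = [v for v in values if not matches_type(kind, v)]
    return accepted, rejected


def sender_domains(emails: list[str]) -> list[str]:
    """Sender domains to block, derived from Email observables (lower-cased, deduplicated)."""
    return sorted({EMAIL_RE.match(e).group(1).lower() for e in emails if matches_type("email", e)})


def postfix_sender_access(domains: list[str]) -> str:
    """Render a Postfix check_sender_access map rejecting mail from the domains.
    Postfix is an assumed target; any gateway with a sender-domain denylist works."""
    return "\n".join(f"{d}\tREJECT blocked by incident observable" for d in domains)


class Maliciousness(IntEnum):
    """Assumed ordering of maliciousness confidence levels; the names are illustrative."""
    SAFE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def maliciousness_transition_allowed(current: Maliciousness, proposed: Maliciousness) -> bool:
    """A flagged observable cannot go back to safe and can only move to a higher level
    (re-setting the same level is a no-op); from SAFE any level may be chosen."""
    if current is Maliciousness.SAFE:
        return True
    return proposed >= current


if __name__ == "__main__":
    accepted, rejected = validate_observables("email", SAMPLE_VALUES)
    print("rejected as not email:", rejected)
    print(postfix_sender_access(sender_domains(accepted)))
```

Running the module on the constructed sample rejects the IP address and the domain as non-email values and emits a single REJECT line for honestpaul-superdeals.com, which is the rule the paragraph above describes.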

Add relationships

  1. In the Relationships view, click Relationship.

  2. From the drop-down menu, select the option corresponding to the relationship you want to create.
    The options available for an incident, and the relationship each one creates, are listed after this procedure.

  3. In the Search an entity dialog, click the checkbox(es) to select one or more entities that you can relate to the current one.

    You can refine search results by specifying a search string in the filter input field.
    Alternatively, click the filter icon to select one or more quick filter options such as:

    • Entity

    • Source

    • TLP

    • Date

    • Datasets

  4. Click Select.

Select one of these options to create the corresponding relationship for the incident:

Related indicators (outgoing relationship): relates the incident to the selected indicator(s) on the Search an entity dialog.

Leveraged TTPs (outgoing relationship): relates the incident to the selected TTP(s) on the Search an entity dialog.

Attributed threat actors (outgoing relationship): relates the incident to the selected threat actor(s) on the Search an entity dialog.

Related incidents (outgoing relationship): relates the incident to the selected incident(s) on the Search an entity dialog.

Courses of action requested (outgoing relationship): relates the incident to the selected course(s) of action on the Search an entity dialog that are requested as a response to the incident.

Courses of action taken (outgoing relationship): relates the incident to the selected course(s) of action on the Search an entity dialog that were carried out as a response to the incident.

Campaign Related incidents (incoming relationship): relates the selected campaign(s) on the Search an entity dialog to the incident.

Course of action Related incidents (incoming relationship): relates the selected course(s) of action on the Search an entity dialog to the incident.

Report Incidents (incoming relationship): relates the selected report(s) on the Search an entity dialog to the incident.

Sighting Incident (incoming relationship): relates the selected sighting(s) on the Search an entity dialog to the incident.

From the Relationship type drop-down menu, select the name of an entity relationship you added.
You can also type your own relationship name in the empty input field.

When you assign a relationship a predefined or a custom name, it is visible in the graph view.

The arrow orientation indicates whether the relationship is incoming (from the related entity to the current one) or outgoing (from the current entity to the related one).

  • To remove a relationship type name, go to the relationship type you want to remove, and click the remove icon next to it.
    The relationship type name is removed.

  • To remove a relationship, go to the row of the relationship you want to remove, and click the remove icon.
    The row and the corresponding relationship are removed.


These actions cannot be undone.

Add metadata information

  1. In the Estimated observed time field, enter the date and time when the entity was first observed or detected.
    It corresponds to the date and time when the threat was detected, recorded, and reported for the first time.
    Estimated observed time is usually either the same as Estimated threat start time, or later than it. It can also be later than Estimated threat end time, if the threat ended before it was observed.

  2. In the Estimated threat start time field, enter the estimated date and time the threat activity started, based on observation, reports, and other intelligence.
    It corresponds to the point at which the threat is believed to have become active, which can be earlier than the time it was first detected and reported.
    The Estimated threat start time can be either the same as Estimated observed time, or it can mark a point in time before Estimated observed time.

  3. If the threat is no longer active, in the Estimated threat end time field, enter the estimated end time of the threat activity, based on observation, reports, and other intelligence.

  4. Go to the Half life section.

    Half-life represents the amount of time it takes for a threat to lose half its intelligence value.
    It corresponds to the number of days it takes for the malicious potential of a threat to decay by 50%.

  5. Select the Use default value option to assign the entity the predefined half-life value.
    You can assign default half-life values to each entity type in the /etc/eclecticiq/platform_settings.py file.
    Integer values represent the number of days.

    # Default values
    HALF_LIFE = {
        "campaign": 1000,
        "course-of-action": 182,
        "eclecticiq-sighting": 182,
        "exploit-target": 182,
        "incident": 182,
        "indicator": 30,
        "report": 182,
        "threat-actor": 1000,
        "ttp": 720,
    }

  6. Select the Override value option to override the default half-life value for the entity, and to set a custom one.
    Enter an integer to represent the number of days it takes the entity to lose half its intelligence value.

  7. In the Tags section, click Add tags to associate one or more tags with the entity .
    Tags enable structuring and categorizing entities based on criteria such as confidence and attack stage.
    Tags improve findability, and they offer quick reference pointers to place entities in a broader cyber threat context.

  8. Click Source, and select the source of the threat information you are using to create the new entity.
    The options available are the names of existing assigned user groups in the Intelligence Center.

  9. Go to the Source reliability section.
    Use this option to flag the entity with a predefined reliability value to help other users assess how trustworthy the entity data source is.

  10. Select the Inherit from source option to assign the entity the same reliability value as the corresponding original data source.

  11. Select the Custom override option to override the default source reliability value for the entity, and to set a custom one.
    From the drop-down menu, select an option to flag the reliability level of the entity data source.
    Values in this menu have the same meaning as the first character in the two-character Admiralty System code.
    Example: B - Usually reliable
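The time-ordering rules from steps 1 to 3 and the half-life decay from steps 4 to 6, as an added example in Python; this is illustration code, not code from the Intelligence Center. It copies the default HALF_LIFE table shown above, reports inconsistencies between the three estimated times, and computes how much intelligence value an entity retains after a given age. The page only defines the half-life as the number of days for the value to halve, so two things are assumptions of the example: that decay is counted from the Estimated observed time, and that it follows 0.5 ** (age_days / half_life). The timestamps used in the usage section are constructed.

```python
from __future__ import annotations

import math
from datetime import datetime

# Default half-life values in days, as listed above for /etc/eclecticiq/platform_settings.py.
HALF_LIFE = {
    "campaign": 1000,
    "course-of-action": 182,
    "eclecticiq-sighting": 182,
    "exploit-target": 182,
    "incident": 182,
    "indicator": 30,
    "report": 182,
    "threat-actor": 1000,
    "ttp": 720,
}

SECONDS_PER_DAY = 86400.0


def _ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp such as 2024-03-01T00:00:00+00:00."""
    return datetime.fromisoformat(value)


def check_estimated_times(observed: str, start: str, end: str | None = None) -> list[str]:
    """Return the consistency problems among the estimated times (empty list if none).
    Observed must not precede start, and end must not precede start. Observed after
    end is allowed: a threat can end before anyone observes it."""
    problems = []
    if _ts(observed) < _ts(start):
        problems.append("Estimated observed time precedes Estimated threat start time")
    if end is not None and _ts(end) < _ts(start):
        problems.append("Estimated threat end time precedes Estimated threat start time")
    return problems


def half_life_days(entity_type: str, override_days: int | None = None) -> int:
    """'Use default value' takes the table entry; 'Override value' takes the custom integer."""
    if override_days is not None:
        if override_days <= 0:
            raise ValueError("half-life must be a positive number of days")
        return override_days
    return HALF_LIFE[entity_type]


def remaining_value(entity_type: str, observed: str, now: str, override_days: int | None = None) -> float:
    """Fraction of intelligence value left at 'now' (1.0 = fresh, 0.5 = one half-life old).
    Assumption of this example: decay is counted from the Estimated observed time."""
    age_days = max(0.0, (_ts(now) - _ts(observed)).total_seconds() / SECONDS_PER_DAY)
    return 0.5 ** (age_days / half_life_days(entity_type, override_days))


def days_until_fraction(entity_type: str, fraction: float, override_days: int | None = None) -> float:
    """Days after observation until the value has dropped to 'fraction' of the original."""
    if not 0.0 < fraction <= 1.0:
        raise ValueError("fraction must be in (0, 1]")
    return half_life_days(entity_type, override_days) * math.log2(1.0 / fraction)


if __name__ == "__main__":
    # Constructed timestamps for illustration.
    print(check_estimated_times("2024-02-01T00:00:00+00:00", "2024-03-01T00:00:00+00:00"))
    print(remaining_value("incident", "2024-01-01T00:00:00+00:00", "2024-07-01T00:00:00+00:00"))
    print(days_until_fraction("indicator", 0.25))
```

With the default table, an incident observed on 1 January 2024 is worth half its original value on 1 July 2024 (182 days later), while an indicator with its 30-day half-life is down to a quarter after 60 days; an override of 10 days makes the same entity decay to an eighth in 30 days, which is the effect of the Override value option in step 6.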

Add information source details

  1. In the Description field, provide context and details to qualify the information source.
    For example, enter a job role, or the function of an institution.

  2. In the Identity field, enter the name of the information source.
    For example, an individual’s name or the official name of an entity such as an organization or government agency.

  3. From the Roles drop-down menu, select one or more options to define how the information source contributed to the information in the incident.

  4. In the References field, enter a URL pointing to relevant reference information on the incident, if available.
    The field takes only URLs as input. Enter one URL per field.

    • To confirm the current input and to display a new input field, press ENTER.

    • To remove an input field from this section, click the remove icon next to it.

Define sharing and usage

  1. From the TLP drop-down menu, select the TLP color code to assign to the entity.
    You can choose to override the TLP color by selecting Not set in the Override TLP drop-down menu.
    TLP provides an intuitive reference to assess how sensitive information is, and with whom it should or should not be shared.

  2. In the Terms of use field, enter any legal notes about fair use of the information about the entity.

Define a workflow

  1. Select the Add to dataset checkbox to include the incident in one or more existing datasets.
    From the drop-down menu select the target datasets you want to add the entity to.

  2. Select the Manually enrich checkbox to manually enrich the entity with the enricher sources you select from the Enrichers to apply drop-down menu.

Save and publish

To store your changes, click Save; to discard them, click Cancel.
To access additional save options, click the down arrow on the Save button:

  • Click Save draft to store your changes without publishing the entity.

  • Click Publish to release the new version of the entity that includes your changes.

  • Click Cancel to discard the changes.

Save a draft

Drafts are available in the entity editor under Draft entities.

Two additional options are available when saving an entity as a draft:

  • Click Save draft and new if you are creating a new entity and have not saved it before. This option saves the current populated form as a draft without publishing it to the Intelligence Center, and creates and opens a new, empty draft form in the editor.

  • Click Save draft and duplicate to save the current populated form as a draft without publishing it to the Intelligence Center, and to create and open a prepopulated copy of the draft entity in the editor, to speed up the creation of a new entity of the same type.

Publish an entity

Published entities are saved to the Intelligence Center.
When the new entity is indexed, it is available in the Intelligence Center, in the entity editor under Published.
Published entities associated with a workspace or included in a dataset are available also through the corresponding workspace and dataset.

Two additional options are available when publishing an entity:

  • Click Publish and new if you are creating a new entity and you have not published it before. This option saves the current populated form, publishes it to the Intelligence Center, and creates and opens a new form in the editor.

  • Click Publish and duplicate to save the current populated form, publish it to the Intelligence Center, and create and open a prepopulated copy of the newly published entity in the editor to speed up the creation of a new entity of the same type.

See also