Metadata information

To add metadata information to reports, do the following:

  1. In the Estimated observed time field, enter the date and time when the entity was first observed or detected.
    This is the point at which the threat was detected, recorded, and reported for the first time.
    Estimated observed time is usually either the same as Estimated threat start time or later than it. It can also be later than Estimated threat end time, if the threat ended before it was observed.

  2. In the Estimated threat start time field, enter the estimated date and time when the threat activity started, based on observations, reports, and other intelligence.
    This is the point at which the threat is believed to have first become active, which can be earlier than the first observation.
    Estimated threat start time is either the same as Estimated observed time or earlier than it.

  3. If the threat is no longer active, in the Estimated threat end time field enter the estimated date and time when the threat activity ended, based on observations, reports, and other intelligence.

  4. Go to the Half life section.

    Half-life represents the amount of time it takes for a threat to lose half its intelligence value.
    It corresponds to the number of days it takes for the malicious potential of a threat to decay by 50%.

  5. Select the Use default value option to assign the entity the predefined half-life value.
    You can assign default half-life values to each entity type in the /etc/eclecticiq/platform_settings.py file.
    Integer values represent the number of days.
    settings.py excerpt (sourced from EIQ platform-backend, full path eiq/platform/settings.py):

    # Default values (half-life in days, per entity type)
    HALF_LIFE = {
        "campaign": 1000,
        "course-of-action": 182,
        "eclecticiq-sighting": 182,
        "exploit-target": 182,
        "incident": 182,
        "indicator": 30,
        "report": 182,
        "threat-actor": 1000,
        "ttp": 720,
    }

  6. Select the Override value option to override the default half-life value for the entity, and to set a custom one.
    Enter an integer to represent the number of days it takes the entity to lose half its intelligence value.

  7. In the Tags section, click Add tags to associate one or more tags with the entity.
    Tags enable structuring and categorizing entities based on criteria such as confidence and attack stage.
    Tags improve findability, and they offer quick reference pointers to place entities in a broader cyber threat context.

  8. Click Source, and select the source of the threat information you are using to create the new entity.
    The options available are the names of existing assigned user groups in the Intelligence Center.

  9. Go to the Source reliability section.
    Use this option to flag the entity with a predefined reliability value to help other users assess how trustworthy the entity data source is.

  10. Select the Inherit from source option to assign the entity the same reliability value as the corresponding original data source.

  11. Select the Custom override option to override the inherited source reliability value for the entity, and to set a custom one.
    From the drop-down menu, select an option to flag the reliability level of the entity data source.
    Values in this menu have the same meaning as the first character in the two-character Admiralty System code.
    Example: B - Usually reliable
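The procedure above, worked through as one added example. This is illustrative code written for this page, not EclecticIQ platform code: it enforces the time-ordering rules from steps 1 to 3, resolves the half-life (default from the HALF_LIFE table quoted above, or an integer override) and shows what that half-life means for an entity's remaining intelligence value, and resolves source reliability as either inherited or custom (steps 9 to 11). The function names, the `build_metadata` field names and the sample timestamps are assumptions; the Admiralty reliability labels other than "B - Usually reliable" are the standard Admiralty scale, not text from this page.

```python
import math
from datetime import datetime

# Added example, not EclecticIQ platform code. Default half-life values in
# days, copied from the HALF_LIFE table quoted above (eiq/platform/settings.py).
HALF_LIFE = {
    "campaign": 1000,
    "course-of-action": 182,
    "eclecticiq-sighting": 182,
    "exploit-target": 182,
    "incident": 182,
    "indicator": 30,
    "report": 182,
    "threat-actor": 1000,
    "ttp": 720,
}

# Source reliability: first character of the two-character Admiralty code.
# The page only shows "B - Usually reliable"; the other labels are the
# standard Admiralty scale and are an assumption here.
SOURCE_RELIABILITY = {
    "A": "Completely reliable",
    "B": "Usually reliable",
    "C": "Fairly reliable",
    "D": "Not usually reliable",
    "E": "Unreliable",
    "F": "Reliability cannot be judged",
}


def parse_time(iso_string):
    """Parse an ISO 8601 timestamp such as '2022-02-14T11:59:00Z'."""
    return datetime.fromisoformat(iso_string.replace("Z", "+00:00"))


def validate_times(observed, start, end=None):
    """Ordering rules from steps 1-3, returned as a list of error strings.

    Observed time must not precede threat start time, and end time (if set)
    must not precede start time. Observed time may be later than end time:
    a threat can end before anyone sees it, so that is not an error.
    """
    errors = []
    if observed < start:
        errors.append("estimated observed time precedes estimated threat start time")
    if end is not None and end < start:
        errors.append("estimated threat end time precedes estimated threat start time")
    return errors


def resolve_half_life(entity_type, override=None):
    """Steps 5-6: per-type default unless a positive integer override is given."""
    if override is None:
        return HALF_LIFE[entity_type]
    if isinstance(override, bool) or not isinstance(override, int) or override <= 0:
        raise ValueError("half-life override must be a positive integer number of days")
    return override


def remaining_value(entity_type, elapsed_days, override=None):
    """Fraction of the original intelligence value left after elapsed_days.

    The value halves every half_life days, so the remaining fraction is
    0.5 ** (elapsed_days / half_life): an indicator (30 days) is at 50%
    after 30 days and 25% after 60, while a TTP (720 days) barely moves.
    """
    return 0.5 ** (elapsed_days / resolve_half_life(entity_type, override))


def days_until_below(entity_type, threshold, override=None):
    """Days until remaining_value drops below threshold (0 < threshold < 1)."""
    return resolve_half_life(entity_type, override) * math.log(threshold, 0.5)


def resolve_reliability(source_grade, custom_grade=None):
    """Steps 9-11: inherit the source's grade, or apply a custom override."""
    grade = custom_grade if custom_grade is not None else source_grade
    if grade not in SOURCE_RELIABILITY:
        raise ValueError(f"unknown Admiralty reliability grade: {grade!r}")
    return grade, SOURCE_RELIABILITY[grade]


def build_metadata(entity_type, observed, start, end=None, half_life_override=None,
                   tags=(), source="", source_grade="F", custom_grade=None):
    """Assemble the metadata block from steps 1-11, rejecting inconsistent input."""
    errors = validate_times(observed, start, end)
    if errors:
        raise ValueError("; ".join(errors))
    grade, label = resolve_reliability(source_grade, custom_grade)
    return {
        "estimated_observed_time": observed,
        "estimated_threat_start_time": start,
        "estimated_threat_end_time": end,
        "half_life_days": resolve_half_life(entity_type, half_life_override),
        "tags": sorted(set(tags)),  # deduplicated for stable comparison
        "source": source,
        "source_reliability": grade,
        "source_reliability_label": label,
    }


if __name__ == "__main__":
    # Constructed sample timestamps: observed two days after the threat ended.
    md = build_metadata("indicator", parse_time("2022-02-14T11:59:00Z"),
                        parse_time("2022-02-10T00:00:00Z"), parse_time("2022-02-12T00:00:00Z"),
                        tags=["phishing", "initial-access"], source="Analyst team", source_grade="B")
    print(md["half_life_days"], md["source_reliability_label"])
    print(f"indicator value after 60 days: {remaining_value('indicator', 60):.2f}")
```

The validator deliberately allows observed time after end time, matching the caveat in step 1, while rejecting observed time before start time, which would mean the entity was seen before the activity it describes began.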