Search by link name

Search observables by their link name to look up observed IOCs based on the function they have in a broader threat context, such as targeted victim, affected asset, malicious infrastructure, and so on.

You can use link names to search for specific observables, based on the type of relationship they have with their parent entity.
The type of relationship between an observable and and entity adds context, and it can help understand the function of the observable within the broader threat landscape it belongs to.
For example, a relationship can help identify an observable as a victim, and affected asset, a vulnerability, or as a component of the threat actor's malicious infrastructure.

Let's assume that an analyst is investigating a threat scenario where a threat actor exploits the CVE-2017-8793 vulnerability to gain access to the targeted victim’s assets.
The analyst may want to search the Intelligence Center for any exploit target entities containing observables that are related to the parent exploit target because they represent a vulnerability.

To search for an observable representing a vulnerability:

  1. In the side navigation bar click the search icon .

  2. In the search input field enter your search query:

    data.type:exploit-target AND \
    extracts.kind:domain AND \
    meta.bundled_extracts.link_types:vulnerability OR \
    extracts.instance_meta.link_types:vulnerability OR \
    extracts_nested.instance_meta.link_types:vulnerability
  3. Press ENTER to start the search.

In the search query example:

  • meta.bundled_extracts.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link name value defining the relationship between entities and the corresponding bundled observables.

  • extracts.instance_meta.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link name value defining the relationship between entities and non-embedded observables.

  • extracts_nested.instance_meta.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link name value defining the relationship between entities and the corresponding embedded observables.

  • vulnerability is the link name value defining the the type of entity-observable relationship you are looking for.

If the link name value search string contains multiple words separated by spaces, wrap the search string in double quotes (example: "my multiple word search string").
The Intelligence Center search functionality uses the Elasticsearch query syntax.

The following table maps the link name values you can enter in a search query to the corresponding options displayed in the GUI (campaign entities have no link names to define relationships with observables):


Search input value

GUI option

Entity

parameter

Parameter

Course of action

affected

Affected

Exploit target

configuration

Configuration

Exploit target

vulnerability

Vulnerability

Exploit target

weakness

Weakness

Exploit target

affected-asset

Affected asset

Incident

related

Related

Incident

observed

Observable

Indicator

sighted

Sighted

Indicator

test-mechanism

Test mechanism

Indicator

malicious-infrastructure

Malicious infrastructure

TTP

targeted-victim

Targeted victim

TTP

observable

Observable

Report

identity

Identity

Threat actor