Create a campaign

A campaign is a series of planned actions that aim to achieve a specific goal. A campaign involves elements such as threat actors who apply and carry out TTPs (Tactics, Techniques, and Procedures) to attack targeted victims and to achieve a malicious result.

A campaign is used to detail instances of a threat actor targeting a victim or an exploit target over a period of time by applying a series of attack patterns and malicious behaviors.
Indicators, observables, sightings, and incidents help identify specific attack patterns and TTPs that define the threat actor’s intentions and goals.

Required fields are marked with an asterisk ( * ).

There are two ways of creating a campaign:

  • In the top navigation bar of a graph, click , and then Campaign.

  • In the side navigation bar of the Dashboard, click , and then Campaign.

If you create a campaign from a graph, double-click its icon to access its details page.

If you create a campaign from the Dashboard, its details page is displayed automatically.

Fill in the campaign's details as follows:

  1. Define the general options:

    1. In the Title field, enter a name for the new campaign.

    2. In the Analysis field, enter non-structured information such as additional context, references, links.

    3. In the Confidence field, select an estimated level of confidence for the entity data.

    4. In the Intended effects field, select one or more options to define goals that threat actors are aiming to achieve.

    5. In the Status field, select: On-going — for active campaigns, Historic — for past campaigns, or Future — for future campaigns. For more information, see the STIX Campaign status vocab.

    6. In the Name field, enter one or more aliases for the campaign.

  2. Optional - manually add observables:

    For more information on observables, see About observables.


    If you manually create an entity in the entity editor, and add observables with a type or value that matches the criteria of an existing observable ignore rule, these observables may not be accessible after saving the entity.

    1. In the Observables section, click Observable.

    2. In the Type field, select an observable type that describes the type of information that you will store in the observable.
      For example, a bank account number, a payment card number, an IP address, a domain name, or a city name.

    3. In the Value(s) field, enter the value of the observable. The value and its format should match the specified observable type.
      Insert one value entry per line.
      If you enter multiple values on one line, use a comma (,) as a separator.
      Example: 75.23.125.231, ipwnu.biz, Kansas City, [email protected], Alvin Slocombe.

    4. In the Maliciousness field, select a maliciousness confidence level that represents the likelihood the potential threat may or may not damage your organization.
      This option corresponds to the value that is set under Data configuration > Rules > Observable > > Action > Mark as malicious > Confidence.

    5. Click Save.

  3. Add relations:

    1. In the Relationships view, click Relationship.

    2. From the drop-down menu select the option corresponding to the relationship you want to create.
      The following options are available:

      | Option | Incoming/Outgoing | Description |
      |---|---|---|
      | Associated campaigns | Outgoing relationship | Relates the campaign to the selected campaign(s) on the Search an entity dialog. |
      | Attributions | Outgoing relationship | Relates the campaign to the selected threat-actor(s) on the Search an entity dialog. |
      | Related incidents | Outgoing relationship | Relates the campaign to the selected incident(s) on the Search an entity dialog. |
      | Related TTPs | Outgoing relationship | Relates the campaign to the selected TTP(s) on the Search an entity dialog. |
      | Indicator Related campaigns | Incoming relationship | Relates the selected indicator(s) on the Search an entity dialog to the campaign. |
      | Report Campaigns | Incoming relationship | Relates the selected report(s) on the Search an entity dialog to the campaign. |
      | Threat actor Associated campaigns | Incoming relationship | Relates the selected threat-actor(s) on the Search an entity dialog to the campaign. |
      | Sighting Campaign | Incoming relationship | Relates the selected sighting(s) on the Search an entity dialog to the campaign. |

    3. In the Search an entity dialog, click the checkbox(es) to select one or more entities that you can relate to the current one.

      You can refine search results by specifying a search string in the filter input field.
      Alternatively, click the filter icon to select one or more quick filter options such as:

      • Entity

      • Source

      • TLP

      • Date

      • Datasets

    4. Click Select.

  4. Add metadata information:

    1. In the Estimated observed time field, enter the date when the entity was first observed/detected.
      It corresponds to the date and time when the threat was detected, recorded, and reported for the first time.
      Usually, Estimated observed time can be either the same as Estimated threat start time, or it can mark a point in time after Estimated threat start time. It can also be after the Estimated threat end time if the threat ended before it was observed.

    2. In the Estimated threat start time field, enter the estimated date the threat activity started, based on observation, reports and other intelligence.
      It corresponds to the date and time when the threat was detected, recorded, and reported for the first time as an active/in-progress event.
      The Estimated threat start time can be either the same as Estimated observed time, or it can mark a point in time before Estimated observed time.

    3. If the threat is no longer active, go to the Estimated threat end time field, and enter the estimated end time of the threat activity, based on observation, reports, and other intelligence.

    4. Go to the Half life section.

      Half-life represents the amount of time it takes for a threat to lose half its intelligence value.
      It corresponds to the number of days it takes for the malicious potential of a threat to decay by 50%.

    5. Select the Use default value option to assign the entity the predefined half-life value.
      You can assign default half-life values to each entity type in the /etc/eclecticiq/platform_settings.py file.
      Integer values represent the number of days.
      settings.py (sourced from EIQ platform-backend)

      # Default values (half-life per entity type, in days)
      HALF_LIFE = {
          "campaign": 1000,
          "course-of-action": 182,
          "eclecticiq-sighting": 182,
          "exploit-target": 182,
          "incident": 182,
          "indicator": 30,
          "report": 182,
          "threat-actor": 1000,
          "ttp": 720,
      }

    6. Select the Override value option to override the default half-life value for the entity, and to set a custom one.
      Enter an integer to represent the number of days it takes the entity to lose half its intelligence value.

    7. In the Tags section, click Add tags to associate one or more tags with the entity.
      Tags enable structuring and categorizing entities based on criteria such as confidence and attack stage.
      Tags improve findability, and they offer quick reference pointers to place entities in a broader cyber threat context.

    8. Click Source, and select the source of the threat information you are using to create the new entity.
      The options available are the names of existing assigned user groups in the Intelligence Center.

    9. Go to the Source reliability section.
      Use this option to flag the entity with a predefined reliability value to help other users assess how trustworthy the entity data source is.

    10. Select the Inherit from source option to assign the entity the same reliability value as the corresponding original data source.

    11. Select the Custom override option to override the default source reliability value for the entity, and to set a custom one.
      From the drop-down menu, select an option to flag the entity data source reliability level.

    12. Values in this menu have the same meaning as the first character in the two-character Admiralty System code.
      Example: B - Usually reliable

  5. Add information source details:

    1. In the Description field, provide context and details to qualify the information source.
      For example, enter a job role, or the function of an institution.

    2. In the Identity field, enter the name of the information source.
      For example, an individual’s name or the official name of an entity such as an organization or government agency.

    3. In the Roles field, select one or more options to define how the information source contributed to the information in the campaign.

    4. In the References field, enter a URL pointing to relevant reference information on the campaign, if available.

      • The field takes only URLs as input.

      • Enter one URL per field.

      • To confirm the current input and to display a new input field, press ENTER.

  6. Define Data marking and usage:

    1. In the TLP field, select the TLP color code you want to use to filter enrichment data.
      You can choose to override the TLP color by selecting Not set in the Override TLP drop-down.
      TLP provides an intuitive reference to assess how sensitive a piece of information is, focusing in particular on how serious it is, and whom it should or should not be shared with.

    2. In the Terms of use field, enter any legal notes about fair use of the information about the entity.

  7. Define a workflow:

    • Add to dataset: select this checkbox to include the campaign in one or more existing datasets.
      In the Dataset field, select the datasets you would like to add the entity to.

    • Manually enrich: select this checkbox to manually enrich the entity.

  8. Save and publish

    • Click Save draft to store your changes without publishing the entity.

    • Click Publish to release the new version of the entity that includes your changes.

    • Click Cancel to discard the changes.
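
The half-life setting from the metadata step, worked through as an added example (not EclecticIQ code): it assumes plain exponential decay, which is what the half-life definition implies, and uses the default values from the settings excerpt above. The function names and the 0 to 1 value scale are assumptions made for illustration.

```python
import math
from datetime import datetime, timezone

# Default half-life values in days, copied from the settings excerpt on this page.
HALF_LIFE = {
    "campaign": 1000, "course-of-action": 182, "eclecticiq-sighting": 182,
    "exploit-target": 182, "incident": 182, "indicator": 30,
    "report": 182, "threat-actor": 1000, "ttp": 720,
}


def effective_half_life(entity_type, override_days=None):
    """Half-life in days: the 'Override value' if given, else the type default."""
    if override_days is not None:
        if not isinstance(override_days, int) or override_days <= 0:
            raise ValueError("override must be a positive integer number of days")
        return override_days
    if entity_type not in HALF_LIFE:
        raise ValueError(f"no default half-life for entity type {entity_type!r}")
    return HALF_LIFE[entity_type]


def remaining_value(entity_type, observed, now, override_days=None):
    """Fraction (0..1) of intelligence value left (assumed exponential decay)."""
    age_days = (now - observed).total_seconds() / 86400
    if age_days < 0:
        raise ValueError("observed time is later than the evaluation time")
    return 0.5 ** (age_days / effective_half_life(entity_type, override_days))


def days_until_below(entity_type, threshold, override_days=None):
    """Age in days at which the remaining value reaches `threshold`."""
    if not 0 < threshold < 1:
        raise ValueError("threshold must be strictly between 0 and 1")
    return effective_half_life(entity_type, override_days) * math.log2(1 / threshold)


if __name__ == "__main__":
    # Constructed sample dates: the entity was observed 60 days before evaluation.
    observed = datetime(2022, 1, 1, tzinfo=timezone.utc)
    now = datetime(2022, 3, 2, tzinfo=timezone.utc)
    for etype in ("indicator", "ttp", "campaign"):
        print(f"{etype:10s} {remaining_value(etype, observed, now):.3f}")
    # Same indicator with a 90-day override decays more slowly.
    print(f"override   {remaining_value('indicator', observed, now, 90):.3f}")
    print(f"indicator below 10% after {days_until_below('indicator', 0.1):.1f} days")
```

After 60 days an indicator with the default 30-day half-life has gone through two half-lives, while a campaign with the 1000-day default has lost only about 4% of its value, which is why the override is worth setting for short-lived campaign infrastructure.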
