Create a report

A report wraps around different pieces of threat intelligence to weave a common story into a consistent narrative.

During an analysis or an investigation, analysts use a number of sources to gather many bits of information.
They sift through the data to separate the wheat from the chaff, and then they start connecting the dots to gain a broader perspective and add meaning to the data.

By exploring entity relationships and by gaining extra context through enrichment, they can weave a solid narrative to accurately and objectively describe the threat scenario under investigation.

Intel reports provide a suitable format to structure and to organize this type of content: analysts can include their analysis of the threat scenario, make mitigation recommendations, as well as include links to entities, observables, and relationships in the Intelligence Center. They can also add relevant attachments such as samples or PDF documents. Moreover, they can specify metadata such as the time ranges defining the start and end time of the observed threat, and the time of observation. Last but not least, tags help organize and categorize the intelligence.

Intel reports give their intended recipients a rich and sharp picture of the cyber threat landscape they may need to act on.
They can follow links to further explore the reported threat relationships with other potentially malicious elements such as campaigns, C2 infrastructure, or threat actors.

Intel reports implement microdata to add machine-readable semantic relevance to the content. Analysts can leverage microdata to reference any entities, relationships, and observables they include in the reports.

Analysts can publish reports in HTML format through outgoing feeds using any of the supported transport types.
When they choose to make reports available by email, the HTML reports are attached to the email messages before sending them to the intended recipients.

About content

When the Intelligence Center ingests unstructured content — either through an incoming feed or a manual file upload — to produce a report entity, the original unstructured source is attached in its original format to the resulting report entity. In this way, when analysts modify or update the resulting report entity, they can always refer back to the original information.

Create a report


Required fields are marked with an asterisk ( * ).

There are two ways of creating a report:

  • In the top navigation bar of a graph, click , and then Report.

  • In the side navigation bar of the Dashboard, click , and then Report.

If you create a report from a graph, double-click its icon to access its details page.

If you create a report from the Dashboard, its details page is displayed automatically.

Fill in the report's details as follows:

  1. Assign the new report entity a clear and descriptive Title. The title appears also in the entity detail pane header section.

  2. In the Summary field, write a short summary to highlight the main points and/or the core concepts discussed in the report.

  3. In the Analysis field, write a story to clearly communicate the core message of the report.
    Organize your information to set the stage (background details and context), unfold the timeframe of the events the report describes, and introduce the characters such as threat actors, targeted victims, as well as any malicious sidekicks such as (money) mules.
    These are the foundations shaping the threat scenario under analysis.

  4. Click Section to add another content section to the report, such as a Recommendations field.

  5. In the Recommendations field, formulate a set of recommendations to reduce risk and to mitigate possible or likely damage.
    You can make recommendations on areas such as prevention, detection, and response.

    • Proceed to describe motives and intentions, behaviors, strategies, tactics, and techniques. Include any relevant details about resources and infrastructure, be it a C2 server or targeted assets.
      In short, this is where analysts use their story-telling skills to make their point to the stakeholders who will read the report and who may or may not decide to (re)act on the basis of the intelligence value of the report.

    • When you position the cursor inside the Summary, Analysis or Recommendations field, a rich text editor becomes available to help you format content:
      You can format text, create ordered/numbered and unordered/bulleted lists, undo and redo actions, as well as insert relationships, observables, and references.

  6. From the Intents drop-down menu, select one or more options to define the main purpose of the report, that is, the main item(s) discussed in the report, and the main topic(s) it focuses on.

  7. Use the Attachment section to drag and drop relevant files to the upload area.
    Alternatively, click anywhere in the upload area, browse to the location where the file you want to upload is stored, and then select it.

    • To remove an uploaded file from the attachment list, click Remove file.
      The attachment is instantly removed, without prompting you to confirm the action.

When you publish the report, any inserted relationships, observables and references are indexed and made searchable.
You can click these links to open the detail pane of the selected relationship or observable, or to follow a link to a reference.

If you publish reports with attachments through an outgoing feed, attachments are excluded from the feed. Only the report entity without attachments is included in the outgoing feed.

Add observables

To add observables to reports, do the following:

  1. In the Observables section, click Observable.
    The Add observable pane opens.

  2. From the Type drop-down menu, select an observable type that describes the type of information you are storing in the observable.
    For example, a bank account number, a payment card number, an IP address, a domain name, a country or city name, and so on.

  3. From the Link name drop-down menu, select an option to define the type of relationship existing between the observable and the parent entity.

    Setting link names to define relationships adds intelligence value by describing how entities and observables are related.
    This information provides additional context, and it helps understand how a specific resource is used, or the purpose it serves for a potential attacker.
    For example, it can clarify that an observable describes a vulnerability or a weakness related to its parent entity.

    Therefore, observables with a Link name value are in general more relevant and more valuable than observables without a Link name value.

    Link name options vary, based on the relationship the observable has with the specific entity type it belongs to.
    The supported entity-observable relationship link name for the report entity is the Observable related to the report.
    You can modify and update the link name value at any time to reflect changes in the entity-observable relationship:

    1. In the top navigation bar, click Intelligence > All intelligence, and click Browse.

    2. Click the Observables tab.

    3. If the section is populated with observables, each of them has a Link name column.

    4. Click the Link name drop-down menu for the observable whose relationship link name you want to update, and then select one of the available options.
      If the Link name drop-down menu has no options, the selected entity-observable relationship is undefined.

  4. In the Value(s) field, enter the value of the observable.
    The value and its format should match the specified observable type (kind).
    If you specify multiple values, enter one value per line.
    If you enter multiple values on one line, use a comma (,) as a separator.
    Example: 75.23.125.231, ipwnu.biz, Kansas City, [email protected], Alvin Slocombe.

  5. From the Maliciousness drop-down menu, select a maliciousness confidence level to assess the likelihood the potential threat may or may not damage the organization.
    This option corresponds to the value that is set under Confidence in observable rules.

  6. To store your changes, click Save; to discard them, click Cancel.

When you flag an observable with a maliciousness confidence level, it cannot transition back to being safe or irrelevant. It can only transition to a higher maliciousness confidence level.

You can use the specified observable values to set up automation processes, so that the potential threat that the entity represents can trigger an action in a security system or another device in the toolchain.

For example, if the observable Type is Email, the Link name is Parameter, and the Value(s) are [email protected], [email protected], and [email protected], you can create a rule in the email server to block all incoming messages from the honestpaul-superdeals.com email domain.
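The two rules above (the Value(s) input format and the one-way maliciousness transition) and the email-domain automation case, worked through as an added example that is not part of the original page or of the Intelligence Center's own code. The maliciousness level names are an assumption for the example; the page only states that a flagged observable cannot return to safe or irrelevant.

```python
# Maliciousness levels, lowest to highest. The names are an assumption for
# this example; the page only says that a flagged observable cannot go back
# to being safe or irrelevant, it can only move to a higher level.
MALICIOUSNESS_LEVELS = ("safe", "low", "medium", "high")


def parse_values(raw):
    """Split the Value(s) field: one value per line, and a comma separates
    several values on the same line. Whitespace is trimmed, empty entries
    are skipped and duplicates keep their first position."""
    values = []
    for line in raw.splitlines():
        for item in line.split(","):
            item = item.strip()
            if item and item not in values:
                values.append(item)
    return values


class Observable:
    def __init__(self, kind, value, link_name=None, maliciousness="safe"):
        self.kind = kind              # observable Type, e.g. "Email"
        self.value = value            # one entry from the Value(s) field
        self.link_name = link_name    # relationship to the parent entity
        self.maliciousness = maliciousness

    def can_transition_to(self, level):
        """A transition is allowed only upwards (or to the same level)."""
        if level not in MALICIOUSNESS_LEVELS:
            return False
        return (MALICIOUSNESS_LEVELS.index(level)
                >= MALICIOUSNESS_LEVELS.index(self.maliciousness))

    def set_maliciousness(self, level):
        """Reject any attempt to lower the maliciousness confidence level."""
        if not self.can_transition_to(level):
            raise ValueError("cannot move maliciousness from %s to %s"
                             % (self.maliciousness, level))
        self.maliciousness = level


def sender_domains_to_block(observables):
    """Domains to block on the mail server, taken from Email observables whose
    link name is Parameter (the automation case described on the page)."""
    domains = set()
    for obs in observables:
        if obs.kind == "Email" and obs.link_name == "Parameter" and "@" in obs.value:
            domains.add(obs.value.rsplit("@", 1)[1].lower())
    return domains


# Constructed sample input (local parts invented; the domain is the page's example).
SAMPLE_VALUES = ("one@honestpaul-superdeals.com, two@honestpaul-superdeals.com\n"
                 "three@HONESTPAUL-SUPERDEALS.com\n")
SAMPLE_OBSERVABLES = [Observable("Email", v, "Parameter") for v in parse_values(SAMPLE_VALUES)]
```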

Add relationships

To add relationships between a report and the entities it may point to or be associated with, do the following:

  1. In the Relations section, click Relationship.

  2. From the drop-down menu, select the option corresponding to the relationship you want to create.
    The following options are available (select this option … to create this relationship for the report):

    Indicators: Outgoing relationship — Relates the report to the indicator(s) selected in the Search an entity dialog.

    TTPs: Outgoing relationship — Relates the report to the TTP(s) selected in the Search an entity dialog. Recommends carrying out a course of action to respond to the report.

    Exploit targets: Outgoing relationship — Relates the report to the exploit target(s) selected in the Search an entity dialog.

    Incidents: Outgoing relationship — Relates the report to the incident(s) selected in the Search an entity dialog.

    Courses of action: Outgoing relationship — Relates the report to the course(s) of action selected in the Search an entity dialog.

    Campaigns: Outgoing relationship — Relates the report to the campaign(s) selected in the Search an entity dialog.

    Threat actors: Outgoing relationship — Relates the report to the threat actor(s) selected in the Search an entity dialog.

    Related reports: Outgoing relationship — Relates the report to the report(s) selected in the Search an entity dialog.

    Sighting Report: Incoming relationship — Relates the sighting(s) selected in the Search an entity dialog to the report.

  3. Select an entity.

  4. Go to the bottom-right corner of the pane, and click Select.

  5. From the Relationship type drop-down menu, select the name of the entity relationship you added.
    You can also type your own relationship name in the empty input field.

    When you assign a relationship a predefined or a custom name, it is visible in the graph view.

    The arrow orientation, either or , indicates that the relationship is either incoming — from the related entity to the current one — or outgoing — from the current entity to the related one.

    • To remove a relationship type name, go to the relationship type you want to remove, and click  .
      The relationship type name is removed.

    • To remove a relationship, go to the row of the relationship you want to remove, and click .
      The row and the corresponding relationship are removed.

    You cannot undo these actions. They are irreversible.

Add metadata information

To add metadata information to reports, do the following:

  1. In the Estimated observed time field, enter the date when the entity was first observed/detected.
    It corresponds to the date and time when the threat was detected, recorded, and reported for the first time.
    Usually, Estimated observed time can be either the same as Estimated threat start time, or it can mark a point in time after Estimated threat start time. It can also be after the Estimated threat end time if the threat ended before it was observed.

  2. In the Estimated threat start time field, enter the estimated date the threat activity started, based on observation, reports and other intelligence.
    It corresponds to the date and time when the threat was detected, recorded, and reported for the first time as an active/in-progress event.
    The Estimated threat start time can be either the same as Estimated observed time, or it can mark a point in time before Estimated observed time.

  3. If the threat is no longer active, go to the Estimated threat end time field, and enter the estimated end time of the threat activity, based on observation, reports, and other intelligence.

  4. Go to the Half life section.

    Half-life represents the amount of time it takes for a threat to lose half its intelligence value.
    It corresponds to the number of days it takes for the malicious potential of a threat to decay by 50%.

  5. Select the Use default value option to assign the entity the predefined half-life value.
    You can assign default half-life values to each entity type in the /etc/eclecticiq/platform_settings.py file.
    Integer values represent the number of days.
    settings.py (sourced from EIQ platform-backend, full path eiq/platform/settings.py):

    # Default values
    HALF_LIFE = {
        "campaign": 1000,
        "course-of-action": 182,
        "eclecticiq-sighting": 182,
        "exploit-target": 182,
        "incident": 182,
        "indicator": 30,
        "report": 182,
        "threat-actor": 1000,
        "ttp": 720,
    }

  6. Select the Override value option to override the default half-life value for the entity, and to set a custom one.
    Enter an integer to represent the number of days it takes the entity to lose half its intelligence value.

  7. In the Tags section, click Add tags to associate one or more tags with the entity.
    Tags enable structuring and categorizing entities based on criteria such as confidence and attack stage.
    Tags improve findability, and they offer quick reference pointers to place entities in a broader cyber threat context.

  8. Click Source, and select the source of the threat information you are using to create the new entity.
    The options available are the names of existing assigned user groups in the Intelligence Center.

  9. Go to the Source reliability section.
    Use this option to flag the entity with a predefined reliability value to help other users assess how trustworthy the entity data source is.

  10. Select the Inherit from source option to assign the entity the same reliability value as the corresponding original data source.

  11. Select the Custom override option to override the default source reliability value for the entity, and to set a custom one.
    From the drop-down menu, select an option to flag the entity data source reliability level.

    Values in this menu have the same meaning as the first character in the two-character Admiralty System code.
    Example: B - Usually reliable
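The half-life steps above, carried through as an added example (not the Intelligence Center's own decay code): it uses the default HALF_LIFE values from this page, applies an Override value when one is set, and computes how much intelligence value is left after a number of days. The decay curve itself is an assumption: the page defines half-life as the number of days for the value to halve, and this example reads that as exponential decay.

```python
import math
from datetime import date, timedelta

# Default half-life values per entity type, in days, as listed on this page.
HALF_LIFE = {
    "campaign": 1000,
    "course-of-action": 182,
    "eclecticiq-sighting": 182,
    "exploit-target": 182,
    "incident": 182,
    "indicator": 30,
    "report": 182,
    "threat-actor": 1000,
    "ttp": 720,
}


def effective_half_life(entity_type, override=None):
    """Half-life in days: the Override value when set (a positive integer
    number of days), otherwise the default for the entity type."""
    if override is not None:
        if not isinstance(override, int) or override <= 0:
            raise ValueError("half-life override must be a positive integer number of days")
        return override
    return HALF_LIFE[entity_type]


def remaining_value(entity_type, days_elapsed, override=None):
    """Fraction (0..1) of the original intelligence value left after
    days_elapsed. Assumption: the value halves once per half-life period,
    i.e. exponential decay."""
    if days_elapsed < 0:
        raise ValueError("days_elapsed must be >= 0")
    return 0.5 ** (days_elapsed / effective_half_life(entity_type, override))


def days_until_below(entity_type, threshold, override=None):
    """Days after observation until the value drops to the given fraction.
    Solves 0.5 ** (d / half_life) == threshold for d."""
    if not 0 < threshold < 1:
        raise ValueError("threshold must be strictly between 0 and 1")
    return effective_half_life(entity_type, override) * math.log(threshold) / math.log(0.5)


def review_date(observed_iso, entity_type, threshold=0.25, override=None):
    """ISO date on which the entity, counted from its Estimated observed time,
    falls to the threshold fraction: a simple trigger for a review or expiry
    task. A tiny epsilon keeps exact whole-day results from rounding up."""
    days = math.ceil(days_until_below(entity_type, threshold, override) - 1e-9)
    return (date.fromisoformat(observed_iso) + timedelta(days=days)).isoformat()
```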

Add information source details

To add details about the source of the information, do the following:

  1. In the Description field, provide context and details to qualify the information source.
    For example, enter a job role, or the function of an institution.

  2. In the Identity field, enter the name of the information source.
    For example, an individual’s name or the official name of an entity such as an organization or government agency.

  3. From the Roles drop-down menu, select one or more options to define how the information source contributed to the information in the report.

  4. In the References field, enter a URL pointing to relevant reference information on the report, if available.
    The field takes only URLs as input. Enter one URL per field.

    • To confirm the current input and to display a new input field, press ENTER.

    • To remove an input field from this section, click the corresponding .

Define sharing and usage

  1. From the TLP drop-down menu, select the TLP color code you want to use to filter enrichment data.
    You can choose to override the TLP color by selecting Not set in the Override TLP drop-down menu.
    TLP provides an intuitive reference to assess how sensitive information is, focusing in particular on how serious it is, and whom it should or should not be shared with.

  2. In the Terms of use field, enter any legal notes about fair use of the information about the entity.

Define a workflow

  1. Select the Add to dataset checkbox to include the entity in one or more existing datasets.
    From the drop-down menu select the target datasets you want to add the entity to.

  2. Select the Manually enrich checkbox to manually enrich the entity with the enricher sources you select from the Enrichers to apply drop-down menu.

Save and publish

To store your changes, click Save; to discard them, click Cancel.
To access additional save options, click the down arrow on the Save button:

  • Click Save draft to store your changes without publishing the entity.

  • Click Publish to release the new version of the entity that includes your changes.

  • Click Cancel to discard the changes.

Save a draft

Drafts are available in the entity editor under Draft entities.

Two additional options are available when saving an entity as a draft:

  • Click Save draft and new if you are creating a new entity and have not saved it before. This option saves the current populated form as a draft without publishing it to the Intelligence Center, and creates and opens a new draft form in the editor.

  • Click Save draft and duplicate to save the current populated form as a draft without publishing it to the Intelligence Center, and to create and open a prepopulated copy of the draft entity in the editor to speed up the creation of a new entity of the same type.

Publish an entity

Published entities are saved to the Intelligence Center.
When the new entity is indexed, it is available in the Intelligence Center, in the entity editor under Published.
Published entities associated with a workspace or included in a dataset are available also through the corresponding workspace and dataset.

Two additional options are available when publishing an entity:

  • Click Publish and new if you are creating a new entity and you have not published it before. This option saves the current populated form, publishes it to the Intelligence Center, and creates and opens a new form in the editor.

  • Click Publish and duplicate to save the current populated form, publish it to the Intelligence Center, and create and open a prepopulated copy of the newly published entity in the editor to speed up the creation of a new entity of the same type.