Filter entities by source

You can filter and search for entities based on criteria related to the entity data source(s) such as:

  • Source name

  • Source reliability

You can use the search input field, as well as the quick filters available in the following views:

  • Search images/download/attachments/86440751/search.svg-x24.png > GO TO SEARCH AND BROWSE > Entities

  • Search images/download/attachments/86440751/search.svg-x24.png > GO TO SEARCH AND BROWSE > Observables

  • Create + > VIEW PRODUCTION

  • Discovery images/download/attachments/86440751/target.svg-x24.png

  • Exposure images/download/attachments/86440751/exposure.svg-x24.png

Filter entities by source name

An entity can have one or more data sources.
When an entity has multiple sources, redundant copies of the same entity are deduplicated upon ingestion, but all data source information is retained.

Data source reliability information is stored in the sources.source_reliability JSON field.

You can filter and search for entities based on the name(s) of their data source(s) to retrieve only entities ingested from one or more data sources.
 Data sources can be existing incoming feeds and enrichers, as well as existing Intelligence Center user groups.

Use the quick filter

  1. In the top-left corner, click images/download/attachments/3604538/filter.PNG .

  2. Click either Entity, Source, TLP, Date, Reliability, or Dataset.

  3. Select the checkbox(es) of the entity data sources you want to obtain results from.

When you enter or select multiple search term values, the Boolean operator between the specified search terms is OR.

View data sources for an entity

When an entity has more than one data source, a counter is displayed next to the main entity data source name under the Source column.
Click it to view a tooltip with a list of all the data sources the entity refers to.

Use the search input field

  1. In the side navigation bar click .

  2. In the search input field, prepend the following JSON path to the data source name value(s) you want to use as search criteria.
    For example, sources.name:

Example:

/* Searches for all entities whose
data source name value is 'CVE' */
 
sources.name:CVE
 
/* Searches for all entities whose
data source name value is either 'CVE', or 'CTI', or 'TAXII' */
 
sources.name:(CVE CTI TAXII)

To filter and search for entities based on their corresponding data source name(s) , you can prepend search queries in the search box with the following JSON fields:

JSON path

Description

sources.name

Holds the designated name of the entity data source.

sources.source_id

Holds the UUID of the entity data source.
This value uniquely identifies a data source of an entity.

sources.source_type

Holds the type of data source for the entity.
Data sources can be existing incoming feeds and enrichers, as well as existing Intelligence Center user groups.

Example


{
"sources": [
{
"name": "TAXII Stand Samples Cypress",
"source_id": "09d01570-476d-4515-a458-faddb43hse86",
"source_type": "incoming_feed"
},
 
{
"name": "test.taxiistand.com",
"source_id": "0bd6014d-e0b4-a8d5-83ac-c107fd034855",
"source_type": "incoming_feed"
},
 
{
"name": "TAXII Stand Samples",
"source_id": "fc602bf6-f653-1234-8dde-b939f2bb13bd",
"source_type": "incoming_feed"
}
]
}

Filter entities by source reliability

You can filter and search for entities based on the reliability assigned to the corresponding data sources to retrieve only entities ingested from specifically reliable sources.
Data source reliability information is stored in the sources.source_reliability JSON field.

Use the quick filter

  1. In the top-left corner, click images/download/attachments/3604538/filter.PNG .

  2. Select the checkbox(es) of the entity data source reliability values you want to use as filters.

When you enter or select multiple search term values, the Boolean operator between the specified search terms is OR.

Use the search input field

  1. In the side navigation bar click .

  2. In the search input field, prepend the following JSON path to the data source reliability values you want to use as search criteria.
    For example, sources.source_reliability:

Example:

/* Searches for all entities whose
data source name value is 'A' */
 
sources.source_reliability:A
 
/* Searches for all entities whose
data source reliability value is either 'A', or 'B', or 'C' */
 
sources.source_reliability:(A B C)

To filter and search for entities based on data source reliability, you can prepend search queries in the search box with the following JSON fields:

JSON field

Description

sources.source_reliability

Holds the original data source reliability value of the entity when it was ingested or created in the Intelligence Center.
It helps assess how trustworthy the data source is deemed to be.

sources.source_reliability_override

Holds the changed source reliability value that is set to override the previous source reliability value for the entity.
If you manually or explicitly set a value for this JSON field, the Intelligence Center interprets it as an override action.

About user overrides

User-defined override key/value pairs are stored in the meta field of an entity JSON data structure.
Override fields in the meta field have precedence over:

  • The corresponding original fields inside meta.

  • Their corresponding override fields stored inside the sources field of an entity JSON data structure.

Affected parameter

Source reliability of the entity

Override field

meta.source_reliability_override

Superseded field(s)

meta.source_reliability

sources.source_reliability

sources.source_reliability_override

Description

Stores the override value a user can manually define when editing an entity in the entity editor or inside the entity detail pane.