Search by link name
Search observables by their link name to look up observed IOCs based on the function they have in a broader threat context, such as targeted victim, affected asset, malicious infrastructure, and so on.
You can use link names to search for specific observables, based on the type of relationship they have with their parent entity.
The type of relationship between an observable and an entity adds context, and it helps you understand the function of the observable within the broader threat landscape it belongs to.
For example, a relationship can identify an observable as a victim, an affected asset, a vulnerability, or a component of the threat actor's malicious infrastructure.
Let's assume that an analyst is investigating a threat scenario where a threat actor exploits the CVE-2017-8793 vulnerability to gain access to the targeted victim’s assets.
The analyst may want to search the Intelligence Center for exploit target entities containing observables whose relationship with the parent exploit target is "vulnerability", that is, observables that represent the vulnerability being exploited.
To search for an observable representing a vulnerability:
In the side navigation bar, click the search icon.
In the search input field enter your search query:
data.type:exploit-target AND \
extracts.kind:domain AND \
(meta.bundled_extracts.link_types:vulnerability OR \
extracts.instance_meta.link_types:vulnerability OR \
extracts_nested.instance_meta.link_types:vulnerability)
Press ENTER to start the search.
In the search query example:
meta.bundled_extracts.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link name value defining the relationship between entities and the corresponding bundled observables.
extracts.instance_meta.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link name value defining the relationship between entities and non-embedded observables.
extracts_nested.instance_meta.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link name value defining the relationship between entities and the corresponding embedded observables.
vulnerability is the link name value defining the type of entity-observable relationship you are looking for. The three link name clauses are grouped in parentheses so that the data.type and extracts.kind filters apply to all of them.
If the link name value search string contains multiple words separated by spaces, wrap the search string in double quotes (example: "my multiple word search string").
The Intelligence Center search functionality uses the Elasticsearch query syntax.
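The following Python example is added here to illustrate the query above; it is not part of the original documentation and not Intelligence Center code. It builds the link-name query with the alternatives grouped and multi-word values quoted, and it walks the three JSON paths named above over a constructed sample entity to show which observables each path reaches. The shape of the sample entity (the "kind" and "value" fields, the list layout) is an assumption; only the dotted paths come from the page.

```python
"""Added example: build a link-name search query and evaluate the three
link-name JSON paths locally against a constructed sample entity."""
import re
from typing import Any, Dict, Iterable, List, Optional

# The three JSON paths the documentation lists for link names, in order:
# bundled observables, non-embedded observables, embedded observables.
LINK_TYPE_PATHS = (
    "meta.bundled_extracts.link_types",
    "extracts.instance_meta.link_types",
    "extracts_nested.instance_meta.link_types",
)


def quote_term(value: str) -> str:
    """Wrap a value in double quotes when it contains whitespace or query-syntax
    characters, as the documentation advises for multi-word link names."""
    if re.search(r'[\s":()]', value):
        return '"' + value.replace('"', '\\"') + '"'
    return value


def build_link_name_query(link_name: str,
                          entity_type: Optional[str] = None,
                          extract_kind: Optional[str] = None) -> str:
    """Return an Elasticsearch query-string query for one link name.

    The three link-name clauses are parenthesised so the optional data.type and
    extracts.kind filters bind to all of them instead of only the first branch."""
    term = quote_term(link_name)
    link_clause = "(" + " OR ".join(f"{path}:{term}" for path in LINK_TYPE_PATHS) + ")"
    clauses: List[str] = []
    if entity_type:
        clauses.append(f"data.type:{quote_term(entity_type)}")
    if extract_kind:
        clauses.append(f"extracts.kind:{quote_term(extract_kind)}")
    clauses.append(link_clause)
    return " AND ".join(clauses)


# Container path -> path of the link names inside each observable record.
# Derived by splitting the documented paths at the observable list.
OBSERVABLE_CONTAINERS = {
    "meta.bundled_extracts": "link_types",
    "extracts": "instance_meta.link_types",
    "extracts_nested": "instance_meta.link_types",
}


def _walk(obj: Any, path: List[str]) -> Iterable[Any]:
    """Yield every value reachable along a dotted path, descending into lists
    (so a list of observables yields each observable, not the list)."""
    if isinstance(obj, list):
        for item in obj:
            yield from _walk(item, path)
    elif not path:
        yield obj
    elif isinstance(obj, dict) and path[0] in obj:
        yield from _walk(obj[path[0]], path[1:])


def find_observables_with_link(entity: Dict[str, Any], link_name: str) -> List[Dict[str, Any]]:
    """Return the observables of an entity that carry the given link name,
    noting which of the three containers each one was found in."""
    matches = []
    for container, link_path in OBSERVABLE_CONTAINERS.items():
        for observable in _walk(entity, container.split(".")):
            if not isinstance(observable, dict):
                continue
            link_types = set(_walk(observable, link_path.split(".")))
            if link_name in link_types:
                matches.append({"kind": observable.get("kind"),
                                "value": observable.get("value"),
                                "via": container})
    return matches


# Constructed sample entity mirroring the page's scenario; field layout is an
# assumption, not an exported Intelligence Center record.
SAMPLE_ENTITY = {
    "data": {"type": "exploit-target", "title": "Constructed exploit target"},
    "meta": {"bundled_extracts": [
        {"kind": "cve", "value": "CVE-2017-8793", "link_types": ["vulnerability"]},
    ]},
    "extracts": [
        {"kind": "domain", "value": "example.invalid",
         "instance_meta": {"link_types": ["affected"]}},
        {"kind": "cwe", "value": "CWE-placeholder",
         "instance_meta": {"link_types": ["weakness"]}},
    ],
    "extracts_nested": [
        {"kind": "uri", "value": "https://example.invalid/advisory",
         "instance_meta": {"link_types": ["vulnerability"]}},
    ],
}

if __name__ == "__main__":
    print(build_link_name_query("vulnerability", "exploit-target", "domain"))
    print(build_link_name_query("targeted victim"))
    for hit in find_observables_with_link(SAMPLE_ENTITY, "vulnerability"):
        print(hit)
```

Running the script prints the grouped query for the scenario on this page, a quoted multi-word variant, and the two sample observables (one bundled, one embedded) that carry the "vulnerability" link name; the "affected" domain is reached by the extracts path but filtered out by its link name.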
The following table maps the link name values you can enter in a search query to the corresponding options displayed in the GUI (campaign entities have no link names to define relationships with observables):
Search input value       | GUI option               | Entity
-------------------------|--------------------------|-----------------
parameter                | Parameter                | Course of action
affected                 | Affected                 | Exploit target
configuration            | Configuration            | Exploit target
vulnerability            | Vulnerability            | Exploit target
weakness                 | Weakness                 | Exploit target
affected-asset           | Affected asset           | Incident
related                  | Related                  | Incident
observed                 | Observable               | Indicator
sighted                  | Sighted                  | Indicator
test-mechanism           | Test mechanism           | Indicator
malicious-infrastructure | Malicious infrastructure | TTP
targeted-victim          | Targeted victim          | TTP
observable               | Observable               | Report
identity                 | Identity                 | Threat actor