Create entity rules#

Note

Required fields are marked with an asterisk (*).

A rule must be Enabled for it to take effect. See Manage entity rules.

Create a discovery rule#

Start creating a rule:

  1. From the left navigation, select Data configuration > Rules > Entity.

  2. Select +.

OR

  • From the left navigation, select + Create > Rules > Entity rule.

Configure the rule#

In the Create entity rule view, fill out the following fields:

Rule name*

Name of rule.

Description

Short description. Should contain context and information on what this rule does.

Enabled

Select this to enable the rule immediately after saving.

Set criteria#

In the Criteria selection section, select one or more criteria that this rule will match.

Your rule runs only if an entity meets all the criteria set here.

  • Select + Criteria to add a criterion to the rule.

  • Select the x to the right of an existing criterion to remove it from the rule.

The following is a table of available criteria:

Criteria

Description

Entity types

Select one or more entity types that this rule runs against.

Content criteria

See Content criteria tool

Sources

Select one or more sources. This rule runs against entities that belong to these sources.

TLPs

Select one or more TLPs. This rule runs against entities that have at least one of these TLPs assigned.
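To make the matching semantics above concrete (every criterion added to the rule must hold, while within one criterion any selected value is enough), here is an added Python example. It is not EclecticIQ product code: the Entity and Criteria classes, their field names, the sample entities and the regex used as a stand-in for the Content criteria tool are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified entity record; the field names are assumptions,
# not the Intelligence Center data model.
@dataclass
class Entity:
    title: str
    entity_type: str        # e.g. "indicator", "malware", "report"
    source: str             # the feed or source the entity belongs to
    tlps: frozenset         # TLP labels attached to the entity

# One field per criterion type in the table above. None means the criterion
# was not added to the rule with "+ Criteria"; a set means it was added with
# those values selected. content_pattern is an assumed stand-in for the
# Content criteria tool: a regex that must be found in the title.
@dataclass
class Criteria:
    entity_types: Optional[frozenset] = None
    sources: Optional[frozenset] = None
    tlps: Optional[frozenset] = None
    content_pattern: Optional[str] = None

def any_selected_matches(selected: Optional[frozenset], actual: frozenset) -> bool:
    """A criterion that was not added imposes no restriction; an added
    criterion needs at least one of its selected values on the entity."""
    if selected is None:
        return True
    return bool(selected & actual)

def rule_matches(criteria: Criteria, entity: Entity) -> bool:
    """AND across criteria, OR within a criterion's selected values."""
    checks = [
        any_selected_matches(criteria.entity_types, frozenset({entity.entity_type})),
        any_selected_matches(criteria.sources, frozenset({entity.source})),
        any_selected_matches(criteria.tlps, entity.tlps),
    ]
    if criteria.content_pattern is not None:
        checks.append(re.search(criteria.content_pattern, entity.title) is not None)
    return all(checks)

# Constructed sample rule: fire on indicators from feed-a that carry AMBER or RED.
AMBER_OR_RED_INDICATORS = Criteria(
    entity_types=frozenset({"indicator"}),
    sources=frozenset({"feed-a"}),
    tlps=frozenset({"AMBER", "RED"}),
)

# Constructed sample entities (documentation IP range, made-up source names).
SAMPLE_ENTITIES = [
    Entity("C2 server 198.51.100.7", "indicator", "feed-a", frozenset({"GREEN", "AMBER"})),
    Entity("C2 server 198.51.100.8", "indicator", "feed-a", frozenset({"GREEN"})),
    Entity("Sample.Win32.Example", "malware", "feed-a", frozenset({"RED"})),
    Entity("C2 server 198.51.100.9", "indicator", "feed-b", frozenset({"RED"})),
]

def matching_titles(criteria: Criteria, entities) -> list:
    """Titles of the entities the rule would run against."""
    return [e.title for e in entities if rule_matches(criteria, e)]

if __name__ == "__main__":
    print(matching_titles(AMBER_OR_RED_INDICATORS, SAMPLE_ENTITIES))
```

Only the first sample entity matches: the second has no AMBER or RED label, the third is not an indicator, and the fourth comes from a source the rule did not select. Each failing entity satisfies some criteria but not all of them, which is the point of the "meets all the criteria" wording.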

Set actions#

In the Actions section, select one or more actions that the rule performs when it matches an entity.

  • Select + Action to add an action to the rule.

  • Select the x to the right of an existing action to remove it from the rule.

The following table describes the available actions:

Action

Description

Add tags

Select one or more tags to add to an entity that matches this rule.

Remove tags

Select one or more tags to remove from an entity that matches this rule.

Add to dataset

Select one or more datasets. When an entity matches this rule, it is added to these datasets.

Set alias

Sets an alias for entities that match this rule.

See Actions: Set alias.

Override TLP

Select a TLP value to set for entities that match this rule.

Merge similar

Select one entity. Entities that are similar to this selected entity will be merged into a single entity.

Entities are similar if they have:

  • Identical title, description, and other STIX data fields.

  • Different STIX ID.

  • Different timestamps.

Note

When you set Merge similar as an action for an entity rule, you cannot set other actions for that rule.

Caution

  • Use entity merging with caution: it is not possible to undo a merge action.

  • All merged entities disappear: they are not indexed, and therefore they are not searchable through the GUI.

  • They persist in the main data storage (PostgreSQL): to search these entities, run a SQL query in EclecticIQ Intelligence Center PostgreSQL database.
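The similarity definition above (identical content, different STIX ID and timestamps) can be expressed as a key that ignores exactly those volatile fields. The Python example below is added here and is not EclecticIQ code; it groups constructed STIX-style objects by such a key and shows why a merge is one-way. The list of fields treated as volatile, the sample objects with their placeholder IDs, and the choice of the earliest-created object as survivor are assumptions.

```python
import json

# Fields that may differ between "similar" entities per the definition above:
# the STIX ID and the timestamps. Everything else must be identical.
# (Assumed field list for the illustration.)
VOLATILE_FIELDS = frozenset({"id", "created", "modified"})

def similarity_key(stix_obj: dict) -> str:
    """Canonical JSON of the object without its volatile fields, so two
    objects with identical content map to the same key regardless of
    the order in which their keys appear."""
    stable = {k: v for k, v in stix_obj.items() if k not in VOLATILE_FIELDS}
    return json.dumps(stable, sort_keys=True, separators=(",", ":"))

def group_similar(objs):
    """Map similarity key -> list of objects sharing it."""
    groups = {}
    for obj in objs:
        groups.setdefault(similarity_key(obj), []).append(obj)
    return groups

def merge_group(group):
    """Keep the earliest-created object as the surviving entity and return
    the IDs of the absorbed ones. Once absorbed, those IDs are no longer
    reachable through the index, which is why a merge cannot be undone
    from the GUI."""
    survivor = min(group, key=lambda o: o["created"])
    absorbed = sorted(o["id"] for o in group if o is not survivor)
    return survivor["id"], absorbed

def merge_all(objs):
    """Return {survivor_id: [absorbed ids]} for every group with more than one member."""
    result = {}
    for group in group_similar(objs).values():
        survivor_id, absorbed = merge_group(group)
        if absorbed:
            result[survivor_id] = absorbed
    return result

# Constructed sample objects (placeholder UUIDs, documentation IP range).
# Objects 1 and 2 differ only in id/timestamps and key order; object 3 has
# a different description and must therefore stay separate.
SAMPLE_OBJECTS = [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "created": "2024-01-02T10:00:00Z", "modified": "2024-01-02T10:00:00Z",
     "name": "C2 server", "description": "Beaconing host",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "created": "2024-01-01T09:00:00Z", "modified": "2024-01-03T12:00:00Z",
     "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "description": "Beaconing host", "name": "C2 server"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "created": "2024-01-01T09:00:00Z", "modified": "2024-01-01T09:00:00Z",
     "name": "C2 server", "description": "Beaconing host (old)",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
]

if __name__ == "__main__":
    print(merge_all(SAMPLE_OBJECTS))
```

Running it reports one merge: object 2 survives (earliest created) and object 1 is absorbed, while object 3 is untouched because its description differs. Because the absorbed ID vanishes from the index, keeping such a before/after record is the only practical way to trace what a merge did without querying PostgreSQL directly.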

Save#

Once done:

  • Select Save to save this rule.

  • Select the drop-down arrow next to Save > Save and new to save this rule and start creating a new rule.

  • Select the drop-down arrow next to Save > Save and duplicate to save this rule and start creating a new rule using the settings from this rule.

Actions: Set alias#

The Set alias action uses named capturing groups and backreferences to automatically assign title aliases to matching entities, based on a regex that defines the data patterns to capture from the title, the variable names of those captures, and a formatting template for the title alias.

Aliases help identify entities that are known by different names, depending on the data provider referencing them.

First, define the named groups in the entity title.

You insert named groups in the title alias by referencing them with the variables that represent them:

  • The (?P<name>regex) expressions in Title parsing pattern define data patterns for matching text strings in the title.

  • You can reference matches in the alias using the corresponding variable names between chevron brackets (< >).

  • The name variable accepts alphanumeric characters. It must start with a letter.

  • The regex must comply with Python syntax.

Then, define a format template for the title alias.

You insert the named groups in the template by referencing them with the variables that represent them:

  • The Alias formatting template field accepts a string to set a formatting template for the title alias, where you include the previously defined named group variables as needed.

  • The template variable names must exactly match the corresponding named group variables they reference.

  • The formatting string must comply with Python string formatting syntax.

Example

Let’s assume we want to set an alias for the following entity title:

    VxVault reporting on Malware Malware.Win32.Sample with name sample found at URL http://malicious.com/double-click-me.exe (104.31.72.46)

  1. First, isolate the named groups in the title that we want to reuse in the title alias by setting Title parsing pattern to:

    VxVault reporting on Malware (?P<malware>[^\s]+) with name sample found at URL (?P<url>[^\s]+) \((?P<ip>[\d\.]+)\)

  2. Then, define a format template for the title alias that references the named groups by their variable names, by setting Alias formatting template to:

    malware={malware}, url={url}, ip={ip}

When the rule runs, it produces the resulting title alias:

    malware=Malware.Win32.Sample, url=http://malicious.com/double-click-me.exe, ip=104.31.72.46
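The following Python example reproduces what the Set alias action does with the title, pattern and template from the example above, and adds the checks worth running before saving such a rule: that the regex compiles, that every group name follows the naming rule stated above, and that the template references only groups the pattern defines. It is an added illustration, not EclecticIQ code; the function names and the validation messages are assumptions.

```python
import re
import string

# Naming rule from the text above: alphanumeric, starting with a letter.
# (Python itself also allows underscores; the stricter page rule is enforced here.)
GROUP_NAME_RULE = re.compile(r"[A-Za-z][A-Za-z0-9]*")

# Values taken from the worked example on this page.
TITLE = ("VxVault reporting on Malware Malware.Win32.Sample with name sample "
         "found at URL http://malicious.com/double-click-me.exe (104.31.72.46)")
PATTERN = (r"VxVault reporting on Malware (?P<malware>[^\s]+) with name sample "
           r"found at URL (?P<url>[^\s]+) \((?P<ip>[\d\.]+)\)")
TEMPLATE = "malware={malware}, url={url}, ip={ip}"

def template_fields(template: str) -> set:
    """Names referenced as {name} in a str.format template."""
    return {name for _, name, _, _ in string.Formatter().parse(template) if name}

def validate(parsing_pattern: str, template: str) -> list:
    """Return a list of problems; an empty list means the rule is consistent."""
    try:
        regex = re.compile(parsing_pattern)
    except re.error as exc:
        return [f"invalid regex: {exc}"]
    groups = set(regex.groupindex)
    problems = []
    for name in sorted(groups):
        if not GROUP_NAME_RULE.fullmatch(name):
            problems.append(f"group name {name!r} must be alphanumeric and start with a letter")
    for name in sorted(template_fields(template) - groups):
        problems.append(f"template references undefined group {name!r}")
    return problems

def set_alias(title: str, parsing_pattern: str, template: str):
    """Alias for the title, or None when the parsing pattern does not match it.
    A template that names a group the pattern does not define raises ValueError
    instead of producing a half-filled alias."""
    match = re.compile(parsing_pattern).search(title)
    if match is None:
        return None
    try:
        return template.format(**match.groupdict())
    except KeyError as exc:
        raise ValueError(f"template references undefined group {exc}") from None

if __name__ == "__main__":
    print(validate(PATTERN, TEMPLATE))          # [] when the rule is consistent
    print(set_alias(TITLE, PATTERN, TEMPLATE))
```

Note that a title the pattern does not match simply gets no alias; the rule does not partially apply. Running validate before saving catches the two mistakes that are otherwise only visible when aliases silently fail to appear: a regex that does not compile, and a template variable whose spelling differs from its named group.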