Manage existing observables and entities#

Existing observables#

Observables that already exist in EclecticIQ Intelligence Center are marked with a red copy Copy symbol on the right of the item. This means that the observable:

  • Already exists on EclecticIQ Intelligence Center.

  • May have existing relationships with other entities there.

The number displayed at the bottom-right corner of the icon tells you how many observables of the same name already exist on EclecticIQ Intelligence Center.

For example, when a copy icon with a “2” Copy is displayed for an observable, two observables with the same name already exist on EclecticIQ Intelligence Center.

Existing observables.

Existing observables.#

You should:

  • Check the relationships that exist for this observable in your IC instance.

  • Check EclecticIQ Intelligence Center to see if the entity you want to create does not already exist. For more information, see Existing entities.

If an observable already exists on EclecticIQ Intelligence Center, ingesting that observable:

  • Does not create a new observable.

  • Adds a relationship between the existing observable and the new entity you’ve created.

  • Does not overwrite existing relationships with other entities on the IC.

However, if (a) the observable already exists on EclecticIQ Intelligence Center, but (b) the observable you want to ingest is set to a different type than the observable that already exists on EclecticIQ Intelligence Center, then a new observable is created.

That observable:

  • Shares the same name as the existing observable on EclecticIQ Intelligence Center.

  • Inherits the new type.

  • Maintains its own relationships. It does not share the same relationships as the existing observable on EclecticIQ Intelligence Center.

For example, we may ingest the observable 61.204.119.188 as a URI, but find that we have an IPv4 observable also named 61.204.119.188 that already exists on EclecticIQ Intelligence Center. After ingesting the new observable, we have two observables on EclecticIQ Intelligence Center that share the same name, but are assigned different types and have different sets of relationships.

Resulting entity relations.

Resulting entity relations.#

Existing entities#

The browser extension:

  • Does not check if an entity already exists.

  • Does not overwrite entities that already exists on EclecticIQ Intelligence Center.

When adding creating an entity using the browser extension, you should:

  • Search EclecticIQ Intelligence Center for similar entities.

  • If the entity you want to create already exists, find a different and meaningful way to describe the group of observables you want to add with the browser extension.

All entities on EclecticIQ Intelligence Center are assigned a UUID (Universally Unique Identifier). So, entities added through the browser extension are treated as new and unique, even if they are otherwise identical to an existing entity on EclecticIQ Intelligence Center.

In the image below, we have two identical entities that EclecticIQ Intelligence Center treats as distinct:

Browser extensions creates entities with unique IDs.

Browser extensions creates entities with unique IDs.#