Exploit target#

An exploit target represents a vulnerability or a weakness in a software or hardware product or system, in a network, or in a configuration that enables a threat actor to use it as an entry point to access your assets and resources, and eventually to take control over them. Like a window that is left open upon leaving the house, it is a security hole in your ecosystem or infrastructure that malicious actors can leverage to get in and pursue their objectives.

Create an exploit target by selecting:

  • In the side navigation bar + Create > Exploit target.

Or:

  • (Requires Beta: Intelligence creation on the graph)

    In the top navigation bar of a graph, select + and then Exploit target to create a draft entity.

  • Double-click to open the newly created draft entity to edit it.

Then, Configure this entity.

Configure#

The following sections the fields and options available.

Note

Required fields are marked with an asterisk (*).

General#

Field

EIQ JSON field

Description

Title*

data.title

Descriptive title for this entity. See Titles and aliases.

Analysis

data.description

Long description.

Characteristics#

Characteristics are properties on an entity that provide context for the intelligence indicated by this object.

The following are characteristics available for this entity:

Characteristics: Vulnerability#

Add one or more vulnerabilities to attach to this entity. Analogous to VulnerabilityType

Field

EIQ JSON field

Description

Title

data.vulnerabilities[].title

Title for this vulnerability.

Is known

data.vulnerabilities[].is_known

Select this if the vulnerability is known, i.e. not a 0-day vulnerability.

Is publicly acknowledged

data.vulnerabilities[].is_publicly_acknowledged

Select this if the vulnerability has been publicly acknowledged by the software vendor for the affected software product.

Description

data.vulnerabilities[].description

Description of vulnerability.

Source

data.vulnerabilities[].source

Source of vulnerability.

Discovered date/time

data.vulnerabilities[].discovered_datetime

Date and time this vulnerability is discovered.

Discovered date/time precision

data.vulnerabilities[].discovered_datetime_precision

See Date and time precision.

Published date/time

data.vulnerabilities[].published_datetime

Date and time this vulnerability is published.

Published date/time precision

data.vulnerabilities[].published_datetime_precision

See Date and time precision.

CVE-ID

data.vulnerabilities[].cve_id

CVE ID.

Must conform to the format CVE-YYYY-NNNN. E.g. CVE-2021-3855.

Also creates a new cve observable with the vulnerability link name when this entity is published.

OSVDB-ID

data.vulnerabilities[].title

(Deprecated) Open Sourced Vulnerability Database (OSVDB) ID.

In addition, you can set the following vulnerability properties:

Vulnerability: CVSS Score#

Set the CVSS score for this vulnerability. Analogous to CVSSVectorType.

Field

EIQ JSON field

Description

Overall score

data.vulnerabilities[].cvss_score.overall_score

Overall CVSS score. Calculated using the NVD CVSSv2 calculator.

Must be in format \d\.\d. E.g. 8.8.

Base score

data.vulnerabilities[].cvss_score.base_score

Base CVSS score.

Must be in format \d\.\d. E.g. 8.8.

Base vector

data.vulnerabilities[].cvss_score.base_vector

Base metrics.

Must be in format AV:<score>/AC:<score>/Au:<score>/C:<score>/I:<score>/A:<score>.

Temporal score

data.vulnerabilities[].cvss_score.temporal_score

Temporal CVSS score

Must be in format \d\.\d. E.g. 8.8.

Temporal vector

data.vulnerabilities[].cvss_score.temporal_vector

Temporal metrics

Must be in format E:<score>/RL:<score>/RC:<score>.

Environmental score

data.vulnerabilities[].cvss_score.environmental_score

Environmental CVSS score

Must be in format \d\.\d. E.g. 8.8.

Environmental vector

data.vulnerabilities[].cvss_score.environmental_vector

Environmental metrics

Must be in format CDP:<score>/TD:<score>/CR:<score>/IR:<score>/AR:<score>

Vulnerability: Affected software#

Describe the software product affected by this vulnerability. All values here are used to construct the XML object set in data.vulnerabilities[].affected_software[].properties_xml. Analogous to AffectedSoftwareType.

Properties set here are also used to create a product: <Product>|<Version>|<Update> observable with the affected link name, when this entity is published.

Set values for the following fields:

  • Product: Name of software product affected.

  • Edition: Edition of software.

  • Language: Language used in software.

  • Update: Is the software up to date?

  • Vendor: Vendor name for software.

  • Version: Version of software.

  • Device manufacturer: Manufacturer of device running affected software.

  • Device model: Model of device running affected software.

  • Device serial number: Serial number of device running affected software.

  • Device firmware version: Firmware version running on device.

  • Device system os: OS running on device.

Vulnerability: References#

Field

EIQ JSON field

Description

References

data.vulnerabilities[].references[]

Enter one or more URLs.

Characteristics: Weakness#

Add one or more weaknesses. Analogous to WeaknessType.

Field

EIQ JSON field

Description

Description*

data.vulnerabilities[].weaknesses[].description

Describe this weakness.

CWE-ID

data.vulnerabilities[].weaknesses[].cwe_id

Assign a CWE ID.

Characteristics: Configuration#

Add one or more vulnerable configurations. Analogous to ConfigurationType.

Field

EIQ JSON field

Description

Description*

data.vulnerabilities[].configurations[].description

Describe this vulnerable configuration.

CCE-ID

data.vulnerabilities[].configurations[].cce_id

Assign a CCE ID.

Also creates new cce observable with a configuration link name when this entity is published.

Observables#

You can create one or more new observables and link it to the currently open entity by selecting + Observable under the Observables section.

Note

If an observable you create here matches an observable rule with an ignore action, it does not appear when the you publish the entity.

In the Add observable view that appears, fill out these fields:

Field

EIQ JSON field

Description

Type*

extracts[].kind

See Observable types

Link name*

See Observable link names

See Observable link names

Values(s)*

extracts[].value

Enter one or more values. One observable is created per value.

Values must be comma-separated, or newline-separated, but not both.

Maliciousness*

See Observable maliciousness

See Observable maliciousness

Relations#

Add relationships to this entity by selecting + Relationship.

  1. From the drop-down menu select the option corresponding to the relationship you want to create:

    • Potential courses of action

    • Related exploit targets

    • Course of action Right arrow Related exploit targets

    • Report Right arrow Exploit targets

    • TTP Right arrow Exploit targets

    • Sighting Right arrow Exploit target

  2. After selecting an option, the Search an entity dialog appears. Select one or more entities to relate to the current entity.

    Note

    You can narrow down the displayed entities by entering a search query, or by using the filter Filter.

  3. Select Select to add the selected entities as relations.

Once a relationship is added to this entity, you can:

  • Assign MITRE ATT&CK IDs by selecting + under the MITRE ATT&CK IDs column.

  • Set a Relationship type

    • Enter a custom relationship type by typing in the empty field and pressing ENTER to save.

    • Select one of these options:

      • Indicates malware

      • Is associated campaign to

      • I don’t know

      • Could be anything

Meta#

The Meta section contains configuration options that allow you to attach descriptive data to the entity.

Field

EIQ JSON field

Description

Estimated threat start time

meta.estimated_threat_start_time

Estimated start of threat. See Time values.

Estimated threat end time

meta.estimated_threat_end_time

Estimated end of threat. See Time values.

Estimated observed time

meta.estimated_observed_time

Estimated time threat was observed. See Time values.

Half-life

meta.half_life

See Half-life.

Select one of these options:

  • Use default value: When selected, half-life for this entity is set to 720 days.

  • Override value: Set a custom value for half-life, in number of days.

Tags

meta.tags[] and meta.taxonomy_paths[]

See tags and taxonomies.

Source*

sources[]

Select one source.

Source reliability

meta.source_reliability

See source reliability.

Options:

  • Inherit from source: This entity inherits source reliability from Source.

  • Custom override: Set a source reliability value for just this entity.

Information source#

Field

EIQ JSON field

Description

Description

data.information_source.description

Description of information source.

Identity

data.information_source.identity

Name of this information source

Roles

data.information_source.roles[]

One or more information source roles. Possible values:

  • Initial Author

  • Content Enhancer/Refiner

  • Aggregator

  • Transformer/Translator

References

data.information_source.references[]

One or more URLs.

Data marking#

Descriptive metadata for entity.

Field

EIQ JSON field

Description

TLP

meta.tlp_color

Set a TLP color for this entity.

Terms of use

data.handling[].marking_structures[]

Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType.

Simple

data.handling[].marking_structures[]

Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType.

Workflow#

Use options here to apply workflow options to this entity.

Field

Description

Add to dataset

Select this option to add this entity to one or more datasets on Publish.

Manually enrich

Run one or more enrichers on this entity on Publish.

Save and publish#

Tip

For more information, see Draft and published entities.

Select Publish to create this entity, and make it available under + Create > Production > Published.

For more publishing options, select More Drop-down menu arrow and then one of these options:

  • Publish and new: Publish this entity, and start creating a new entity.

  • Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.

Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.

For more options while saving as a draft, select More Drop-down menu arrow and then one of these options:

  • Publish and new: Save this entity as a draft, and start creating a new entity.

  • Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.