Incident#

An incident records a specific occurrence of indicators of compromise or observables affecting your organization or your system. An incident includes context information about the event such as start and end times, affected assets and resources, impact and seriousness assessment, any known threat actors and targeted victims involved, TTPs, related indicators and observables, and so on.

Create an incident by selecting:

  • In the side navigation bar + Create > Incident.

Or:

  • (Requires Beta: Intelligence creation on the graph)

    In the top navigation bar of a graph, select + and then Incident to create a draft entity.

  • Double-click to open the newly created draft entity to edit it.

Then, Configure this entity.

Configure#

The following sections describe the fields and options available.

Note

Required fields are marked with an asterisk (*).

General#

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Title* | data.title | Descriptive title for this entity. See Titles and aliases. |
| Analysis | data.description | Long description. |
| Status | data.status | Status of the incident. Analogous to IncidentStatusVocab-1.0. Possible options: New, Open, Stalled, Containment Achieved, Restoration Achieved, Incident Reported, Closed, Rejected, Deleted. |
| Categories* | data.categories[] | Category of the incident. Analogous to IncidentCategoryVocab-1.0. Possible values: Exercise/Network Defense Testing, Unauthorized Access, Denial of Service, Malicious Code, Improper Usage, Scans/Probes/Attempted Access, Investigation. |
| Confidence | data.confidence | Confidence in the accuracy and trustworthiness of the information contained in this entity. Analogous to ConfidenceType. Possible values (see Enumerated values): High, Medium, Low. |
| Intended effects* | data.intended_effects | See Intended effects. |
| Security compromise | data.security_compromise | Describes the security compromise involved in this incident. Analogous to SecurityCompromiseVocab-1.0. Possible values: Yes, Suspected, No, Unknown. |
| Discovery methods* | data.discovery_methods[] | Describes how the incident was discovered. Analogous to DiscoveryMethodVocab-2.0. |
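The General fields above map one-to-one onto keys in the entity's EIQ JSON `data` block, and several of them are restricted to a fixed vocabulary. The following Python builder is an added example, not EclecticIQ's own code: it assembles the `data` block and checks the Status, Categories, Confidence and Security compromise values against the vocabularies listed in the table before anything is sent, so a near-miss such as "Opened" is caught client-side. The Intended effects and Discovery methods vocabularies are documented elsewhere and are not validated here; the sample values passed for them, and the product's own error behaviour on invalid input, are assumptions.

```python
"""Client-side builder for the `data` block of an EclecticIQ incident entity.

Added example, not EclecticIQ's own code. Vocabularies are taken from the
General table on this page; Intended effects and Discovery methods are only
checked for presence (their vocabularies are documented elsewhere).
"""
from __future__ import annotations

from typing import Iterable

# Vocabularies exactly as listed in the General table.
INCIDENT_STATUS = {
    "New", "Open", "Stalled", "Containment Achieved", "Restoration Achieved",
    "Incident Reported", "Closed", "Rejected", "Deleted",
}
INCIDENT_CATEGORIES = {
    "Exercise/Network Defense Testing", "Unauthorized Access", "Denial of Service",
    "Malicious Code", "Improper Usage", "Scans/Probes/Attempted Access", "Investigation",
}
CONFIDENCE = {"High", "Medium", "Low"}
SECURITY_COMPROMISE = {"Yes", "Suspected", "No", "Unknown"}


class IncidentValidationError(ValueError):
    """Raised with every problem found, joined into one message."""


def validate_incident_fields(
    title: str,
    categories: Iterable[str],
    intended_effects: Iterable[str],
    discovery_methods: Iterable[str],
    status: str | None = None,
    confidence: str | None = None,
    security_compromise: str | None = None,
) -> list[str]:
    """Return the list of problems found (empty when the input is acceptable)."""
    problems: list[str] = []
    if not title or not title.strip():
        problems.append("title is required")
    cats = list(categories)
    if not cats:
        problems.append("at least one category is required")
    for cat in cats:
        if cat not in INCIDENT_CATEGORIES:
            problems.append(f"unknown category {cat!r}")
    if not list(intended_effects):
        problems.append("at least one intended effect is required")
    if not list(discovery_methods):
        problems.append("at least one discovery method is required")
    if status is not None and status not in INCIDENT_STATUS:
        problems.append(f"unknown status {status!r}")
    if confidence is not None and confidence not in CONFIDENCE:
        problems.append(f"unknown confidence {confidence!r}")
    if security_compromise is not None and security_compromise not in SECURITY_COMPROMISE:
        problems.append(f"unknown security_compromise {security_compromise!r}")
    return problems


def build_incident_data(
    title: str,
    categories: Iterable[str],
    intended_effects: Iterable[str],
    discovery_methods: Iterable[str],
    description: str | None = None,
    status: str | None = None,
    confidence: str | None = None,
    security_compromise: str | None = None,
) -> dict:
    """Build the `data` dict; raise IncidentValidationError if anything is off."""
    # Materialise iterables once so generators are not consumed twice.
    categories, intended_effects, discovery_methods = (
        list(categories), list(intended_effects), list(discovery_methods))
    problems = validate_incident_fields(
        title, categories, intended_effects, discovery_methods,
        status, confidence, security_compromise)
    if problems:
        raise IncidentValidationError("; ".join(problems))
    data = {
        "title": title.strip(),
        "categories": categories,
        # The page lists data.intended_effects without []; a list is assumed here.
        "intended_effects": intended_effects,
        "discovery_methods": discovery_methods,
    }
    # Optional fields are emitted only when set, so the JSON stays minimal.
    for key, value in (("description", description), ("status", status),
                       ("confidence", confidence),
                       ("security_compromise", security_compromise)):
        if value is not None:
            data[key] = value
    return data


if __name__ == "__main__":
    import json
    # Constructed sample; the intended effect and discovery method values are
    # illustrative assumptions and are not validated against their vocabularies.
    sample = build_incident_data(
        title="Constructed: credential misuse on VPN gateway",
        categories=["Unauthorized Access"],
        intended_effects=["Unauthorized Access"],
        discovery_methods=["Log Review"],
        status="Open",
        confidence="Medium",
        security_compromise="Suspected",
    )
    print(json.dumps({"data": sample}, indent=2))
```

Validation is split from construction so a form front-end can show all problems at once instead of failing on the first one; `build_incident_data` only emits optional keys that were actually set, which keeps the resulting JSON identical to what the Intelligence Center form would produce for untouched fields.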

Characteristics#

Characteristics are properties on an entity that provide context for the intelligence indicated by this object.

The following characteristics are available for this entity:

Characteristics: Time coordinates#

Add various date and time properties to this entity. Analogous to TimeType.

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| First malicious action | data.time_first_malicious_action | Date and time malicious action was first detected. |
| Time first malicious action precision | data.time_first_malicious_action_precision | See Date and time precision. |
| Initial compromise | data.time_initial_compromise | Date and time initial compromise was detected. |
| Time initial compromise precision | data.time_initial_compromise_precision | See Date and time precision. |
| First data exfiltration | data.time_first_data_exfiltration | Date and time data exfiltration was first detected. |
| Time first data exfiltration precision | data.time_first_data_exfiltration_precision | See Date and time precision. |
| Incident discovery | data.time_incident_discovery | Date and time this incident was discovered. |
| Time incident discovery precision | data.time_incident_discovery_precision | See Date and time precision. |
| Incident opened | data.time_incident_opened | Date and time this incident was first opened. |
| Time incident opened precision | data.time_incident_opened_precision | See Date and time precision. |
| Containment achieved | data.time_containment_achieved | Date and time the incident was contained. |
| Time containment achieved precision | data.time_containment_achieved_precision | See Date and time precision. |
| Restoration achieved | data.time_restoration_achieved | Date and time assets affected by the incident were restored. |
| Time restoration achieved precision | data.time_restoration_achieved_precision | See Date and time precision. |
| Incident reported | data.time_incident_reported | Date and time the incident was reported. |
| Time incident reported precision | data.time_incident_reported_precision | See Date and time precision. |
| Incident closed | data.time_incident_closed | Date and time this incident was closed. |
| Time incident closed precision | data.time_incident_closed_precision | See Date and time precision. |
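The time coordinates above are what an incident response team reports on: dwell time (initial compromise to discovery), time to contain and time to restore. The following Python snippet is an added example, not EclecticIQ's own code. It reads the `data.time_*` fields from an incident's EIQ JSON (the `*_precision` fields are ignored), computes those three metrics in hours, and flags lifecycle fields that are out of order. The expected ordering (compromise, discovery, opened, containment, restoration, closed) is an assumed sanity check, not a rule the product states, and the timestamps are constructed sample data.

```python
"""Response metrics from an incident's data.time_* fields.

Added example, not EclecticIQ's own code. The lifecycle ordering below is an
assumption used only to flag suspicious timelines.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Expected chronological order of the lifecycle fields (assumption).
LIFECYCLE_ORDER = [
    "time_initial_compromise",
    "time_incident_discovery",
    "time_incident_opened",
    "time_containment_achieved",
    "time_restoration_achieved",
    "time_incident_closed",
]

# Constructed sample `data` block; only the time fields matter here.
SAMPLE_INCIDENT_DATA = {
    "title": "Constructed: credential misuse on VPN gateway",
    "time_initial_compromise": "2024-03-01T08:00:00Z",
    "time_incident_discovery": "2024-03-04T20:00:00Z",
    "time_incident_opened": "2024-03-04T20:30:00Z",
    "time_containment_achieved": "2024-03-05T02:00:00Z",
    "time_restoration_achieved": "2024-03-06T02:00:00Z",
    "time_incident_closed": "2024-03-10T09:00:00Z",
}


def parse_time(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' is accepted and naive values are taken as UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def _hours_between(data: dict, start_key: str, end_key: str) -> float | None:
    """Hours from start_key to end_key, or None when either field is absent."""
    if start_key not in data or end_key not in data:
        return None
    delta = parse_time(data[end_key]) - parse_time(data[start_key])
    return round(delta.total_seconds() / 3600, 2)


def incident_timeline_metrics(data: dict) -> dict:
    """Compute dwell time, time to contain, time to restore, and ordering problems."""
    metrics = {
        "dwell_time_hours": _hours_between(data, "time_initial_compromise", "time_incident_discovery"),
        "time_to_contain_hours": _hours_between(data, "time_incident_discovery", "time_containment_achieved"),
        "time_to_restore_hours": _hours_between(data, "time_containment_achieved", "time_restoration_achieved"),
        "ordering_problems": [],
    }
    # Compare each present lifecycle field with the next present one.
    present = [(key, parse_time(data[key])) for key in LIFECYCLE_ORDER if key in data]
    for (earlier_key, earlier), (later_key, later) in zip(present, present[1:]):
        if later < earlier:
            metrics["ordering_problems"].append(f"{later_key} precedes {earlier_key}")
    return metrics


if __name__ == "__main__":
    for name, value in incident_timeline_metrics(SAMPLE_INCIDENT_DATA).items():
        print(f"{name}: {value}")
```

Missing fields yield `None` rather than an exception, because an open incident legitimately has no containment or closure time yet; a negative duration or an entry in `ordering_problems` usually means a timestamp was entered in the wrong field.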

Characteristics: Reporter#

Add a reporter. Analogous to InformationSourceType.

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Name* | data.reporter.identity.name | Name of this information source. Also creates a name observable when this entity is published. |
| Specification | data.reporter.identity.specification_xml | See Identity specification. |
| Roles* | data.reporter.roles[] | Role of this information source. Analogous to InformationSourceRoleVocab-1.0. Possible values: Initial Author, Content Enhancer/Refiner, Aggregator, Transformer/Translator. |
| Description | data.reporter.description | Description of this information source. |

Characteristics: Coordinator#

Add one or more coordinators. Analogous to InformationSourceType.

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Name* | data.coordinators[].identity.name | Name of this information source. Also creates a name observable when this entity is published. |
| Specification | data.coordinators[].identity.specification_xml | See Identity specification. |
| Roles* | data.coordinators[].roles[] | Role of this information source. Analogous to InformationSourceRoleVocab-1.0. Possible values: Initial Author, Content Enhancer/Refiner, Aggregator, Transformer/Translator. |
| Description | data.coordinators[].description | Description of this information source. |

Characteristics: Responder#

Add one or more responders. Analogous to InformationSourceType.

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Name* | data.responders[].identity.name | Name of this information source. Also creates a name observable when this entity is published. |
| Specification | data.responders[].identity.specification_xml | See Identity specification. |
| Roles* | data.responders[].roles[] | Role of this information source. Analogous to InformationSourceRoleVocab-1.0. Possible values: Initial Author, Content Enhancer/Refiner, Aggregator, Transformer/Translator. |
| Description | data.responders[].description | Description of this information source. |

Characteristics: Contact#

Add one or more contacts. Analogous to InformationSourceType.

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Name* | data.contacts[].identity.name | Name of this information source. Also creates a name observable when this entity is published. |
| Specification | data.contacts[].identity.specification_xml | See Identity specification. |
| Roles* | data.contacts[].roles[] | Role of this information source. Analogous to InformationSourceRoleVocab-1.0. Possible values: Initial Author, Content Enhancer/Refiner, Aggregator, Transformer/Translator. |
| Description | data.contacts[].description | Description of this information source. |

Characteristics: Affected asset#

Add one or more affected assets to this incident. Analogous to AffectedAssetType.

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Description* | data.affected_assets[].description | Description of this affected asset. |
| Asset type* | data.affected_assets[].identity.specification_xml | See Identity specification. |
| Ownership class* | data.affected_assets[].identity.specification_xml | Analogous to OwnershipClassVocab-1.0. |
| Management class* | data.affected_assets[].identity.specification_xml | Analogous to ManagementClassVocab-1.0. |
| Location class* | data.affected_assets[].identity.specification_xml | Analogous to LocationClassVocab-1.0. |
| Business function or role | data.affected_assets[].business_function_or_role | Describes the business function or role of this affected asset. |
| Properties affected | data.affected_assets[].nature_of_security_effect_properties_affected[] | See Affected assets: Properties affected. |

Affected assets: Properties affected#

Add one or more properties affected. Analogous to PropertyAffectedType.

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Property | data.affected_assets[].nature_of_security_effect_properties_affected[].property | Analogous to LossPropertyVocab-1.0. |
| Type of availability loss | data.affected_assets[].nature_of_security_effect_properties_affected[].type_of_availability_loss | Analogous to AvailabilityLossTypeVocab-1.1.1. |
| Duration of availability loss | data.affected_assets[].nature_of_security_effect_properties_affected[].duration_of_availability_loss | Analogous to LossDurationVocab-1.0. |
| Non public data compromised | data.affected_assets[].nature_of_security_effect_properties_affected[].non_public_data_compromised | Analogous to SecurityCompromiseVocab-1.0. |
| Description of effect | data.affected_assets[].nature_of_security_effect_properties_affected[].description_of_effect | Description of how this property was affected. |

Characteristics: Impact#

Add impact details to this incident. Analogous to ImpactAssessmentType.

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Effects | data.impact_assessment.effects[] | Select one or more effects for this incident. Analogous to EffectsType. Uses Intended effects. |

Set the following additional properties:

Impact: Direct impact summary#

Analogous to DirectImpactSummaryType.

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Asset losses | data.impact_assessment.direct_impact_summary_asset_losses | Analogous to ImpactRatingVocab-1.0. |
| Business mission disruption | data.impact_assessment.direct_impact_summary_business_mission_disruption | Analogous to ImpactRatingVocab-1.0. |
| Response and recovery costs | data.impact_assessment.direct_impact_summary_response_and_recovery_costs | Analogous to ImpactRatingVocab-1.0. |

Impact: Indirect impact summary#

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Loss of competitive advantage | data.impact_assessment.indirect_impact_summary_loss_of_competitive_advantage | Analogous to SecurityCompromiseVocab-1.0. |
| Brand and market damage | data.impact_assessment.indirect_impact_summary_brand_and_market_damage | Analogous to SecurityCompromiseVocab-1.0. |
| Increased operating costs | data.impact_assessment.indirect_impact_summary_increased_operating_costs | Analogous to SecurityCompromiseVocab-1.0. |
| Legal and regulatory costs | data.impact_assessment.indirect_impact_summary_legal_and_regulatory_costs | Analogous to SecurityCompromiseVocab-1.0. |
| Impact qualification | data.impact_assessment.impact_qualification | Analogous to ImpactQualificationVocab-1.0. |

Impact: Total loss estimation#

Initial reported

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Amount | data.impact_assessment.total_loss_estimation_initial_reported_amount | Initially reported total loss estimation. |
| Currency | data.impact_assessment.total_loss_estimation_initial_reported_iso_currency_code | Currency used for the initially reported total loss estimation. |

Actual

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Amount | data.impact_assessment.total_loss_estimation_actual_amount | Actual total loss estimation. |
| Currency | data.impact_assessment.total_loss_estimation_actual_iso_currency_code | Currency used for the actual total loss estimation. |

Characteristics: Victim#

Add one or more victims of this incident. Analogous to InformationSourceType.

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Name* | data.victims[].identity.name | Name of this information source. Also creates a name observable when this entity is published. |
| Specification | data.victims[].identity.specification_xml | See Identity specification. |

Observables#

You can create one or more new observables and link them to the currently open entity by selecting + Observable under the Observables section.

Note

If an observable you create here matches an observable rule with an ignore action, it does not appear when you publish the entity.

In the Add observable view that appears, fill out these fields:

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Type* | extracts[].kind | See Observable types. |
| Link name* | | See Observable link names. |
| Value(s)* | extracts[].value | Enter one or more values. One observable is created per value. Values must be comma-separated or newline-separated, but not both. |
| Maliciousness* | | See Observable maliciousness. |
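The Value(s) field accepts a list in one of two shapes, and mixing them is an error that is easy to hit when pasting from a spreadsheet. The following Python helper is an added example, not EclecticIQ's own code: it applies the rule from the table above (comma-separated or newline-separated, never both), drops blank entries and duplicates, and produces one `extracts[]` entry per value with the `kind` and `value` keys the page documents. The observable kind `"ipv4"` and the sample values are constructed for illustration; the JSON paths for Link name and Maliciousness are not given on this page, so they are not emitted.

```python
"""Turn the Value(s) field of the Add observable dialog into extracts[] entries.

Added example, not EclecticIQ's own code. Only the documented keys
extracts[].kind and extracts[].value are produced.
"""
from __future__ import annotations


class MixedSeparatorsError(ValueError):
    """Raised when the input mixes commas and newlines."""


def split_observable_values(raw: str) -> list[str]:
    """Split a Value(s) field into individual values.

    Order is preserved; surrounding whitespace, blank entries and exact
    duplicates are dropped, matching the one-observable-per-value behaviour.
    """
    raw = raw.strip()  # a trailing newline after a comma list is not "both"
    has_comma = "," in raw
    has_newline = "\n" in raw
    if has_comma and has_newline:
        raise MixedSeparatorsError(
            "values must be comma-separated or newline-separated, not both")
    parts = raw.split(",") if has_comma else raw.splitlines()
    seen: set[str] = set()
    values: list[str] = []
    for part in parts:
        value = part.strip()
        if value and value not in seen:
            seen.add(value)
            values.append(value)
    return values


def build_extracts(kind: str, raw_values: str) -> list[dict]:
    """One extracts[] entry per value, as the dialog creates one observable per value."""
    return [{"kind": kind, "value": value} for value in split_observable_values(raw_values)]


if __name__ == "__main__":
    # Constructed sample input: the kind is assumed, the addresses are private-range placeholders.
    print(build_extracts("ipv4", "10.0.0.1, 10.0.0.2,10.0.0.1"))
    try:
        build_extracts("ipv4", "10.0.0.1,10.0.0.2\n10.0.0.3")
    except MixedSeparatorsError as exc:
        print("rejected:", exc)
```

Rejecting mixed separators outright, rather than guessing, mirrors the dialog's rule and avoids silently creating an observable whose value still contains a stray comma.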

Relations#

Add relationships to this entity by selecting + Relationship.

  1. From the drop-down menu select the option corresponding to the relationship you want to create:

    • Related indicators

    • Leveraged TTPs

    • Attributed threat actors

    • Related incidents

    • Courses of action requested

    • Courses of action taken

    • Campaign → Related incidents

    • Course of action → Related incidents

    • Report → Incidents

    • Sighting → Incident

  2. After selecting an option, the Search an entity dialog appears. Select one or more entities to relate to the current entity.

    Note

    You can narrow down the displayed entities by entering a search query, or by using the Filter button.

  3. Select the Select button to add the selected entities as relations.

Once a relationship is added to this entity, you can:

  • Assign MITRE ATT&CK IDs by selecting + under the MITRE ATT&CK IDs column.

  • Set a Relationship type

    • Enter a custom relationship type by typing in the empty field and pressing ENTER to save.

    • Select one of these options:

      • Indicates malware

      • Is associated campaign to

      • I don’t know

      • Could be anything

Meta#

The Meta section contains configuration options that allow you to attach descriptive data to the entity.

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Estimated threat start time | meta.estimated_threat_start_time | Estimated start of threat. See Time values. |
| Estimated threat end time | meta.estimated_threat_end_time | Estimated end of threat. See Time values. |
| Estimated observed time | meta.estimated_observed_time | Estimated time threat was observed. See Time values. |
| Half-life | meta.half_life | See Half-life. Select one of these options: Use default value (half-life for this entity is set to 720 days), or Override value (set a custom value for half-life, in number of days). |
| Tags | meta.tags[] and meta.taxonomy_paths[] | See Tags and taxonomies. |
| Source* | sources[] | Select one source. |
| Source reliability | meta.source_reliability | See Source reliability. Options: Inherit from source (this entity inherits source reliability from Source), or Custom override (set a source reliability value for just this entity). |

Information source#

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| Description | data.information_source.description | Description of the information source. |
| Identity | data.information_source.identity | Name of this information source. |
| Roles | data.information_source.roles[] | One or more information source roles. Possible values: Initial Author, Content Enhancer/Refiner, Aggregator, Transformer/Translator. |
| References | data.information_source.references[] | One or more URLs. |

Data marking#

Descriptive metadata for entity.

| Field | EIQ JSON field | Description |
| --- | --- | --- |
| TLP | meta.tlp_color | Set a TLP color for this entity. |
| Terms of use | data.handling[].marking_structures[] | Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType. |
| Simple | data.handling[].marking_structures[] | Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType. |

Workflow#

Use options here to apply workflow options to this entity.

| Field | Description |
| --- | --- |
| Add to dataset | Select this option to add this entity to one or more datasets on Publish. |
| Manually enrich | Run one or more enrichers on this entity on Publish. |

Save and publish#

Tip

For more information, see Draft and published entities.

Select Publish to create this entity, and make it available under + Create > Production > Published.

For more publishing options, select the More drop-down menu and then one of these options:

  • Publish and new: Publish this entity, and start creating a new entity.

  • Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.

Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.

For more options while saving as a draft, select the More drop-down menu and then one of these options:

  • Publish and new: Save this entity as a draft, and start creating a new entity.

  • Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.

Appendix#

Identity specification#

Add one or more items to Specification to flesh out the identity being described. Content here is used to construct the XML content in the specification_xml field in EIQ JSON. Analogous to STIXCIQIdentity3.0Type as used in IdentityType / CIQIdentity3.0InstanceType / CIQ 3.0 Specifications.

Field

Description

Account

Describes a bank account or similar.

Available fields:

  • Account type*: Set an account type. Free text field.

  • Account status*: Set an account status. Free text field.

  • Account specification: Add one or more account specifications.

    For each account specification, set these fields:

    • Type*: One of the following options:

      • Account ID

      • Issuing authority

      • Account type

      • Account branch

      • Issuing country name

    • Value*: Set a value for this account specification.

Person

Add one or more properties describing a person.

  • Type*: Select one of these options:

    • Preceding title

    • Title

    • First name

    • Middle name

    • Last name

    • Other name

    • Alias name

    • Generation identifier

    • Degree

  • Value*: Enter a value for this Type.

Organization

Add one or more properties describing an organization.

  • Type*: Select one of these options:

    • Name only

    • Type only (for example, “Inc”)

    • Full name

  • Value*: Enter a value for this Type.

Electronic address

Add one or more electronic addresses for this targeted victim.

  • Type*: Select an electronic address type.

  • Value*: Enter the full electronic address.

Each item added to the Specification section creates an observable with the corresponding type:

| Specification field | Resulting observable type(s) |
| --- | --- |
| Account | bank-account |
| Person | person |
| Organization | organization |
| Electronic address | email, domain, handle |