Indicator#

Indicators:

  • are fingerprints that potentially malicious actors leave behind in a targeted system or environment.

    They act as red flags to point out anomalous or unusual activity or behavior.

  • help identify specific observable patterns

  • build context for investigations

Create an indicator by selecting:

  • In the side navigation bar + Create > Indicator.

Or:

  • (Requires Beta: Intelligence creation on the graph)

    In the top navigation bar of a graph, select + and then Indicator to create a draft entity.

  • Double-click to open the newly created draft entity to edit it.

Then, Configure this indicator.

Configure#

The following sections the fields and options available.

Note

Required fields are marked with an asterisk (*).

General#

Field

EIQ JSON field

Description

Title*

data.title

Descriptive title for this entity. See Titles and aliases.

Analysis

data.description

Long description of indicator. Use this to contain unstructured information about this indicator.

Types*

data.types

See Indicator subtypes

Confidence

data.confidence

Confidence in the accuracy and trustworthiness of the information contained by this entity. Analogous to ConfidenceType.

Possible values from Enumerated values: High Medium low.

Likely Impact

data.likely_impact

Describes the severity of the likely impact this indicator has in a given context.

Possible values from Enumerated values: High Medium low.

Characteristics#

Characteristics are properties on an entity that provide context for the intelligence indicated by this object.

The following are characteristics available for indicators:

Characteristics: Time window#

The Time window characteristic allows you to specify a start time and end time for the indicated threat. Analogous to ValidTimeType.

You can specify more than one time window.

Tip

This may overlap with estimated threat start time and estimated threat end time properties for an indicator, which are used for calculating the half-life of an entity.

You may want to use estimated threat time properties instead.

These fields are available:

Field

EIQ JSON field

Description

Time window

data.valid_time_positions[]

Each time window characteristic on an indicator is an item in the data.valid_time_positions list. E.g.:

"valid_time_positions": [
  {
    "end": "2023-03-02T00:00:00+00:00",
    "end_precision": "second",
    "start": "2023-03-01T00:00:00+00:00",
    "start_precision": "year",
    "type": "valid-time"
  }
]

Start time

data.valid_time_positions.start

Start of time window.

Start precision

data.valid_time_positions.start_precision

Date and time precision of start of time window.

End time

data.valid_time_positions.end

End of time window.

End precision

data.valid_time_positions.end_precision

Date and time precision of end of time window.

Characteristics: Sighting#

Use the sighting characteristic to indicate that this indicator entity has been sighted as least once.

You can only add one sighting characteristic per indicator entity.

Field

EIQ JSON field

Description

Sighted

data.sightings_count

Adds 1 to sightings_count.

Characteristics: Test mechanism#

Test mechanisms allow you to embed detection rules and other detection mechanisms into an indicator, which in turn can be sent out for use in a separate an intrusion detection system or similar. Analogous to TestMechanismType.

Test mechanisms are set in the entity’s data.test_mechanisms[] field.

To start setting up a test mechanism, first select one of the following Type values:

Field

EIQ JSON field

Description

Type*

Various. See individual sections.

Available options:

Then, fill out the fields as described their respective sections below.

Test mechanisms: Snort#

Snort test mechanisms allow you to attach Snort rules to indicator entities. Analogous to SnortTestMechanismType.

These fields are available:

Field

EIQ JSON field

Description

Efficacy*

data.test_mechanisms[].efficacy

Describes how effective this test mechanism is at detecting threats. Possible values from Enumerated values: High Medium low.

Product name

data.test_mechanisms[].product_name

Name of product Snort detection rules are used with. Specify a CPE name, if available.

Version

data.test_mechanisms[].version

Version of product specified in Product name.

Signature (rule)*

data.test_mechanisms[].rules[]

One or more Snort rules.

Event filters

data.test_mechanisms[].event_filters[]

One or more event filters. See Snort Manual: Event Filtering.

Select +More to add event filters.

Rate filters

data.test_mechanisms[].rate_filters[]

One or more rate filters. See Snort Manual: Rate Filtering.

Select +More to add rate filters.

Event suppressions

data.test_mechanisms[].event_suppressions[]

One or more event suppressions. See Snort Manual: Event Suppression.

Producer

data.test_mechanisms[].producer

See Test mechanism: Producer.
Test mechanisms: YARA#

YARA test mechanisms. Analogous to YaraTestMechanismType.

These fields are available:

Field

EIQ JSON field

Description

Efficacy*

data.test_mechanisms[].efficacy

Describes how effective this test mechanism is at detecting threats. Possible values from Enumerated values: High Medium low.

Signature (rule)*

data.test_mechanisms[].rules[]

One or more Snort rules.

Producer

data.test_mechanisms[].producer

See Test mechanism: Producer.
Test mechanisms: Generic#

Generic test mechanisms. Analogous to GenericTestMechanismType)

These fields are available:

Field

EIQ JSON field

Description

Efficacy*

data.test_mechanisms[].efficacy

Describes how effective this test mechanism is at detecting threats. Possible values from Enumerated values: High Medium low.

Description

data.test_mechanisms[].description

Text description for this test mechanism.

Subtype*

data.test_mechanisms[].generic_test_mechsnism_type

Select one of the following sub-types:

Specification

data.test_mechanisms[].specification.value

A detection mechanism written for the selected Subtype.

Producer

data.test_mechanisms[].producer

See Test mechanism: Producer.

Observables#

You can create one or more new observables and link it to the currently open entity by selecting + Observable under the Observables section.

Note

If an observable you create here matches an observable rule with an ignore action, it does not appear when the you publish the entity.

In the Add observable view that appears, fill out these fields:

Field

EIQ JSON field

Description

Type*

extracts[].kind

See Observable types

Link name*

See Observable link names

See Observable link names

Values(s)*

extracts[].value

Enter one or more values. One observable is created per value.

Values must be comma-separated, or newline-separated, but not both.

Maliciousness*

See Observable maliciousness

See Observable maliciousness

Relations#

Add relationships to this entity by selecting + Relationship.

  1. From the drop-down menu, select the option corresponding to the relationship you want to create:

    • Indicated TTPs

    • Suggested courses of action

    • Related indicators

    • Related campaigns

    • Incident Right arrow Related indicators

    • Report Right arrow Indicators

    • Sighting Right arrow Indicator

  2. After selecting an option, the Search an entity dialog appears. Select one or more entities to relate to the current entity.

    Note

    You can narrow down the displayed entities by entering a search query, or by using the filter Filter.

  3. Select Select to add the selected entities as relations.

Once a relationship is added to this entity, you can:

  • Assign MITRE ATT&CK IDs by selecting + under the MITRE ATT&CK IDs column.

  • Set a Relationship type

    • Enter a custom relationship type by typing in the empty field and pressing ENTER to save.

    • Select one of these options:

      • Indicates malware

      • Is associated campaign to

      • I don’t know

      • Could be anything

Meta#

The Meta section contains configuration options that allow you to attach descriptive data to the entity.

Field

EIQ JSON field

Description

Estimated threat start time

meta.estimated_threat_start_time

Estimated start of threat. See Time values.

Estimated threat end time

meta.estimated_threat_end_time

Estimated end of threat. See Time values.

Estimated observed time

meta.estimated_observed_time

Estimated time threat was observed. See Time values.

Half-life

meta.half_life

See Half-life.

Select one of these options:

  • Use default value: When selected, half-life for this entity is set to 720 days.

  • Override value: Set a custom value for half-life, in number of days.

Tags

meta.tags[] and meta.taxonomy_paths[]

See tags and taxonomies.

Source*

sources[]

Select one source.

Source reliability

meta.source_reliability

See source reliability.

Options:

  • Inherit from source: This entity inherits source reliability from Source.

  • Custom override: Set a source reliability value for just this entity.

Producer#

Field

EIQ JSON field

Description

Description

data.producer.description

Description of producer.

Identity

data.producer.identity

Name of this producer

Roles

data.producer.roles[]

One or more producer roles. Possible values:

  • Initial Author

  • Content Enhancer/Refiner

  • Aggregator

  • Transformer/Translator

References

data.producer.references[]

One or more URLs.

Data marking#

Descriptive metadata for entity.

Field

EIQ JSON field

Description

TLP

meta.tlp_color

Set a TLP color for this entity.

Terms of use

data.handling[].marking_structures[]

Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType.

Simple

data.handling[].marking_structures[]

Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType.

Workflow#

Use options here to apply workflow options to this entity.

Field

Description

Add to dataset

Select this option to add this entity to one or more datasets on Publish.

Manually enrich

Run one or more enrichers on this entity on Publish.

Save and publish#

Tip

For more information, see Draft and published entities.

Select Publish to create this entity, and make it available under + Create > Production > Published.

For more publishing options, select More Drop-down menu arrow and then one of these options:

  • Publish and new: Publish this entity, and start creating a new entity.

  • Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.

Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.

For more options while saving as a draft, select More Drop-down menu arrow and then one of these options:

  • Publish and new: Save this entity as a draft, and start creating a new entity.

  • Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.

Appendix#

Indicator subtypes#

The Types field is used to set a subtype for an indicator entity.

Note

This is different from the entity type (i.e. “indicator”), which is set in the entity’s data.type field instead.

This subtype is analogous to IndicatorTypeVocab-1.1 types. Possible values:

  • Malicious E-mail

  • IP Watchlist

  • File Hash Watchlist

  • Domain Watchlist

  • URL Watchlist

  • Malware Artifacts

  • C2

  • Anonymization

  • Exfiltration

  • Host Characteristics

  • Compromised PKI Certificate

  • Login Name

  • IMEI Watchlist

  • IMSI Watchlist

Test mechanism: Producer#

Test mechanisms have a separate Producer component:

Identity

Field

EIQ JSON field

Description

Name

data.test_mechanisms[].producer.identity.name

Name of test mechanism producer.

Time

Field

EIQ JSON field

Description

Start

data.test_mechanisms[].producer.time_start

Start of validity for test mechanism.

Start Precision

data.test_mechanisms[].producer.time_start_precision

Date and time precision of start time.

End

data.test_mechanisms[].producer.time_end

End of validity for test mechanism.

End Precision

data.test_mechanisms[].producer.time_end_precision

Date and time precision of end time.

Received

data.test_mechanisms[].producer.time_received

Date and time when test mechanism was received.

Received Precision

data.test_mechanisms[].producer.time_received_precision

Date and time precision of received time.

References

Field

EIQ JSON field

Description

Reference back URL

data.test_mechanisms[].producer.references[]

One or more URLs.