Examine the entity overview#

The default view in the entity detail pane is the Overview tab.

It is divided into stacked areas that structure the available information about the entity:

TLP#

The TLP color code the entity is flagged with.

Click the TLP button to override the current value with a new one.

Title#

The name of the entity, as shown also on the detail pane header section.

Confidence#

It indicates the estimated level of confidence in the accuracy and trustworthiness of the entity information.

Analysis#

A free-text input field for unstructured information such as additional context, references, links, and so on.

Tags#

Select one or more tags to flag the entity with.

Tags help you structure and categorize entities based on criteria like confidence and attack stage.

Tags improve findability, and they represent quick reference pointers to place entities in a broader cyber threat context.

You can select existing taxonomy tags from the drop-down list, as well as create tags on the fly by typing them in the input field.

You can manage tags and their parent-child relationships under Taxonomy.

  1. Click a tag to display an overview listing all entities sharing the same tag.

  2. To remove a tag from the input field, click the corresponding icon.

  3. To completely clear the Tags field, click the icon on the right-hand side of the field.

MITRE ATT&CK Classifications#

See MITRE ATT&CK.

Estimated time#

Start time#

Sets the estimated inception time of the threat activity, based on observations, reports and other intelligence.

If no start date is indicated, you can click the edit button for this field, select a start date, and save it.

End time#

If the threat is no longer active, this field sets the estimated end time of the threat activity, based on observations, reports and other intelligence.

If no end date is indicated, you can click the edit button for this field, select an end date, and save it.

Observed#

Defines the point in time when the entity was first observed or detected.

If no observation date is indicated, you can click the edit button for this field, select a date, and save it.

Half life#

Half life is a numeric value representing the amount of time required to decrease the initial threat intelligence value of a malicious entity by 50%.

In other words, it indicates how long it takes for a threat to cut its malicious potential by half.

This value affects relevancy.

Half life relevancy#

Relevancy is a numerical value based on the current time and the estimated start time of the threat. You can use it to sort and filter entities.

0% means low relevancy, and 100% means high relevancy.

Its value is 100% when the current time (now) falls between the threat start and end times. Otherwise, its value is 0.

If the estimated end time is not available, relevancy is calculated from the estimated start time and the half-life value.

This field or value is non-editable.
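The following Python example is added here to illustrate the relevancy rule described above; it is not the Intelligence Center's own code. It assumes the half-life is expressed in days, that a threat whose start time lies in the future scores 0, and that without an end time the value decays exponentially (halving once per half-life period), which is one reading of the 50% definition given for Half life. The sample entities are constructed.

```python
from datetime import datetime
from typing import Optional

# Added illustration, not the Intelligence Center's own implementation.
# Assumptions: half-life is in days; relevancy is 100% inside a known
# [start, end] window and 0% outside it; with no end time the value halves
# once per half-life period (exponential decay).
SECONDS_PER_DAY = 86400.0


def relevancy(now: datetime, start: datetime, end: Optional[datetime],
              half_life_days: float) -> float:
    """Return the relevancy of a threat as a percentage from 0.0 to 100.0."""
    if now < start:
        # Threat activity has not started yet (assumed to score 0).
        return 0.0
    if end is not None:
        # Known window: fully relevant while "now" lies inside it, else not at all.
        return 100.0 if now <= end else 0.0
    if half_life_days <= 0:
        raise ValueError("half-life must be a positive number of days")
    # No end time: decay from the start time using the half-life.
    elapsed_days = (now - start).total_seconds() / SECONDS_PER_DAY
    return 100.0 * 0.5 ** (elapsed_days / half_life_days)


# Constructed sample entities (not real intelligence data).
SAMPLE_ENTITIES = [
    {"name": "campaign-A", "start": datetime(2024, 1, 1),
     "end": datetime(2024, 2, 1), "half_life_days": 30},
    {"name": "indicator-B", "start": datetime(2024, 1, 1),
     "end": None, "half_life_days": 30},
    {"name": "indicator-C", "start": datetime(2024, 2, 15),
     "end": None, "half_life_days": 7},
]


def rank_entities(entities, now: datetime):
    """Score each entity and return (name, relevancy) pairs, most relevant first.

    This mirrors how the field is used in the UI: as a sort key for triage.
    """
    scored = [(e["name"], relevancy(now, e["start"], e["end"], e["half_life_days"]))
              for e in entities]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for when in (datetime(2024, 1, 31), datetime(2024, 3, 1)):
        print(f"as of {when.date()}:")
        for name, pct in rank_entities(SAMPLE_ENTITIES, when):
            print(f"  {name:12s} {pct:6.2f}%")
```

Running the block prints two rankings: on 31 January campaign-A is still inside its window (100%) and indicator-B has aged exactly one half-life (50%); by 1 March the campaign has ended (0%) while the open-ended indicators keep decaying rather than dropping to zero.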

Source#

Name: The data source of the entity. It can refer to a single source, for example a specific incoming feed, or to more sources grouped together.

You can group sources by intelligence type, for example IP addresses and domains, locations like countries and cities, forums, and so on; or by source type, for example incoming feeds vs. enrichers.

You can configure group sources under Settings > User management > Groups > ${group_name} > Overview > Allowed sources.

Type: Defines the source type, for example a feed or a group.

Reliability: A reliability flag serves as an indication to assess the level of accuracy and trustworthiness of the source the entity originates from.

Exposure#

Exposed: Exposed entities are ingested and processed. However, their intelligence value is not leveraged to drive follow-up actions.

For example, triggering a detection event in a malware detection application downstream in the system; or a prevention event such as creating a firewall rule; or a community event such as sending a notification message to inform other parties about the possible threat the entity represents.

Exposed entities hold intelligence value that is not consumed.

Detection: If the dot is gray, no follow-up action has been undertaken to respond to the possible threat described in the entity.

If the dot is green, the entity information is used to carry out a follow-up action.

It can be a detection follow-up — for example, it can trigger adjusting the settings of a malware detection application accordingly.

It can be a prevention follow-up — for example, it can instrument a third-party system to block a range of malicious IP addresses or domain names.

Or it can produce a community follow-up — for example, creating and publishing a report to notify other parties about the possible threat the entity represents.

Prevention: If the dot is gray, no follow-up action has been undertaken to respond to the possible threat described in the entity.

If the dot is green, the entity information is used to carry out a follow-up action.

It can be a detection follow-up — for example, it can trigger adjusting the settings of a malware detection application accordingly.

It can be a prevention follow-up — for example, it can instrument a third-party system to block a range of malicious IP addresses or domain names.

Or it can produce a community follow-up — for example, creating and publishing a report to notify other parties about the possible threat the entity represents.

Community: If the dot is gray, no follow-up action has been undertaken to respond to the possible threat described in the entity.

If the dot is green, the entity information is used to carry out a follow-up action.

It can be a detection follow-up — for example, it can trigger adjusting the settings of a malware detection application accordingly.

It can be a prevention follow-up — for example, it can instrument a third-party system to block a range of malicious IP addresses or domain names.

Or it can produce a community follow-up — for example, creating and publishing a report to notify other parties about the possible threat the entity represents.

Sighting: When an organization records a discrete instance of an observed indicator of compromise inside its own environment, for example an entry in a log file, the malicious item is sighted, and the organization's environment is compromised.

Outgoing feeds#

If one or more outgoing feeds are configured for the Intelligence Center, and if the selected entity is included in at least one of them, you can see here how you are relaying entity information.

Datasets#

If the entity belongs to one or more datasets, they are listed here.

Name: the name of the dataset.

Click it to go to the dataset overview, where you can view and interact with the dataset entities and observables.

Entities: the total number of entities in the dataset.

Workspaces#

If the entity belongs to one or more workspaces, they are listed here.

Name: the name of the workspace.

Click it to go to the workspace overview, where you can view and interact with the workspace contents.

Last changed: indicates the last time a user modified the workspace.

Collaborator: if you are a collaborator of a workspace in the list, the corresponding flag is Yes.

Destination#

Filter for listing only outgoing feeds.

Tasks#

Actionable user tasks associated with the entity are listed here.

You can create tasks and assign them to yourself or to other users to request follow-ups; for example, further investigation or a call to action.

Name: the name identifying the task.

Status: the workflow stage the task is in: Open, In progress, Done, or Canceled.

Assigned to: the designated Intelligence Center user who should carry out the task.

Due date: the deadline for the task to be completed.