Content criteria tool

You can create entity rules that conditionally match entities using content criteria.

To get started with content criteria for entity rules:

  1. Create or edit an entity rule.

  2. In the Criteria selection section, select + Criteria.

  3. From the drop-down menu, select Content criteria.

This brings up the complex content criteria tool.

Complex content criteria tool

The complex content criteria tool allows you to add conditional content-based matches to your entity rules.

The Content criteria must evaluate to “true” to generate a match for the entity rule.

  • You can only have one Content criteria per entity rule.

  • Conditions are evaluated as “true” or “false”.

  • Groups are AND or OR groups of conditions.

    • AND groups must have all conditions for the group to evaluate to “true”.

    • OR groups just need one condition to be “true” for the group to evaluate to “true”.

The tool has the following fields (field name: description):

  • Path*: JSON path for an entity’s field to evaluate.

    Note

    Known issue: In 2.13.0 and earlier, predefined items in this drop-down list may not work. Instead, manually enter JSON paths for your content criteria.

  • MATCHES/DOESN’T MATCH:

    • MATCHES: Condition evaluates to true if an entity has a Path whose value is equal to Value.

    • DOESN’T MATCH: Condition evaluates to true if an entity has a Path whose value is not equal to Value.

  • Value*: Enter a value to evaluate.

  • Groups of conditions.

JSON paths in content criteria

You can specify entity attributes in a simplified JSON path syntax. When typing JSON paths manually here:

  • Omit data when accessing members of the data field. For example, to access the data.title field, enter only title.

  • To access all other fields, use raw, followed by the path to the field. For example, to access the tlp_color field in an entity, enter: raw.meta.tlp_color

  • Omit [] characters when manually entering paths.

You can also select one or more of the following predefined paths:

Pre-defined path                        JSON path                                                          Entity type
Information source, Identity            information_source.identity.name                                   All
Information source, References          information_source.references[]                                    All
Title                                   title                                                              All
Affected assets, Properties affected    affected_assets[].nature_of_security_effect_properties_affected    Incident
Observables                             observable                                                         Indicator
Sightings                               sightings                                                          Indicator
Raw events                              raw_events                                                         Sightings
Security control, Identity              security_control.identity.name                                     Sightings
Security control, References            security_control.references[]                                      Sightings
Resources, Infrastructure               resources.infrastructure.type                                      TTP
Resources, Persona                      resources.persona                                                  TTP

Tip

Examples using raw:

raw. prefix          Custom root field    Targeted entity data
raw.tags             tags                 Enables accessing entity tag field values through searching, filtering, and rules.
raw.extracts.kind    extracts.kind        Enables accessing observable type field values through searching, filtering, and rules.

Tip

You can select one or more predefined JSON paths from the available options, or you can enter custom, user-defined JSON paths by typing them in the input field.

  • If you manually type user-defined JSON paths, they must be valid JSON paths pointing to existing fields in the entity JSON structure.

  • If you enter invalid JSON paths or valid JSON paths pointing to non-existing fields, they are silently ignored.

Tip

To examine the JSON data structure of an entity:

  • Open the entity detail pane and click the JSON tab.

Alternatively:

  • In the open entity detail pane, click the menu icon More, and from the drop-down menu select Export > JSON to download and save the entity in JSON format.

Value

The regex syntax this field accepts is the Elasticsearch regular expression syntax.

The main peculiarities of the Elasticsearch DSL query syntax are:

  • Anchors – ^ and $ – are implied at the beginning and at the end of the regex.

    Do not include them in the regex pattern input.

  • If you insert explicit anchor characters in the value input field, they are interpreted as literal values.

  • Escape special characters:

    ( . ? + | { } [ ] ( ) " \ / )

    To escape a special character, prepend a backslash \ to it.

    Example: \{ \}

    Note

    At the moment, Elasticsearch regular expression syntax optional operators are not supported.

    Note

    Although the regex syntax used in the UI of the Intelligence Center is that of ElasticSearch, the regex syntax used by EclecticIQ Intelligence Center’s ingestion engine is Python regex. In the vast majority of cases this does not lead to conflicts, but if your discovery rule is not working the way you want it to, this may be the reason.

    Here are two differences that commonly cause problems:

    • ElasticSearch searches for whole strings, while Python searches everywhere in a string. For example:

      • Input: Cert-BUND

      • Pattern: ert

      • ES result: no match

      • Python result: will match

    • ElasticSearch regex syntax requires you to leave out anchors, whereas Python regex syntax requires you to include them.

    If you are experiencing problems in this area, contact Customer Support for help in writing the discovery rule you want.
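The following Python script is an added illustration, not code from EclecticIQ or its documentation. It models what the JSON paths section and the Value section above describe: the simplified path syntax (raw. prefix, implied data, omitted []), MATCHES and DOESN’T MATCH conditions with the implied ^ and $ anchors, AND/OR groups, and the contrast with the ingestion engine’s Python-style search. The sample entity is constructed, and Python’s re.fullmatch stands in for Elasticsearch regex matching, which is an assumption: the Elasticsearch regex dialect is not identical to Python’s.

```python
import re
# Constructed sample entity (assumed shape); non-data fields need the raw. prefix.
ENTITY = {
    "data": {
        "title": "Cert-BUND advisory",
        "information_source": {"identity": {"name": "CERT-Bund"}},
        "affected_assets": [
            {"nature_of_security_effect_properties_affected": ["Confidentiality"]},
            {"nature_of_security_effect_properties_affected": ["Integrity"]},
        ],
    },
    "meta": {"tlp_color": "AMBER"},
    "tags": ["phishing", "credential-theft"],
}

def resolve_path(entity, path):
    """Page rules: "raw." starts at the entity root, anything else starts under
    "data"; list fields are written without "[]" and flattened element-wise."""
    if path.startswith("raw."):
        node, parts = entity, path[4:].split(".")
    else:
        node, parts = entity.get("data", {}), path.split(".")
    values = [node]
    for part in parts:
        next_values = []
        for v in values:
            for item in (v if isinstance(v, list) else [v]):
                if isinstance(item, dict) and part in item:
                    next_values.append(item[part])
        values = next_values
    flat = []
    for v in values:
        flat.extend(v if isinstance(v, list) else [v])
    return [str(v) for v in flat]

def condition(entity, path, pattern, matches=True):
    """MATCHES (default) or DOESN'T MATCH; re.fullmatch stands in for the implied
    ^ and $ anchors. An absent path yields no values, so neither form is true."""
    values = resolve_path(entity, path)
    if matches:
        return any(re.fullmatch(pattern, v) is not None for v in values)
    return any(re.fullmatch(pattern, v) is None for v in values)

def ingestion_search(pattern, value):
    """Contrast case from the page: Python-style search matches anywhere."""
    return re.search(pattern, value) is not None

def group(op, *results):
    """AND groups need every condition true; OR groups need at least one."""
    return all(results) if op == "AND" else any(results)
```

With this model, condition(ENTITY, "title", "ert") is false because the pattern is anchored, while ingestion_search("ert", "Cert-BUND") is true, which is the discrepancy the two Notes above describe.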