Entities: Common properties#

Titles and aliases#

All entities have a Title field that is displayed whereever they appear in EclecticIQ Intelligence Center UI.

An entity can also have an Alias. If an entity has an alias, the alias is displayed instead of the title when the entity is displayed.

To set an alias for an entity:

  1. Select published entity to open it.

  2. Select the title of the entity.

  3. In the drop-down that appears, select Edit.

  4. Type an alias for the entity, and press enter.

These are set in EIQ JSON with the following fields:

Field

EIQ JSON field

Title

data.title

Alias

meta.title

Time values#

Time values are represented as ISO8601-formatted text. E.g. 2017-11-30T10:04:07.890853+00:00

EclecticIQ Intelligence Center UI will typically allow you to select a date from the calendar, or type in a YYYY-MM-DD HH:MM value.

Select date and using the UI.

Select date and using the UI.#

Date and time precision#

Some fields allow you to specify a precision for date and time values. Selecting a precision allows you to describe how accurate the recipient of intelligence should expect the specified date and time value should be. Analogous to DateTimePrecisionEnum.

Possible values for precision:

  • year

  • month

  • day

  • hour

  • minute

  • second

For example, time windows have start and start_precision properties. A start_precision of minute means that the value of start is accurate up to the specified minute.

Half-life#

Half-life is the amount of time it takes for a threat to lose half its intelligence value, in days.

Default half-life value#

You can change the default half-life values of entities by modifying the following section in platform_settings.py and restarting IC services:

HALF_LIFE = {
    "campaign": 1000,
    "course-of-action": 182,
    "eclecticiq-sighting": 182,
    "exploit-target": 182,
    "incident": 182,
    "indicator": 30,
    "report": 182,
    "threat-actor": 1000,
    "ttp": 720,
}

Half-life relevancy#

Represents the intelligence value of this entity relative to its age, or if the threat has already ended.

Used in filters and searches on EclecticIQ Intelligence Center.

See:

Enumerated values: High Medium low#

A list of values that describe the state of the property that it is applied to. Analogous to HighMediumLowVocab.

Possible values:

  • High

  • Medium

  • Low

  • None

  • Unknown

Intended effects#

A list of values that describe the intended effect of a property. Analogous to IntendedEffectVocab.

Possible values:

  • Advantage

  • Advantage - Economic

  • Advantage - Military

  • Advantage - Political

  • Theft

  • Theft - Intellectual Property

  • Theft - Credential Theft

  • Theft - Identity Theft

  • Theft - Theft of Proprietary Information

  • Account Takeover

  • Brand Damage

  • Competitive Advantage

  • Degradation of Service

  • Denial and Deception

  • Destruction

  • Disruption

  • Embarrassment

  • Exposure

  • Extortion

  • Fraud

  • Harassment

  • ICS Control

  • Traffic Diversion

  • Unauthorized Access

Malware types#

A list of values that describe the type of malware identified. Analogous to MalwareTypeVocab-1.0.

Possible values:

  • Automated Transfer Scripts

  • Adware

  • Dialer

  • Bot

  • Bot - Credential Theft

  • Bot - DDoS

  • Bot - Loader

  • Bot - Spam

  • DoS / DDoS

  • DoS / DDoS - Participatory

  • DoS / DDoS - Script

  • DoS / DDoS - Stress Test Tools

  • Exploit Kits

  • POS / ATM Malware

  • Ransomware

  • Remote Access Trojan

  • Rogue Antivirus

  • Rootkit

Infrastructure types#

List of values that describe the type of infrastructure identified. Analogous to AttackerInfrastructureTypeVocab-1.0.

Possible values:

  • Anonymization

  • Anonymization - Proxy

  • Anonymization - TOR Network

  • Anonymization - VPN

  • Communications

  • Communications - Blogs

  • Communications - Forums

  • Communications - Internet Relay Chat

  • Communications - Micro-Blogs

  • Communications - Mobile Communications

  • Communications - Social Networks

  • Communications - User-Generated Content Websites

  • Domain Registration

  • Domain Registration - Dynamic DNS Services

  • Domain Registration - Legitimate Domain Registration Services

  • Domain Registration - Malicious Domain Registrars

  • Domain Registration - Top-Level Domain Registrars

  • Hosting

  • Hosting - Bulletproof / Rogue Hosting

  • Hosting - Cloud Hosting

  • Hosting - Compromised Server

  • Hosting - Fast Flux Botnet Hosting

  • Hosting - Legitimate Hosting

  • Electronic Payment Methods

Aggregation override#

When an entity refers to multiple sources, multiple values for an attribute are aggregated into one resulting value:

  • Source reliability, TLP, and half-life values depending on the a configuration settings.

  • Multiple values for these attributes are aggregated to produce a resulting value.

  • This aggregated value is applied to update the entity attributes.

Aggregation override affects the following entity attributes:

  • Source reliability

  • Half-life

  • TLP