# Incident
An incident records a specific occurrence of indicators of compromise or observables affecting your organization or your system. An incident includes context information about the event such as start and end times, affected assets and resources, impact and seriousness assessment, any known threat actors and targeted victims involved, TTPs, related indicators and observables, and so on.
Create an incident by selecting:

- In the side navigation bar, + Create > Incident.

Or (requires Beta: Intelligence creation on the graph):

1. In the top navigation bar of a graph, select + and then Incident to create a draft entity.
2. Double-click the newly created draft entity to open it for editing.
3. Then, Configure this entity.
## Configure

The following sections describe the fields and options available.

Note

Required fields are marked with an asterisk (*).
### General

| Field | EIQ JSON field | Description |
|---|---|---|
| Title* | | Descriptive title for this entity. See Titles and aliases. |
| Analysis | | Long description. |
| Status | | Status of incident. Analogous to IncidentStatusVocab-1.0. Possible options: |
| Categories* | | Category of incident. Analogous to IncidentCategoryVocab-1.0. Possible values: |
| Confidence | | Confidence in the accuracy and trustworthiness of the information contained by this entity. Analogous to ConfidenceType. Possible values from Enumerated values: High, Medium, Low. |
| Intended effects* | | See Intended effects. |
| Security compromise | | Describes the security compromise involved in this incident. Analogous to SecurityCompromiseVocab-1.0. Possible values: |
| Discovery methods* | | Describes how the incident was discovered. Analogous to DiscoveryMethodVocab-2.0. |
### Characteristics

Characteristics are properties on an entity that provide context for the intelligence indicated by this object.

The following characteristics are available for this entity:
#### Characteristics: Time coordinates

Add various date and time properties to this entity. Analogous to TimeType.

| Field | EIQ JSON field | Description |
|---|---|---|
| First malicious action | | Date and time malicious action was first detected. |
| Time first malicious action precision | | |
| Initial compromise | | Date and time initial compromise was detected. |
| Time initial compromise precision | | |
| First data exfiltration | | Date and time data exfiltration was first detected. |
| Time first data exfiltration precision | | |
| Incident discovery | | Date and time this incident was discovered. |
| Time incident discovery precision | | |
| Incident opened | | Date and time this incident was first opened. |
| Time incident opened precision | | |
| Containment achieved | | Date and time incident was contained. |
| Time containment achieved precision | | |
| Restoration achieved | | Date and time assets affected by incident were restored. |
| Time restoration achieved precision | | |
| Incident reported | | Date and time incident was reported. |
| Time incident reported precision | | |
| Incident closed | | Date and time this incident was closed. |
| Time incident closed precision | | |
#### Characteristics: Reporter

Add a reporter. Analogous to InformationSourceType.

| Field | EIQ JSON field | Description |
|---|---|---|
| Name* | | Name of this information source. Also creates a |
| Specification | | |
| Roles* | | Role of this information source. Analogous to InformationSourceRoleVocab-1.0. Possible values: |
| Description | | Description of this information source. |
#### Characteristics: Coordinator

Add one or more coordinators. Analogous to InformationSourceType.

| Field | EIQ JSON field | Description |
|---|---|---|
| Name* | | Name of this information source. Also creates a |
| Specification | | |
| Roles* | | Role of this information source. Analogous to InformationSourceRoleVocab-1.0. Possible values: |
| Description | | Description of this information source. |
#### Characteristics: Responder

Add one or more responders. Analogous to InformationSourceType.

| Field | EIQ JSON field | Description |
|---|---|---|
| Name* | | Name of this information source. Also creates a |
| Specification | | |
| Roles* | | Role of this information source. Analogous to InformationSourceRoleVocab-1.0. Possible values: |
| Description | | Description of this information source. |
#### Characteristics: Contact

Add one or more contacts. Analogous to InformationSourceType.

| Field | EIQ JSON field | Description |
|---|---|---|
| Name* | | Name of this information source. Also creates a |
| Specification | | |
| Roles* | | Role of this information source. Analogous to InformationSourceRoleVocab-1.0. Possible values: |
| Description | | Description of this information source. |
#### Characteristics: Affected asset

Add one or more affected assets to this incident. Analogous to AffectedAssetType.

| Field | EIQ JSON field | Description |
|---|---|---|
| Description* | | Description of this affected asset. |
| Asset type* | | |
| Ownership class* | | |
| Management class* | | |
| Location class* | | |
| Business function or role | | Describes the business function or role of this affected asset. |
| Properties Affected | | |
##### Affected assets: Properties affected

Add one or more properties affected. Analogous to PropertyAffectedType.

| Field | EIQ JSON field | Description |
|---|---|---|
| Property | | |
| Type of availability loss | | |
| Duration of availability loss | | |
| Non public data compromised | | |
| Description of effect | | Description of how this property was affected. |
#### Characteristics: Impact

Add impact details to this incident. Analogous to ImpactAssessmentType.

| Field | EIQ JSON field | Description |
|---|---|---|
| Effects | | Select one or more effects for this incident. Analogous to EffectsType. Uses Intended effects. |

Set the following additional properties:
##### Impact: Direct impact summary

| Field | EIQ JSON field | Description |
|---|---|---|
| Asset losses | | |
| Business mission disruption | | |
| Response and recovery costs | | |
##### Impact: Indirect impact summary

| Field | EIQ JSON field | Description |
|---|---|---|
| Loss of competitive advantage | | |
| Brand and market damage | | |
| Increased operating costs | | |
| Legal and regulatory costs | | |
| Impact qualification | | |
##### Impact: Total loss estimation

Initially reported

| Field | EIQ JSON field | Description |
|---|---|---|
| Amount | | Initially reported total loss estimation. |
| Currency | | Currency used for the initially reported total loss estimation. |

Actual

| Field | EIQ JSON field | Description |
|---|---|---|
| Amount | | Actual total loss estimation. |
| Currency | | Currency used for the actual total loss estimation. |
#### Characteristics: Victim

Add one or more victims of this incident. Analogous to InformationSourceType.

| Field | EIQ JSON field | Description |
|---|---|---|
| Name* | | Name of this information source. Also creates a |
| Specification | | |
### Observables

You can create one or more new observables and link them to the currently open entity by selecting + Observable under the Observables section.

Note

If an observable you create here matches an observable rule with an ignore action, it does not appear when you publish the entity.

In the Add observable view that appears, fill out these fields:

| Field | EIQ JSON field | Description |
|---|---|---|
| Type* | | See Observable types. |
| Link name* | | |
| Value(s)* | | Enter one or more values. One observable is created per value. Values must be comma-separated, or newline-separated, but not both. |
| Maliciousness* | | |
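As an added example (not EclecticIQ's own code), the following Python applies two rules stated on this page to a draft before it is published: the General fields marked with an asterisk (Title, Categories, Intended effects, Discovery methods) must be filled in, and the Value(s) field of the Add observable view must be comma-separated or newline-separated but not both, yielding one observable per value. Field names are the form labels used above; the function names, the record keys, the `ipv4` observable type name and the sample values are this example's own assumptions and constructed data, and no EIQ JSON field names are assumed since the page does not list them.

```python
from typing import Dict, List

# General-section fields the page marks with an asterisk (*) as required.
REQUIRED_GENERAL_FIELDS = ("Title", "Categories", "Intended effects", "Discovery methods")


def missing_required(general: Dict[str, object]) -> List[str]:
    """Return the required General fields that are absent or left blank."""
    missing = []
    for name in REQUIRED_GENERAL_FIELDS:
        value = general.get(name)
        if value is None or (isinstance(value, (str, list)) and len(value) == 0):
            missing.append(name)
    return missing


def split_observable_values(raw: str) -> List[str]:
    """Split the Value(s) field into one value per observable.

    Rule from the page: values must be comma-separated or newline-separated,
    but not both. Mixed separators are rejected rather than guessed at, so a
    line such as 'a,b' never silently becomes a single malformed observable.
    """
    text = raw.replace("\r\n", "\n").strip()  # tolerate Windows line endings
    if not text:
        raise ValueError("Value(s) is required: enter at least one value")
    has_comma = "," in text
    has_newline = "\n" in text
    if has_comma and has_newline:
        raise ValueError("values must be comma-separated or newline-separated, not both")
    separator = "," if has_comma else "\n"
    # Trim whitespace around each value and drop blanks left by trailing separators.
    return [v.strip() for v in text.split(separator) if v.strip()]


def is_valid_values_field(raw: str) -> bool:
    """True when the Value(s) field would be accepted by split_observable_values."""
    try:
        split_observable_values(raw)
        return True
    except ValueError:
        return False


def build_observables(obs_type: str, link_name: str, raw_values: str,
                     maliciousness: str) -> List[Dict[str, str]]:
    """Expand one filled-in Add observable view into one record per value.

    Type, link name and maliciousness are the view's required fields; the
    record keys are this example's own, not EIQ JSON field names.
    """
    return [
        {"type": obs_type, "link_name": link_name, "value": v, "maliciousness": maliciousness}
        for v in split_observable_values(raw_values)
    ]


if __name__ == "__main__":
    # Constructed sample draft; "ipv4" as the observable type name is an assumption.
    draft = {"Title": "Constructed example incident", "Categories": ["example category"]}
    print("missing required fields:", missing_required(draft))
    for obs in build_observables("ipv4", "observed", "198.51.100.7, 198.51.100.8", "Malicious"):
        print(obs)
```

Running the block as a script reports Intended effects and Discovery methods as missing from the constructed draft and prints two observable records for the two comma-separated addresses; a value string that mixes commas and newlines is refused with a ValueError instead of producing a broken observable.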
### Relations

Add relationships to this entity by selecting + Relationship.

From the drop-down menu, select the option corresponding to the relationship you want to create:

After selecting an option, the Search an entity dialog appears. Select one or more entities to relate to the current entity.

Note

You can narrow down the displayed entities by entering a search query, or by using the filter.

Select the Select button to add the selected entities as relations.

Once a relationship is added to this entity, you can:

- Assign MITRE ATT&CK IDs by selecting + under the MITRE ATT&CK IDs column.
- Set a Relationship type:
  - Enter a custom relationship type by typing in the empty field and pressing ENTER to save.
  - Or select one of these options:
    - Indicates malware
    - Is associated campaign to
    - I don’t know
    - Could be anything
### Meta

The Meta section contains configuration options that allow you to attach descriptive data to the entity.

| Field | EIQ JSON field | Description |
|---|---|---|
| Estimated threat start time | | Estimated start of threat. See Time values. |
| Estimated threat end time | | Estimated end of threat. See Time values. |
| Estimated observed time | | Estimated time threat was observed. See Time values. |
| Half-life | | See Half-life. Select one of these options: |
| Tags | | See tags and taxonomies. |
| Source* | | Select one source. |
| Source reliability | | See source reliability. Options: |
#### Information source

| Field | EIQ JSON field | Description |
|---|---|---|
| Description | | Description of information source. |
| Identity | | Name of this information source. |
| Roles | | One or more information source roles. Possible values: |
| References | | One or more URLs. |
#### Data marking

Descriptive metadata for this entity.

| Field | EIQ JSON field | Description |
|---|---|---|
| TLP | | Set a TLP color for this entity. |
| Terms of use | | Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType. |
| Simple | | Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType. |
### Workflow

Use the options here to apply workflow options to this entity.

| Field | Description |
|---|---|
| Add to dataset | Select this option to add this entity to one or more datasets on Publish. |
| Manually enrich | Run one or more enrichers on this entity on Publish. |
### Save and publish

Tip

For more information, see Draft and published entities.

Select Publish to create this entity, and make it available under + Create > Production > Published.

For more publishing options, select More and then one of these options:

- Publish and new: Publish this entity, and start creating a new entity.
- Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.

Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.

For more options while saving as a draft, select More and then one of these options:

- Publish and new: Save this entity as a draft, and start creating a new entity.
- Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.
## Appendix

### Identity specification

Add one or more items to Specification to flesh out the identity being described. Content here is used to construct the XML content in the specification_xml field in EIQ JSON. Analogous to STIXCIQIdentity3.0Type as used in IdentityType/CIQIdentity3.0InstanceType/CIQ 3.0 Specifications.

| Field | Description |
|---|---|
| Account | Describes a bank account or similar. Available fields: |
| Person | Add one or more properties describing a person. |
| Organization | Add one or more properties describing an organization. |
| Electronic address | Add one or more electronic addresses for this targeted victim. |

Each item added to the Specification section creates an observable with the corresponding type:

| Specification field | Resulting observable type(s) |
|---|---|
| Account | |
| Person | |
| Organization | |
| Electronic address | |