Report#

A report wraps around different pieces of threat intelligence to weave a common story into a consistent narrative.

During an analysis or an investigation, you may use a number of sources to gather many bits of information. Reports allow you to structure and to organize your research, and publish it.

Tip

You can add rich text content to reports. See Create content in reports.

Create a report by selecting:

  • In the side navigation bar + Create > Report.

Or:

  • (Requires Beta: Intelligence creation on the graph)

    In the top navigation bar of a graph, select + and then Report to create a draft entity.

  • Double-click to open the newly created draft entity to edit it.

Then, Configure this entity.

Configure#

The following sections the fields and options available.

Note

Required fields are marked with an asterisk (*).

General#

Field

EIQ JSON field

Description

Title*

data.title

Descriptive title for this entity. See Titles and aliases.

Summary

data.short_description

Summary of this report. You can add rich text here. See Rich text editor.

Analysis*

data.description

Main body of this report. You can add rich text here. See Rich text editor.

Recommendations*

data.description

Select + Section > Recommendations to add a “Recommendations” section to the Description field of this report. Appends the content set here to data.description.

You can add rich text here. See Rich text editor.

Intents#

Add one or more report intents.

Field

EIQ JSON field

Description

Intents*

data.types[]

One or more report intents. Analogous to ReportIntentVocab-1.0.

Possible values:

  • Collective Threat Intelligence

  • Threat Report

  • Indicators

  • Indicators - Phishing

  • Indicators - Watchlist

  • Indicators - Malware Artifacts

  • Indicators - Network Activity

  • Indicators - Endpoint Characteristics

  • Campaign Characterization

  • Threat Actor Characterization

  • Exploit Characterization

  • Attack Pattern Characterization

  • Malware Characterization

  • TTP - Infrastructure

  • TTP - Tools

  • Courses of Action

  • Incident

  • Observations

  • Observations - Email

  • Malware Samples

Observables#

You can create one or more new observables and link it to the currently open entity by selecting + Observable under the Observables section.

Note

If an observable you create here matches an observable rule with an ignore action, it does not appear when the you publish the entity.

In the Add observable view that appears, fill out these fields:

Field

EIQ JSON field

Description

Type*

extracts[].kind

See Observable types

Link name*

See Observable link names

See Observable link names

Values(s)*

extracts[].value

Enter one or more values. One observable is created per value.

Values must be comma-separated, or newline-separated, but not both.

Maliciousness*

See Observable maliciousness

See Observable maliciousness

Relations#

Add relationships to this entity by selecting + Relationship.

  1. From the drop-down menu select the option corresponding to the relationship you want to create:

    • Indicators

    • TTPs

    • Exploit targets

    • Incidents

    • Courses of action

    • Campaigns

    • Threat actors

    • Related reports

    • Sighting Right arrow Report

  2. After selecting an option, the Search an entity dialog appears. Select one or more entities to relate to the current entity.

    Note

    You can narrow down the displayed entities by entering a search query, or by using the filter Filter.

  3. Select Select to add the selected entities as relations.

Once a relationship is added to this entity, you can:

  • Assign MITRE ATT&CK IDs by selecting + under the MITRE ATT&CK IDs column.

  • Set a Relationship type

    • Enter a custom relationship type by typing in the empty field and pressing ENTER to save.

    • Select one of these options:

      • Indicates malware

      • Is associated campaign to

      • I don’t know

      • Could be anything

Meta#

The Meta section contains configuration options that allow you to attach descriptive data to the entity.

Field

EIQ JSON field

Description

Estimated threat start time

meta.estimated_threat_start_time

Estimated start of threat. See Time values.

Estimated threat end time

meta.estimated_threat_end_time

Estimated end of threat. See Time values.

Estimated observed time

meta.estimated_observed_time

Estimated time threat was observed. See Time values.

Half-life

meta.half_life

See Half-life.

Select one of these options:

  • Use default value: When selected, half-life for this entity is set to 720 days.

  • Override value: Set a custom value for half-life, in number of days.

Tags

meta.tags[] and meta.taxonomy_paths[]

See tags and taxonomies.

Source*

sources[]

Select one source.

Source reliability

meta.source_reliability

See source reliability.

Options:

  • Inherit from source: This entity inherits source reliability from Source.

  • Custom override: Set a source reliability value for just this entity.

Information source#

Field

EIQ JSON field

Description

Description

data.information_source.description

Description of information source.

Identity

data.information_source.identity

Name of this information source

Roles

data.information_source.roles[]

One or more information source roles. Possible values:

  • Initial Author

  • Content Enhancer/Refiner

  • Aggregator

  • Transformer/Translator

References

data.information_source.references[]

One or more URLs.

Attachment#

Upload one or more attachments for this report.

Drag and drop files into the box here, or select Upload Upload to browse your local filesystem and select files to upload.

Tip

When exported to EIQ JSON, these attachments are base64-encoded and embedded in the attachments[] field of the entity object.

Tip

By default, the maximum size for file attachments is 50MB.

Data marking#

Descriptive metadata for entity.

Field

EIQ JSON field

Description

TLP

meta.tlp_color

Set a TLP color for this entity.

Terms of use

data.handling[].marking_structures[]

Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType.

Simple

data.handling[].marking_structures[]

Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType.

Workflow#

Use options here to apply workflow options to this entity.

Field

Description

Add to dataset

Select this option to add this entity to one or more datasets on Publish.

Manually enrich

Run one or more enrichers on this entity on Publish.

Save and publish#

Tip

For more information, see Draft and published entities.

Select Publish to create this entity, and make it available under + Create > Production > Published.

For more publishing options, select More Drop-down menu arrow and then one of these options:

  • Publish and new: Publish this entity, and start creating a new entity.

  • Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.

Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.

For more options while saving as a draft, select More Drop-down menu arrow and then one of these options:

  • Publish and new: Save this entity as a draft, and start creating a new entity.

  • Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.

Create content in reports#

You can create content in reports with the rich text editor, and then publish them.

Rich text editor#

The Summary, Description, and Recommendations fields allow you to create rich content using the rich text editor.

Editor features:

Feature

Description

Insert relationship Insert relationship

Create a relationship to another entity, and insert a link to the selected entity here.

When selected, brings up the Add relationship view.

  1. Fill out these fields:

    • Indicators

    • TTPs

    • Exploit targets

    • Incidents

    • Courses of action

    • Campaigns

    • Threat actors

    • Related reports

    • Sighting Right arrow Report

  2. Then, select one or more entities.

  3. Select Select (n) to finish adding relationships.

Insert observable Insert observable

Create an observable and insert a link to it here.

When selected, brings up the Add observable view.

  1. Fill out these fields:

    • Type*: (extracts[].kind) See Observable types

    • Values(s)*: (extracts[].value) Enter one or more values. One observable is created per value. Values must be comma-separated, or newline-separated, but not both.

    • Maliciousness*: See Observable maliciousness

  2. Select Save to finish adding the observable.

Insert reference Insert reference

Insert an external URL reference.

When selected, brings up the Add link view.

  1. Fill out these fields:

  • Url*: Enter a valid URL.

  • Text: Enter link text.

  1. Select Insert to finish inserting the reference.

Insert image Insert image

Insert an an inline image (max 10MB). When you attempt to insert an image larger than 10MB, you’ll be asked if you want to insert it as an attachment instead.

For more information about exports and inline images, see Export and distribute reports.

Insert table Insert table

Insert a table.

Insert date/time Insert date/time

Insert currnet date and time as plain text.

Select the down arrow Drop-down menu arrow on the right to select a date/time format to use.

Export and distribute reports#

Reports can be exported and distributed, manually or through outgoing feeds.

Inline images are embedded as attachments in the entity. When exported as EIQ JSON, images and attachments are base64 encoded and stored in the data.attachments[] field. In PDF exports, inline images are embedded and displayed.

Attachments and inline images are not supported for STIX 1.2 and STIX 2.1 exports.