STIX 1.2#

In EclecticIQ Intelligence Center entities represent standard STIX objects that are used to model, structure, and define different types of cyber threat information.

EclecticIQ Intelligence Center transforms and maps ingested data to logical models called entities. An entity is a distinct information unit that models and represents a specific concept.

For example, indicators, observables, sightings, and relationships are all described as entities in EclecticIQ Intelligence Center. This approach makes it easier to handle and to manipulate data chunks during an analysis or an investigation.

Entity access control#

To manage intelligence dissemination, you can control access to entity data.

This ensures that the target audience receives the correct information, the publisher keeps control of the content they are distributing, and it avoids sharing sensitive information.

Define access control with data sources#

Define user access control to entities through entity data sources and entity TLP color codes:

  • Entity data sources limit access to entities to the user groups and to the members of the user groups that are granted access. To define group-level or user-level access to entity data sources, click Settings > User management > Groups > ${group_name} > More > Edit > Allowed sources > Source.

  • TLP color codes limit access to entities to the user groups and to the members of the user groups that are granted access by assigning them a specific TLP color clearance. To define group-level or user-level access to through TLP, click Settings > User management > Groups > ${group_name} > More > Edit > Allowed sources > Source.

Entity types#

Entity type



A campaign is a series of planned actions that aim to achieve a specific goal. A campaign groups a set of related threat actors, TTPs, and incidents that share a common intent or goal.

Course of action

A course of action details a set of clear, specific recommendations and measures to mitigate an incident, to address affected exploit targets, and to effectively respond to a cyber threat.

Exploit target

An exploit target is a vulnerability or a weakness in software, hardware, systems, or networks that a threat actor can leverage and take advantage of to intrude or to carry out an attack.


An incident describes a specific occurrence of one or more indicators affecting an organization.

It includes information on threat actors, tools or skills, time frames, techniques, as well as impact assessment and the recommended response course of action.


An occurrence or a signal that an incident may have occurred or may be in progress.

For more information, see the definition provided in the Cybersecurity Information Sharing Act of 2015 (CISA).


A detailed account, as a result of an investigation or an analysis, of an incident, an exploited target or vulnerability, or a series of attacks by one or more malicious actors.

A report weaves related pieces of threat intelligence together into a consistent and logical narrative. It adds background and context that help clarify the outcome of a security breach or the dynamics of a cyber attack.

The purpose of a report is to provide actionable information to prevent or to respond to a threat.


A sighting records a discrete instance of an observed indicator of compromise inside your environment.

For example, a sighting can record the occurrence of a malicious IP address at a specific date and time within the organization or in its infrastructure.

Threat actor

An individual or a group carrying out or planning to execute malicious activities.

Threat actors include information such as individual or group identity, suspected motivation, and suspected intended effects.


Tactics, Techniques, and Procedures; also referred to as Tools, Techniques, and Procedures.

TTPs describe the behavior of cyber adversaries.

The definitions below are extracts from the Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms, 8 November 2010, as amended through 15 February 2016.

  • Tactics: describe the employment and ordered arrangement of forces in relation to each other.

  • Techniques: are non-prescriptive ways or methods used to perform missions, functions, or tasks.

  • Procedures: are standard, detailed steps that prescribe how to perform specific tasks.


A package is a wrapper containing one or more STIX objects such as indicators, threat actors, TTPs, and so on.

When EclecticIQ Intelligence Center ingests packages, it extracts the STIX objects and it converts them to its internal JSON data model.

The package container is not stored in EclecticIQ Intelligence Center.