Data model and EclecticIQ JSON#

EclecticIQ JSON (EIQ JSON) is a JSON representation of EclecticIQ Intelligence Center’s data model. This means that EclecticIQ JSON represents data stored in EclecticIQ Intelligence Center, but its JSON structure is only computed at the time the data is “packed”, or exported.

You can use EclecticIQ JSON to import and export data between EclecticIQ Intelligence Center instances manually or through feeds.

Tip

To programmatically add and retrieve entities from EclecticIQ Intelligence Center, use the REST API v2 instead.

The REST API uses a slightly different object schema from EIQ JSON, but available objects and properties remain the same.

EIQ JSON has the following basic structure:

{
  "content-type": "urn:eclecticiq.com:json:2.0",
  "enrichments": [],
  "entities": [],
  // ...
}

EIQ JSON field

Description

content-type

See EIQ JSON versions and compatibility.

enrichments[]

List of enrichment results. This only appears if an observable (extracts) embedded was enriched, and has at least one result.

If enrichments[].output_extracts[] has at least one item, values here will also appear in the entities[].enrichment_extracts[] field of the parent entity of the enriched observable.

entities[]

List of entities. See EIQ JSON versions and compatibility.

entities_v2[]

List of entities. See EIQ JSON versions and compatibility.

entity_counts

Count of entities by type in entities[].

Example:

"entity_counts": {
"relation": 3,
"threat-actor": 1,
"threat-actor_ref": 2
},

entity_counts_v2

Count of entities by type in entities_v2[].

outgoing_feed_name

How this EIQ JSON package was generated. If manually exported, will be set to "Exported entities".

platform_version

EclecticIQ Intelligence Center version. E.g. 2.14.0

timestamp

Date and time when this JSON package was generated.

EIQ JSON versions and compatibility#

EIQ JSON has two versions:

EIQ JSON version

Content type

Description

EIQ JSON v2

"urn:eclecticiq.com:json:2.0"

EclecticIQ Intelligence Center 3.0 and later.

EIQ JSON v1

"urn:eclecticiq.com:json:1.0"

EclecticIQ Intelligence Center 2.14 and earlier.

When referring to EIQ JSON throughout documentation for 3.0 and newer, we are referring to EIQ JSON v2.

EIQ JSON v2:

  • Contains two new top-level fields: entities_v2[] and entity_counts_v2.

  • entities[] and entities_v2[] are two representations of the same data.

    • entities[] contains entity objects and properties that are compatible with older versions of EclecticIQ Intelligence Center.

      This allows older versions of EclecticIQ Intelligence Center to import and ingest EIQ JSON packages exported from 3.0 and newer. However, each EclecticIQ Intelligence Center version will only process and ingest objects that it supports.

    • If there are no exported entities that are compatible with EclecticIQ Intelligence Center 2.14 and earlier, then entities[] will be empty.

    • entities_v2[] contains entity_v2 objects and properties that are compatible with EclecticIQ Intelligence Center 3.0 and newer only.

  • This allows data exported from EclecticIQ Intelligence Center 3.0 as EIQ JSON to be backward compatible with EclecticIQ Intelligence Center 2.14.x.

    • EclecticIQ Intelligence Center 2.14.x can process EIQ JSON v2. Data in the entities_v2 and entity_counts_v2 fields are dropped.

    • Do not use EIQ JSON v2 to send data from EclecticIQ Intelligence Center 3.0 and newer to 2.13.x or earlier. Upgrade the older EclecticIQ Intelligence Center instance, or send/export the data as STIX 1.2 instead.

Entity compatibility#

Certain entity objects and properties are only compatible with 3.0 and later.

But 3.0 maintains some backward compatibility with 2.14.

The following table lists entity types added in 3.0, and their corresponding compatible entity types in 2.14. When EIQ JSON containing these new entity types are exported from 3.0 and ingested in 2.14, they are automatically converted to 2.14 entity types.

The following table shows entity types introduced in 3.0, and what they are imported as in 2.14.

3.0 entity type

Imported in 2.14 as …

Attack pattern

TTP

Infrastructure

TTP

Malware

TTP

Malware analysis

Not imported

Tools

TTP

Identity

Not imported

Intrusion set

Threat actor

Location

Not imported