Filter entities by source
You can filter and search for entities based on criteria related to the entity data source(s), such as:
- Source name
- Source reliability
You can use the search input field, as well as the quick filters available in the following views:
Create + > VIEW PRODUCTION
Filter entities by source name
An entity can have one or more data sources.
When an entity has multiple sources, redundant copies of the same entity are deduplicated upon ingestion, but all data source information is retained.
Data source reliability information is stored in the `sources.source_reliability` JSON field.
You can filter and search for entities based on the name(s) of their data source(s) to retrieve only entities ingested from one or more data sources.
Data sources can be existing incoming feeds and enrichers, as well as existing Intelligence Center user groups.
Use the quick filter
Click either Entity, Source, TLP, Date, Reliability, or Dataset.
Select the checkbox(es) of the entity data sources you want to obtain results from.
When you enter or select multiple search term values, the Boolean operator between the specified search terms is OR.
View data sources for an entity
When an entity has more than one data source, a counter is displayed next to the main entity data source name under the Source column.
Click it to view a tooltip with a list of all the data sources the entity refers to.
Use the search input field
In the search input field, prepend the following JSON path to the data source name value(s) you want to use as search criteria.
For example, `sources.name:`
Example
```
/* Searches for all entities whose
data source name value is 'CVE' */
sources.name:CVE
/* Searches for all entities whose
data source name value is either 'CVE', or 'CTI', or 'TAXII' */
sources.name:(CVE CTI TAXII)
```
To filter and search for entities based on their corresponding data source name(s), you can prepend search queries in the search box with the following JSON fields:
JSON path | Description |
---|---|
`sources.name` | Holds the designated name of the entity data source. |
`sources.source_id` | Holds the UUID of the entity data source. This value uniquely identifies a data source of an entity. |
`sources.source_type` | Holds the type of data source for the entity. Data sources can be existing incoming feeds and enrichers, as well as existing Intelligence Center user groups. |
Example
```
{
  "sources": [
    {
      "name": "TAXII Stand Samples Cypress",
      "source_id": "09d01570-476d-4515-a458-faddb43hse86",
      "source_type": "incoming_feed"
    },
    {
      "name": "test.taxiistand.com",
      "source_id": "0bd6014d-e0b4-a8d5-83ac-c107fd034855",
      "source_type": "incoming_feed"
    },
    {
      "name": "TAXII Stand Samples",
      "source_id": "fc602bf6-f653-1234-8dde-b939f2bb13bd",
      "source_type": "incoming_feed"
    }
  ]
}
```
Filter entities by source reliability
You can filter and search for entities based on the reliability assigned to the corresponding data sources to retrieve only entities ingested from specifically reliable sources.
Data source reliability information is stored in the `sources.source_reliability` JSON field.
Use the quick filter
Select the checkbox(es) of the entity data source reliability values you want to use as filters.
When you enter or select multiple search term values, the Boolean operator between the specified search terms is OR.
Use the search input field
In the search input field, prepend the following JSON path to the data source reliability values you want to use as search criteria.
For example, `sources.source_reliability:`
Example
```
/* Searches for all entities whose
data source reliability value is 'A' */
sources.source_reliability:A
/* Searches for all entities whose
data source reliability value is either 'A', or 'B', or 'C' */
sources.source_reliability:(A B C)
```
To filter and search for entities based on data source reliability, you can prepend search queries in the search box with the following JSON fields:
JSON field | Description |
---|---|
 | Holds the original data source reliability value of the entity when it was ingested or created in EclecticIQ Intelligence Center. It helps assess how trustworthy the data source is deemed to be. |
 | Holds the changed source reliability value that is set to override the previous source reliability value for the entity. If you manually or explicitly set a value for this JSON field, EclecticIQ Intelligence Center interprets it as an override action. |
About user overrides
User-defined override key/value pairs are stored in the `meta` field of an entity JSON data structure.
Override fields in the `meta` field have precedence over:
- The corresponding original fields inside `meta`.
- Their corresponding override fields stored inside the `sources` field of an entity JSON data structure.
Affected parameter | Source reliability of the entity |
---|---|
Override field | `meta.source_reliability_override` |
Superseded field(s) | |
Description | Stores the override value a user can manually define when editing an entity in the entity editor or inside the entity detail pane. |
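The following Python is an added example, not EclecticIQ code. It applies the source name and source reliability filters described on this page to entity JSON offline: multiple values for one criterion are ORed, and `meta.source_reliability_override` takes precedence when present. It assumes that each `sources` entry carries its own `source_reliability` value, that this is the value the override supersedes, and that combining both criteria requires both to match; it does not model how the product's search index evaluates a query.

```python
"""Offline filter over entity JSON using the documented source fields."""

# Constructed sample entities: ids, names and reliability values are made up.
ENTITIES = [
    {"id": "e1", "meta": {},
     "sources": [{"name": "CVE", "source_reliability": "A"}]},
    {"id": "e2", "meta": {"source_reliability_override": "C"},
     "sources": [{"name": "CTI", "source_reliability": "A"},
                 {"name": "TAXII", "source_reliability": "B"}]},
    {"id": "e3", "meta": {}, "sources": [{"name": "TAXII"}]},
]


def effective_reliabilities(entity):
    """Return the set of reliability values that apply to an entity.

    A user override in meta.source_reliability_override wins over the
    per-source values (assumption: those are the superseded fields).
    """
    override = (entity.get("meta") or {}).get("source_reliability_override")
    if override:
        return {override}
    return {s["source_reliability"] for s in entity.get("sources", [])
            if s.get("source_reliability")}


def filter_entities(entities, names=None, reliabilities=None):
    """Return ids of matching entities; values in one criterion are ORed.

    Assumption: when both criteria are given, an entity must satisfy both.
    """
    names = set(names or [])
    reliabilities = set(reliabilities or [])
    hits = []
    for entity in entities:
        source_names = {s.get("name") for s in entity.get("sources", [])}
        if names and not (names & source_names):
            continue  # none of the requested source names is present
        if reliabilities and not (reliabilities & effective_reliabilities(entity)):
            continue  # no applicable reliability value matches
        hits.append(entity["id"])
    return hits


if __name__ == "__main__":
    print(filter_entities(ENTITIES, names=["CVE", "CTI", "TAXII"]))
    print(filter_entities(ENTITIES, reliabilities=["A"]))
```

In the sample data, entity `e2` was ingested from sources rated A and B, but the override to C is the only value this filter considers for it.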