Entity rule actions#
Action |
Description |
---|---|
Add tags |
Select one or more tags to add to an entity that matches this rule. |
Remove tags |
Select one or more tags to remove from an entity that matches this rule. |
Add to dataset |
Select one or more datasets. When an entity matches this rule, it is added to these datasets. |
Set alias |
Sets an alias for entities that match this rule. See Actions: Set alias. |
Override TLP |
Select a TLP value to set for entities that match this rule. |
Merge similar |
Select one entity. Entities that are similar to this selected entity will be merged into a single entity. Entities are similiar if they have:
Note When you set Merge similar as an action for an entity rule, you cannot set other actions for that rule. Caution
|
Convert entity |
Save#
Once done:
Actions: Set alias#
The Set alias rule uses named capturing groups and backreferences to automatically assign entities title aliases based on specified data pattern regexes, variable names, and formatting templates for the title aliases.
Aliases help identify entities that are known by different names, depending on the data provider referencing them.
First, define the named groups in the entity title.
You insert named groups in the title alias by referencing them with the variables that represent them:
The
(?P<name>regex)
expressions in Title parsing pattern define data patterns for matching text strings in the title.You can reference matches in the alias using the corresponding variable names between chevron brackets (< >).
The
name
variable accepts alphanumeric characters. It must start with a letter.
The regex must comply with Python syntax.
Then, define a format template for the title alias.
You insert named groups in template by referencing them with the variables that represent them:
The Alias formatting template field accepts a string to set a formatting template for the title alias, where you include the previously defined named group variables as needed.
The template variable names must exactly match the corresponding named group variables they reference.
The formatting string must comply with Python syntax.
Example
Let’s assume we want to set an alias for the following entity title:
*VxVault reporting on Malware Malware.Win32.Sample with name sample found at URL http://malicious.com/double-click-me.exe (104.31.72.46)*
First, let’s isolate the named groups in the title that we want to reuse in the title alias by setting Title parsing pattern to:
*VxVault reporting on Malware (?P<malware>[^\s]+) with name sample found at URL (?P<url>[^\s]+) \ ((?P<ip>[\d\.]+)\)*
Then, let’s define a format template for the title alias that includes the named groups by referencing the corresponding variables by setting Alias formatting template to
*malware={malware}, url={url}, ip={ip}*
When the rule runs, it produces the resulting title alias:
*malware=Malware.Win32.Sample, url=http://malicious.com/double-click-me.exe, ip=104.31.72.46*
Actions: Convert entity#
Use the Convert entity action to convert:
TTP (deprecated) to:
See Convert TTPs for mapping and restrictions.
General conversion notes#
The following sections describe how the Convert entity action works with TTP and Threat Actor entities.
Conversion retains data#
When a TTP or Threat Actor is converted to the selected target entity type, it retains most of its data.
Additionally:
Original entity is preserved in
original_eiqjson1_entity
.The
id
,data
, andmeta
JSON fields of the original entity are preserved in theoriginal_eiqjson1_entity
field of the resulting converted entity.This field is:
only visible in the UI when viewing the raw JSON of the resulting target entity.
indexed. Content from the original entity is available through searches on EclecticIQ Intelligence Center.
Original entity is available as a version.
You can find the original entity in the VERSIONS tab of the resulting entity when viewing it in the entity builder.
Conversion updates direct references#
Converting entities also affects components that directly reference those entities. EclecticIQ Intelligence Center updates these components on entity conversion:
New entity inherits relations.
When an entity is converted to the target entity type, the resulting entity inherits its relations.
These inherited relations will take on a new type depending on conversion.
See Relationships.
Tasks reference the new entities.
Tasks (or tickets) can contain a list of Entities. Tasks that reference a converted entity in these lists are updated to contain the resulting entity.
Static datasets are updated.
Static datasets that contain the original entity are updated to contain the resulting entity.
Note: Dynamic datasets must have their search queries manually updated to include the resulting entities.
(Optional) Manually update indirect references#
When you convert an entity from one type to another entity type, EclecticIQ Intelligence Center only updates components that directly reference the original entity.
It does not update components that indirectly reference the original entities, such as through search query expressions or rule criteria. These must be manually updated to target the results of the conversion.
Tip
For example, when converting a TTP entity to an Attack Pattern entity, a dynamic dataset that targets TTP entities with the search query expression:
data.type:"ttp"
should be updated or replaced with the following expression to target Attack Pattern entities instead:
data.type:"attack-pattern"
The following is a list of components that should be manually reviewed for indirect reference and updated:
Dynamic datasets: Update Search query expression to target new entity types.
Rules: Update the Entity types criteria to target new entity types.
Retention policies: Update Actions > Entity types to target new entity types.
Graphs: Refresh graph to display results of conversion.
Exposure: Update Exposure > Settings to target new entity types.
Outgoing feeds: Outgoing feeds may contain transport-specific configuration that targets the original entity type(s).
They may also contain paths specific to the original entity type(s) in Anonymization > Skip paths, which need to be updated to include paths in the resulting entities instead.
Only one target entity type per conversion#
Entities can only be converted to one target entity type per conversion.
You also cannot convert the same entity more than once. Once converted, the original entity is replaced with a new entity with the selected target entity type, preventing multiple conversions.
If you need to convert a given entity to multiple entity types, you must either:
Manually create new entities, or
Create copies of that entity, each with a different characteristic that matches the target entity type, then create and run rule(s) that match these copies and run the corresponding conversion action.
Convert TTPs#
This section contains information specific to converting TTPs with this entity rule action.
TTP must contain required characteristics#
The TTP must contain the correct Characteristic field for the target entity type, otherwise the conversion is skipped.
TTPs with no characteristics, or only the Exploit characteristic, are skipped during conversion.
The following table shows the characteristics required for each target entity type:
Target entity type |
Required source TTP property |
EIQ JSON path of TTP property |
---|---|---|
Attack Pattern |
Characteristics > Behavior > Attack Pattern |
|
Malware |
Characteristics > Behavior > Malware |
|
Malware family |
Characteristics > Behavior > Malware |
|
Tool |
Characteristics > Resources > Tool |
|
Infrastructure |
Characteristics > Resources > Infrastructure |
|
Identity |
Characteristics > Targeted Victim |
|
Cannot convert to TTP or Threat Actor from other entities#
You cannot convert entities back into TTPs or Threat Actor entities.
General mapping#
When an entity is converted, the converted entity:
Drops all Characteristics fields that are not Characteristics > Resources > Infrastructure.
id
,data
, andmeta
fields from the original entity is retained in theoriginal_eiqjson1_entity
of the converted entity.Retains data from the relevant characteristic.
For all conversions, modifies these fields:
EclecticIQ JSON field
Description
data.title
Title is retained. If the existing title contains a prefix like
<Entity Type>:
and original entity has an existing Characteristics property for the target entity type, this prefix is removed on conversion.data.intended_effects[]
Each item is prefixed with
intended_effects:
and added to tags (meta.tags[]
).