Entity rule actions

Action	Description
Add tags	Select one or more tags to add to an entity that matches this rule.
Remove tags	Select one or more tags to remove from an entity that matches this rule.
Add to dataset	Select one or more datasets. When an entity matches this rule, it is added to these datasets.
Set alias	Sets an alias for entities that match this rule. See Actions: Set alias.
Override TLP	Select a TLP value to set for entities that match this rule.
Merge similar	Select one entity. Entities that are similar to this selected entity will be merged into a single entity. Entities are similiar if they have: Identical title, descriptio, and other STIX data fields. Different STIX ID. Different timestamps. Note When you set Merge similar as an action for an entity rule, you cannot set other actions for that rule. Caution Use entity merging with caution: it is not possible to undo a merge action. All merged entities disappear: they are not indexed, and therefore they are not searchable through the GUI. They persist in the main data storage (PostgreSQL): to search these entities, run a SQL query in EclecticIQ Intelligence Center PostgreSQL database.
Convert entity	See Actions: Convert entity.

Save

Once done:

• Select Save to save this rule.

• Select Save > Save and new to save this rule and start creating a new rule.

• Select Save > Save and duplicate to save this rule and start creating a new rule using settings from this rule.

Actions: Set alias

The Set alias rule uses named capturing groups and backreferences to automatically assign entities title aliases based on specified data pattern regexes, variable names, and formatting templates for the title aliases.

Aliases help identify entities that are known by different names, depending on the data provider referencing them.

First, define the named groups in the entity title.

You insert named groups in the title alias by referencing them with the variables that represent them:

• The (?P<name>regex) expressions in Title parsing pattern define data patterns for matching text strings in the title.

• You can reference matches in the alias using the corresponding variable names between chevron brackets (< >).

• The name variable accepts alphanumeric characters. It must start with a letter.

• The regex must comply with Python syntax.

Then, define a format template for the title alias.

You insert named groups in template by referencing them with the variables that represent them:

• The Alias formatting template field accepts a string to set a formatting template for the title alias, where you include the previously defined named group variables as needed.

• The template variable names must exactly match the corresponding named group variables they reference.

• The formatting string must comply with Python syntax.

Example

Let’s assume we want to set an alias for the following entity title:

*VxVault reporting on Malware Malware.Win32.Sample with name sample found at URL http://malicious.com/double-click-me.exe (104.31.72.46)*

1. First, let’s isolate the named groups in the title that we want to reuse in the title alias by setting Title parsing pattern to:

   *VxVault reporting on Malware (?P<malware>[^\s]+) with name sample found at URL (?P<url>[^\s]+) \ ((?P<ip>[\d\.]+)\)*
   

2. Then, let’s define a format template for the title alias that includes the named groups by referencing the corresponding variables by setting Alias formatting template to

   *malware={malware}, url={url}, ip={ip}*
   

When the rule runs, it produces the resulting title alias:

*malware=Malware.Win32.Sample, url=http://malicious.com/double-click-me.exe, ip=104.31.72.46*

Actions: Convert entity

Use the Convert entity action to convert:

• TTP (deprecated) to:

  • Tool

  • Identity

  • Attack pattern

  • Malware

  • Malware family

  • Infrastructure

  See Convert TTPs for mapping and restrictions.

• Threat Actor to Intrusion Set

General conversion notes

The following sections describe how the Convert entity action works with TTP and Threat Actor entities.

Conversion retains data

When a TTP or Threat Actor is converted to the selected target entity type, it retains most of its data.

Additionally:

• Original entity is preserved in original_eiqjson1_entity.

  The id,data, and meta JSON fields of the original entity are preserved in the original_eiqjson1_entity field of the resulting converted entity.

  This field is:

  • only visible in the UI when viewing the raw JSON of the resulting target entity.

  • indexed. Content from the original entity is available through searches on EclecticIQ Intelligence Center.

• Original entity is available as a version.

  You can find the original entity in the VERSIONS tab of the resulting entity when viewing it in the entity builder.

Conversion updates direct references

Converting entities also affects components that directly reference those entities. EclecticIQ Intelligence Center updates these components on entity conversion:

• New entity inherits relations.

  When an entity is converted to the target entity type, the resulting entity inherits its relations.

  These inherited relations will take on a new type depending on conversion.

  See Relationships.

• Tasks reference the new entities.

  Tasks (or tickets) can contain a list of Entities. Tasks that reference a converted entity in these lists are updated to contain the resulting entity.

• Static datasets are updated.

  Static datasets that contain the original entity are updated to contain the resulting entity.

  Note: Dynamic datasets must have their search queries manually updated to include the resulting entities.

  See (Optional) Manually update indirect references.

(Optional) Manually update indirect references

When you convert an entity from one type to another entity type, EclecticIQ Intelligence Center only updates components that directly reference the original entity.

It does not update components that indirectly reference the original entities, such as through search query expressions or rule criteria. These must be manually updated to target the results of the conversion.

Tip

For example, when converting a TTP entity to an Attack Pattern entity, a dynamic dataset that targets TTP entities with the search query expression:

data.type:"ttp"

should be updated or replaced with the following expression to target Attack Pattern entities instead:

data.type:"attack-pattern"

The following is a list of components that should be manually reviewed for indirect reference and updated:

• Dynamic datasets: Update Search query expression to target new entity types.

• Rules: Update the Entity types criteria to target new entity types.

• Retention policies: Update Actions > Entity types to target new entity types.

• Graphs: Refresh graph to display results of conversion.

• Exposure: Update Exposure > Settings to target new entity types.

• Outgoing feeds: Outgoing feeds may contain transport-specific configuration that targets the original entity type(s).

  They may also contain paths specific to the original entity type(s) in Anonymization > Skip paths, which need to be updated to include paths in the resulting entities instead.

Only one target entity type per conversion

Entities can only be converted to one target entity type per conversion.

You also cannot convert the same entity more than once. Once converted, the original entity is replaced with a new entity with the selected target entity type, preventing multiple conversions.

If you need to convert a given entity to multiple entity types, you must either:

• Manually create new entities, or

• Create copies of that entity, each with a different characteristic that matches the target entity type, then create and run rule(s) that match these copies and run the corresponding conversion action.

Convert TTPs

This section contains information specific to converting TTPs with this entity rule action.

TTP must contain required characteristics

The TTP must contain the correct Characteristic field for the target entity type, otherwise the conversion is skipped.

TTPs with no characteristics, or only the Exploit characteristic, are skipped during conversion.

The following table shows the characteristics required for each target entity type:

Target entity type	Required source TTP property	EIQ JSON path of TTP property
Attack Pattern	Characteristics > Behavior > Attack Pattern	data.behavior.attack_patterns
Malware	Characteristics > Behavior > Malware	data.behavior.malware
Malware family	Characteristics > Behavior > Malware	data.behavior.malware
Tool	Characteristics > Resources > Tool	data.resources.tools
Infrastructure	Characteristics > Resources > Infrastructure	data.resources.infrastructure
Identity	Characteristics > Targeted Victim	data.victim_targeting

Cannot convert to TTP or Threat Actor from other entities

You cannot convert entities back into TTPs or Threat Actor entities.

General mapping

When an entity is converted, the converted entity:

• Drops all Characteristics fields that are not Characteristics > Resources > Infrastructure.

• id, data, and meta fields from the original entity is retained in the original_eiqjson1_entity of the converted entity.

• Retains data from the relevant characteristic.

• For all conversions, modifies these fields:

  EclecticIQ JSON field	Description
  data.title	Title is retained. If the existing title contains a prefix like <Entity Type>: and original entity has an existing Characteristics property for the target entity type, this prefix is removed on conversion.
  data.intended_effects[]	Each item is prefixed with intended_effects: and added to tags (meta.tags[]).