Splunk SOAR | Use | Create Entities

The Create Indicator and Create Sighting actions allow you to create an Entities in the EclecticIQ Intelligence Center (EIQ IC).

Export information to EIQ IC

You can have the following information filled in from Splunk SOAR when you create an Indicator entity:

• Indicator Title

• Indicator Description

• Confidence

• Impact

• Tags
  By default, Indicators are created with two tags:

  • Phantom Indicator

  • Automatically created You can add more tags or replace the defaults. Delimit these tags with “,”

Create Observables along with Entities

Use the Type, Maliciousness, and Value fields to create a single Observable connected to the Indicator or Sighting entities you are creating.

To create to multiple Observables while creating an Entity, use the “Observable dictionary” field. List the Value, Type, and Maliciousness per Observable delimited with “,” and delimit Observables with “;”
Examples:

• value1,type1,maliciousness1;value2,type2,maliciousness2;value3,type3,maliciousness3

• 121.11.121.11,ipv4,low;122.12.131.11,ipv4,high

Maliciousness can have the following values:

• Unknown

• Safe

• Low

• Medium

• High