Course of Action#

Tip

This entity is analogous to these STIX objects:

A course of action details a set of clear, specific recommendations and measures to mitigate an incident, address affected exploit targets, and effectively respond to a cyber threat.

The goal of a course of action can be preventing the potential occurrence of an incident, correcting a vulnerability so that it cannot be exploited, mitigating the consequences of an attack, or defeating an adversary.

Regardless of the goal, a course of action suggests the recommended actions to take in order to achieve the intended effect.

Create a course of action by selecting:

In the side navigation bar + Create > Course of action.

Or:

(Requires EclecticIQ Labs: Intelligence creation on the graph)

In the top navigation bar of a graph, select + and then Course of action to create a draft entity.
Double-click to open the newly created draft entity to edit it.

Then, Configure this entity.

Configure#

The following sections the fields and options available.

Note

Required fields are marked with an asterisk (*).

General#

Field	EIQ JSON field	Description
Title*	`data.title`	Descriptive title for this entity. See Titles and aliases.
Analysis	`data.description`	Long description of course of action.
Confidence	`data.confidence`	See Confidence scale: High Medium low.

Characteristics#

Characteristics are properties on an entity that provide context for the intelligence indicated by this object.

The following are characteristics available for courses of action:

Characteristics: Type
Characteristics: Stage
Characteristics: Objective
Characteristics: Impact
Characteristics: Cost
Characteristics: Efficacy

Characteristics: Type#

Field	EIQ JSON field	Description
Type	`data.coa_type`	Type of course of action. Analogous to CourseOfActionTypeVocab-1.0 Available options: Perimeter Blocking Internal Blocking Redirection Redirection (Honey Pot) Hardening Patching Eradication Rebuilding Training Monitoring Physical Access Restrictions Logical Access Restrictions Public Disclosure Diplomatic Actions Policy Actions Other

Field

EIQ JSON field

Description

Type

data.coa_type

Type of course of action. Analogous to CourseOfActionTypeVocab-1.0

Available options:

Perimeter Blocking
Internal Blocking
Redirection
Redirection (Honey Pot)
Hardening
Patching
Eradication
Rebuilding
Training
Monitoring
Physical Access Restrictions
Logical Access Restrictions
Public Disclosure
Diplomatic Actions
Policy Actions
Other

Characteristics: Stage#

Field	EIQ JSON field	Description
Stage	`data.stage`	Stage of course of action. Analogous to COAStageVocab-1.0 Available options: Remedy Response

Field

EIQ JSON field

Description

Stage

data.stage

Stage of course of action. Analogous to COAStageVocab-1.0

Available options:

Remedy
Response

Characteristics: Objective#

Describes the objective of this course of action. Analogous to ObjectiveType

Field	EIQ JSON field	Description
Description	`data.objective.description`	Describes objective.
Applicability confidence	`data.objective.applicability_confidence`	A confidence value. See Confidence scale: High Medium low.

Characteristics: Impact#

Describes the impact of this course of action.

Field	EIQ JSON field	Description
Impact value*	`data.impact.value`	See Confidence scale: High Medium low.
Confidence	`data.impact.confidence.value`	A confidence value. See Confidence scale: High Medium low.
Description	`data.impact.description`	Description of impact.

Characteristics: Cost#

Describes the cost of this course of action.

Field	EIQ JSON field	Description
Cost value*	`data.cost.value`	See Confidence scale: High Medium low.
Confidence	`data.cost.confidence.value`	A confidence value. See Confidence scale: High Medium low.
Description	`data.cost.description`	Description of cost.

Characteristics: Efficacy#

Describes the efficacy of this course of action.

Field	EIQ JSON field	Description
Efficacy value*	`data.efficacy.value`	See Confidence scale: High Medium low.
Confidence	`data.efficacy.confidence.value`	A confidence value. See Confidence scale: High Medium low.
Description	`data.efficacy.description`	Description of efficacy.

Observables#

You can create one or more new observables and link it to the currently open entity by selecting + Observable under the Observables section.

Note

If an observable you create here matches an observable rule with an ignore action, it does not appear when the you publish the entity.

In the Add observable view that appears, fill out these fields:

Field	EIQ JSON field	Description
Type*	`extracts[].kind`	See Observable types
Link name*	See Observable link types	See Observable link types
Values(s)*	`extracts[].value`	Enter one or more values. One observable is created per value. Values must be comma-separated, or newline-separated, but not both.
Maliciousness*	See Observable maliciousness	See Observable maliciousness

Relationships#

Add relationships to this entity by selecting + Add relationship.

See Relationships.

Meta#

The Meta section contains configuration options that allow you to attach descriptive data to the entity.

Field	EIQ JSON field	Description
Estimated threat start time	`meta.estimated_threat_start_time`	Estimated start of threat. See Time values.
Estimated threat end time	`meta.estimated_threat_end_time`	Estimated end of threat. See Time values.
Estimated observed time	`meta.estimated_observed_time`	Estimated time threat was observed. See Time values.
Half-life	`meta.half_life`	See Half-life. Select one of these options: Use default value: When selected, half-life for this entity is set to 720 days. Override value: Set a custom value for half-life, in number of days.
Tags	`meta.tags[]` and `meta.taxonomy_paths[]`	See tags and taxonomies.
Source*	`sources[]`	Select one source.
Source reliability	`meta.source_reliability`	See source reliability. Options: Inherit from source: This entity inherits source reliability from Source. Custom override: Set a source reliability value for just this entity.

Information source#

Field	EIQ JSON field	Description
Description	`data.information_source.description`	Description of information source.
Identity	`data.information_source.identity`	Name of this information source
Roles	`data.information_source.roles[]`	One or more information source roles. Possible values: Initial Author Content Enhancer/Refiner Aggregator Transformer/Translator
References	`data.information_source.references[]`	One or more URLs.

Data marking#

Descriptive metadata for entity.

Field	EIQ JSON field	Description
TLP	`meta.tlp_color`	Set a TLP color for this entity.
Terms of use	`data.handling[].marking_structures[]`	Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType.
Simple	`data.handling[].marking_structures[]`	Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType.

Workflow#

Use options here to apply workflow options to this entity.

Field	Description
Add to dataset	Select this option to add this entity to one or more datasets on Publish.
Manually enrich	Run one or more enrichers on this entity on Publish.

Save and publish#

Tip

For more information, see Draft and published entities.

Select Publish to create this entity, and make it available under + Create > Production > Published.

For more publishing options, select More and then one of these options:

Publish and new: Publish this entity, and start creating a new entity.
Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.

Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.

For more options while saving as a draft, select More and then one of these options:

Publish and new: Save this entity as a draft, and start creating a new entity.
Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.