Incident#

Tip

This entity is analogous to these STIX objects:

An incident records a specific occurrence of indicators of compromise or observables affecting your organization or your system. An incident includes context information about the event such as start and end times, affected assets and resources, impact and seriousness assessment, any known threat actors and targeted victims involved, TTPs, related indicators and observables, and so on.

Create an incident by selecting:

In the side navigation bar + Create > Incident.

Or:

(Requires EclecticIQ Labs: Intelligence creation on the graph)

In the top navigation bar of a graph, select + and then Incident to create a draft entity.
Double-click to open the newly created draft entity to edit it.

Then, Configure this entity.

Configure#

The following sections the fields and options available.

Note

Required fields are marked with an asterisk (*).

General#

Field	EIQ JSON field	Description
Title*	`data.title`	Descriptive title for this entity. See Titles and aliases.
Analysis	`data.description`	Long description.
Status	`data.status`	Status of incident. Analogous to IncidentStatusVocab-1.0. Possible options: New Open Stalled Containment Achieved Restoration Achieved Incident Reported Closed Rejected Deleted
Categories*	`data.categories[]`	Category of incident. Analogous to IncidentCategoryVocab-1.0. Possible values: Exercise/Network Defense Testing Unauthorized Access Denial of Service Malicious Code Improper Usage Scans/Probes/Attempted Access Investigation
Intended effects*	`data.intended_effects`	See Intended effects.
Security compromise	`data.security_compromise`	Describes the security compromise involved in this incident. Analogous to SecurityCompromiseVocab-1.0 Possible values: Yes Suspected No Unknown
Discovery methods*	`data.discovery_methods[]`	Describes how the incident was discovered. Analogous to DiscoveryMethodVocab-2.0.
Confidence	`data.confidence`	See Confidence scale: High Medium low.

Characteristics#

Characteristics are properties on an entity that provide context for the intelligence indicated by this object.

The following are characteristics available this entity:

Characteristics: Time coordinates
Characteristics: Reporter
Characteristics: Coordinator
Characteristics: Responder
Characteristics: Contact
Characteristics: Affected asset
Characteristics: Impact
Characteristics: Victim

Characteristics: Time coordinates#

Add various date and time properties to this entity. Analogous to TimeType.

Field	EIQ JSON field	Description
First malicious action	`data.time_first_malicious_action`	Date and time malicious action was first detected.
Time first malicious action precision	`data.time_first_malicious_action_precision`	See Date and time precision.
Initial compromise	`data.time_initial_compromise`	Date and time initial compromise was detected.
Time initial compromise precision	`data.time_initial_compromise_precision`	See Date and time precision.
First data exfiltration	`data.time_first_data_exfiltration`	Date and time data exfiltration was first detected.
Time first data exfiltration precision	`data.time_first_data_exfiltration_precision`	See Date and time precision.
Incident discovery	`data.time_incident_discovery`	Date and time this incident was discovered.
Time incident discovery precision	`data.time_incident_discovery_precision`	See Date and time precision.
Incident opened	`data.time_incident_opened`	Date and time this incident was first opened.
Time incident opened precision	`data.time_incident_opened_precision`	See Date and time precision.
Containment achieved	`data.time_containment_achieved`	Date and time incident was contained.
Time containment achieved precision	`data.time_containment_achieved_precision`	See Date and time precision.
Restoration achieved	`data.time_restoration_achieved`	Date and time assets affected by incident were restored.
Time restoration achieved precision	`data.time_restoration_achieved_precision`	See Date and time precision.
Incident reported	`data.time_incident_reported`	Date and time incident was reported
Time incident reported precision	`data.time_incident_reported_precision`	See Date and time precision.
Incident closed	`data.time_incident_closed`	Date and time this incident was closed.
Time incident closed precision	`data.time_incident_closed_precision`	See Date and time precision.

Characteristics: Reporter#

Add a reporter. Analogous to InformationSourceType.

Field	EIQ JSON field	Description
Name*	`data.reporter.identity.name`	Name of this information source. Also creates a `name` observable when this entity is published.
Specification	`data.reporter.identity.specification_xml`	See Identity specification.
Roles*	`data.reporter.roles[]`	Role of this information source. Analogous to InformationSourceRoleVocab-1.0. Possible values: Initial Author Content Enhancer/Refiner Aggregator Transformer/Translator
Description	`data.reporter.description`	Description of this information source.

Characteristics: Coordinator#

Add one or more coordinator. Analogous to InformationSourceType.

Field	EIQ JSON field	Description
Name*	`data.coordinators[].identity.name`	Name of this information source. Also creates a `name` observable when this entity is published.
Specification	`data.coordinators[].identity.specification_xml`	See Identity specification.
Roles*	`data.coordinators[].roles[]`	Role of this information source. Analogous to InformationSourceRoleVocab-1.0. Possible values: Initial Author Content Enhancer/Refiner Aggregator Transformer/Translator
Description	`data.coordinators[].description`	Description of this information source.

Characteristics: Responder#

Add one or more responder. Analogous to InformationSourceType.

Field	EIQ JSON field	Description
Name*	`data.responders[].identity.name`	Name of this information source. Also creates a `name` observable when this entity is published.
Specification	`data.responders[].identity.specification_xml`	See Identity specification.
Roles*	`data.responders[].roles[]`	Role of this information source. Analogous to InformationSourceRoleVocab-1.0. Possible values: Initial Author Content Enhancer/Refiner Aggregator Transformer/Translator
Description	`data.responders[].description`	Description of this information source.

Characteristics: Contact#

Add one or more contact. Analogous to InformationSourceType.

Field	EIQ JSON field	Description
Name*	`data.contacts[].identity.name`	Name of this information source. Also creates a `name` observable when this entity is published.
Specification	`data.contacts[].identity.specification_xml`	See Identity specification.
Roles*	`data.contacts[].roles[]`	Role of this information source. Analogous to InformationSourceRoleVocab-1.0. Possible values: Initial Author Content Enhancer/Refiner Aggregator Transformer/Translator
Description	`data.contacts[].description`	Description of this information source.

Characteristics: Affected asset#

Add one or more affected assets to this incident. Analogous to AffectedAssetType.

Field	EIQ JSON field	Description
Description*	`data.affected_assets[].description`	Description of this affected asset.
Asset type*	`data.affected_assets[].identity.specification_xml`	See Identity specification.
Ownership class*	`data.affected_assets[].identity.specification_xml`	OwnershipClassVocab-1.0.
Management class*	`data.affected_assets[].identity.specification_xml`	ManagementClassVocab-1.0.
Location class*	`data.affected_assets[].identity.specification_xml`	LocationClassVocab-1.0.
Business function or role	`data.affected_assets[].business_function_or_role`	Describes the business function or role of this affected asset.
Properties Affected	`data.affected_assets[].nature_of_security_effect_properties_affected[]`	See Affected assets: Properties affected.

Affected assets: Properties affected#

Add one or more properties affected. Analogous to PropertyAffectedType

Field	EIQ JSON field	Description
Property	`data.affected_assets[].nature_of_security_effect_properties_affected[].property`	LossPropertyVocab-1.0.
Type of availability loss	`data.affected_assets[].nature_of_security_effect_properties_affected[].type_of_availability_loss`	AvailabilityLossTypeVocab-1.1.1.
Duration of availability loss	`data.affected_assets[].nature_of_security_effect_properties_affected[].duration_of_availability_loss`	LossDurationVocab-1.0.
Non public data compromised	`data.affected_assets[].nature_of_security_effect_properties_affected[].non_public_data_compromised`	SecurityCompromiseVocab-1.0.
Description of effect	`data.affected_assets[].nature_of_security_effect_properties_affected[].description_of_effect`	Description of how this property was affected.

Characteristics: Impact#

Add impact details to this incident Analogous to ImpactAssessmentType.

Field	EIQ JSON field	Description
Effects	`data.impact_assessment.effects[]`	Select one or more effects for this incident. Analogous to EffectsType. Uses Intended effects.

Field

EIQ JSON field

Description

Effects

data.impact_assessment.effects[]

Select one or more effects for this incident. Analogous to EffectsType.

Uses Intended effects.

Set the following additional properties:

Impact: Direct impact summary
Impact: Indirect impact summary
Impact: Total loss estimation

Impact: Direct impact summary#

DirectImpactSummaryType.

Field	EIQ JSON field	Description
Asset losses	`data.impact_assessment.direct_impact_summary_asset_losses`	ImpactRatingVocab-1.0.
Business mission disruption	`data.impact_assessment.direct_impact_summary_business_mission_disruption`	ImpactRatingVocab-1.0.
Response and recovery costs	`data.impact_assessment.direct_impact_summary_response_and_recovery_costs`	ImpactRatingVocab-1.0.

Impact: Indirect impact summary#

Field	EIQ JSON field	Description
Loss of competitive advantage	`data.impact_assessment.indirect_impact_summary_loss_of_competitive_advantage`	SecurityCompromiseVocab-1.0.
Brand and market damage	`data.impact_assessment.indirect_impact_summary_brand_and_market_damage`	SecurityCompromiseVocab-1.0.
Increased operating costs	`data.impact_assessment.indirect_impact_summary_increased_operating_costs`	SecurityCompromiseVocab-1.0.
Legal and regulatory costs	`data.impact_assessment.indirect_impact_summary_legal_and_regulatory_costs`	SecurityCompromiseVocab-1.0.
Impact qualification	`data.impact_assessment.impact_qualification`	ImpactQualificationVocab-1.0.

Impact: Total loss estimation#

Initial reported

Field	EIQ JSON field	Description
Amount	`data.impact_assessment.total_loss_estimation_initial_reported_amount`	Initially reported total loss estimation.
Currency	`data.impact_assessment.total_loss_estimation_initial_reported_iso_currency_code`	Currency used for reported total loss estimation.

Actual

Field	EIQ JSON field	Description
Amount	`data.impact_assessment.total_loss_estimation_actual_amount`	Actual total loss estimation.
Currency	`data.impact_assessment.total_loss_estimation_actual_iso_currency_code`	Currency used for actual total loss estimation.

Characteristics: Victim#

Add one or more victims of this incident. Analogous to InformationSourceType.

Field	EIQ JSON field	Description
Name*	`data.victims[].identity.name`	Name of this information source. Also creates a `name` observable when this entity is published.
Specification	`data.victims[].identity.specification_xml`	See Identity specification.

Field

EIQ JSON field

Description

Name*

data.victims[].identity.name

Name of this information source.

Also creates a name observable when this entity is published.

Specification

data.victims[].identity.specification_xml

See Identity specification.

Observables#

You can create one or more new observables and link it to the currently open entity by selecting + Observable under the Observables section.

Note

If an observable you create here matches an observable rule with an ignore action, it does not appear when the you publish the entity.

In the Add observable view that appears, fill out these fields:

Field	EIQ JSON field	Description
Type*	`extracts[].kind`	See Observable types
Link name*	See Observable link types	See Observable link types
Values(s)*	`extracts[].value`	Enter one or more values. One observable is created per value. Values must be comma-separated, or newline-separated, but not both.
Maliciousness*	See Observable maliciousness	See Observable maliciousness

Relationships#

Add relationships to this entity by selecting + Add relationship.

See Relationships.

Meta#

The Meta section contains configuration options that allow you to attach descriptive data to the entity.

Field	EIQ JSON field	Description
Estimated threat start time	`meta.estimated_threat_start_time`	Estimated start of threat. See Time values.
Estimated threat end time	`meta.estimated_threat_end_time`	Estimated end of threat. See Time values.
Estimated observed time	`meta.estimated_observed_time`	Estimated time threat was observed. See Time values.
Half-life	`meta.half_life`	See Half-life. Select one of these options: Use default value: When selected, half-life for this entity is set to 720 days. Override value: Set a custom value for half-life, in number of days.
Tags	`meta.tags[]` and `meta.taxonomy_paths[]`	See tags and taxonomies.
Source*	`sources[]`	Select one source.
Source reliability	`meta.source_reliability`	See source reliability. Options: Inherit from source: This entity inherits source reliability from Source. Custom override: Set a source reliability value for just this entity.

Information source#

Field	EIQ JSON field	Description
Description	`data.information_source.description`	Description of information source.
Identity	`data.information_source.identity`	Name of this information source
Roles	`data.information_source.roles[]`	One or more information source roles. Possible values: Initial Author Content Enhancer/Refiner Aggregator Transformer/Translator
References	`data.information_source.references[]`	One or more URLs.

Data marking#

Descriptive metadata for entity.

Field	EIQ JSON field	Description
TLP	`meta.tlp_color`	Set a TLP color for this entity.
Terms of use	`data.handling[].marking_structures[]`	Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType.
Simple	`data.handling[].marking_structures[]`	Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType.

Workflow#

Use options here to apply workflow options to this entity.

Field	Description
Add to dataset	Select this option to add this entity to one or more datasets on Publish.
Manually enrich	Run one or more enrichers on this entity on Publish.

Save and publish#

Tip

For more information, see Draft and published entities.

Select Publish to create this entity, and make it available under + Create > Production > Published.

For more publishing options, select More and then one of these options:

Publish and new: Publish this entity, and start creating a new entity.
Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.

Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.

For more options while saving as a draft, select More and then one of these options:

Publish and new: Save this entity as a draft, and start creating a new entity.
Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.

Appendix#

Identity specification#

Add one or more items to Specification to flesh out the identity being described. Content here is used to construct the XML content in the specification_xml field in EIQ JSON. Analogous to STIXCIQIdentity3.0Type as used in IdentityType/ CIQIdentity3.0InstanceType/ CIQ 3.0 Specifications.

Field	Description
Account	Describes a bank account or similar. Available fields: *Account type: Set an account type. Free text field. Account status:* Set an account status. Free text field. Account specification: Add one or more account specifications. For each account specification, set these fields: *Type: One of the following options: Account ID Issuing authority Account type Account branch Issuing country name Value:* Set a value for this account specification.
Person	Add one or more properties describing a person. *Type: Select one of these options: Preceding title Title First name Middle name Last name Other name Alias name Generation identifier Degree Value:* Enter a value for this Type.
Organization	Add one or more properties describing an organization. *Type: Select one of these options: Name only Type only (i.e. “Inc”) Full name Value:* Enter a value for this Type.
Electronic address	Add one or more electronic addresses for this targeted victim. *Type: Select an electronic address type. Value:* Enter the full electronic address.

Each item added to the Specification section creates an observable with the corresponding type:

Specification field	Resulting observable type(s)
Account	`bank-account`
Person	`person`
Organization	`organization`
Electronic address	`email` `domain` `handle`