Threat Actor#
Tip
This entity is analogous to these STIX objects:
You can also use the Intrusion Set and Identity entities to represent malicious actors.
A threat actor is an adversary who is motivated to damage an individual, a group, an entity or an organization. Threat actors can be individuals, groups, or organizations; they can be nation-sponsored or nation-state actors; they can be external to the targeted victims, or they can be insider threats. The motivation that drives them ranges from economic, political, ideological, to revenge and bragging. The benefits they gain from attacking a targeted victim vary from financial, to reputation damage, to intellectual property theft, and so on.
You can associate threat actors to TTPs and campaigns to understand how they plan and organize their attacks to the targeted victims. Indicators can help you track them, and relate them to observables and sightings. For example, an email address, an IP address, or a domain name associated with a real person’s identity.
Create a threat actor by selecting:
In the side navigation bar + Create > Threat actor.
Or:
(Requires EclecticIQ Labs: Intelligence creation on the graph)
In the top navigation bar of a graph, select + and then Threat actor to create a draft entity.
Double-click to open the newly created draft entity to edit it.
Then, Configure this entity.
Configure#
The following sections the fields and options available.
Note
Required fields are marked with an asterisk (*).
General#
Field |
EIQ JSON field |
Description |
---|---|---|
Name* |
|
Descriptive title for this entity. See Titles and aliases. |
Analysis |
|
Free text description of entity. |
Types* |
|
One or more threat actor types. Select a predefined type, or add a custom type by typing in the field and pressing ENTER. See Threat actor types |
Aliases |
|
One or more known names to identify this threat actor by. When this entity is published, also creates
one |
Intended effects |
|
See Intended effects.
For STIX 2.1, maps to |
Confidence* |
|
Observables#
You can create one or more new observables and link it to the currently open entity by selecting + Observable under the Observables section.
Note
If an observable you create here matches an observable rule with an ignore action, it does not appear when the you publish the entity.
In the Add observable view that appears, fill out these fields:
Field |
EIQ JSON field |
Description |
---|---|---|
Type* |
|
See Observable types |
Link name* |
||
Values(s)* |
|
Enter one or more values. One observable is created per value. Values must be comma-separated, or newline-separated, but not both. |
Maliciousness* |
Characteristics#
Characteristics are properties on an entity that provide context for the intelligence indicated by this object.
The following are characteristics available for threat actors:
Field |
EIQ JSON field |
Description |
---|---|---|
Motivations |
|
Based on STIX 2.1 §10.2 Attack Motivation Vocabulary. If entity is imported from an earlier version of EclecticIQ Intelligence Center, can contain values from MotivationVocab-1.1 |
Personal motivations |
|
|
Sophistication |
|
Based on STIX 2.1 §10.25 Threat Actor Sophistication Vocabulary. If this entity is imported from an earlier version of EclecticIQ Intelligence Center, can contain values from ThreatActorSophisticationVocab-1.0. |
Resource level |
|
|
Planning and operational support |
|
Based on PlanningAndOperationalSupportVocab-1.0.1. |
Roles |
|
Relationships#
Add relationships to this entity by selecting + Add relationship.
See Relationships.
Meta#
The Meta section contains configuration options that allow you to attach descriptive data to the entity.
Field |
EIQ JSON field |
Description |
---|---|---|
Estimated threat start time |
|
Estimated start of threat. See Time values. |
Estimated threat end time |
|
Estimated end of threat. See Time values. |
Estimated observed time |
|
Estimated time threat was observed. See Time values. |
Half-life |
|
See Half-life. Select one of these options:
|
Tags |
|
See tags and taxonomies. |
Source* |
|
Select one source. |
Source reliability |
|
See source reliability. Options:
|
Information source#
Field |
EIQ JSON field |
Description |
---|---|---|
Description |
|
Description of information source. |
Identity |
|
Name of this information source |
Roles |
|
One or more information source roles. Possible values:
|
References |
|
One or more URLs. |
Data marking#
Descriptive metadata for entity.
Field |
EIQ JSON field |
Description |
---|---|---|
TLP |
|
Set a TLP color for this entity. |
Terms of use |
|
Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType. |
Simple |
|
Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType. |
Workflow#
Use options here to apply workflow options to this entity.
Field |
Description |
---|---|
Add to dataset |
Select this option to add this entity to one or more datasets on Publish. |
Manually enrich |
Run one or more enrichers on this entity on Publish. |
Save and publish#
Tip
For more information, see Draft and published entities.
Select Publish to create this entity, and make it available under + Create > Production > Published.
For more publishing options, select More and then one of these options:
Publish and new: Publish this entity, and start creating a new entity.
Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.
Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.
For more options while saving as a draft, select More and then one of these options:
Publish and new: Save this entity as a draft, and start creating a new entity.
Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.
Appendix#
Threat actor types#
Characterizes this threat actor.
The threat actor entity allows you to set a type by:
Selecting from a set of predefined values.
These predefined values are derived from the STIX 1.2 ThreatActorTypeVocab-1.0.
Or, entering a custom value.
Tip
For compliance with STIX 2.1 recommendations, enter custom values that correspond to the STIX 2.1 §10.23 Threat Actor Type Vocabulary.
When this entity is exported to STIX 1.2 or STIX 2.1 formats, the entity’s type values are mapped to the corresponding Threat Actor object’s type field:
Identity property#
The identity property is no longer part of the Threat Actor entity. Use the Identity entity instead.