Observable link types#
Link types for observables are labels for the relations between a given observable and an entity.
Link types for observables are displayed in two places:
- In the EIQ JSON field `entities[].extracts[].instance_meta.link_types[]` (see jq filter).
- When viewing an open entity in the entity builder, under the Observables tab. The Relations column displays the link type of each observable.
Tip
Link types for observables are only visible where observables can be displayed in relation to specific entities.
Create observables with link types#
You can create observables with link types in two ways:
- Adding an observable to an existing entity:
  1. Open an existing entity.
  2. In the entity builder, go to the Observables tab.
  3. Select + Add observable.
- Adding an observable to a new entity:
  1. Create a new entity: in the left navigation, select + Create, then select an entity type.
  2. Navigate to the Observables section and select + Observable.
List of predefined link types#
The following table describes the available predefined link types per entity type (the GUI labels; the corresponding search input values are listed under Search by link type).

Entity type | Possible link types
---|---
Course of action | Parameter
Exploit target | Affected, Configuration, Vulnerability, Weakness
Incident | Affected asset, Related
Indicator | Observable, Sighted, Test mechanism
TTP | Malicious infrastructure, Targeted victim
Report | Observable
Threat actor | Identity
Campaign | N/A. Campaign-related observables do not have link types.
Search by link type#
You can use link types to search for specific observables, based on the type of relationship they have with their parent entity.
The type of relationship between an observable and an entity adds context and can help you understand the function of the observable within the broader threat landscape it belongs to.
For example, a relationship can identify an observable as a victim, an affected asset, a vulnerability, or a component of the threat actor's malicious infrastructure.
Suppose an analyst is investigating a threat scenario in which a threat actor exploits the CVE-2017-8793 vulnerability to gain access to the targeted victim's assets.
The analyst may want to search EclecticIQ Intelligence Center for exploit target entities containing observables that are linked to the parent exploit target because they represent a vulnerability.
To search for an observable representing a vulnerability:
1. In the search input field, enter your search query. The three link-type alternatives are grouped in parentheses so that the entity type and observable kind constraints apply to each of them; without the grouping, the OR clauses are not evaluated as one unit and the query does not express the intended restriction:

```
data.type:exploit-target AND extracts.kind:domain AND (meta.bundled_extracts.link_types:vulnerability OR extracts.instance_meta.link_types:vulnerability OR extracts_nested.instance_meta.link_types:vulnerability)
```

2. Press ENTER to start the search.
In the search query example:
- `meta.bundled_extracts.link_types` is the JSON path pointing to the field in the entity data structure that holds the link type value defining the relationship between entities and the corresponding bundled observables.
- `extracts.instance_meta.link_types` is the JSON path pointing to the field in the entity data structure that holds the link type value defining the relationship between entities and non-embedded observables.
- `extracts_nested.instance_meta.link_types` is the JSON path pointing to the field in the entity data structure that holds the link type value defining the relationship between entities and the corresponding embedded observables.
- `vulnerability` is the link type value defining the type of entity-observable relationship you are looking for.

If the link type value search string contains multiple words separated by spaces, wrap the search string in double quotes (example: "my multiple word search string").
EclecticIQ Intelligence Center search functionality uses the Elasticsearch query syntax.
The following table maps the link type values you can enter in a search query to the corresponding options displayed in the GUI (campaign entities have no link types to define relationships with observables):

Search input value | GUI option | Entity
---|---|---
parameter | Parameter | Course of action
affected | Affected | Exploit target
configuration | Configuration | Exploit target
vulnerability | Vulnerability | Exploit target
weakness | Weakness | Exploit target
affected-asset | Affected asset | Incident
related | Related | Incident
observed | Observable | Indicator
sighted | Sighted | Indicator
test-mechanism | Test mechanism | Indicator
malicious-infrastructure | Malicious infrastructure | TTP
targeted-victim | Targeted victim | TTP
observable | Observable | Report
identity | Identity | Threat actor
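The following helper, added here as an example and not EclecticIQ's own code, builds the link-type search query described above: it groups the three `link_types` fields in parentheses so the entity type and observable kind constraints apply to every alternative, double-quotes multi-word values as required, and translates GUI labels to search values using the table above (note that "Observable" maps to `observed` for indicators but `observable` for reports). The `data.type` value is passed in by the caller; the page only shows `exploit-target`, so other entity type slugs are not assumed here.

```python
# Added example (not EclecticIQ's own code): construct the link-type search
# query from this page with correct grouping and quoting.
from typing import Dict, Optional, Tuple

# The JSON paths the page lists for bundled, non-embedded and embedded observables.
LINK_TYPE_FIELDS = (
    "meta.bundled_extracts.link_types",
    "extracts.instance_meta.link_types",
    "extracts_nested.instance_meta.link_types",
)

# (entity, GUI option) -> search input value, transcribed from the table above.
# Campaigns are absent because campaign observables have no link types.
SEARCH_VALUES: Dict[Tuple[str, str], str] = {
    ("Course of action", "Parameter"): "parameter",
    ("Exploit target", "Affected"): "affected",
    ("Exploit target", "Configuration"): "configuration",
    ("Exploit target", "Vulnerability"): "vulnerability",
    ("Exploit target", "Weakness"): "weakness",
    ("Incident", "Affected asset"): "affected-asset",
    ("Incident", "Related"): "related",
    ("Indicator", "Observable"): "observed",
    ("Indicator", "Sighted"): "sighted",
    ("Indicator", "Test mechanism"): "test-mechanism",
    ("TTP", "Malicious infrastructure"): "malicious-infrastructure",
    ("TTP", "Targeted victim"): "targeted-victim",
    ("Report", "Observable"): "observable",
    ("Threat actor", "Identity"): "identity",
}


def search_value(entity: str, gui_option: str) -> str:
    """Translate a GUI label to its search value (the same label can differ per entity)."""
    try:
        return SEARCH_VALUES[(entity, gui_option)]
    except KeyError:
        raise ValueError(f"{gui_option!r} is not a link type for {entity!r}") from None


def quote_value(value: str) -> str:
    """Double-quote values that contain spaces, escaping embedded quotes and backslashes."""
    if " " not in value:
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_link_type_query(data_type: str, link_type: str, kind: Optional[str] = None) -> str:
    """Return the query for entities of data.type `data_type` whose observables carry
    `link_type`, optionally restricted to observable kind `kind` (e.g. "domain").
    `data_type` is the caller-supplied value stored in data.type."""
    clauses = [f"data.type:{quote_value(data_type)}"]
    if kind:
        clauses.append(f"extracts.kind:{quote_value(kind)}")
    alternatives = " OR ".join(
        f"{field}:{quote_value(link_type)}" for field in LINK_TYPE_FIELDS
    )
    # Parentheses make the AND constraints apply to all three link_types fields.
    clauses.append(f"({alternatives})")
    return " AND ".join(clauses)


if __name__ == "__main__":
    vuln = search_value("Exploit target", "Vulnerability")
    print(build_link_type_query("exploit-target", vuln, kind="domain"))
```

Paste the returned string into the search input field as in the procedure above; the only difference from the page's example is the parentheses around the OR alternatives.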
Link types for observables extracted from unstructured text#
An observable that is extracted from unstructured text does not have link types.
Instead, the Relations column displays the name of the field that contains the unstructured text from which the observable was extracted.
In EIQ JSON, these field names are set in the `instance_meta.paths[]` field of an observable, and `link_types[]` is empty:

```json
"extracts": [
  {
    "instance_meta": {
      "link_types": [],
      "paths": [
        "description",
        "short_description"
      ]
    },
    "kind": "cve",
    "meta": {},
    "value": "2022-26134"
  },
  //...
]
```
Observable XML#
Observable XML appears as a Relation for observables when the observable is extracted from CybOX XML. This only occurs for entities ingested from STIX 1.x data.
As with link types for observables extracted from unstructured text, the extraction source is not saved as a link type but as an item in `instance_meta.paths[]`.
For example, a CybOX object like this:

```xml
<indicator:Observable id="ctix:Observable-4d294757-c1e5-41f8-960e-0e0f13cb06e8">
  <cybox:Title>New STIX 09</cybox:Title>
  <cybox:Object id="ctix:URI-10584646-d18b-4890-a1ee-3bec6756817f">
    <cybox:Properties xsi:type="URIObj:URIObjectType">
      <URIObj:Value>https://www.tuop.com</URIObj:Value>
    </cybox:Properties>
  </cybox:Object>
</indicator:Observable>
```
is ingested to produce the following element in the entity's `extracts[]` array in EIQ JSON. Note that the stored value carries a trailing slash that the XML source lacks:

```json
"extracts": [
  {
    "instance_meta": {
      "link_types": [],
      "paths": [
        "observable.object.properties_xml"
      ]
    },
    "kind": "uri",
    "meta": {},
    "value": "https://www.tuop.com/"
  }
]
```
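The three cases on this page (an observable with a link type, one extracted from unstructured text, and one extracted from CybOX XML) share one EIQ JSON shape. The example below, added here and not EclecticIQ's own code, walks `extracts[]` of a constructed entity and reproduces what the Relations column shows: the link types when present, otherwise the `paths[]` the observable was extracted from. It also applies the `extracts.instance_meta.link_types:<value>` search clause locally. Only the fields shown on this page are assumed; `meta.bundled_extracts` and `extracts_nested` are not modelled because their internal layout is not documented here.

```python
# Added example (not EclecticIQ's own code): derive the Relations label and
# filter observables by link type from the EIQ JSON structure documented above.
from typing import Dict, List, Optional

# Constructed sample entity mirroring the three extract shapes shown on this page.
# The cve values follow the page's format (no "CVE-" prefix in the stored value).
SAMPLE_ENTITY: Dict = {
    "data": {"type": "exploit-target"},
    "extracts": [
        {   # observable added in the entity builder with a link type
            "instance_meta": {"link_types": ["vulnerability"], "paths": []},
            "kind": "cve", "meta": {}, "value": "2017-8793",
        },
        {   # observable extracted from unstructured text: no link type, only paths
            "instance_meta": {"link_types": [],
                              "paths": ["description", "short_description"]},
            "kind": "cve", "meta": {}, "value": "2022-26134",
        },
        {   # observable extracted from CybOX XML during STIX 1.x ingest
            "instance_meta": {"link_types": [],
                              "paths": ["observable.object.properties_xml"]},
            "kind": "uri", "meta": {}, "value": "https://www.tuop.com/",
        },
    ],
}


def relation_labels(entity: Dict) -> List[str]:
    """One label per observable, as the Relations column would show it:
    the link types if any, otherwise the source paths of the extraction."""
    labels = []
    for extract in entity.get("extracts", []):
        meta = extract.get("instance_meta", {})
        link_types = meta.get("link_types") or []
        paths = meta.get("paths") or []
        source = link_types if link_types else paths
        relation = ", ".join(source) if source else "(none)"
        labels.append(f"{extract['kind']}:{extract['value']} -> {relation}")
    return labels


def extracts_with_link_type(entity: Dict, link_type: str,
                            kind: Optional[str] = None) -> List[str]:
    """Local equivalent of extracts.instance_meta.link_types:<link_type>,
    optionally ANDed with extracts.kind:<kind>. Returns matching values."""
    hits = []
    for extract in entity.get("extracts", []):
        link_types = extract.get("instance_meta", {}).get("link_types") or []
        if link_type not in link_types:
            continue
        if kind is not None and extract.get("kind") != kind:
            continue
        hits.append(extract["value"])
    return hits


if __name__ == "__main__":
    for line in relation_labels(SAMPLE_ENTITY):
        print(line)
    print(extracts_with_link_type(SAMPLE_ENTITY, "vulnerability"))
```

Observables extracted from text or XML never match a link-type search, because their `link_types[]` is empty; to find them you have to search on the observable kind or value instead.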