Edit entities#
Edit entities to update their information, and to keep their intelligence value in sync with the real-life threat elements they model.
About editing entities#
You can open the entity editor to modify or to update entity information from almost anywhere in EclecticIQ Intelligence Center with a couple of selections.
For quick edits on the fly, you can bypass the editor and apply inline edits in the entity detail pane.
You may need to edit entities to keep their information accurate and reliable over time. At the same time, you want to keep the original intelligence as it was ingested into EclecticIQ Intelligence Center. Besides the original entity, you want to be able to browse the entity change history; for example, to inspect how the entity changed and evolved over time, or who introduced specific changes at a certain point in time. Versioning takes care of that.
About entity versions#
Saving changes to an entity produces a new version of the entity.
When you edit an entity and save the changes, EclecticIQ Intelligence Center creates a new version of the entity with the changes, and it archives the previous version without the changes.
For example, if you edit the TLP value of an entity, or if you assign a TLP override value to an entity, the update produces a new version of the entity.
The new version receives a new Intelligence Center ID, it is published to EclecticIQ Intelligence Center, and it becomes the current version of the entity.
The previous version is not editable and not searchable. It is obsolete, and it remains available for reference.
Obsolete entity versions are flagged as outdated.
You can select an entity version name to view the corresponding details, to export it as JSON or STIX, to add it to a dataset, or to delete it.
Other actions are disabled for outdated entities.
To view a list of all existing versions of an entity, open the entity detail pane, and then select Versions.
About editing entity data sources#
When EclecticIQ Intelligence Center ingests duplicate data, it updates existing entities to add the origin of the duplicate data as a new data source.
When changes to the data sources for an entity occur – for example, adding a new data source, renaming an enricher, or deleting an incoming feed – the process triggers entity and observable rules that use the changed data sources as a criterion:
The current data sources of the affected entities are reassessed.
For example, any unavailable sources, such as a deleted incoming feed, are dropped; new sources, such as the origin of a discarded duplicate package, are added.
The timestamp recording the most recent entity update is set to now; that is, the time the data source change occurs.
Entity and observable rules are triggered to update any entity information that may have changed because of the data source modification.
Note
Changes to entity data sources affect user access to entity data.
For example, if the data source an entity refers to changes from group A to group B, group A members who are not also members of group B can no longer access the entity.
About non-editable entities#
If the Edit option is grayed out, it is not available for the selected entity.
It is not possible to edit entities in the following cases:
The entity is outdated (meta.is_outdated_version: true).
Obsolete entity versions are flagged as outdated.
You can view an outdated entity, export it as JSON or STIX, add it to a dataset, or delete it.
Other actions are disabled.
The entity is unresolved, because it is only a pointer to an external reference (meta.is_unresolved_idref: true).
Unresolved entities contain an idref pointing to external data.
They are placeholders for the external data they refer to, and they do not hold any other information.
The entity is associated with a draft copy (entity.meta.draft_id).
To edit the entity, you must first either publish the associated draft, or delete it.
Edit entities#
Edit entities on the fly#
In the entity detail pane you can edit some entity details without opening the entity editor, and without having to manually save your changes.
This is a time-efficient option to implement quick updates to only one or two editable fields.
You can apply in-pane, on-the-fly edits to the following entity fields:
Title
Tags
Estimated threat start time
Estimated threat end time
Estimated observed time
Half life
Source reliability
Edit entities on the fly#
To apply quick on-the-fly edits to an entity:
Open the detail pane of the entity you want to edit.
In the selected entity detail pane, select the edit icon next to the field you want to update.
Apply the changes as needed.
To store your changes, select Save; to discard them, select Cancel.
Besides the fields where the edit icon is available, you can also edit the title, the TLP value, and the tags of an entity on the fly.
Edit entity alias on the fly#
To edit an entity title:
In the entity detail pane, select anywhere in the title field.
Select Edit.
In the Edit entity alias pop-up dialog input field, change the title as needed.
To store your changes, select Save; to discard them, select Cancel.
This action creates an entity title alias: the newly applied changes become the current title of the entity, whereas the original entity title is stored as Original title.
Subsequent changes to the entity alias are not recorded.
To restore the original title of the entity, delete the content of the alias.
Entity aliases are useful to rename reader-unfriendly titles of ingested entities, usually automatically generated, to friendlier and more memorable titles.
Edit TLP on the fly#
To edit the TLP value:
In the entity detail pane, select anywhere in the TLP field.
In the Override TLP pop-up dialog, from the drop-down menu select a different TLP color.
To store your changes, select Save; to discard them, select Cancel.
Note
If you assign a TLP override value to an entity, the update produces a new version of the entity.
Changing an entity TLP value affects user access and permissions to the entity data.
For example, if you change an entity TLP from green to red, and if group A has access to EclecticIQ Intelligence Center entities up to TLP red, whereas group B has access only up to TLP green, group B members who are not also members of group A can no longer access the entity.
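The two access notes on this page (a data source moving from one group to another, and a TLP override) can be checked before an edit is saved. The following Python is an added example, not EclecticIQ code: it assumes a simplified model in which each group has a set of readable sources and a TLP ceiling, and all group, feed, and user names are constructed.

```python
# Added illustration: a simplified access model, not EclecticIQ's implementation.
# Group names, feed names and users below are constructed sample data.
TLP_ORDER = ["white", "green", "amber", "red"]  # least to most restrictive

GROUPS = {
    "A": {"sources": {"feed-a", "shared-feed"}, "max_tlp": "red"},
    "B": {"sources": {"feed-b", "shared-feed"}, "max_tlp": "green"},
}
USERS = {"alice": {"A"}, "bob": {"B"}, "carol": {"A", "B"}}


def can_access(member_of, entity, groups=GROUPS):
    """True if one of the user's groups can read the entity's source
    and has a TLP ceiling at or above the entity's TLP."""
    level = TLP_ORDER.index(entity["tlp"])
    for name in member_of:
        group = groups[name]
        ceiling = TLP_ORDER.index(group["max_tlp"])
        if entity["source"] in group["sources"] and level <= ceiling:
            return True
    return False


def access_diff(before, after, users=USERS, groups=GROUPS):
    """Compare two versions of an entity and report who loses or gains access."""
    lost, gained = [], []
    for user, member_of in sorted(users.items()):
        had = can_access(member_of, before, groups)
        has = can_access(member_of, after, groups)
        if had and not has:
            lost.append(user)
        elif has and not had:
            gained.append(user)
    return {"lost": lost, "gained": gained}


# Case 1: TLP override from green to red on an entity both groups can read.
tlp_change = access_diff(
    {"source": "shared-feed", "tlp": "green"},
    {"source": "shared-feed", "tlp": "red"},
)

# Case 2: the entity's data source moves from group A's feed to group B's feed.
source_change = access_diff(
    {"source": "feed-a", "tlp": "green"},
    {"source": "feed-b", "tlp": "green"},
)
```

A member of both groups keeps access in both cases, which matches the "who are not also members of" wording in the notes.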
Edit entities in the detail pane#
In the entity detail pane you can apply more extensive edits to entity details by opening the in-pane entity editor.
This approach avoids focus switching: it keeps you focused in the current area, instead of directing – and distracting – you to the entity editor in a new view.
To edit an entity in the detail pane:
Select the entity to edit in a view such as Browse, Production, Exposure, or from the Entities section of a workspace dashboard.
To open the in-pane entity editor, in the entity detail panel select the edit icon.
Alternatively:
In the entity detail panel select the menu icon, and from the drop-down menu select Edit.
To change the view from the in-pane entity editor to the corresponding full page view:
In the entity detail panel select .
This action produces the following result:
The currently active entity editor is opened in full page view in a new browser tab.
The corresponding in-pane entity editor is closed.
Edit entities in Browse#
In the top navigation bar select Browse.
All the available entities are displayed.
To narrow down the results in the view, select one or more quick filter options, as needed.
Entity: select one or more entity types you want to see.
Source: this lists the source the entity is derived from.
Select one or more sources to filter the display.
TLP: filter based on the Traffic Light Protocol.
Date: filter using a date range for entity creation.
Dataset: filter using a dataset.
Edit entities in Discovery#
In the left navigation bar, go to Discovery.
All the available entities are displayed.
To narrow down the results in the view, select one or more quick filter options, as needed.
Entity: select one or more entity types you want to see.
Source: this lists the source the entity is derived from.
Select one or more sources to filter the display.
TLP: filter based on the Traffic Light Protocol.
Date: filter using a date range for entity creation.
Reliability: filter the entities by reliability.
This is set while creating the entity based on how reliable the source is.
Discovery rules: if you have set any discovery rules, you can filter the entities using the Discovery filter.
Dataset: filter using a dataset.
In the active view, browse to the entity you want to edit, and select it.
You can then proceed to edit the entity in one of the following ways:
Edit entities in Exposure#
On the Exposure view select the Entities tab to display an overview of currently exposed entities.
To sort items by column header:
Select the header of the column whose content you want to sort.
Select or to sort the content in either ascending or descending order, respectively.
To show and to hide the available quick filters in the current view select .
Entity: select one or more checkboxes to view exposure details for the specified entity types.
Date: select a time interval to view exposure details for the entities ingested between the specified start and end dates.
Dataset: select one or more checkboxes to view exposure details for entities that relate to the specified datasets.
Note
The Dataset filter is not available if results do not include entities that relate to at least one dataset.
You can stack and combine as many filters as you need. For example, you can create a filter to view exposure details for indicators that belong to the X, Y, and Z datasets that were ingested in the first half of last month.
In the active view, browse to the entity that you want to edit and edit the entity in one of the following ways:
Select the edit option in the context menu.
Open the entity detail pane, and select Actions > Edit.
Apply inline edits in the entity detail pane.
Edit entities in a workspace#
In the workspace view, select the desired workspace to open it.
In the Entities section, select the entity you want to edit.
You can then proceed to edit the entity in one of the following ways:
If you are working on a graph, double-select the entity you want to edit and:
Edit entities in the graph#
Edit entities in an incoming feed#
In the left navigation bar, go to Data configuration > Incoming feeds to display the incoming feed list.
Select anywhere in the row corresponding to the incoming feed containing the entity you want to edit.
In the feed detail pane select the Entities tab.
In the active view, browse to the entity you want to edit, and select it.
Apply inline edits on the fly in the entity detail pane.
Edit entities in a dataset#
Edit uploaded entities#
You can manually edit entities ingested as a result of a manual file upload operation:
In the left navigation bar, go to Search > GO TO SEARCH AND BROWSE > Files.
You can edit only entities that are part of successfully uploaded files whose upload status is successful.
Select the menu icon in the row corresponding to the uploaded file originally containing the entity you want to edit.
From the drop-down menu select View.
The view lists the entities ingested through the uploaded file.
In the active view, browse to the entity you want to edit.
You can then proceed to edit the entity in one of the following ways:
Select the menu icon in the row corresponding to the entity you want to edit, and then select Edit.
Open the entity detail pane, select the menu icon, and then select Edit.
Apply inline edits on the fly in the entity detail pane.
Save options#
To store your changes, select Save; to discard them, select Cancel.
To access additional save options, select the down arrow on the Save button:
Select Save draft to store your changes without publishing the entity.
Select Publish to release the new version of the entity that includes your changes.
Select Cancel to discard the changes.
Save a draft#
Drafts are available in the entity editor under Draft entities.
Two additional options are available when saving an entity as a draft:
Select Save draft and new if you are creating a new entity and have not saved it before. This option saves the current populated form as a draft without publishing it to EclecticIQ Intelligence Center, and creates and opens a new draft form in the editor.
Select Save draft and duplicate to save the current populated form as a draft without publishing it to EclecticIQ Intelligence Center, and to create and open a prepopulated copy of the draft entity in the editor to speed up the creation of a new entity of the same type.
Publish an entity#
Published entities are saved to EclecticIQ Intelligence Center.
When the new entity is indexed, it is available in the Intelligence Center, in the entity editor under Published.
Published entities associated with a workspace or included in a dataset are also available through the corresponding workspace and dataset.
Two additional options are available when publishing an entity:
Select Publish and new if you are creating a new entity and you have not published it before. This option saves the current populated form, publishes it to EclecticIQ Intelligence Center, and creates and opens a new form in the editor.
Select Publish and duplicate to save the current populated form, publish it to EclecticIQ Intelligence Center, and create and open a prepopulated copy of the newly published entity in the editor to speed up the creation of a new entity of the same type.