Exploit target

Tip

This entity is analogous to these STIX objects:

• STIX 1.2 ExploitTargetType

• STIX 2.1 §4.19 Vulnerability SDO

An exploit target represents a vulnerability or a weakness in a software or hardware product or system, in a network, or in a configuration that enables a threat actor to use it as an entry point to access your assets and resources, and eventually to take control over them. Like a window that is left open upon leaving the house, it is a security hole in your ecosystem or infrastructure that malicious actors can leverage to get in and pursue their objectives.

Tip

The EclecticIQ exploit target entity is analogous to the STIX 2.1 Vulnerability SDO.

Create an exploit target by selecting:

• In the side navigation bar + Create > Exploit target.

Or:

• (Requires EclecticIQ Labs: Intelligence creation on the graph)

  In the top navigation bar of a graph, select + and then Exploit target to create a draft entity.

• Double-click to open the newly created draft entity to edit it.

Then, Configure this entity.

Configure

The following sections the fields and options available.

Note

Required fields are marked with an asterisk (*).

General

Field	EIQ JSON field	Description
Title*	data.title	Descriptive title for this entity. See Titles and aliases.
Analysis	data.description	Long description.
Confidence	data.confidence	See Confidence scale: High Medium low.

Characteristics

Characteristics are properties on an entity that provide context for the intelligence indicated by this object.

The following are characteristics available for this entity:

• Characteristics: Vulnerability

• Characteristics: Weakness

• Characteristics: Configuration

Characteristics: Vulnerability

Add one or more vulnerabilities to attach to this entity. Analogous to VulnerabilityType

Field	EIQ JSON field	Description
Title	data.vulnerabilities[].title	Title for this vulnerability.
Is known	data.vulnerabilities[].is_known	Select this if the vulnerability is known, i.e. not a 0-day vulnerability.
Is publicly acknowledged	data.vulnerabilities[].is_publicly_acknowledged	Select this if the vulnerability has been publicly acknowledged by the software vendor for the affected software product.
Description	data.vulnerabilities[].description	Description of vulnerability.
Source	data.vulnerabilities[].source	Source of vulnerability.
Discovered date/time	data.vulnerabilities[].discovered_datetime	Date and time this vulnerability is discovered.
Discovered date/time precision	data.vulnerabilities[].discovered_datetime_precision	See Date and time precision.
Published date/time	data.vulnerabilities[].published_datetime	Date and time this vulnerability is published.
Published date/time precision	data.vulnerabilities[].published_datetime_precision	See Date and time precision.
CVE-ID	data.vulnerabilities[].cve_id	CVE ID. Must conform to the format CVE-YYYY-NNNN. E.g. CVE-2021-3855. Also creates a new cve observable with the vulnerability link name when this entity is published.
OSVDB-ID	data.vulnerabilities[].title	(Deprecated) Open Sourced Vulnerability Database (OSVDB) ID.

In addition, you can set the following vulnerability properties:

• Vulnerability: CVSS Score

• Vulnerability: Affected software

• Vulnerability: References

Vulnerability: CVSS Score

Set the CVSS score for this vulnerability. Analogous to CVSSVectorType.

Field	EIQ JSON field	Description
Overall score	data.vulnerabilities[].cvss_score.overall_score	Overall CVSS score. Calculated using the NVD CVSSv2 calculator. Must be in format \d\.\d. E.g. 8.8.
Base score	data.vulnerabilities[].cvss_score.base_score	Base CVSS score. Must be in format \d\.\d. E.g. 8.8.
Base vector	data.vulnerabilities[].cvss_score.base_vector	Base metrics. Must be in format AV:<score>/AC:<score>/Au:<score>/C:<score>/I:<score>/A:<score>.
Temporal score	data.vulnerabilities[].cvss_score.temporal_score	Temporal CVSS score Must be in format \d\.\d. E.g. 8.8.
Temporal vector	data.vulnerabilities[].cvss_score.temporal_vector	Temporal metrics Must be in format E:<score>/RL:<score>/RC:<score>.
Environmental score	data.vulnerabilities[].cvss_score.environmental_score	Environmental CVSS score Must be in format \d\.\d. E.g. 8.8.
Environmental vector	data.vulnerabilities[].cvss_score.environmental_vector	Environmental metrics Must be in format CDP:<score>/TD:<score>/CR:<score>/IR:<score>/AR:<score>

Vulnerability: Affected software

Describe the software product affected by this vulnerability. All values here are used to construct the XML object set in data.vulnerabilities[].affected_software[].properties_xml. Analogous to AffectedSoftwareType.

Properties set here are also used to create a product: <Product>|<Version>|<Update> observable with the affected link name, when this entity is published.

Set values for the following fields:

• Product: Name of software product affected.

• Edition: Edition of software.

• Language: Language used in software.

• Update: Is the software up to date?

• Vendor: Vendor name for software.

• Version: Version of software.

• Device manufacturer: Manufacturer of device running affected software.

• Device model: Model of device running affected software.

• Device serial number: Serial number of device running affected software.

• Device firmware version: Firmware version running on device.

• Device system os: OS running on device.

Vulnerability: References

Field	EIQ JSON field	Description
References	data.vulnerabilities[].references[]	Enter one or more URLs.

Characteristics: Weakness

Add one or more weaknesses. Analogous to WeaknessType.

Field	EIQ JSON field	Description
Description*	data.vulnerabilities[].weaknesses[].description	Describe this weakness.
CWE-ID	data.vulnerabilities[].weaknesses[].cwe_id	Assign a CWE ID.

Characteristics: Configuration

Add one or more vulnerable configurations. Analogous to ConfigurationType.

Field	EIQ JSON field	Description
Description*	data.vulnerabilities[].configurations[].description	Describe this vulnerable configuration.
CCE-ID	data.vulnerabilities[].configurations[].cce_id	Assign a CCE ID. Also creates new cce observable with a configuration link name when this entity is published.

Observables

You can create one or more new observables and link it to the currently open entity by selecting + Observable under the Observables section.

Note

If an observable you create here matches an observable rule with an ignore action, it does not appear when the you publish the entity.

In the Add observable view that appears, fill out these fields:

Field	EIQ JSON field	Description
Type*	extracts[].kind	See Observable types
Link name*	See Observable link types	See Observable link types
Values(s)*	extracts[].value	Enter one or more values. One observable is created per value. Values must be comma-separated, or newline-separated, but not both.
Maliciousness*	See Observable maliciousness	See Observable maliciousness

Relationships

Add relationships to this entity by selecting + Add relationship.

See Relationships.

Meta

The Meta section contains configuration options that allow you to attach descriptive data to the entity.

Field	EIQ JSON field	Description
Estimated threat start time	meta.estimated_threat_start_time	Estimated start of threat. See Time values.
Estimated threat end time	meta.estimated_threat_end_time	Estimated end of threat. See Time values.
Estimated observed time	meta.estimated_observed_time	Estimated time threat was observed. See Time values.
Half-life	meta.half_life	See Half-life. Select one of these options: Use default value: When selected, half-life for this entity is set to 720 days. Override value: Set a custom value for half-life, in number of days.
Tags	meta.tags[] and meta.taxonomy_paths[]	See tags and taxonomies.
Source*	sources[]	Select one source.
Source reliability	meta.source_reliability	See source reliability. Options: Inherit from source: This entity inherits source reliability from Source. Custom override: Set a source reliability value for just this entity.

Information source

Field	EIQ JSON field	Description
Description	data.information_source.description	Description of information source.
Identity	data.information_source.identity	Name of this information source
Roles	data.information_source.roles[]	One or more information source roles. Possible values: Initial Author Content Enhancer/Refiner Aggregator Transformer/Translator
References	data.information_source.references[]	One or more URLs.

Data marking

Descriptive metadata for entity.

Field	EIQ JSON field	Description
TLP	meta.tlp_color	Set a TLP color for this entity.
Terms of use	data.handling[].marking_structures[]	Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType.
Simple	data.handling[].marking_structures[]	Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType.

Workflow

Use options here to apply workflow options to this entity.

Field	Description
Add to dataset	Select this option to add this entity to one or more datasets on Publish.
Manually enrich	Run one or more enrichers on this entity on Publish.

Save and publish

Tip

For more information, see Draft and published entities.

Select Publish to create this entity, and make it available under + Create > Production > Published.

For more publishing options, select More and then one of these options:

• Publish and new: Publish this entity, and start creating a new entity.

• Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.

Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.

For more options while saving as a draft, select More and then one of these options:

• Publish and new: Save this entity as a draft, and start creating a new entity.

• Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.