Observable maliciousness

Gauge maliciousness to assess how dangerous an observable's threat potential is.

In EclecticIQ Intelligence Center you can set a confidence level to estimate the likelihood of an observable being malicious or not.

The maliciousness values you can set help answer the following question:

“Based on the factual evidence and the intelligence gathered so far, how likely is it that the information this observable represents may be malicious?”

The following table lists the possible observable maliciousness levels.

Maliciousness confidence level | Description
------------------------------ | -----------
Unknown | It is not possible to assess if the observable is malicious or not.
Safe | The observable is not malicious.
Malicious – Low confidence | The observable might be malicious, but I am not sure.
Malicious – Medium confidence | I am confident to a point that the observable may be malicious.
Malicious – High confidence | I am confident that the observable is malicious.

In the data model

Maliciousness is represented by two keys in the data model. The values in these two keys are combined to display a single Maliciousness value in the UI:

Key: extracts[].meta.classification

Sets a broad classification for the observable.

Possible values:

  • "unknown": Sets the maliciousness of the observable to "unknown".

  • "good": Sets the maliciousness of the observable to "safe".

  • "bad": Classifies the observable as "unsafe". The observable then takes its maliciousness value from the extracts[].meta.confidence field.

Key: extracts[].meta.confidence

Used only if extracts[].meta.classification is set to "bad".

Possible values:

  • "low": Marks the observable in the UI as Malicious – Low confidence.

  • "medium": Marks the observable in the UI as Malicious – Medium confidence.

  • "high": Marks the observable in the UI as Malicious – High confidence.
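The following is an added example, not EclecticIQ's own code, showing how the two keys above combine into the label shown in the UI and how the inverse mapping looks when you set a level programmatically on extract records. Only the key paths (extracts[].meta.classification, extracts[].meta.confidence) and their value sets come from the page; the "kind" and "value" fields, the sample observables, and the handling of undefined key combinations (raising rather than guessing a level) are assumptions of this example.

```python
# Added example (not EclecticIQ's code): map extracts[].meta.classification and
# extracts[].meta.confidence to the combined UI maliciousness label and back.
# The "kind"/"value" fields and the sample records are constructed for illustration.
from collections import Counter

# Labels derived directly from extracts[].meta.classification.
CLASSIFICATION_LABELS = {"unknown": "Unknown", "good": "Safe"}

# Labels used only when classification is "bad", keyed by extracts[].meta.confidence.
CONFIDENCE_LABELS = {
    "low": "Malicious – Low confidence",
    "medium": "Malicious – Medium confidence",
    "high": "Malicious – High confidence",
}

# Inverse mapping: UI label -> (classification, confidence or None).
LABEL_TO_KEYS = {label: (cls, None) for cls, label in CLASSIFICATION_LABELS.items()}
LABEL_TO_KEYS.update({label: ("bad", conf) for conf, label in CONFIDENCE_LABELS.items()})


def maliciousness_label(extract):
    """Return the combined maliciousness label for one extract (observable).

    Raises ValueError for key combinations the page does not define (for example
    classification "bad" with no recognised confidence) so that inconsistent data
    surfaces instead of being silently mapped to a level. That strictness is a
    choice of this example, not documented UI behaviour.
    """
    meta = extract.get("meta") or {}
    classification = meta.get("classification")
    if classification in CLASSIFICATION_LABELS:
        return CLASSIFICATION_LABELS[classification]
    if classification == "bad":
        confidence = meta.get("confidence")
        if confidence in CONFIDENCE_LABELS:
            return CONFIDENCE_LABELS[confidence]
        raise ValueError(f"classification 'bad' with unsupported confidence {confidence!r}")
    raise ValueError(f"unsupported classification {classification!r}")


def set_maliciousness(extract, label):
    """Write the classification/confidence keys for a UI label into the extract.

    The confidence key is removed for non-malicious labels because the page states
    it is only used when classification is "bad" (dropping it is this example's
    choice). Returns the updated extract.
    """
    if label not in LABEL_TO_KEYS:
        raise ValueError(f"unknown maliciousness level {label!r}")
    classification, confidence = LABEL_TO_KEYS[label]
    meta = extract.setdefault("meta", {})
    meta["classification"] = classification
    if confidence is None:
        meta.pop("confidence", None)
    else:
        meta["confidence"] = confidence
    return extract


def triage_counts(extracts):
    """Count observables per combined label; records that fail validation are counted as "Invalid"."""
    counts = Counter()
    for extract in extracts:
        try:
            counts[maliciousness_label(extract)] += 1
        except ValueError:
            counts["Invalid"] += 1
    return dict(counts)


# Constructed sample extracts (RFC 5737 address and reserved example domains).
SAMPLE_EXTRACTS = [
    {"kind": "ipv4", "value": "203.0.113.5", "meta": {"classification": "bad", "confidence": "high"}},
    {"kind": "domain", "value": "example.com", "meta": {"classification": "good"}},
    {"kind": "domain", "value": "example.net", "meta": {"classification": "bad", "confidence": "low"}},
    {"kind": "uri", "value": "http://example.org/path", "meta": {"classification": "unknown"}},
    {"kind": "domain", "value": "example.edu", "meta": {"classification": "bad"}},  # confidence missing
]

if __name__ == "__main__":
    for extract in SAMPLE_EXTRACTS:
        try:
            print(extract["value"], "->", maliciousness_label(extract))
        except ValueError as err:
            print(extract["value"], "-> invalid:", err)
    print(triage_counts(SAMPLE_EXTRACTS))
```

The last sample record (classification "bad" with no confidence) is the case worth checking when you ingest extracts from a feed or script: it cannot be rendered as any of the five levels in the table above, so the example reports it separately rather than defaulting it to a confidence.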

Set maliciousness

You can set the maliciousness confidence level of an observable in one of the following ways:

In the Observables overview

  1. In the left navigation bar, select Search > GO TO SEARCH AND BROWSE > Observables.

  2. Locate the observable you want to set maliciousness for. Select More > Set maliciousness.

  3. From the dropdown menu, select a maliciousness level.

In the Observables detail pane

  1. Open the detail pane of the observable you want to assign a maliciousness confidence level to.

  2. In the top half of the Overview tab, under Maliciousness, click Edit.

  3. From the drop-down menu select a maliciousness level for the observable.

    Alternatively:

    In the observable detail pane:

    1. Select More > Set maliciousness.

    2. From the dropdown menu, select a maliciousness level.

In the Observables tab on the entity detail pane

  1. Open the entity detail pane of the entity related to the observable you want to assign a maliciousness confidence level to.

  2. In the entity detail pane, click the Observables tab.

  3. Locate the observable you want to set maliciousness for. Select More > Set maliciousness.

  4. From the dropdown menu, select a maliciousness level.

Bulk action on multiple observables

You can also select multiple observables and assign the same maliciousness level to all of them at once:

  1. Browse to the Observables view or open the Observables tab in the entity detail pane of the entity whose observables you want to assign a maliciousness confidence level to.

  2. Select the checkboxes corresponding to the observables whose maliciousness confidence level you want to set at once.

  3. Click the menu icon above the table header, and from the drop-down menu select Set maliciousness.

  4. From the dropdown menu, select a maliciousness level.