Entities: Common properties#

Entity data model#

EIQ JSON paths#

Documentation here refers to EIQ JSON paths to show how data is structured for export and import when using the EclecticIQ JSON content type.

EIQ JSON paths mentioned here by convention omit the entities[] object, and assumes that we are dealing with the contents of the entity object only.

So an EIQ JSON path or field written here as data.id would be shorthand for the full path: .entities[].data.id.

Titles and aliases#

All entities have a Title field that is displayed whereever they appear in EclecticIQ Intelligence Center UI.

An entity can also have an Alias. If an entity has an alias, the alias is displayed instead of the title when the entity is displayed.

To set an alias for an entity:

  1. Select published entity to open it.

  2. Select the title of the entity.

  3. In the drop-down that appears, select Edit.

  4. Type an alias for the entity, and press enter.

These are set in EIQ JSON with the following fields:

Field

EIQ JSON field

Title

Compatible with STIX 2.1 export Compatible with STIX 1.2 export

data.title

Alias

meta.title

ID values#

Compatible with STIX 2.1 export Compatible with STIX 1.2 export

EclecticIQ entities are uniquely identified by an id value at the object root. Other ID values are derived from this id value.

The following table describes the different id fields in an entity:

EIQ JSON field

Description

id

UUID (UUID4 or UUID5) that uniquely identifies this entity.

data.id

Contains an EclecticIQ qualified ID in the following format:

{<domain_name>}<entity_type>-<UUID>
  • <domain_name> is the Hostname value set for your EclecticIQ Intelligence Center instance. Go to Settings Settings > System settings > General to configure this.

  • <entity_type> is the current entity type.

  • <UUID> is usually the value of id for the current entity. If you imported this entity from another EclecticIQ Intelligence Center instance, <UUID> here may differ from id.

Example: {http://www.example.org/}indicator-cc23cea8-50ba-4cec-937a-a56596ad2f69

When an entity is exported, the id value is used to form an ID value compliant with the export format:

Export format

Description

STIX 1.2

Exported entities contain a STIX 1.2 QName.

Example: www.example.org:indicator-cc23cea8-50ba-4cec-937a-a56596ad2f69

STIX 2.1

Exported entities contain a STIX 2.1 §2.9 Identifier.

Example: indicator--cc23cea8-50ba-4cec-937a-a56596ad2f69

MITRE ATT&CK classifications#

You can apply MITRE ATT&CK classifications to entities when open an entity to view it.

You cannot add an ATT&CK classification when you create or edit an entity.

  1. From the left navigation, select Search icon Search > Go to search and browse.

  2. Select an entity to open it.

  3. Navigate to the MITRE ATT&CK classifications section. Select + ATT&CK Classification.

  4. Select one or more classifications.

  5. Select Classify to finish adding classifications.

Note

MITRE ATT&CK classifications are not supported for exports to STIX 2.1 or STIX 1.2.

STIX 1.2 and 2.1 specifications don’t have properties for MITRE ATT&CK classifications. If you need to need to represent MITRE ATT&CK data in STIX 2.1-compatibile formats, consider importing objects from the MITRE ATT&CK STIX Data repository.

Time values#

Time values are represented as ISO8601-formatted text. E.g. 2017-11-30T10:04:07.890853+00:00

EclecticIQ Intelligence Center UI will typically allow you to select a date from the calendar, or type in a YYYY-MM-DD HH:MM value.

Select date and using the UI.

Select date and using the UI.#

Date and time precision#

Some fields allow you to specify a precision for date and time values. Selecting a precision allows you to describe how accurate the recipient of intelligence should expect the specified date and time value should be.

Analogous to STIX 1.2 DateTimePrecisionEnum.

STIX 2.1 has no time precision properties.

Possible values for precision:

  • year

  • month

  • day

  • hour

  • minute

  • second

For example, time windows have start and start_precision properties. A start_precision of minute means that the value of start is accurate up to the specified minute.

Half-life#

Half-life is the amount of time it takes for a threat to lose half its intelligence value, in days.

Default half-life value#

You can change the default half-life values of entities by modifying the following section in platform_settings.py and restarting EclecticIQ Intelligence Center services:

HALF_LIFE = {
    "attack-pattern": 720,
    "campaign": 1000,
    "course-of-action": 182,
    "eclecticiq-sighting": 182,
    "exploit-target": 182,
    "identity": 4000,
    "incident": 182,
    "indicator": 30,
    "infrastructure": 720,
    "intrusion-set": 1000,
    "location": 4000,
    "malware": 720,
    "malware-analysis": 720,
    "note": 30,
    "report": 182,
    "threat-actor": 1000,
    "tool": 720,
    "ttp": 720,
}

Half-life relevancy#

Represents the intelligence value of this entity relative to its age, or if the threat has already ended.

Used in filters and searches on EclecticIQ Intelligence Center.

See:

Confidence scale: High Medium low#

A confidence scale is used to represent the level of confidence an intelligence provider has in in the information presented.

In EclecticIQ Intelligence Center, this is represented as the following values

  • High

  • Medium

  • Low

  • None

  • Unknown

In STIX 1.2, this is analogous to HighMediumLowVocab.

In STIX 2.1:

  • Confidence is a common property across SDOs.

  • EclecticIQ entities and observables continue to use HighMediumLowVocab values for confidence. When exported to STIX 2.1, these values are mapped according to STIX 2.1 Appendix A. Confidence Scales.

    Example: An entity with a confidence value of HIGH when exported to STIX 2.1 will contain a confidence value of 85.

Intended effects#

A list of values that describe the intended effect of a property. Analogous to STIX 1.2 IntendedEffectVocab. STIX 2.1 has no corresponding specification.

Possible values:

  • Advantage

  • Advantage - Economic

  • Advantage - Military

  • Advantage - Political

  • Theft

  • Theft - Intellectual Property

  • Theft - Credential Theft

  • Theft - Identity Theft

  • Theft - Theft of Proprietary Information

  • Account Takeover

  • Brand Damage

  • Competitive Advantage

  • Degradation of Service

  • Denial and Deception

  • Destruction

  • Disruption

  • Embarrassment

  • Exposure

  • Extortion

  • Fraud

  • Harassment

  • ICS Control

  • Traffic Diversion

  • Unauthorized Access

Malware types#

A list of values that describe the type of malware identified.

There are two sets of malware type values available in EclecticIQ Intelligence Center:

Infrastructure types#

List of values that describe the type of infrastructure identified.

There are two sets of infrastructure type values available in EclecticIQ Intelligence Center: