Entities: Common properties#
Entity data model#
Tip
See also: Data model and EclecticIQ JSON
EIQ JSON paths#
Documentation here refers to EIQ JSON paths to show how data is structured for export and import when using the EclecticIQ JSON content type.
EIQ JSON paths mentioned here by convention omit the
entities[]
object, and assumes that we are
dealing with the contents of the entity
object only.
So an EIQ JSON path or field written here as data.id
would
be shorthand for the full path: .entities[].data.id
.
Titles and aliases#
All entities have a Title field that is displayed whereever they appear in EclecticIQ Intelligence Center UI.
An entity can also have an Alias. If an entity has an alias, the alias is displayed instead of the title when the entity is displayed.
To set an alias for an entity:
Select published entity to open it.
Select the title of the entity.
In the drop-down that appears, select Edit.
Type an alias for the entity, and press enter.
These are set in EIQ JSON with the following fields:
Field |
EIQ JSON field |
---|---|
Title |
|
Alias |
|
ID values#
EclecticIQ entities are uniquely identified by an id
value
at the object root.
Other ID values are derived from this id
value.
The following table describes the different id
fields
in an entity:
When an entity is exported, the id
value is used to form
an ID value compliant with the export format:
Export format |
Description |
---|---|
STIX 1.2 |
Exported entities contain a STIX 1.2 QName. Example:
|
STIX 2.1 |
Exported entities contain a STIX 2.1 §2.9 Identifier. Example:
|
MITRE ATT&CK classifications#
You can apply MITRE ATT&CK classifications to entities when open an entity to view it.
You cannot add an ATT&CK classification when you create or edit an entity.
From the left navigation, select Search > Go to search and browse.
Select an entity to open it.
Navigate to the MITRE ATT&CK classifications section. Select + ATT&CK Classification.
Select one or more classifications.
Select Classify to finish adding classifications.
Note
MITRE ATT&CK classifications are not supported for exports to STIX 2.1 or STIX 1.2.
STIX 1.2 and 2.1 specifications don’t have properties for MITRE ATT&CK classifications. If you need to need to represent MITRE ATT&CK data in STIX 2.1-compatibile formats, consider importing objects from the MITRE ATT&CK STIX Data repository.
Time values#
Time values are represented as ISO8601-formatted text.
E.g. 2017-11-30T10:04:07.890853+00:00
EclecticIQ Intelligence Center UI will typically allow you to select
a date from the calendar, or type in a YYYY-MM-DD HH:MM
value.
Date and time precision#
Some fields allow you to specify a precision for date and time values. Selecting a precision allows you to describe how accurate the recipient of intelligence should expect the specified date and time value should be.
Analogous to STIX 1.2 DateTimePrecisionEnum.
STIX 2.1 has no time precision properties.
Possible values for precision:
year
month
day
hour
minute
second
For example, time windows
have start
and start_precision
properties.
A start_precision
of minute
means that the value of start
is accurate
up to the specified minute.
Half-life#
Half-life is the amount of time it takes for a threat to lose half its intelligence value, in days.
Default half-life value#
You can change the default half-life values of entities by modifying the following section in platform_settings.py and restarting EclecticIQ Intelligence Center services:
HALF_LIFE = {
"attack-pattern": 720,
"campaign": 1000,
"course-of-action": 182,
"eclecticiq-sighting": 182,
"exploit-target": 182,
"identity": 4000,
"incident": 182,
"indicator": 30,
"infrastructure": 720,
"intrusion-set": 1000,
"location": 4000,
"malware": 720,
"malware-analysis": 720,
"note": 30,
"report": 182,
"threat-actor": 1000,
"tool": 720,
"ttp": 720,
}
Half-life relevancy#
Represents the intelligence value of this entity relative to its age, or if the threat has already ended.
Used in filters and searches on EclecticIQ Intelligence Center.
See:
Confidence scale: High Medium low#
A confidence scale is used to represent the level of confidence an intelligence provider has in in the information presented.
In EclecticIQ Intelligence Center, this is represented as the following values
High
Medium
Low
None
Unknown
In STIX 1.2, this is analogous to HighMediumLowVocab.
In STIX 2.1:
Confidence is a common property across SDOs.
EclecticIQ entities and observables continue to use HighMediumLowVocab values for confidence. When exported to STIX 2.1, these values are mapped according to STIX 2.1 Appendix A. Confidence Scales.
Example: An entity with a
confidence
value ofHIGH
when exported to STIX 2.1 will contain aconfidence
value of85
.
Intended effects#
A list of values that describe the intended effect of a property. Analogous to STIX 1.2 IntendedEffectVocab. STIX 2.1 has no corresponding specification.
Possible values:
Advantage
Advantage - Economic
Advantage - Military
Advantage - Political
Theft
Theft - Intellectual Property
Theft - Credential Theft
Theft - Identity Theft
Theft - Theft of Proprietary Information
Account Takeover
Brand Damage
Competitive Advantage
Degradation of Service
Denial and Deception
Destruction
Disruption
Embarrassment
Exposure
Extortion
Fraud
Harassment
ICS Control
Traffic Diversion
Unauthorized Access
Malware types#
A list of values that describe the type of malware identified.
There are two sets of malware type values available in EclecticIQ Intelligence Center:
The deprecated TTP (deprecated) entity has Characteristics: Malware that uses the STIX 1.2 MalwareTypeVocab-1.0.
The Malware entity has a
type
property that uses the STIX 2.1 §10.15 Malware Type Vocabulary.
Infrastructure types#
List of values that describe the type of infrastructure identified.
There are two sets of infrastructure type values available in EclecticIQ Intelligence Center:
The deprecated TTP (deprecated) entity has Characteristics: Infrastructure that uses the AttackerInfrastructureTypeVocab-1.0.
The Infrastructure entity has a
type
property that uses the STIX 2.1 §10.12 Infrastructure Type Vocabulary.