Intelligence Center 3.5.0 Docs

Navigate | Search

Searching in EclecticIQ Intelligence Center returns Entities and Observables from the data that has been ingested.

When searching Entities or Observables, you can use:

  • AI-powered search, which turns a natural-language question into a machine-readable query.

  • Search queries, including relational queries that follow relationships between objects.

  • Kibana.

  • Tokenization.

Permissions for search

Search results are filtered according to the current user's rights and permissions before they are returned.

This means that two users with different access rights who run an identical search query on the same Intelligence Center instance can receive different results.

When a query matches objects that the current user is not allowed to access, those objects are left out of the results and the user sees this notification:

Some matches may be excluded due to access restrictions.

Whether the current user can access a match is decided by:

  • The Allowed sources selected in the configuration of the group(s) the user belongs to.

  • The TLP access level set for each allowed source in the configuration of the group(s) the user belongs to.

  • The permissions granted to the role assigned to the user.
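The filtering described above, as an added illustrative model: this is not EclecticIQ's code and the data model is assumed (entities carrying a source and a TLP marking, groups mapping each allowed source to the highest TLP level they may read, roles carrying permission strings such as "read entity"). The sample index, group and user names are constructed for the example. The model shows the three checks applied to every match, with the same query producing different result sets and the notification for the restricted user.

```python
"""Model of permission-filtered search (added example, not EclecticIQ code).

Assumptions (hypothetical, not taken from the docs):
  - every object in the search index carries a `source` and a `tlp` marking
  - a group maps each allowed source to the highest TLP level it may read
  - a user's effective permissions are strings such as "read entity"
"""
from dataclasses import dataclass

# Higher rank means more restricted; a group cleared for "amber" may read
# white, green and amber objects from that source, but not red ones.
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}

EXCLUDED_NOTICE = "Some matches may be excluded due to access restrictions."


@dataclass(frozen=True)
class Entity:
    id: str
    kind: str      # "entity" or "observable"
    source: str    # name of the incoming feed the object came from
    tlp: str       # TLP marking on the object


@dataclass(frozen=True)
class Group:
    name: str
    allowed_sources: dict  # source name -> highest TLP level the group may read


@dataclass(frozen=True)
class User:
    name: str
    groups: tuple
    permissions: frozenset


def can_access(user, entity):
    """Apply the three checks from the docs: role permission, allowed source,
    TLP level for that source. Any one group that clears the object is enough."""
    if f"read {entity.kind}" not in user.permissions:
        return False
    for group in user.groups:
        max_tlp = group.allowed_sources.get(entity.source)
        if max_tlp is not None and TLP_RANK[entity.tlp] <= TLP_RANK[max_tlp]:
            return True
    return False


def search(user, index, predicate):
    """Run `predicate` (the query) over the index, then drop every match the
    user may not read. Returns (visible results, notices)."""
    matches = [obj for obj in index if predicate(obj)]
    visible = [obj for obj in matches if can_access(user, obj)]
    notices = [EXCLUDED_NOTICE] if len(visible) < len(matches) else []
    return visible, notices


# Constructed sample index: two feeds, mixed TLP markings.
INDEX = (
    Entity("e1", "entity", "feed-a", "green"),
    Entity("e2", "entity", "feed-a", "red"),
    Entity("e3", "entity", "feed-b", "amber"),
    Entity("o1", "observable", "feed-a", "white"),
)

# Constructed users: the analyst group sees feed-a up to amber only; the admin
# group sees both feeds up to red. Both roles may read entities and observables.
ANALYST = User("analyst", (Group("analysts", {"feed-a": "amber"}),),
               frozenset({"read entity", "read observable"}))
ADMIN = User("admin", (Group("admins", {"feed-a": "red", "feed-b": "red"}),),
             frozenset({"read entity", "read observable"}))


def same_query_both_users():
    """Identical query, two users: returns {user name: ([visible ids], notices)}."""
    query = lambda obj: obj.source in ("feed-a", "feed-b")  # matches all four
    out = {}
    for user in (ANALYST, ADMIN):
        visible, notices = search(user, INDEX, query)
        out[user.name] = ([obj.id for obj in visible], notices)
    return out


if __name__ == "__main__":
    for name, (ids, notices) in same_query_both_users().items():
        print(name, ids, notices)
```

The order of checks matters only for cost, not for the outcome: an object is shown if and only if the role permission, the allowed-source entry and the TLP ceiling all pass. Note that the notification itself tells the restricted user that matching objects exist which they cannot see; the docs describe this as the intended behaviour, so do not rely on search for concealing the existence of restricted data from users who can query the instance.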

Limitations

A search returns at most 10,000 results. If a query would match more than 10,000 objects, the excess is not returned; narrow the query so that it matches fewer than 10,000.

Syncing your search database

See Elasticsearch: Sync the search database for how to resynchronize the search database with the stored data.
