Search | Query Syntax | Entities | Observable relations

You can search for Entities by defining which types of Observable they are related to or the relationship types they have to the Observables they are related to.

Related Observables

Entities can have Observables related to them. This is usually when Entities are ingested together with Observables through Incoming feeds.

You can search for Entities that are directly related to certain Observables by using extracts. or enrichment_extracts. followed by the paths and values used for Observable search.

For example, to search for Entities related to an Observable of the Domain type:

extracts.kind: Domain

Entity-Observable relationship type

Use link names to search for Entities that have a specific type of relationship to any Observables.

Let’s assume that an analyst is investigating a threat scenario where a threat actor exploits the CVE-2017-8793 vulnerability to gain access to the targeted victim’s assets.

The analyst may want to search EclecticIQ Intelligence Center for: Exploit target Entities with Domain observables that are related to the Exploit target Entity as vulnerability.

Example query:

data.type:exploit-target AND \
extracts.kind:domain AND \
meta.bundled_extracts.link_types:vulnerability OR \
extracts.instance_meta.link_types:vulnerability

In the search query example:

• meta.bundled_extracts.link_types is the JSON path pointing to the JSON field in the Entity data structure that holds the link name value defining the relationship between Entities and the corresponding bundled Observables.

• extracts.instance_meta.link_types is the JSON path pointing to the JSON field in the Entity data structure that holds the link name value defining the relationship between Entities and non-embedded Observables.

• vulnerability is the link name value defining the the type of Entity-Observable relationship you are looking for.

If the link name value search string contains multiple words separated by spaces, wrap the search string in double quotes (example: "my multiple word search string").

The following table maps the link name values you can enter in a search query to the corresponding options displayed in the GUI (Campaign Entities have no link names to define relationships with Observables):

Search input value	GUI option	Linked to Entity
parameter	Parameter	Course of action
affected	Affected	Exploit target
configuration	Configuration	Exploit target
vulnerability	Vulnerability	Exploit target
weakness	Weakness	Exploit target
affected-asset	Affected asset	Incident
related	Related	Incident
observed	Observable	Indicator
sighted	Sighted	Indicator
test-mechanism	Test mechanism	Indicator
malicious-infrastructure	Malicious infrastructure	TTP
targeted-victim	Targeted victim	TTP
observable	Observable	Report
identity	Identity	Threat actor