Intelligence Center 3.5.0 Docs
Observable link types

Link types for observables are labels for the relations between a given observable and an entity.

Link types for observables are displayed in two places:

  • In the EIQ JSON field entities[].extracts[].instance_meta.link_types[] (see jq filter).

  • When viewing an open entity in the entity builder, under the Observables tab.

    The Relations column displays the link type of each observable.

    Observables tab displays a list of observables, with the link type displayed in the Relations column.

Tip

Link types for observables are only visible where observables can be displayed in relation to specific entities.

Create observables with link types

You can create observables with link types by:

  • Adding an observable to an existing entity.

    1. Open an existing entity.

    2. In the entity builder, go to the Observables tab.

    3. Select + Add observable.

      Add an observable to an existing entity in the entity builder.

  • Adding an observable to a new entity.

    1. Create a new entity. From the left sidebar, select + Create then select an entity type.

    2. Navigate to the Observables section and select + Observable.

List of predefined link types

The following table describes available predefined link types.

Entity type

Possible link types

Course of action

  • Parameter: The related observable describes specific CybOX-related technical parameters, settings, and configurations.

Exploit target

  • Affected: Related observable describes an affected resource.

  • Configuration: Related observable is a Common Configuration Enumeration (CCE) code.

    Example: CCE-5770-3

  • Vulnerability: Related observable is a Common Vulnerabilities and exposures (CVE) identifier.

    Example: CVE-2017-6394

  • Weakness: Related observable is a Common Weakness Enumeration (CWE) identifier.

    Example: CWE-319, CWE-642.

Incident

  • Affected asset: Related observable describes an affected resource or asset type.

  • Related: Generic. Observable is related to this incident.

Indicator

  • Observable: Generic. Related observable is an embedded CybOX observable object.

  • Sighted: Related observable is an embedded CybOX observable object.

    This observable was detected at least once within the organization.

  • Test mechanism: Related observable describes a test mechanism, or contains a detection rule/pattern used by an external system.

    For more information on test mechanisms, see Indicator.

TTP

  • Malicious infrastructure: Related observable describes a component of the infrastructure – gear, equipment, tools, software and hardware, services – used to carry out the malicious activities described in the TTP.

  • Targeted victim: Related observable describes a component of the targeted victim’s assets and resources.

Report

  • Observable: Generic. Related observable was detected outside the organization.

Threat actor

  • Identity: Related observable holds information that can be used to identify an actor, usually the related threat actor.

    For example, an individual’s first and/or last name, or the denomination of an organization.

Campaign

N/A. Campaign-related observables do not have link types.

Search by link type

You can use link types to search for specific observables, based on the type of relationship they have with their parent entity.

The type of relationship between an observable and an entity adds context, and it can help you understand the function of the observable within the broader threat landscape it belongs to.

For example, a relationship can help identify an observable as a victim, an affected asset, a vulnerability, or a component of the threat actor’s malicious infrastructure.

Let’s assume that an analyst is investigating a threat scenario where a threat actor exploits the CVE-2017-8793 vulnerability to gain access to the targeted victim’s assets.

The analyst may want to search EclecticIQ Intelligence Center for any exploit target entities containing observables that are related to the parent exploit target because they represent a vulnerability.

To search for an observable representing a vulnerability:

  1. From the left sidebar click the search icon Search icon.

  2. In the search input field enter your search query:

    data.type:exploit-target AND \
    extracts.kind:domain AND \
    (meta.bundled_extracts.link_types:vulnerability OR \
    extracts.instance_meta.link_types:vulnerability OR \
    extracts_nested.instance_meta.link_types:vulnerability)

    The parentheses group the three OR clauses so that they are evaluated together before being combined with the AND clauses; without them, the query parser does not apply the precedence you would expect.
  3. Press ENTER to start the search.

In the search query example:

  • meta.bundled_extracts.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link type value defining the relationship between entities and the corresponding bundled observables.

  • extracts.instance_meta.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link type value defining the relationship between entities and non-embedded observables.

  • extracts_nested.instance_meta.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link type value defining the relationship between entities and the corresponding embedded observables.

  • vulnerability is the link type value defining the type of entity-observable relationship you are looking for.

If the link type value search string contains multiple words separated by spaces, wrap the search string in double quotes (example: "my multiple word search string").

EclecticIQ Intelligence Center search functionality uses the Elasticsearch query syntax.

The following table maps the link type values you can enter in a search query to the corresponding options displayed in the GUI (campaign entities have no link types to define relationships with observables):

| Search input value       | GUI option               | Entity           |
|--------------------------|--------------------------|------------------|
| parameter                | Parameter                | Course of action |
| affected                 | Affected                 | Exploit target   |
| configuration            | Configuration            | Exploit target   |
| vulnerability            | Vulnerability            | Exploit target   |
| weakness                 | Weakness                 | Exploit target   |
| affected-asset           | Affected asset           | Incident         |
| related                  | Related                  | Incident         |
| observed                 | Observable               | Indicator        |
| sighted                  | Sighted                  | Indicator        |
| test-mechanism           | Test mechanism           | Indicator        |
| malicious-infrastructure | Malicious infrastructure | TTP              |
| targeted-victim          | Targeted victim          | TTP              |
| observable               | Observable               | Report           |
| identity                 | Identity                 | Threat actor     |

Link types for observables extracted from unstructured text

An observable that is extracted from unstructured text does not have link types.

Instead, the Relations column displays the name of the field that contains the unstructured text from which the observable was extracted.

Observables with paths instead of link types

In EIQ JSON, these field names are set in the instance_meta.paths[] field of an observable:

"extracts": [
  {
    "instance_meta": {
      "link_types": [],
      "paths": [
        "description",
        "short_description"
      ]
    },
    "kind": "cve",
    "meta": {},
    "value": "2022-26134"
  },
  //...
]

Observable XML

Observable XML appears as a Relation for observables when the observable is extracted from CybOX XML. This only occurs for entities ingested from STIX 1.x data.

As with observables extracted from unstructured text, the extraction source is not saved as a link type but as an item in instance_meta.paths[].

For example, a CybOX object like this:

<indicator:Observable id="ctix:Observable-4d294757-c1e5-41f8-960e-0e0f13cb06e8">
  <cybox:Title>New STIX 09</cybox:Title>
  <cybox:Object id="ctix:URI-10584646-d18b-4890-a1ee-3bec6756817f">
    <cybox:Properties xsi:type="URIObj:URIObjectType">
      <URIObj:Value>https://www.tuop.com</URIObj:Value>
    </cybox:Properties>
  </cybox:Object>
</indicator:Observable>

is ingested to produce an extracts object in EIQ JSON:

"extracts": {
  "instance_meta": {
    "link_types": [],
    "paths": [
      "observable.object.properties_xml"
    ]
  },
  "kind": "uri",
  "meta": {},
  "value": "https://www.tuop.com/"
}
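The following script is an added example (not EclecticIQ code) that walks an EIQ JSON bundle in the shape shown in this page: it renders the Relations label for each extract, using the link type when one is set and falling back to instance_meta.paths[] (with the CybOX path shown as "Observable XML"), and it reproduces the search-by-link-type lookup offline. The bundle is a constructed sample; the search-value-to-GUI mapping comes from the table above.

```python
import json

# Search input value -> GUI option, as listed in the mapping table on this page.
LINK_TYPE_LABELS = {
    "parameter": "Parameter", "affected": "Affected", "configuration": "Configuration",
    "vulnerability": "Vulnerability", "weakness": "Weakness", "affected-asset": "Affected asset",
    "related": "Related", "observed": "Observable", "sighted": "Sighted",
    "test-mechanism": "Test mechanism", "malicious-infrastructure": "Malicious infrastructure",
    "targeted-victim": "Targeted victim", "observable": "Observable", "identity": "Identity",
}
CYBOX_XML_PATH = "observable.object.properties_xml"  # path recorded for CybOX-sourced extracts

# Constructed sample in the EIQ JSON shape shown on this page (not real platform output): one
# exploit-target entity with a CVE linked as a vulnerability, a CVE from free text, a CybOX URI.
SAMPLE_BUNDLE = json.loads("""{"entities": [{"data": {"type": "exploit-target", "title": "Sample"},
 "extracts": [
  {"kind": "cve", "value": "CVE-2017-8793", "meta": {},
   "instance_meta": {"link_types": ["vulnerability"], "paths": []}},
  {"kind": "cve", "value": "2022-26134", "meta": {},
   "instance_meta": {"link_types": [], "paths": ["description", "short_description"]}},
  {"kind": "uri", "value": "https://www.tuop.com/", "meta": {},
   "instance_meta": {"link_types": [], "paths": ["observable.object.properties_xml"]}}
 ]}]}""")


def relation_label(extract):
    """What the Relations column shows for one extract: its link types (GUI wording),
    otherwise the field path(s) it was extracted from, with the CybOX path as 'Observable XML'."""
    meta = extract.get("instance_meta", {})
    link_types = meta.get("link_types") or []
    if link_types:
        return ", ".join(LINK_TYPE_LABELS.get(lt, lt) for lt in link_types)
    paths = meta.get("paths") or []
    return ", ".join("Observable XML" if p == CYBOX_XML_PATH else p for p in paths)


def extracts_by_link_type(bundle, link_type, entity_type=None):
    """Offline counterpart of the link-type search: (title, kind, value) of every extract
    carrying link_type, optionally restricted to one data.type such as 'exploit-target'."""
    hits = []
    for entity in bundle.get("entities", []):
        data = entity.get("data", {})
        if entity_type and data.get("type") != entity_type:
            continue
        for extract in entity.get("extracts", []):
            if link_type in (extract.get("instance_meta", {}).get("link_types") or []):
                hits.append((data.get("title"), extract.get("kind"), extract.get("value")))
    return hits
```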
