Observable link types#

Link types for observables are labels for the relations between a given observable and an entity.

Link types for observables are displayed in two places:

In the EIQ JSON field entities[].extracts[].instance_meta.link_types[] (see jq filter).
When viewing an open entity in the entity builder, under the Observables tab.

The Relations column displays the link type of each observable.

Observables tab displays a list of observables, with the link type displayed in the Relations column.#

Tip

Link types for observables are only visible where observables can be displayed in relation to specific entities.

Create observables with link types#

You can create observables with link types by:

Adding an observable to an existing entity.
1. Open an existing observable.
2. In the entity builder, go to the Observables tab.
3. Select + Add observable.
  
  Add an observable to an existing entity in the entity builder.#
Adding an observable to a new entity.
1. Create a new entity. From the left sidebar, select + Create then select an entity type.
2. Navigate to the Observables section and select + Observable.

List of predefined link types#

The following table describes available predefined link types.

Entity type	Possible link types
Course of action	Parameter: The related observable describes specific CybOX-related technical parameters, settings, and configurations.
Exploit target	Affected: Related observable describes an affected resource. Configuration: Related observable is a Common Configuration Enumeration (CCE) code. Example: CCE-5770-3 Vulnerability: Related observable is a Common Vulnerabilities and exposures (CVE) identifier. Examples: CVE-2017-6394 CVE-2017-6394 Weakness: Related observable is a Common Weakness Enumeration (CWE) identifier. Example: CWE-319, CWE-642.
Incident	Affected asset: Related observable describes an affected resource or asset type. Related: Generic. Observable is related to this incident.
Indicator	Observable: Generic. Related observable is an embedded CybOX observable object. Sighted: Related observable an embedded CybOX observable object. This observable was detected at least once within the organization. Test mechanism: Related observable describes a test mechanism, or contains a detection rule/pattern used by an external system. For more information on test mechanisms, see Indicator.
TTP	Malicious infrastructure: Related observable describes a component of the infrastructure – gear, equipment, tools, software and hardware, services – used to carry out the malicious activities described in the TTP. Targeted victim: Related observable describes a component of the targeted victim’s assets and resources.
Report	Observable: Generic. Related observable was detected outside the organization.
Threat actor	Identity: Related observable holds information that can be used to identify an actor, usually the related threat actor. For example, an individual’s first and/or last name, or the denomination of an organization.
Campaign	N/A. Campaign-related observables do not have link types.

Search by link type#

You can use link types to search for specific observables, based on the type of relationship they have with their parent entity.

The type of relationship between an observable and and entity adds context, and it can help understand the function of the observable within the broader threat landscape it belongs to.

For example, a relationship can help identify an observable as a victim, and affected asset, a vulnerability, or as a component of the threat actor’s malicious infrastructure.

Let’s assume that an analyst is investigating a threat scenario where a threat actor exploits the CVE-2017-8793 vulnerability to gain access to the targeted victim’s assets.

The analyst may want to search EclecticIQ Intelligence Center for any exploit target entities containing observables that are related to the parent exploit target because they represent a vulnerability.

To search for an observable representing a vulnerability:

From the left sidebar click the search icon .

In the search input field enter your search query:

data.type:exploit-target AND \
extracts.kind:domain AND \
meta.bundled_extracts.link_types:vulnerability OR \
extracts.instance_meta.link_types:vulnerability OR \
extracts_nested.instance_meta.link_types:vulnerability

Press ENTER to start the search.

In the search query example:

meta.bundled_extracts.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link type value defining the relationship between entities and the corresponding bundled observables.
extracts.instance_meta.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link type value defining the relationship between entities and non-embedded observables.
extracts_nested.instance_meta.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link type value defining the relationship between entities and the corresponding embedded observables.
vulnerability is the link type value defining the the type of entity-observable relationship you are looking for.

If the link type value search string contains multiple words separated by spaces, wrap the search string in double quotes (example: "my multiple word search string").

EclecticIQ Intelligence Center search functionality uses the Elasticsearch query syntax.

The following table maps the link type values you can enter in a search query to the corresponding options displayed in the GUI (campaign entities have no link types to define relationships with observables):

Search input value	GUI option	Entity
parameter	Parameter	Course of action
affected	Affected	Exploit target
configuration	Configuration	Exploit target
vulnerability	Vulnerability	Exploit target
weakness	Weakness	Exploit target
affected-asset	Affected asset	Incident
related	Related	Incident
observed	Observable	Indicator
sighted	Sighted	Indicator
test-mechanism	Test mechanism	Indicator
malicious-infrastructure	Malicious infrastructure	TTP
targeted-victim	Targeted victim	TTP
observable	Observable	Report
identity	Identity	Threat actor

Link types for observables extracted from unstructured text#

An observable that is extracted from unstructured text does not have link types.

Instead, the Relations column displays the name of the field that contains the unstructured text from which the observable was extracted from.

Observables with paths instead of link types#

In EIQ JSON, these field names are set in the instance_meta.paths[] field of an observable:

"extracts": [
  {
    "instance_meta": {
      "link_types": [],
      "paths": [
        "description",
        "short_description"
      ]
    },
    "kind": "cve",
    "meta": {},
    "value": "2022-26134"
  },
  //...
]

Observable XML#

Observable XML appears as a Relation for observables when the observable is extracted from CybOX XML. This only occurs for entities ingested from STIX 1.x data.

Like Link types for observables extracted from unstructured text, the extraction source is not saved as a link type but instead as an item in instance_meta.paths[].

For example, a CybOX object like this:

<indicator:Observable id="ctix:Observable-4d294757-c1e5-41f8-960e-0e0f13cb06e8">
<cybox:Title>New STIX 09</cybox:Title>
<cybox:Object id="ctix:URI-10584646-d18b-4890-a1ee-3bec6756817f">
<cybox:Properties xsi:type="URIObj:URIObjectType">
<URIObj:Value>https://www.tuop.com</URIObj:Value>
</cybox:Properties>
</cybox:Object>
</indicator:Observable>

Is ingested to produce an extracts object in EIQ JSON:

"extracts": {
  "instance_meta": {
    "link_types": [],
    "paths": [
      "observable.object.properties_xml"
    ]
  },
  "kind": "uri",
  "meta": {},
  "value": "https://www.tuop.com/"
}