Add relationships#
Relationships add intelligence value by describing how entities and observables are related. This information provides additional context, and it helps understand how a specific resource is used, or the purpose it serves for a potential attacker.
For example, it can clarify that an observable describes a vulnerability or a weakness that is related to its parent exploit target entity. Options vary based on the relationship the observable has with the specific entity type it belongs to. See About relationships for more information on relationships in EclecticIQ Intelligence Center.
There are two ways of adding relationships between entities:
In a graph
In an entity’s neighborhood tab
These two ways are explained below.
Add a relationship in a graph#
Add a relationship to a graph explains how to create relationships between entities while in a graph.
Add a relationship in the Neighborhood tab#
On the Neighborhood tab you can update entity information by adding and removing entity relationships.
To do so, do the following:
Under Directly related entities select Edit relationships.
From the drop-down menu select the option corresponding to the relationship you want to create.
On the Search an entity dialog, select the checkbox(es) to select one or more entities to relate them to the current one.
You can refine the displayed results by specifying a search string in the filter input field. Alternatively, select one of the available filter options to select and filter by specific:
Entity types
Source
Date
Datasets
Select Select.
From the Source drop-down menu, select a data source for the entity or entities you are relating to the current one. You can select only one data source at a time, regardless the number of entities you choose on the Search an entity dialog.
Select Save to store your changes, or Cancel to discard them.
To remove a relationship or a relationship type, select the icon on the row displaying the relationship or next to the relationship type you want to remove.
The row and the corresponding relationship or the relationship type are removed. You cannot undo this action.
Set campaign relationships#
Select this option… |
… to create this relationship for the campaign |
|---|---|
Associated Neighborhoods |
Outgoing relationship — Relates the campaign to the selected campaign(s) on the Search an entitydialog. |
Attributions |
Outgoing relationship — Relates the campaign to the selected threat-actor(s) on the Search an entity dialog. |
Related incidents |
Outgoing relationship — Relates the campaign to the selected incident(s) on the Search an entitydialog. |
Related TTPs |
Outgoing relationship — Relates the campaign to the selected TTP(s) on the Search an entity dialog. |
Indicator → Related campaigns |
Incoming relationship — Relates the selected indicator(s) on the Search an entity dialog to the campaign. |
Report Campaigns |
Incoming relationship — Relates the selected report(s) on the Search an entity dialog to the campaign. |
Threat actor Associated campaigns |
Incoming relationship — Relates the selected threat-actor(s) on the Search an entity dialog to the campaign. |
Sighting Campaign |
Incoming relationship — Relates the selected sighting(s) on the Search an entity dialog to the campaign. |
Set course of action relationships#
Select this option… |
… to create this relationship for the course of action |
|---|---|
Related exploit targets |
Outgoing relationship — Relates the course of action to the selected exploit target(s) on the Search an entity dialog. |
Related incidents |
Outgoing relationship — Relates the course of action to the selected incident(s) on the Search an entity dialog. |
Related courses of action |
Outgoing relationship — Relates the course of action to the selected course(s) of action on the Search an entity dialog. |
Exploit target Potential courses of action |
Incoming relationship — Relates the selected exploit target(s) on the Search an entity dialog to the course of action. |
Indicator → Suggested courses of action |
Incoming relationship — Relates the selected indicator(s) on the Search an entity dialog to the course of action. Recommends carrying out a course of action to respond to an indicator. |
Incident Courses of action requested |
Incoming relationship — Relates the selected indicator(s) on the Search an entity dialog to the course of action. Requests to carry out a course of action to respond to an incident. |
Incident Courses of action taken |
Incoming relationship — Relates the selected indicator(s) on the Search an entity dialog to the course of action. Reports the course of action carried out as a response to an incident. |
Report Courses of action |
Incoming relationship — Relates the selected report(s) on the Search an entity dialog to the course of action. |
Sighting Course of action |
Incoming relationship — Relates the selected sighting(s) on the Search an entity dialog to the course of action. |
Set exploit target relationships#
Select this option… |
… to create this relationship for the exploit target |
|---|---|
Potential courses of action |
Outgoing relationship — Relates the exploit target to the selected potential course(s) of action on the Search an entity dialog |
Related exploit targets |
Outgoing relationship — Relates the exploit target to the selected exploit target(s) on the Search an entity dialog |
Course of action → Related exploit targets |
Incoming relationship — Relates the selected course(s) of action on the Search an entity dialog to the exploit target. |
Report → Exploit targets |
Incoming relationship — Relates the selected report(s) on the Search an entity dialog to the exploit target. |
TTP → Exploit targets |
Incoming relationship — Relates the selected TTP(s) on the Search an entity dialog to the exploit target. |
Sighting → Exploit target |
Incoming relationship — Relates the selected sighting(s) on the Search an entity dialog to the exploit target. |
Set incident relationships#
Select this option… |
… to create this relationship for the incident |
|---|---|
Related indicators |
Outgoing relationship — Relates the incident to the selected indicator(s) on the Search an entitydialog. |
Leveraged TTPs |
Outgoing relationship — Relates the incident to the selected TTP(s) on the Search an entity dialog. |
Attributed threat actors |
Outgoing relationship — Relates the incident to the selected threat-actor(s) on the Search an entitydialog. |
Related incidents |
Outgoing relationship — Relates the incident to the selected incident(s) on the Search an entitydialog. |
Courses of action requested |
Outgoing relationship — Relates the incident to the selected course(s) of action on the Search an entity dialog to respond to the incident. |
Courses of action taken |
Outgoing relationship — Relates the incident to the selected course(s) of action on the Search an entity dialog that are carried out as a response to the incident. |
Campaign → Related incidents |
Incoming relationship — Relates the selected campaign(s) on the Search an entity dialog to the incident. |
Course of action → Related incidents |
Incoming relationship — Relates the selected course(s) of action on the Search an entity dialog to the incident. |
Report Incidents |
Incoming relationship — Relates the selected report(s) on the Search an entity dialog to the incident. |
Sighting Incident |
Incoming relationship — Relates the selected sighting(s) on the Search an entity dialog to the incident. |
Edit indicator relationships#
Select this option… |
… to create this relationship for the indicator |
|---|---|
Indicated TTPs |
Outgoing relationship — Relates the indicator to the selected TTPs(s) on the Search an entity dialog. |
Suggested courses of action |
Outgoing relationship — Relates the indicator to the selected course(s) of action on the Search an entity dialog. Recommends carrying out a course of action to respond to the indicator. |
Related Neighborhoods |
Outgoing relationship — Relates the indicator to the selected indicator(s) on the Search an entitydialog. |
Related campaigns |
Outgoing relationship — Relates the indicator to the selected campaign(s) on the Search an entitydialog. |
Incident → Related indicators |
Incoming relationship — Relates the selected incident(s) on the Search an entity dialog to the indicator. |
Report Indicators |
Incoming relationship — Relates the selected report(s) on the Search an entity dialog to the indicator. |
Sighting Indicator |
Incoming relationship — Relates the selected sighting(s) on the Search an entity dialog to the indicator. |
Set report relationships#
Select this option… |
… to create this relationship for the report |
|---|---|
Indicators |
Outgoing relationship — Relates the report to the indicator(s) on the Search an entity dialog. |
TTPs |
Outgoing relationship — Relates the report to the selected TTP(s) on the Search an entity dialog. Recommends carrying out a course of action to respond to the report. |
Exploit targets |
Outgoing relationship — Relates the report to the selected exploit target(s) on the Search an entitydialog. |
Incidents |
Outgoing relationship — Relates the report to the selected incident(s) on the Search an entity dialog. |
Courses of action |
Outgoing relationship — Relates the report to the selected course(s) of action on the Search an entity dialog. |
Campaigns |
Outgoing relationship — Relates the report to the selected campaign(s) on the Search an entitydialog. |
Threat actors |
Outgoing relationship — Relates the report to the selected threat actor(s) on the Search an entitydialog. |
Sighting Neighborhood |
Incoming relationship — Relates the selected sighting(s) on the Search an entity dialog to the report. |
Set sighting relationships#
Select this option… |
… to create this relationship for the sighting |
|---|---|
Campaign |
Outgoing relationship — Relates the sighting to the selected campaign(s) on the Search an entitydialog. |
Course of action |
Outgoing relationship — Relates the sighting to the selected course(s) of action on the Search an entity dialog. |
Exploit target |
Outgoing relationship — Relates the sighting to the selected exploit target(s) on the Search an entitydialog. |
Indicator |
Outgoing relationship — Relates the sighting to the selected indicator(s) on the Search an entitydialog. |
Incident |
Outgoing relationship — Relates the sighting to the selected incident(s) on the Search an entitydialog. |
Report |
Outgoing relationship — Relates the sighting to the selected report(s) on the Search an entity dialog. |
Threat actor |
Outgoing relationship — Relates the sighting to the threat actor(s) on the Search an entity dialog. |
TTP |
Outgoing relationship — Relates the sighting to the selected TTP(s) on the Search an entity dialog. |
Set threat actor relationships#
Select this option… |
… to create this relationship for the threat actor |
|---|---|
Observed TTPs |
Outgoing relationship — Relates the threat actor to the selected TTP(s) on the Search an entitydialog. |
Associated campaigns |
Outgoing relationship — Relates the threat actor to the selected campaign(s) on the Search an entitydialog. |
Associated actors |
Outgoing relationship — Relates the threat actor to the selected threat actor(s) on the Search an entity dialog. |
Campaign Attributions |
Incoming relationship — Relates the selected campaign(s) on the Search an entity dialog to the threat actor. |
Incident → Attributed threat actors |
Incoming relationship — Relates the selected incident(s) on the Search an entity dialog to the threat actor. |
Report → Threat actors |
Incoming relationship — Relates the selected report(s) on the Search an entity dialog to the threat actor. |
Sighting Threat actor |
Incoming relationship — Relates the selected sighting(s) on the Search an entity dialog to the threat actor. |
Set TTP relationships#
Select this option… |
… to create this relationship for the TTP |
|---|---|
Exploit targets |
Outgoing relationship — Relates the TTP to the selected exploit target(s) on the Search an entitydialog. |
Related TTPs |
Outgoing relationship — Relates the TTP to the selected TTP(s) on the Search an entity dialog. |
Campaign → Related TTPs |
Incoming relationship — Relates the selected campaign(s) on the Search an entity dialog to the TTP. |
Indicator → Indicated TTPs |
Incoming relationship — Relates the selected indicator(s) on the Search an entity dialog to the TTP. |
Incident → Leveraged TTPs |
Incoming relationship — Relates the selected incident(s) on the Search an entity dialog to the TTP. |
Report → TTPs |
Incoming relationship — Relates the selected report(s) on the Search an entity dialog to the TTP. |
Threat actor Observed TTPs |
Incoming relationship — Relates the selected threat actor(s) on the Search an entity dialog to the TTP |
Sighting → TTP |
Incoming relationship — Relates the selected sighting(s) on the Search an entity dialog to the TTP. |