Entities: Common properties#

Entity data model#

Tip

EIQ JSON paths#

Documentation here refers to EIQ JSON paths to show how data is structured for export and import when using the EclecticIQ JSON content type.

EIQ JSON paths mentioned here by convention omit the entities[] object, and assumes that we are dealing with the contents of the entity object only.

So an EIQ JSON path or field written here as data.id would be shorthand for the full path: .entities[].data.id.

Titles and aliases#

All entities have a Title field that is displayed whereever they appear in EclecticIQ Intelligence Center UI.

An entity can also have an Alias. If an entity has an alias, the alias is displayed instead of the title when the entity is displayed.

To set an alias for an entity:

Select published entity to open it.
Select the title of the entity.
In the drop-down that appears, select Edit.
Type an alias for the entity, and press enter.

These are set in EIQ JSON with the following fields:

Field	EIQ JSON field
Title	`data.title`
Alias	`meta.title`

Field

EIQ JSON field

Title

data.title

Alias

meta.title

ID values#

EclecticIQ entities are uniquely identified by an id value at the object root. Other ID values are derived from this id value.

The following table describes the different id fields in an entity:

EIQ JSON field	Description
`id`	UUID (UUID4 or UUID5) that uniquely identifies this entity.
`data.id`	Contains an EclecticIQ qualified ID in the following format: {<domain_name>}<entity_type>-<UUID> `<domain_name>` is the Hostname value set for your EclecticIQ Intelligence Center instance. Go to Settings > System settings > General to configure this. `<entity_type>` is the current entity type. `<UUID>` is usually the value of `id` for the current entity. If you imported this entity from another EclecticIQ Intelligence Center instance, `<UUID>` here may differ from `id`. Example: `{http://www.example.org/}indicator-cc23cea8-50ba-4cec-937a-a56596ad2f69`

EIQ JSON field

Description

id

UUID (UUID4 or UUID5) that uniquely identifies this entity.

data.id

Contains an EclecticIQ qualified ID in the following format:

{<domain_name>}<entity_type>-<UUID>

<domain_name> is the Hostname value set for your EclecticIQ Intelligence Center instance. Go to Settings > System settings > General to configure this.
<entity_type> is the current entity type.
<UUID> is usually the value of id for the current entity. If you imported this entity from another EclecticIQ Intelligence Center instance, <UUID> here may differ from id.

Example: {http://www.example.org/}indicator-cc23cea8-50ba-4cec-937a-a56596ad2f69

When an entity is exported, the id value is used to form an ID value compliant with the export format:

Export format	Description
STIX 1.2	Exported entities contain a STIX 1.2 QName. Example: `www.example.org:indicator-cc23cea8-50ba-4cec-937a-a56596ad2f69`
STIX 2.1	Exported entities contain a STIX 2.1 §2.9 Identifier. Example: `indicator--cc23cea8-50ba-4cec-937a-a56596ad2f69`

Export format

Description

STIX 1.2

Exported entities contain a STIX 1.2 QName.

Example: www.example.org:indicator-cc23cea8-50ba-4cec-937a-a56596ad2f69

STIX 2.1

Exported entities contain a STIX 2.1 §2.9 Identifier.

Example: indicator--cc23cea8-50ba-4cec-937a-a56596ad2f69

MITRE ATT&CK classifications#

You can apply MITRE ATT&CK classifications to entities when open an entity to view it.

You cannot add an ATT&CK classification when you create or edit an entity.

From the left navigation, select Search > Go to search and browse.
Select an entity to open it.
Navigate to the MITRE ATT&CK classifications section. Select + ATT&CK Classification.
Select one or more classifications.
Select Classify to finish adding classifications.

Note

MITRE ATT&CK classifications are not supported for exports to STIX 2.1 or STIX 1.2.

STIX 1.2 and 2.1 specifications don’t have properties for MITRE ATT&CK classifications. If you need to need to represent MITRE ATT&CK data in STIX 2.1-compatibile formats, consider importing objects from the MITRE ATT&CK STIX Data repository.

Time values#

Time values are represented as ISO8601-formatted text. E.g. 2017-11-30T10:04:07.890853+00:00

EclecticIQ Intelligence Center UI will typically allow you to select a date from the calendar, or type in a YYYY-MM-DD HH:MM value.

Date and time precision#

Some fields allow you to specify a precision for date and time values. Selecting a precision allows you to describe how accurate the recipient of intelligence should expect the specified date and time value should be.

Analogous to STIX 1.2 DateTimePrecisionEnum.

STIX 2.1 has no time precision properties.

Possible values for precision:

year
month
day
hour
minute
second

For example, time windows have start and start_precision properties. A start_precision of minute means that the value of start is accurate up to the specified minute.

Half-life#

Half-life is the amount of time it takes for a threat to lose half its intelligence value, in days.

Default half-life value#

You can change the default half-life values of entities by modifying the following section in platform_settings.py and restarting EclecticIQ Intelligence Center services:

HALF_LIFE = {
    "attack-pattern": 720,
    "campaign": 1000,
    "course-of-action": 182,
    "eclecticiq-sighting": 182,
    "exploit-target": 182,
    "identity": 4000,
    "incident": 182,
    "indicator": 30,
    "infrastructure": 720,
    "intrusion-set": 1000,
    "location": 4000,
    "malware": 720,
    "malware-analysis": 720,
    "report": 182,
    "threat-actor": 1000,
    "tool": 720,
    "ttp": 720,
}

Half-life relevancy#

Represents the intelligence value of this entity relative to its age, or if the threat has already ended.

Used in filters and searches on EclecticIQ Intelligence Center.

See:

Confidence scale: High Medium low#

A confidence scale is used to represent the level of confidence an intelligence provider has in in the information presented.

In EclecticIQ Intelligence Center, this is represented as the following values

High
Medium
Low
None
Unknown

In STIX 1.2, this is analogous to HighMediumLowVocab.

In STIX 2.1:

Confidence is a common property across SDOs.
EclecticIQ entities and observables continue to use HighMediumLowVocab values for confidence. When exported to STIX 2.1, these values are mapped according to STIX 2.1 Appendix A. Confidence Scales.

Example: An entity with a confidence value of HIGH when exported to STIX 2.1 will contain a confidence value of 85.

Intended effects#

A list of values that describe the intended effect of a property. Analogous to STIX 1.2 IntendedEffectVocab. STIX 2.1 has no corresponding specification.

Possible values:

Advantage
Advantage - Economic
Advantage - Military
Advantage - Political
Theft
Theft - Intellectual Property
Theft - Credential Theft
Theft - Identity Theft
Theft - Theft of Proprietary Information
Account Takeover
Brand Damage
Competitive Advantage
Degradation of Service
Denial and Deception
Destruction
Disruption
Embarrassment
Exposure
Extortion
Fraud
Harassment
ICS Control
Traffic Diversion
Unauthorized Access

Malware types#

A list of values that describe the type of malware identified.

There are two sets of malware type values available in EclecticIQ Intelligence Center:

The deprecated TTP (deprecated) entity has Characteristics: Malware that uses the STIX 1.2 MalwareTypeVocab-1.0.
The Malware entity has a type property that uses the STIX 2.1 §10.15 Malware Type Vocabulary.

Infrastructure types#

List of values that describe the type of infrastructure identified.

There are two sets of infrastructure type values available in EclecticIQ Intelligence Center:

The deprecated TTP (deprecated) entity has Characteristics: Infrastructure that uses the AttackerInfrastructureTypeVocab-1.0.
The Infrastructure entity has a type property that uses the STIX 2.1 §10.12 Infrastructure Type Vocabulary.