Intrusion Set#

Tip

This entity is analogous to these STIX objects:

When exported as EclecticIQ JSON and ingested into EclecticIQ Intelligence Center 2.14, it is ingested as a Threat Actor entity. See Compatibility with 2.14.

Create an Intrusion Set entity by selecting:

  • In the side navigation bar + Create > Intrusion Set.

Or:

Then, Configure this entity.

Configure#

The following sections the fields and options available.

Note

Required fields are marked with an asterisk (*).

General#

Field

EIQ JSON field

Description

Title*

data.title

Compatible with STIX 2.1 export Compatible with STIX 1.2 export

Descriptive title for this entity. See Titles and aliases.

Analysis

data.description

Compatible with STIX 2.1 export Compatible with STIX 1.2 export

Long description.

Aliases

data.aliases[]

Compatible with STIX 2.1 export

One or more known names to identify this threat actor by.

When this entity is published, also creates one name observable for each alias here.

Intended effects

data.intended_effects

Compatible with STIX 2.1 export Compatible with STIX 1.2 export

See Intended effects. For STIX 2.1, maps to goals property of Threat Actor SDO.

Confidence

data.confidence

Compatible with STIX 1.2 export

See Confidence scale: High Medium low.

Characteristics#

Characteristics are properties on an entity that provide context for the intelligence indicated by this object.

The following are characteristics available this entity:

Field

EIQ JSON field

Description

Motivations

data.motivations[]

Compatible with STIX 2.1 export Compatible with STIX 1.2 export

Based on STIX 2.1 §10.2 Attack Motivation Vocabulary. If entity is imported and converted from an earlier version of EclecticIQ Intelligence Center, can contain values from MotivationVocab-1.1.

In STIX 2.1, first item set here is exported as primary_motivation. Subsequent items are exported as items in secondary_motivation.

Sophistication

data.sophistication

Compatible with STIX 2.1 export

Based on STIX 2.1 §10.25 Threat Actor Sophistication Vocabulary. If this entity is converted from an older Threat Actor entity, or imported from an earlier version of EclecticIQ Intelligence Center, can contain values from ThreatActorSophisticationVocab-1.0.

Resource level

data.resource_level

Compatible with STIX 2.1 export

Based on STIX 2.1 §10.3 Attack Resource Level Vocabulary.

Planning and operational support

data.planning_and_operational_support[]

Compatible with STIX 2.1 export Compatible with STIX 1.2 export

Based on PlanningAndOperationalSupportVocab-1.0.1.

Observables#

You can create one or more new observables and link it to the currently open entity by selecting + Observable under the Observables section.

Note

If an observable you create here matches an observable rule with an ignore action, it does not appear when the you publish the entity.

In the Add observable view that appears, fill out these fields:

Field

EIQ JSON field

Description

Type*

extracts[].kind

See Observable types

Link name*

See Observable link types

See Observable link types

Values(s)*

extracts[].value

Enter one or more values. One observable is created per value.

Values must be comma-separated, or newline-separated, but not both.

Maliciousness*

See Observable maliciousness

See Observable maliciousness

Relationships#

Add relationships to this entity by selecting + Add relationship.

See Relationships.

Meta#

The Meta section contains configuration options that allow you to attach descriptive data to the entity.

Field

EIQ JSON field

Description

Estimated threat start time

meta.estimated_threat_start_time

Estimated start of threat. See Time values.

Estimated threat end time

meta.estimated_threat_end_time

Estimated end of threat. See Time values.

Estimated observed time

meta.estimated_observed_time

Estimated time threat was observed. See Time values.

Half-life

meta.half_life

See Half-life.

Select one of these options:

  • Use default value: When selected, half-life for this entity is set to 720 days.

  • Override value: Set a custom value for half-life, in number of days.

Tags

meta.tags[] and meta.taxonomy_paths[]

See tags and taxonomies.

Source*

sources[]

Select one source.

Source reliability

meta.source_reliability

See source reliability.

Options:

  • Inherit from source: This entity inherits source reliability from Source.

  • Custom override: Set a source reliability value for just this entity.

Information source#

Field

EIQ JSON field

Description

Description

data.information_source.description

Description of information source.

Identity

data.information_source.identity

Name of this information source

Roles

data.information_source.roles[]

One or more information source roles. Possible values:

  • Initial Author

  • Content Enhancer/Refiner

  • Aggregator

  • Transformer/Translator

References

data.information_source.references[]

One or more URLs.

Data marking#

Descriptive metadata for entity.

Field

EIQ JSON field

Description

TLP

meta.tlp_color

Set a TLP color for this entity.

Terms of use

data.handling[].marking_structures[]

Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType.

Simple

data.handling[].marking_structures[]

Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType.

Workflow#

Use options here to apply workflow options to this entity.

Field

Description

Add to dataset

Select this option to add this entity to one or more datasets on Publish.

Manually enrich

Run one or more enrichers on this entity on Publish.

Save and publish#

Tip

For more information, see Draft and published entities.

Select Publish to create this entity, and make it available under + Create > Production > Published.

For more publishing options, select More Drop-down menu arrow and then one of these options:

  • Publish and new: Publish this entity, and start creating a new entity.

  • Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.

Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.

For more options while saving as a draft, select More Drop-down menu arrow and then one of these options:

  • Publish and new: Save this entity as a draft, and start creating a new entity.

  • Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.

Compatibility with 2.14#

You can export this entity type as EclecticIQ JSON and import it into EclecticIQ Intelligence Center 2.14.

When imported into 2.14, it produces a Threat Actor entity with the following transformations:

Intrusion Set field

Mapped to 2.14 Threat Actor field

Description

data.title

data.title

data.title field prefixed with Intrusion set:. E.g. An Intrusion Set entity with title “Anonymous” is ingested in 2.14 as a Threat Actor entity with title “Intrusion set: Anonymous”.

data.aliases[]

N/A

Not ingested.

data.resource_level

N/A

Not ingested.