Report#

Tip

This entity is analogous to these STIX objects:

A report wraps around different pieces of threat intelligence to weave a common story into a consistent narrative.

During an analysis or an investigation, you may use a number of sources to gather many bits of information. Reports allow you to structure and to organize your research, and publish it.

Tip

You can add rich text content to reports. See Create content in reports.

Create a report by selecting:

  • In the side navigation bar + Create > Report.

Or:

Then, Configure this entity.

Configure#

The following sections describe the fields and options available.

Note

Required fields are marked with an asterisk (*).

General#

Field (EIQ JSON field): Description

Title* (data.title): Descriptive title for this entity. See Titles and aliases.

Summary (data.short_description): Summary of this report. You can add rich text here. See Rich text editor.

Analysis* (data.description): Main body of this report. You can add rich text here. See Rich text editor.

Recommendations* (data.description): Select + Section > Recommendations to add a “Recommendations” section to the Description field of this report. The content set here is appended to data.description. You can add rich text here. See Rich text editor.

Confidence (data.confidence): See Confidence scale: High, Medium, Low.

Intents#

Add one or more report intents.

Field (EIQ JSON field): Description

Intents* (data.types[]): One or more report intents. Analogous to ReportIntentVocab-1.0. Possible values:

  • Collective Threat Intelligence

  • Threat Report

  • Indicators

  • Indicators - Phishing

  • Indicators - Watchlist

  • Indicators - Malware Artifacts

  • Indicators - Network Activity

  • Indicators - Endpoint Characteristics

  • Campaign Characterization

  • Threat Actor Characterization

  • Exploit Characterization

  • Attack Pattern Characterization

  • Malware Characterization

  • TTP - Infrastructure

  • TTP - Tools

  • Courses of Action

  • Incident

  • Observations

  • Observations - Email

  • Malware Samples

Observables#

You can create one or more new observables and link them to the currently open entity by selecting + Observable under the Observables section.

Note

If an observable you create here matches an observable rule with an ignore action, it does not appear when you publish the entity.

In the Add observable view that appears, fill out these fields:

Field (EIQ JSON field): Description

Type* (extracts[].kind): See Observable types.

Link name*: See Observable link types.

Value(s)* (extracts[].value): Enter one or more values. One observable is created per value. Values must be comma-separated, or newline-separated, but not both.

Maliciousness*: See Observable maliciousness.

Relationships#

Add relationships to this entity by selecting + Add relationship.

See Relationships.

Meta#

The Meta section contains configuration options that allow you to attach descriptive data to the entity.

Field (EIQ JSON field): Description

Estimated threat start time (meta.estimated_threat_start_time): Estimated start of threat. See Time values.

Estimated threat end time (meta.estimated_threat_end_time): Estimated end of threat. See Time values.

Estimated observed time (meta.estimated_observed_time): Estimated time threat was observed. See Time values.

Half-life (meta.half_life): See Half-life. Select one of these options:

  • Use default value: When selected, half-life for this entity is set to 720 days.

  • Override value: Set a custom value for half-life, in number of days.

Tags (meta.tags[] and meta.taxonomy_paths[]): See tags and taxonomies.

Source* (sources[]): Select one source.

Source reliability (meta.source_reliability): See source reliability. Options:

  • Inherit from source: This entity inherits source reliability from Source.

  • Custom override: Set a source reliability value for just this entity.

Information source#

Field (EIQ JSON field): Description

Description (data.information_source.description): Description of information source.

Identity (data.information_source.identity): Name of this information source.

Roles (data.information_source.roles[]): One or more information source roles. Possible values:

  • Initial Author

  • Content Enhancer/Refiner

  • Aggregator

  • Transformer/Translator

References (data.information_source.references[]): One or more URLs.

Attachment#

Upload one or more attachments for this report.

Drag and drop files into the box here, or select Upload to browse your local filesystem and select files to upload.

Tip

When exported to EIQ JSON, these attachments are base64-encoded and embedded in the attachments[] field of the entity object.

Tip

By default, the maximum size for file attachments is 50MB.

Data marking#

Descriptive metadata for entity.

Field (EIQ JSON field): Description

TLP (meta.tlp_color): Set a TLP color for this entity.

Terms of use (data.handling[].marking_structures[]): Free text field allowing you to attach terms of use to an entity. Analogous to TermsOfUseMarkingStructureType.

Simple (data.handling[].marking_structures[]): Free text field for attaching any text to an entity. Analogous to SimpleMarkingStructureType.

Workflow#

Use options here to apply workflow options to this entity.

Field: Description

Add to dataset: Select this option to add this entity to one or more datasets on Publish.

Manually enrich: Run one or more enrichers on this entity on Publish.

Save and publish#

Tip

For more information, see Draft and published entities.

Select Publish to create this entity, and make it available under + Create > Production > Published.

For more publishing options, select More (the drop-down menu arrow) and then one of these options:

  • Publish and new: Publish this entity, and start creating a new entity.

  • Publish and duplicate: Publish this entity, and start creating a new entity using all the values set for this entity.

Select Save draft to save this entity as a draft, and make it available under + Create > Production > Drafts. You must publish an entity to use it elsewhere on EclecticIQ Intelligence Center.

For more options while saving as a draft, select More (the drop-down menu arrow) and then one of these options:

  • Publish and new: Save this entity as a draft, and start creating a new entity.

  • Publish and duplicate: Save this entity as a draft, and start creating a new entity using all the values set for this draft entity.

Create content in reports#

You can create content in reports with the rich text editor, and then publish them.

Rich text editor#

The Summary, Description, and Recommendations fields allow you to create rich content using the rich text editor.

Editor features:

Feature: Description

Insert relationship: Create a relationship to another entity, and insert a link to the selected entity here. See Relationships.

Insert observable: Create an observable and insert a link to it here. When selected, brings up the Add observable view.

  1. Fill out these fields:

    • Type* (extracts[].kind): See Observable types.

    • Value(s)* (extracts[].value): Enter one or more values. One observable is created per value. Values must be comma-separated, or newline-separated, but not both.

    • Maliciousness*: See Observable maliciousness.

  2. Select Save to finish adding the observable.
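The Value(s) rule stated here and in the Observables section above (one observable per value; comma-separated or newline-separated, but not both), shown as an added example that is not EclecticIQ code. The build_extracts helper and the ipv4 kind are assumptions made for illustration, and the sample inputs are constructed.

```python
"""Added example (not EclecticIQ code): split a Value(s) field into observables."""


def split_observable_values(raw: str) -> list[str]:
    """Return the individual values typed into the Value(s) field.

    The field accepts comma-separated OR newline-separated values, but not
    both, so a mixed list raises ValueError instead of silently producing
    wrong observables. Whitespace around values and blank entries are dropped.
    """
    has_comma = "," in raw
    has_newline = "\n" in raw or "\r" in raw
    if has_comma and has_newline:
        raise ValueError("values must be comma-separated or newline-separated, not both")
    parts = raw.splitlines() if has_newline else raw.split(",")
    values = [p.strip() for p in parts if p.strip()]
    if not values:
        raise ValueError("at least one value is required")
    return values


def build_extracts(kind: str, raw: str) -> list[dict]:
    """One extracts[] entry per value: Type -> extracts[].kind, Value(s) -> extracts[].value.

    Assumed helper; 'kind' values such as "ipv4" are illustrative (see Observable types).
    """
    return [{"kind": kind, "value": v} for v in split_observable_values(raw)]


if __name__ == "__main__":
    # Constructed sample input using documentation IP addresses.
    print(build_extracts("ipv4", "192.0.2.1, 192.0.2.2"))
    try:
        split_observable_values("192.0.2.1,192.0.2.2\n192.0.2.3")
    except ValueError as exc:
        print("rejected:", exc)
```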

Insert reference: Insert an external URL reference. When selected, brings up the Add link view.

  1. Fill out these fields:

    • Url*: Enter a valid URL.

    • Text: Enter link text.

  2. Select Insert to finish inserting the reference.

Insert image: Insert an inline image (max 10MB). When you attempt to insert an image larger than 10MB, you’ll be asked if you want to insert it as an attachment instead. For more information about exports and inline images, see Export and distribute reports.

Insert table: Insert a table.

Insert date/time: Insert the current date and time as plain text. Select the down arrow (drop-down menu arrow) on the right to select a date/time format to use.

Export and distribute reports#

Reports can be exported and distributed, manually or through outgoing feeds.

Inline images are embedded as attachments in the entity. When exported as EIQ JSON, images and attachments are base64-encoded and stored in the data.attachments[] field. In PDF exports, inline images are embedded and displayed.

Attachments and inline images are not supported for STIX 1.2 and STIX 2.1 exports.

STIX 2.1#

Report types#

The STIX 2.1 report_types field is mapped to tags in entities.

When a Report SDO is ingested, all values set in its report_types field are ingested as tags in the resulting report entity, with the format Report type - <report_type>.

When an EclecticIQ report entity is exported as STIX 2.1, Report type - <report_type> tags are set as members of the report_types field in the resulting Report SDO, where <report_type> is a valid report-type-ov value.
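The two-way mapping just described, as an added example that is not EclecticIQ code. It assumes that on export a Report type - tag whose value is not in report-type-ov is dropped rather than written into report_types; the vocabulary set is the one listed in the STIX 2.1 specification, and the sample Report SDO is constructed.

```python
"""Added example (not EclecticIQ code): STIX 2.1 report_types <-> 'Report type - <x>' tags."""

TAG_PREFIX = "Report type - "

# report-type-ov values as listed in the STIX 2.1 specification (open vocabulary).
REPORT_TYPE_OV = {
    "attack-pattern", "campaign", "identity", "indicator", "intrusion-set",
    "malware", "observed-data", "threat-actor", "threat-report", "tool",
    "vulnerability",
}


def tags_from_report_sdo(sdo: dict) -> list[str]:
    """Ingest direction: every report_types value becomes a 'Report type - <x>' tag."""
    return [TAG_PREFIX + rt for rt in sdo.get("report_types", [])]


def report_types_from_tags(tags: list[str]) -> tuple[list[str], list[str]]:
    """Export direction: 'Report type - <x>' tags become report_types values.

    Only values in report-type-ov are accepted; other values are returned
    separately so the caller can log them (assumed behaviour, see lead-in).
    Tags without the prefix (e.g. TLP tags) are ignored.
    """
    accepted, rejected = [], []
    for tag in tags:
        if not tag.startswith(TAG_PREFIX):
            continue
        value = tag[len(TAG_PREFIX):]
        (accepted if value in REPORT_TYPE_OV else rejected).append(value)
    return accepted, rejected


# Constructed sample Report SDO; the id is a placeholder, not a real object.
SAMPLE_SDO = {
    "type": "report",
    "spec_version": "2.1",
    "id": "report--00000000-0000-4000-8000-000000000000",
    "name": "Constructed sample report",
    "published": "2024-01-01T00:00:00Z",
    "report_types": ["threat-report", "indicator"],
    "object_refs": [],
}

if __name__ == "__main__":
    tags = tags_from_report_sdo(SAMPLE_SDO)
    print(tags)
    print(report_types_from_tags(tags + ["Report type - not-in-vocab", "TLP:AMBER"]))
```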