Full Report
In today’s fast-moving threat landscape, your intelligence doesn’t always fit predefined categories. EclecticIQ Intelligence Center 3.6 gives you Custom objects, built on STIX’s extension capability, so you can capture and operationalize intelligence that goes beyond the standard object types.
Analysis Summary
The provided article focuses on a feature within EclecticIQ Intelligence Center 3.6, **Custom Objects**, which extends the STIX standard to allow users to model intelligence that does not fit the predefined object types. Since the article describes a platform capability rather than a specific malware family, tool, or attack technique, this summary focuses on data modeling and platform features.
# Tool/Technique: Custom Objects (EclecticIQ Intelligence Center 3.6 Feature)
## Overview
Custom Objects are a feature within EclecticIQ Intelligence Center version 3.6 that utilizes STIX's extension capability to allow users to define and operationalize intelligence that falls outside the scope of standard STIX object types. This provides flexibility for CTI teams dealing with specialized data like cryptocurrency tracking, forensic evidence documentation, or highly specific honeypot data.
## Technical Details
- Type: Platform Feature / Data Modeling Capability
- Platform: EclecticIQ Intelligence Center 3.6 (Architecture dependent)
- Capabilities: Define new object types, create reusable attributes with defined data types (string, number, date), enforce mandatory fields, link to standard STIX entities, support TLP marking, tagging, and ATT&CK mapping.
- First Seen: Not specified (Feature release associated with EIQ 3.6)
## MITRE ATT&CK Mapping
- **Note:** As this is a platform feature for intelligence modeling and not a specific attacker technique, direct, mandatory ATT&CK mappings are not applicable. However, the *data collected* using these objects can certainly map to ATT&CK. The capability supports mapping:
  - **[Not Applicable]** - Data Modeling Support
  - **[General Use Case]** - Data used to track adversary activities documented under various T### techniques.
## Functionality
### Core Capabilities
- **Custom Data Structuring:** Ability to define entirely new object types to model specific intelligence needs (e.g., Cryptocurrency Wallets, Forensic Evidence, Financial Fraud Data).
- **Attribute Definition:** Create reusable attributes with strict data typing (string, number, date).
- **Integration:** Custom objects can be linked back to standard STIX entities (Threat Actors, Campaigns) and benefit from core platform functionality (search, correlation, visualization).
### Advanced Features
- **Workflow Integration:** Can be used within automated rules and detection logic.
- **Data Quality Enforcement:** Supports type checking and mandatory field enforcement for data governance.
- **Audit Trails & Access Control:** Maintains audit trails and supports role-based permissions for object access control.
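The capabilities listed above (a new object type built on STIX's extension mechanism, typed reusable attributes, mandatory-field enforcement, TLP marking, and links back to standard STIX entities) can be illustrated in plain STIX 2.1 terms. The following Python is an added, constructed example and is not EclecticIQ code or its API: it declares a hypothetical `x-crypto-wallet` type through a STIX 2.1 `extension-definition` (`new-sdo`), validates incoming attributes against a small typed schema before an object is created, attaches a TLP marking, and relates the result to a standard SDO. The type name, attribute names, identity and extension ids, schema URL and sample wallet data are all hypothetical.

```python
"""Constructed example: a STIX 2.1 'custom object' with typed, mandatory
attributes enforced before ingestion. Not EclecticIQ code; all ids, the
x-crypto-wallet type and its attributes are hypothetical."""
from datetime import date, datetime, timezone
import json
import uuid

# Constructed, stable ids for the issuing identity and the extension definition.
CREATOR_ID = "identity--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "example.invalid/cti-team"))
EXT_ID = "extension-definition--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "example.invalid/x-crypto-wallet"))

# Fixed TLP marking-definition ids from the STIX 2.1 specification.
TLP = {
    "TLP:WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "TLP:GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "TLP:AMBER": "marking-definition--f88d31f6-dcdd-4e9e-b9cd-70d4d19d77d2",
    "TLP:RED":   "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

# Hypothetical schema: attribute -> (type, mandatory). Types are the three
# named on the page: string, number, date.
CRYPTO_WALLET = {
    "name": "x-crypto-wallet",
    "attributes": {
        "address":        ("string", True),
        "blockchain":     ("string", True),
        "balance_usd":    ("number", False),
        "first_observed": ("date",   True),
    },
}

def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def _is_iso_date(value) -> bool:
    if not isinstance(value, str):
        return False
    try:
        date.fromisoformat(value)
        return True
    except ValueError:
        return False

# Type checks; bool is excluded from "number" because bool subclasses int.
_TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str) and v.strip() != "",
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "date":   _is_iso_date,
}

def extension_definition(schema: dict) -> dict:
    """STIX 2.1 extension-definition announcing a brand-new SDO type (new-sdo)."""
    now = _now()
    return {
        "type": "extension-definition", "spec_version": "2.1", "id": EXT_ID,
        "created_by_ref": CREATOR_ID, "created": now, "modified": now,
        "name": schema["name"],
        # Hypothetical location of the JSON Schema for this type.
        "schema": f"https://example.invalid/schemas/{schema['name']}.json",
        "version": "1.0.0", "extension_types": ["new-sdo"],
    }

def validate(schema: dict, props: dict) -> list:
    """Return every governance violation; an empty list means the data is clean."""
    errors, attrs = [], schema["attributes"]
    for name, (typ, mandatory) in attrs.items():
        if name not in props:
            if mandatory:
                errors.append(f"missing mandatory attribute '{name}'")
        elif not _TYPE_CHECKS[typ](props[name]):
            errors.append(f"attribute '{name}' must be a {typ}")
    errors.extend(f"unknown attribute '{n}'" for n in props if n not in attrs)
    return errors

def build_object(schema: dict, props: dict, tlp: str = "TLP:AMBER") -> dict:
    """Reject bad data up front, then emit the custom SDO carrying its extension."""
    errors = validate(schema, props)
    if errors:
        raise ValueError("; ".join(errors))
    now = _now()
    return {
        "type": schema["name"], "spec_version": "2.1",
        "id": f"{schema['name']}--{uuid.uuid4()}",
        "created": now, "modified": now,
        "object_marking_refs": [TLP[tlp]],
        "extensions": {EXT_ID: {"extension_type": "new-sdo"}},
        **props,
    }

def link_to(custom_obj: dict, target_ref: str, relationship_type: str) -> dict:
    """Relate the custom object to a standard SDO (e.g. a threat-actor) via an SRO."""
    now = _now()
    return {
        "type": "relationship", "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}", "created": now, "modified": now,
        "relationship_type": relationship_type,
        "source_ref": custom_obj["id"], "target_ref": target_ref,
    }

if __name__ == "__main__":
    wallet = build_object(CRYPTO_WALLET, {              # constructed sample data
        "address": "bc1qexamplewalletaddress0000000000000000",
        "blockchain": "bitcoin", "balance_usd": 1250.5, "first_observed": "2024-03-01",
    })
    actor = "threat-actor--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "example.invalid/actor"))
    print(json.dumps([extension_definition(CRYPTO_WALLET), wallet,
                      link_to(wallet, actor, "attributed-to")], indent=2))
    # Bad record: missing blockchain, non-ISO date, boolean where a number is expected.
    print(validate(CRYPTO_WALLET, {"address": "x", "first_observed": "03/01/2024", "balance_usd": True}))
```

The validation step is where the page's "data quality enforcement" lives: a record is refused before it becomes an object, so downstream search, correlation and automated rules only ever see attributes of the declared type. The marking and relationship objects are ordinary STIX 2.1, which is what lets a custom type sit beside standard Threat Actor or Campaign entities in any STIX-aware tooling.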
## Indicators of Compromise
- **File Hashes:** N/A (Feature focuses on data structure, not specific IoCs)
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:** Data captured via custom objects *can* include network indicators (e.g., attacker IPs from honeypots), which would need to be defanged by the user upon entry. Example data modeling could include attacker IPs linked to intrusion events.
- **Behavioral Indicators:** Data captured can describe specific attacker behavior observed via honeypots or specialized telemetry.
## Associated Threat Actors
- N/A (This is a defensive intelligence modeling feature, not utilized by threat actors.)
## Detection Methods
- **Signature-based detection:** N/A
- **Behavioral detection:** N/A
- **YARA rules if available:** N/A
## Mitigation Strategies
- **Prevention measures:** Proper implementation and governance of custom object schemas to ensure data relevance and integrity.
- **Hardening recommendations:** Utilize role-based permissions to control who can define and modify custom object structures and who can ingest related data.
## Related Tools/Techniques
- Standard STIX 2.x Objects (Custom Objects extend these)
- Data modeling frameworks based on JSON Schema
- Other intelligence platforms supporting flexible CTI data schema extensions.