Location Entity #946
Replies: 5 comments 5 replies
-
|
The other thing I'm considering is just dropping it into the Context field on the IP/ASN or whatever. Might be a better option to prevent tag bloat on entities and having to handle if things change or go stale. |
Beta Was this translation helpful? Give feedback.
-
|
I'm closing this. I think the better option here is to fill in context on a specific observable. Since observables and entities can't be linked through anything but tags. You'd just end up with hundreds of tags on some location entities like countries. Doesn't make sense. |
Beta Was this translation helpful? Give feedback.
-
What is your use case? Is it manual creation from UI or a feed / task? If your use case is feed / task based, you can link observables and entities together by using a direct link:
However, if your use case is UI based, it's currently not possible to direct link between observable and entities. I've recently discussed about this need with the team. |
Beta Was this translation helpful? Give feedback.
-
|
Is this done via the |
Beta Was this translation helpful? Give feedback.
-
|
You can handle this from the web api directly. The complete workflow is as follow but if you already have observable id and entity id you can directly jump to step 3. Let's also assume there's a location entity.
{
"query": {"value": "1.2.3.4"},
"type": "ipv4",
"count": 50,
"page": 0
}You will get a list containing observables as response. If you provided an exact value, you should have only one item in the list and it will contain the
{
"query": {"name": "org", "country": "France"},
"type": "location",
"count": 50,
"page": 0
}The response is a list of entities and if it contains an exact match, there will be only one item in the list. Pick the
{
"source": "observable/123456",
"target": "location/654321",
"link_type": "located_at",
"description": "can be empty"
} |
Beta Was this translation helpful? Give feedback.
-
|
thank you! I'll give that a try. |
Beta Was this translation helpful? Give feedback.
-
|
I also think that the solution that @benmontour went with (adding location in the context of an observable) is the way to go. But I'm not sure about your use-case - how would the location change depending on which entity you're linking it to? |
Beta Was this translation helpful? Give feedback.
-
|
In this case the use case was relating to populating Geo-IP data onto an IP address observable. With IPs sometimes changing hands or being relocated to different regions by the owner, I was looking for a way to cleanly keep track of that information and be able to easily see via links what country/city an IP is associated with based on the latest Geo-IP dataset. Example: "context": [
{
"source": "ExampleBadIPs"
},
{
"enriched": "MaxMindASN"
},
{
"iprange": "123.45.67.89/17",
"ASN": "12345",
"ORG": "EXAMPLE-AS"
},
{
"enriched": "MaxMindGEO"
},
{
"iprange": "123.45.67.89/32",
"lat": "123.4567",
"lon": "-123.4567",
"radius": "20",
"cont": "Example Continent",
"cc": "EX",
"nation": "Example Country",
"sc": "EX",
"state": "Example State/Region",
"city": "Example City",
"mcode": "555",
"tz": "UTC",
"eu": "0"
}
] |
Beta Was this translation helpful? Give feedback.
-
|
Your approach in encoding this into the Observable context is the right one, IMO. However, I would've expected your context to look like this: So essentially three context items, one for the feed that brought the IP in, and two for the analytics that processed the IP. Does that make sense? |
Beta Was this translation helpful? Give feedback.
-
|
That does make sense. I'll adjust what I'm doing to match that. |
Beta Was this translation helpful? Give feedback.
-
I wanted to ask if a
Locationentity had been considered. I'm looking for a place to populate Geo information for things like IPs/ASNs/Companies and the STIX Location Domain Object seems the best fit for that. I'm happy to help create that, just not 100% sure all the places it would need to be defined.Beta Was this translation helpful? Give feedback.
All reactions