EclecticIQ Intelligence Center 3.6 introduces Custom objects built on STIX extensions to let analysts capture and operationalize intelligence that does not fit standard STIX object types, such as cryptocurrency wallets, forensic evidence, or honeypot events. The feature supports full integration—search, correlation, visualization, automation, import/export, and governance—so custom data can be used like native STIX entities. #EclecticIQ #STIX
Keypoints
- Custom objects enable modeling of nonstandard intelligence (e.g., cryptocurrency wallets, forensic evidence, credit card data, honeypot events) using STIX extension capability.
- Custom objects are treated like native platform entities—searchable, correlatable, visualizable, and usable in analysis and automations.
- Attributes are defined once with a strict data type and a mandatory/optional flag, then reused across object types so the same field means the same thing everywhere.
- Custom objects integrate with workflows: automated rules, detection logic, TLP marking, MITRE ATT&CK mapping, and tagging.
- Data governance features include type checking, mandatory-field enforcement, schema evolution that does not break existing records, audit trails, and role-based access control.
- Import and export capabilities: import custom objects directly; export in EIQ-JSON or CSV with selectable custom fields.
- Use cases include linking blockchain transaction history to threat actors or campaigns and capturing honeypot events (attacker IPs, payloads) for timeline modeling.
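As an added example (not EclecticIQ's code and not its EIQ-JSON format), the following Python shows how the keypoints above map onto the standard STIX 2.1 extension mechanism: an extension-definition with extension type new-sdo declares a new object type, a small schema enforces typed and mandatory attributes before an object is accepted, the object is marked TLP:AMBER and related to a normal Threat Actor, and a selectable subset of fields is exported as CSV. The object type name x-cryptocurrency-wallet, the schema URL, the identity, actor and wallet values are all constructed for illustration; the TLP:AMBER marking id is the fixed one from the STIX 2.1 specification.

```python
import csv
import io
import json
import uuid

# Fixed id of the TLP:AMBER marking-definition from the STIX 2.1 specification.
TLP_AMBER = "marking-definition--f88d31f6-dcdf-4e9e-8b5a-bff0b2f8a6d3"
CREATED = "2025-01-01T00:00:00.000Z"  # constructed timestamp used for every object
WALLET_TYPE = "x-cryptocurrency-wallet"  # hypothetical custom SDO type name

# Reusable, strictly typed attribute definitions: name -> (allowed types, mandatory).
# A platform keeps these in one place so several object types can share them.
ATTRIBUTES = {
    "address": ((str,), True),
    "blockchain": ((str,), True),
    "balance": ((int, float), False),
    "transaction_ids": ((list,), False),
}


def new_id(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"


def validate(props, schema):
    """Return the list of governance violations; an empty list means accepted."""
    errors = []
    for name, (types, mandatory) in schema.items():
        if name not in props:
            if mandatory:
                errors.append(f"missing mandatory field: {name}")
            continue
        value = props[name]
        # bool is a subclass of int in Python, so reject it explicitly for numeric fields.
        if not isinstance(value, types) or isinstance(value, bool):
            expected = "/".join(t.__name__ for t in types)
            errors.append(f"field {name}: expected {expected}, got {type(value).__name__}")
    errors.extend(f"unknown field: {name}" for name in props if name not in schema)
    return errors


def extension_definition(creator_ref):
    """STIX 2.1 extension-definition announcing a brand-new object type ('new-sdo')."""
    return {
        "type": "extension-definition", "spec_version": "2.1",
        "id": new_id("extension-definition"), "created_by_ref": creator_ref,
        "created": CREATED, "modified": CREATED,
        "name": "Cryptocurrency wallet (example)",
        "schema": "https://example.invalid/schemas/x-cryptocurrency-wallet.json",  # hypothetical
        "version": "1.0.0", "extension_types": ["new-sdo"],
    }


def make_wallet(props, ext_id):
    """Build the custom object, refusing anything that violates the schema."""
    errors = validate(props, ATTRIBUTES)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "type": WALLET_TYPE, "spec_version": "2.1", "id": new_id(WALLET_TYPE),
        "created": CREATED, "modified": CREATED,
        "object_marking_refs": [TLP_AMBER],                 # TLP marking like any SDO
        "extensions": {ext_id: {"extension_type": "new-sdo"}},  # ties it to the definition
        **props,
    }


def relate(source, target, relationship_type):
    """Standard STIX relationship; custom objects can be linked exactly like native ones."""
    return {
        "type": "relationship", "spec_version": "2.1", "id": new_id("relationship"),
        "created": CREATED, "modified": CREATED, "relationship_type": relationship_type,
        "source_ref": source["id"], "target_ref": target["id"],
    }


def build_bundle():
    """Constructed sample: one wallet attributed to a Threat Actor, ready to export."""
    identity = {"type": "identity", "spec_version": "2.1", "id": new_id("identity"),
                "created": CREATED, "modified": CREATED,
                "name": "Example CTI team", "identity_class": "organization"}
    ext = extension_definition(identity["id"])
    actor = {"type": "threat-actor", "spec_version": "2.1", "id": new_id("threat-actor"),
             "created": CREATED, "modified": CREATED, "name": "Example ransomware crew"}
    wallet = make_wallet({
        "address": "bc1qexampleaddress0000000000000000000000000",  # constructed, not a real wallet
        "blockchain": "bitcoin",
        "balance": 12.5,
        "transaction_ids": ["tx-example-1", "tx-example-2"],
    }, ext["id"])
    rel = relate(wallet, actor, "attributed-to")
    return {"type": "bundle", "id": new_id("bundle"), "objects": [identity, ext, actor, wallet, rel]}


def export_csv(bundle, stix_type, fields):
    """Export objects of one type with a chosen subset of fields, as a CSV string."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    for obj in bundle["objects"]:
        if obj["type"] == stix_type:
            row = {f: obj.get(f, "") for f in fields}
            writer.writerow({f: json.dumps(v) if isinstance(v, list) else v for f, v in row.items()})
    return out.getvalue()


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print(export_csv(bundle, WALLET_TYPE, ["id", "address", "blockchain", "balance"]))
```

The validator runs before the object is created, which is where a platform's governance checks belong: a record with a missing mandatory field or a string where a number is expected never enters the graph, and adding an optional attribute to the schema later leaves existing records valid.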
MITRE Techniques
- [T1585] Establish Accounts (Resource Development tactic) – Custom objects can hold adversary-controlled resources such as cryptocurrency wallets as first-class entities linked to STIX Threat Actors or Campaigns: “capture the full details of a cryptocurrency wallet tied to ransomware, including blockchain type and transaction history, all linked back to STIX Threat Actors or Campaigns.”
- [T1098] Account Manipulation – A loose mapping: the source describes modeling financial artifacts rather than changes to accounts: “define a custom type for credit card data linked to fraud campaigns.”
- [T1608] Stage Capabilities – Honeypot intelligence records the payloads and infrastructure an adversary staged, so it can be analyzed over time: “model honeypot intelligence with fields for attacker behavior, payloads, and infrastructure.”
- [T1113] Screen Capture – Not supported by the source; the passage cited concerns forensic evidence handling, not screen capture: “document forensic evidence from a breach with attributes for chain of custody, analysis results, and storage locations.”
- [T1499] Endpoint Denial of Service – Not supported by the source; the passage cited concerns honeypot event timelines, not denial of service: “captured individual events from their honeypot network, including key attributes like attacker IPs, allowing them to model intrusion activity over time.”
Indicators of Compromise
None of the values below are real indicators; they are placeholders illustrating the fields a custom object of each kind would carry.
- [File Name] custom-recorded forensic artifacts – e.g., breach evidence records with chain-of-custody metadata and analysis_result.json (illustrative filenames).
- [Wallet Identifiers] cryptocurrency wallet context – e.g., wallet addresses captured and linked to ransomware campaigns (example_address_1, example_address_2 and 2 more addresses; placeholder values).
- [IP Address] honeypot attacker context – e.g., attacker IPs captured from honeypot events (198.51.100.10, 203.0.113.5; both fall in the RFC 5737 documentation ranges and are not real attacker addresses).
- [CSV/EIQ-JSON Export] shared artifact context – exported datasets containing selected custom fields for analysis and sharing (export_2025-01-01.csv, export_payloads.eiq-json; illustrative filenames).
Read more: https://blog.eclecticiq.com/beyond-stix-how-custom-objects-empower-your-intelligence-work