Outgoing feed - HTTP Download feed#

Note

This article describes how to configure outgoing feeds for a particular feed source. To see how to configure outgoing feeds in general, see Create and configure outgoing feeds.

Specifications

Transport type

HTTP download

Content type

  • Advanced Entities CSV (IC 3.3.0 and newer)

  • Advanced Observables CSV (IC 3.3.0 and newer)

  • ArcSight CEF

  • EclecticIQ Entities CSV

  • EclecticIQ HTML Report

  • EclecticIQ HTML Report Digest

  • EclecticIQ JSON

  • EclecticIQ Observables CSV

  • EclecticIQ PDF

  • PAN-OS External Dynamic List

  • Plain text value

  • STIX 1.2

  • STIX 2.1

For more information, see Configure content types.

Description

The feed publishes entities and observables in the selected content type through the platform API. Each time the outgoing feed task runs, it generates a data package containing zero or more entities, depending on the outgoing feed update strategy, and on the feed data source containing data that match the feed configuration.

Configure the outgoing feed#

The HTTP download transport type for outgoing feeds publishes data in the supported content types to the specified location on the target HTTP download.

  1. Create or edit an outgoing feed.

  2. From the Transport type drop-down menu, select HTTP download.

  3. From the Content type drop-down menu, select the appropriate content type for the data you want to publish through the outgoing feed.
    The selected content type for the feed should match the actual format of the source data you are publishing through the feed.
    This can vary, depending on the dataset sources you retrieve the data for publication from.

  4. From the Datasets drop-down menu, select one or more existing datasets to use as sources to populate the outgoing feed content.
    For the feed not to be empty, at least one selected dataset should contain entities and observables in the same format as the configured content type for the feed.

  5. From the Update strategy drop-down menu, select the preferred method to populate the outgoing feed with data before publishing it.
    Update strategies help define how content is aggregated and packaged for publication when an outgoing feed task runs:

    • Append: every time the outgoing feed task runs, it fetches only new, unpublished data to generate the content for publication.
      The published packages contain only new entities and observables ingested in the platform after the previous execution of the outgoing feed.

    • Replace: every time the outgoing feed task runs, it fetches new and existing data to generate the content for publication.
      The published packages contain new and existing entities and observables included also in the previous execution of the outgoing feed.

    • Diff : this option is available only for the EclecticIQ Entities CSV and EclecticIQ Observables CSV content types. Every time the outgoing feed task runs, new data is compared against existing data to identify any differences between the two datasets:

      • At entity level: any entities added to or removed from the set, if EclecticIQ Entities CSV is the designated content type for the feed.

      • At observable level: any observable added to or removed from the entities in the set, if EclecticIQ Observables CSV is the designated content type for the feed.

      Depending on the selected CSV content option, each row in the CSV output contains information about one entity being added or removed, or one observable being added or removed.
      An extra diff column is added to the output CSV to indicate if a row, and therefore either an entity or an observable, has been added to or removed from the set.
      This option enables identifying changes in a feed between two executions without downloading the whole feed every time.

      Note

      Update strategies help define how content is aggregated and packaged for publication when an outgoing feed task runs:

      Update strategies rely on the last_updated_at database field to identify entities whose timestamp value was updated since the previous execution of the outgoing feed.
      Entities with a more recent timestamp value compared to the previous execution of the outgoing feed are packaged and included in the published content of the outgoing feed.

      • Changes to the data section of an entity create a new version of the entity.
        They also add a new log entry to the entity history to record the changes.

      • Changes to the meta section of an entity do not create a new version of the entity.
        However, they do update the timestamp value of the last_update_at database field.

  6. Select the Public checkbox to make the outgoing feed available to all platform groups and to all platform users.
    Leave it deselected to make the outgoing feed available only to specific groups.

  7. You can select the intended recipient groups in the Authorized groups drop-down.

  8. The Authorized groups option restricts access to the outgoing feed to the groups you select from the drop-down, and to their member users.
    The Authorized groups option is available only when the Public checkbox is deselected (default setting).

  9. To store your changes, click Save; to discard them, click Cancel.

View and retrieve outgoing feed content#

  1. In the top navigation bar click Data configuration > Outgoing feeds.

  2. In the Outgoing feeds view, click anywhere in the row corresponding to the outgoing feed whose content you want to view or retrieve.

  3. In the selected outgoing feed detail pane, click the Created packages tab.

  4. In the Created packages tab, under the Download column header, click the name of a package to download it, and to save it to a target location.

About HTTP endpoints#

The default platform API endpoints for HTTP download outgoing feeds are:

  • https://${platform_host}/private/open-outgoing-feed-download/ for publicly accessible outgoing feeds.
    These feeds publish content that all platform users can access.

  • https://${platform_host}/private/outgoing-feed-download/for non-publicly accessible outgoing feeds.
    These feeds publish content that only the intended recipients can access.

You can append additional elements to the URL to retrieve specific content from an HTTP download outgoing feed:

  • https://${platform_host}/private/open-outgoing-feed-download/{feed_id}/runs/latest Replace {feed_id} with the outgoing feed ID reference to retrieve all packages from the latest outgoing feed task run.
    The feed ID is the integer value in the &detail={integer} URL element in the URL pointing to the Details tab of the outgoing feed detail pane.

  • https://${platform_host}/private/open-outgoing-feed-download/{feed_id}/runs/{run_id} Replace {feed_id} with the outgoing feed ID reference and {run_id} with the desired outgoing feed task run identifier value to retrieve all packages form a specific outgoing feed task run.
    To retrieve the task run ID, do the following:

    1. In the left navigation bar click > System jobs > Succeeded.

    2. In the successfully completed system job overview, look for the desired task run ID under the ID column.

  • https://${platform_host}/private/open-outgoing-feed-download/{feed_id}/runs/{run_id}/content-blocks/latest Replace {feed_id} with the outgoing feed ID reference and {run_id} with the desired outgoing feed task run identifier value to retrieve the latest/most recent package from a specific outgoing feed task run.

  • https://${platform_host}/private/open-outgoing-feed-download/{feed_id}/runs/{run_id}/content-blocks/{block_id} Replace {feed_id} with the outgoing feed ID reference, {run_id} with the desired outgoing feed task run identifier value, and {block_id} with the desired content block ID reference to retrieve a specific package from a specific outgoing feed task run.
    To retrieve the content block ID, do the following:

    1. In the web browser address bar, enter the URL pointing to the list of all content blocks in the specified outgoing feed: https://${platform_host}/private/open-outgoing-feed-download/{feed_id}

    2. The data.content_block JSON array lists the URLs pointing to all the content blocks belonging to the outgoing feed.
      The content block ID is the integer value at the end of the URL.

Example:

Note

{ “data”:{ “content_blocks”:[ “/private/open-outgoing-feed-download/12/runs/ff7458fg-c63b-4f94-a811-ffa87a254d98/content-blocks/98”, “/private/open-outgoing-feed-download/12/runs/678bf255-0835-4994-a0ed-d98ac98aaa58/content-blocks/44”, “/private/open-outgoing-feed-download/12/runs/c4a394e9-0a8f-42ca-ad4b-72cc3762afd7/content-blocks/32”, “/private/open-outgoing-feed-download/12/runs/bf711b50-c2a1-4f5t-994f-ec1c481ace3d/content-blocks/11” ], “id”: 4, “name”: “Download CSV Line per entity” } }

The same URL format applies to the https://${platform_host}/private/outgoing-feed-download/ for non-publicly accessible HTTP download outgoing feeds.