Incoming feed - EclecticIQ Open Sources Feed
Note: This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.
Caution: From EclecticIQ Platform 2.9, the EclecticIQ Fusion Center Intelligence Essentials and Premium feeds are now the EclecticIQ Open Sources Feed and EclecticIQ Commercial Sources Feed.
For information on the older EclecticIQ Fusion Center Intelligence Essentials and Premium feeds, see the EclecticIQ Platform 2.8 documentation.
| Specifications | |
|---|---|
| Feed name | EclecticIQ Open Sources Feed |
| Transport type | TAXII Poll |
| Content type | EclecticIQ JSON |
| Description | EclecticIQ Open Sources Feed is an open source intelligence feed curated by the EclecticIQ Fusion Center team. For a list of intelligence sources that are included in this feed, see List of intelligence sources. |
Requirements
EclecticIQ Fusion Center user name
EclecticIQ Fusion Center password
Execution schedule
By default, the Execution schedule for the EclecticIQ Open Sources Feed is set to: None
This means that the feed has to be run manually.
We recommend that you set the Execution schedule to Every 1 hours:
Go to the Schedule section.
Set Execution schedule to Every [n] hours.
In the line Every … hours that appears below, select 1 from the drop-down menu, so that the line reads Every 1 hours.
Configure the incoming feed
The EclecticIQ Open Sources Feed is a pre-configured incoming feed on EclecticIQ Platform 2.9.0 and newer.
To start using the feed, finish configuring it by adding your EclecticIQ Fusion Center user name and password:
Edit the EclecticIQ Open Sources Feed.
Under Transport and content, fill out these fields:
Note: Required fields are marked with an asterisk (*).
| Field | Description |
|---|---|
| Username | Set this to your EclecticIQ Fusion Center user name. |
| Password | Set this to your EclecticIQ Fusion Center password. |
Click Save to store your changes.
List of intelligence sources
The EclecticIQ Open Sources Feed includes threat intelligence from these sources:
| Source | Name | Open Source | Use Case |
|---|---|---|---|
| AbuseCh | URLhaus | Yes | Commodity Malware |
| AbuseCh | Malware Bazaar | Yes | Malware |
| AbuseCh | SSLBL - SSL Certs and Suricata Rulesets | Yes | Malware |
| Azorult Tracker | Azorult Tracker | Yes | Malware C2 |
| Cybercrime-tracker | Cybercrime Tracker ATM Provider | Yes | ATM Malware |
| Florian Roth | Neo23x0 | Yes | Yara Rules |
| National Institute of Standards and Technology (NIST) | National Vulnerability Database (NVD) | Yes | Exploit Targets |
| PhishTank | PhishTank | Yes | Phishing |
| VXVault URL List | VXVault URL List | Yes | Malware |
Default configuration
For reference, the table below describes the default configuration for the EclecticIQ Open Sources Feed:
Note: Required fields are marked with an asterisk (*).
| Field | Description |
|---|---|
| Feed name* | EclecticIQ Open Sources Feed |
| Organization | EclecticIQ B.V. |
| Source reliability | B - Usually reliable |
| Require valid signature | Not selected. |
| Skip extraction of observables from unstructured text | Not selected. |
| Transport type* | TAXII Poll |
| Content type* | EclecticIQ JSON |
| Accept password protected archives | Not selected. |
| Auto Discovery | |
| Polling service URL* | |
| Collection name* | eclecticiq_open_sources_feed.hourly.json |
| TAXII version* | TAXII 1.1 |
| Extra headers | |
| Subscription ID | |
| Start ingesting from* | 10/01/2020 00:00 |
| Days per poll | |
| SSL verification | Not selected. |
| SSL CA bundle file path | |
| Basic authentication | Selected. |
| Username | |
| Password | |
| EclecticIQ authentication URL | |
| SSL certificate authentication | Not selected. |
| Execution Schedule* | Every [n] hours |
| Every [n] hours | 1 |
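What the transport settings in this table translate to on the wire, as an added example (Python, not EclecticIQ Platform code): it builds the TAXII 1.1 Poll_Request for the collection name and "Start ingesting from" timestamp listed above, the HTTP headers that carry Basic authentication, and a TLS context that reflects the SSL verification checkbox. With SSL verification not selected, the poll server's certificate is never checked, so the context below shows both states side by side. The TAXII header names and XML binding are assumed from the TAXII 1.1 specification; the poll URL and credentials are placeholders because the page leaves those fields empty.

```python
"""Added example (not EclecticIQ Platform code): a TAXII 1.1 poll as implied by
the feed's default transport settings. Assumes the TAXII 1.1 XML message binding
and HTTP headers from the TAXII 1.1 specification; URL and credentials are placeholders."""
import base64
import ssl
import urllib.request
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional

TAXII_11_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
# Values taken from the default configuration table on this page
COLLECTION = "eclecticiq_open_sources_feed.hourly.json"
START_FROM = datetime(2020, 10, 1, 0, 0, tzinfo=timezone.utc)  # "Start ingesting from"
# Placeholder: the page leaves the Polling service URL empty
POLL_URL = "https://taxii-poll.example.invalid/taxii-poll"


def _tag(name: str) -> str:
    return f"{{{TAXII_11_NS}}}{name}"


def build_poll_request(collection: str, begin: datetime,
                       end: Optional[datetime] = None,
                       message_id: Optional[str] = None) -> bytes:
    """Serialise a Poll_Request asking for everything published after `begin`."""
    ET.register_namespace("taxii_11", TAXII_11_NS)
    req = ET.Element(_tag("Poll_Request"), {
        "message_id": message_id or uuid.uuid4().hex,
        "collection_name": collection,
    })
    ET.SubElement(req, _tag("Exclusive_Begin_Timestamp")).text = begin.isoformat()
    if end is not None:
        ET.SubElement(req, _tag("Inclusive_End_Timestamp")).text = end.isoformat()
    params = ET.SubElement(req, _tag("Poll_Parameters"), {"allow_asynch": "false"})
    ET.SubElement(params, _tag("Response_Type")).text = "FULL"
    return ET.tostring(req, encoding="utf-8")


def parse_poll_request(body: bytes) -> Dict[str, Optional[str]]:
    """Read back the fields worth checking in an outbound poll (e.g. from a proxy capture)."""
    root = ET.fromstring(body)
    ns = {"t": TAXII_11_NS}

    def text(path: str) -> Optional[str]:
        node = root.find(path, ns)
        return None if node is None else node.text

    return {
        "collection_name": root.get("collection_name"),
        "begin": text("t:Exclusive_Begin_Timestamp"),
        "end": text("t:Inclusive_End_Timestamp"),
        "response_type": text("t:Poll_Parameters/t:Response_Type"),
    }


def taxii_headers(username: str, password: str, https: bool = True) -> Dict[str, str]:
    """HTTP headers for a TAXII 1.1 poll; "Basic authentication: Selected" becomes Authorization."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    proto = "https" if https else "http"
    return {
        "Content-Type": "application/xml",
        "Accept": "application/xml",
        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Protocol": f"urn:taxii.mitre.org:protocol:{proto}:1.0",
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
        "Authorization": f"Basic {token}",
    }


def tls_context(verify: bool, ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """verify=True is the "SSL verification: Selected" state, with an optional CA bundle path.

    verify=False mirrors the default "Not selected": the server certificate and hostname
    are never checked, so the feed content could come from any endpoint on the path."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if not verify:
        ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def poll(url: str, username: str, password: str, verify: bool = True,
         ca_bundle: Optional[str] = None, begin: datetime = START_FROM) -> bytes:
    """Send one poll and return the raw Poll_Response body (needs network; not run here)."""
    req = urllib.request.Request(url, data=build_poll_request(COLLECTION, begin),
                                 headers=taxii_headers(username, password), method="POST")
    with urllib.request.urlopen(req, context=tls_context(verify, ca_bundle), timeout=60) as resp:
        return resp.read()


if __name__ == "__main__":
    body = build_poll_request(COLLECTION, START_FROM)
    print(body.decode())
    print(parse_poll_request(body))
```

Running the module prints the request body and the fields parsed back out of it; `poll()` is the only function that touches the network. The `tls_context` helper is the part worth comparing with the table: the platform default corresponds to `verify=False`, and supplying the CA bundle path corresponds to `verify=True` with `ca_bundle` set.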