ManageEngine | Outgoing feed

Specifications

  • Transport type: ManageEngine Outgoing Feed

  • Content type: ManageEngine JSON Model

  • Exported data: Threat Actor, Report, Incident, and Indicator entities with their related Observables.

Limitations

  • Runs only on on-premises ManageEngine setups.

Requirements

The ManageEngine v2 Outgoing feed requires EclecticIQ Intelligence Center version 3.0.0 or later.

Configure the Outgoing feed

Note

This article describes how to configure outgoing feeds for a particular feed source. To see how to configure outgoing feeds in general, see Create and configure outgoing feeds.

TLP v1 only

This Outgoing feed supports TLP v1 only. Any TLP v2 values assigned to intelligence objects included in the feed will be converted to v1 values (i.e., CLEAR becomes WHITE and AMBER+STRICT becomes RED).

  1. Create or edit an Outgoing feed.

  2. Under Feed content, select the Datasets you want to package in this feed and the Update strategy for this feed: Append or Replace.

  3. From the Transport type drop-down menu, select ManageEngine Outgoing Feed.

  4. From the Content type drop-down menu, select ManageEngine JSON Model.

  5. Under Transport configuration, enter your ManageEngine API URL and API key.

    • (Optional) With the SSL verification checkbox, you can choose whether to use SSL verification.
      If you do, enter the Path to SSL certificate.

    • Enter the Requestor name.

    • Enter the Template ID and Site ID, as per the configuration created in your ManageEngine application.

    • Enter the Confidence value map field, Sources value map field, and Observables value map field, as per the custom fields created for them in ManageEngine. Use the ID of each custom field, for example “udf_sline_201”.

  6. Under Content configuration:

    • Select or clear Push unstructured observables. When it is selected, unstructured observables are pushed.

  7. To store your changes, select Save.
    If you want the Outgoing feed to run right away, select the dropdown arrow next to Save and then select Save and run.

SSL cert keys

To use an SSL certificate, it must be:

  • Accessible on the EclecticIQ Intelligence Center host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

  1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

  2. On the EclecticIQ Intelligence Center host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem
    

    Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.
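
The requirements listed above can be checked before the path is entered in the feed's transport configuration. The following is an added example, not part of the EclecticIQ documentation or product: the function name check_cert_access is hypothetical, GNU coreutils stat on a Linux host is assumed, and the world-writable check goes beyond what this page requires.

```bash
#!/usr/bin/env bash
# Added example (not EclecticIQ code): check a certificate file against the
# requirements listed on this page. Assumes GNU coreutils `stat` (Linux).
# Usage: check_cert_access /path/to/cert.pem [owner:group]
check_cert_access() {
    local cert="$1"
    local want="${2:-eclecticiq:eclecticiq}"   # ownership the page requires
    local user="${want%%:*}"
    local rc=0 have mode

    # The file must exist on this host as a regular file.
    if [ ! -f "$cert" ]; then
        echo "FAIL: $cert is not a regular file on this host" >&2
        return 2
    fi

    # Ownership must match owner:group.
    have="$(stat -c '%U:%G' "$cert")"
    if [ "$have" != "$want" ]; then
        echo "FAIL: $cert is owned by $have, expected $want" >&2
        rc=1
    fi

    # Read access also depends on the search permission of every parent
    # directory, so test it as the service user instead of reading mode bits.
    if [ "$(id -un)" = "$user" ]; then
        [ -r "$cert" ] || { echo "FAIL: $user cannot read $cert" >&2; rc=1; }
    elif [ "$(id -u)" -eq 0 ]; then
        runuser -u "$user" -- test -r "$cert" ||
            { echo "FAIL: $user cannot read $cert" >&2; rc=1; }
    else
        echo "FAIL: run as root or $user to test read access" >&2
        rc=1
    fi

    # Extra check, not a requirement from the page: a world-writable file
    # lets any local account replace the certificate the feed relies on.
    mode="$(stat -c '%a' "$cert")"
    case "$mode" in
        *[2367]) echo "FAIL: $cert is world-writable (mode $mode)" >&2; rc=1 ;;
    esac
    return "$rc"
}
```

The function returns 0 only when every check passes, so it can gate a deployment step; it returns 2 when the file is missing and 1 for any other failed check.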