About incoming feeds

EclecticIQ Platform can ingest cyber threat intelligence made available in multiple formats.
You can configure incoming feeds to retrieve cyber threat data from many different sources.

You can populate the platform with data by defining one or more incoming feed sources.
Once it is set up and it is running, an incoming feed provides a data stream that the platform ingests and processes automatically.

Incoming feeds provide data, context, and additional information to help analysts draw an accurate map of the threat landscape they are examining.
This knowledge is essential to making informed decisions quickly and efficiently, and to promoting a proactive behavior when monitoring IT infrastructures and managing IT security.

A minimal incoming feed configuration includes:

  • A data source: a pointer to the origin of the data the incoming feed fetches.
    For example, a URI, a path pointing to a network location, or a URL exposing an API endpoint.

  • A transport type: the vehicle carrying the data.
    Typically, this is a communications protocol such as TAXII, HTTP, FTP, or IMAP.

  • A content type: the format of the incoming data the platform ingests through the incoming feed.
    For example, STIX, JSON, plain text, or PDF.

Structured content

For example: STIX, JSON, and (structured) plain text are machine-readable, easy to analyze, parse, and ingest as structured entities and observables.

Unstructured content

For example: PDF, email, (unstructured) text are human-readable, more difficult to analyze, parse, and ingest as structured entities and observables.

When the platform ingests unstructured content — either through an incoming feed or a manual file upload — to produce a report entity, the original unstructured source is attached in its original format to the resulting report entity.
In this way, when analysts modify or update the the resulting report entity, they can always refer back to the original information.