Configure EclecticIQ Platform

  1. Log in to EclecticIQ Platform.

  2. Configure one or more Incoming feeds.

  3. Search for intelligence of interest.
    For example, search for phishing indicators in the last 24 hours.

  4. Create a Dataset using the previous search query.

Create an outgoing feed

  1. In the top navigation bar, click Data configurations > Outgoing feeds >

Step 1 - The General section

  1. In the Feed name field, enter a descriptive name that is easy to remember.

Step 2 - The Transport and content section

  1. From the Transport type drop-down menu, select Syslog push.

  2. From the Content type drop-down menu, select ArcSight CEF.

  3. From the Datasets drop-down menu, select the dataset you created earlier.

  4. From the Update strategy drop-down menu, select Append.

  5. In the Syslog server host field, enter the address of your ArcSight ESM server.

  6. In the Syslog server port field, enter 1514.

  7. From the Protocol drop-down menu, select TCP.

Step 3 - The Schedule section

  1. From the Execution schedule drop-down menu, select how often you want to run the outgoing feed task.
    Each option is listed below with its functionality and the action it requires from you.

    None
      Functionality: Scheduled feed execution is disabled.
      Required action: You need to manually trigger the task to ingest or to publish data through an incoming or an outgoing feed, respectively.

    Every [n] minutes
      Functionality: The feed task runs automatically once every [n] minutes. [n] defines the selected time interval in minutes.
      Required action: You define the execution interval in 5-minute increments from the corresponding drop-down.

    Every hour, [n] minutes past the hour
      Functionality: The feed task runs automatically once an hour, every hour, at the specified minute offset from the hour.
      Required action: You define how many minutes after the beginning of an hour the task should run from the corresponding drop-down.

    Every [n] hours
      Functionality: The feed task runs automatically once every [n] hours. [n] defines the time interval in hours between two consecutive feed task runs.
      Required action: You define the time interval between feed executions by selecting the number of hours from the corresponding drop-down.

    Every day at [time]
      Functionality: The feed task runs automatically once a day at the specified time.
      Required action: You define the time of day when the task should run from the corresponding drop-downs.

    Every [n] days
      Functionality: The feed task runs automatically once every [n] days. [n] defines the time interval in days between two consecutive feed task runs.
      Required action: You define the time interval between feed executions by selecting the number of days from the corresponding drop-down.

    Every week on [day of the week] at [time]
      Functionality: The feed task runs automatically once a week on the designated day, at the specified time.
      Required action: You define the day of the week and the time of day when the task should run from the corresponding drop-downs.

    Every month on [day of the month] at [time]
      Functionality: The feed task runs automatically once a month on the designated day of the month, at the specified time.
      Required action: You define the day of the month and the time of day when the task should run from the corresponding drop-downs.
      Keep in mind that not all months of the year have 30 or 31 days.

Step 4 - The Processing section

  1. From the Override TLP drop-down menu, select the TLP color that should replace the TLP color code currently associated with the outgoing feed entities.
    The selected TLP value is assigned to all the entities in the outgoing feed.

  2. From the Filter TLP color drop-down menu, select which entities you want to include in the outgoing feed data, based on the selected TLP value.
    Only the entities that are flagged with the selected TLP color code are included in the outgoing feed.

  3. From the Source reliability filter drop-down menu, select the minimum reliability level an entity must have in order to be sent out in the feed.

  4. In the Relevancy threshold (%) field, set a filter to include in the outgoing feed data only the entities whose relevancy value is higher than the one defined here.

  5. From the Allowed observable states drop-down menu, select one or more observable states. Only the entities whose observable states match the selected states are included in the outgoing feed data.

  6. From the Observable types drop-down menu, select all the observable types that you want to send out in the feed.

  7. From the Enrichment observable types drop-down menu, select all the enrichment observable types that you want to send out in the feed.

  8. Click Save to store your changes, or Cancel to discard them.
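To check what the feed configured above actually delivers to the ArcSight side, here is an added example, not EclecticIQ's or ArcSight's own code, that parses syslog lines carrying ArcSight CEF records of the kind a Syslog push / ArcSight CEF outgoing feed sends over TCP. The sample line is constructed, and the CEF header and extension escaping rules applied are those of the CEF standard, assumed here rather than taken from this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a syslog line carrying an ArcSight CEF record (not real
# platform output); the indicator name and message exercise the CEF escape rules.
SAMPLE_LINES = [
    "<134>Jan  5 10:22:01 eiq-platform CEF:0|EclecticIQ|Platform|2.0|indicator|"
    "Phishing \\| URL|5|request=http://example.test/login cs1Label=TLP cs1=AMBER "
    "msg=Credential harvest\\=phishing",
]
HEADER_FIELDS = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
KEY_RE = re.compile(r"(?:^|\s)([\w.]+)=")  # extension keys; '=' inside values must be escaped as '\='

def split_header(cef: str) -> Tuple[List[str], str]:
    """Split a 'CEF:...' record into its 7 header fields and the raw extension, honouring '\\|' and '\\\\'."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # escaped pipe or backslash in a header field
            cur.append(cef[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, cef[i:]

def parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value with spaces' pairs, unescaping '\\=', '\\\\', '\\n' and '\\r'."""
    out, keys = {}, list(KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw).strip()
    return out

def parse_cef_line(line: str) -> Dict[str, object]:
    """Parse one syslog line; the PRI/timestamp/host prefix before 'CEF:' is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    fields, ext = split_header(line[start:])
    rec: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    rec["version"] = fields[0][len("CEF:"):]
    sev = int(fields[6])                         # CEF severity is an integer 0-10
    if not 0 <= sev <= 10:
        raise ValueError(f"severity out of range: {sev}")
    rec["severity"] = sev
    rec["extension"] = parse_extension(ext)
    return rec

def parse_feed(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every delivered line; a malformed record raises rather than being silently dropped."""
    return [parse_cef_line(l) for l in lines]
```

Feeding the lines received on the syslog port (1514/TCP in the configuration above) through parse_feed lets you confirm field mapping and TLP labelling before relying on the feed in ESM content.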