Getting started

The EclecticIQ Browser Extension speeds up your intelligence collection process by allowing you to create observables and entities and send them to the EclecticIQ Platform while you search for threat intelligence on the web.

To use the browser extension, you need to:

  1. Install the browser extension

  2. Connect to the platform

  3. Create new observables

  4. Create new entities

  5. Add observables to entities

  6. Ingest entity to update the platform

Before using the browser extension, see Requirements and Limitations.

This article uses IPv4 addresses that were identified as Indicators of Compromise (IoCs) in Investigating Phishing Attacks Exploiting Coronavirus Themes (EclecticIQ Blog) as examples.

Below is a partial list of IPv4 addresses found in Investigating Phishing Attacks Exploiting Coronavirus Themes:

  • 23.253.207[.]142

  • 60.152.212[.]149

  • 61.204.119[.]188

  • 78.186.102[.]195

  • 78.188.170[.]128

  • 85.109.190[.]235

  • 109.236.109[.]159

  • 125.209.114[.]180

  • 149.202.153[.]251

  • 177.144.130[.]105

  • 182.187.137[.]199

  • 186.147.245[.]204

You can use these IoCs when trying out the EclecticIQ Browser Extension.

Requirements

  • Platform: EclecticIQ Platform 2.3 and newer.

  • Network: You must be able to access the web interface for the EclecticIQ Platform through the browser.

  • User permissions: Use a user account that has been assigned:

    • A user role that gives at least "modify entities" permissions.

    • A user group that allows access to the appropriate data sources.

      LDAP and SAML

      The browser extension does not support LDAP or SAML authentication. If your platform users sign in through LDAP or SAML, create a dedicated local user account with the roles and groups listed above and use that account with the browser extension. Because the extension saves the account's credentials in the browser, give it no more permissions than it needs.

Limitations

The browser extension is designed to help you quickly process IoCs that you find while browsing the web. If you need to collect and process a large number of IoCs, set up Incoming feeds instead.

In the browser extension, you can have:

  • Up to 1000 created observables at any one time. Once you have 1000 observables created in the browser extension, it ignores any new observables you try to add. To continue creating new observables in the browser extension, ingest or remove observables that are already created in the browser extension.

  • Entities with up to 99 observables attached. Once an entity created in the browser extension has 99 observables attached to it, it rejects attempts to attach more observables to it. To add more observables to an entity created in the browser extension, you must ingest that entity and then manage those connections on the platform.

Install the browser extension

Google Chrome

To install the EclecticIQ Browser Extension for Google Chrome:

  1. Go to the Chrome web store.

  2. Select Add to Chrome.

  3. A dialog box opens in Google Chrome asking whether you want to add "EclecticIQ". Click Add extension to finish installing the browser extension.

Firefox

The EclecticIQ Browser Extension for Firefox can be downloaded directly from our servers here: EclecticIQ Browser Extension for Firefox

To install the EclecticIQ Browser Extension for Firefox:

  1. In Firefox, click the link above. Firefox downloads the extension package and checks it before installing.

  2. A dialog box opens in Firefox asking if you would like to Add EclecticIQ. Click Add to finish installing the browser extension.

Connect to the platform

After installing the browser extension, sign in to the platform:

  1. Click the EclecticIQ Browser Extension icon on your browser toolbar.

  2. In the browser extension window, select the gear icon to open the Settings page.

  3. With the Settings page open, select the Credentials tab. Fill out these fields:

    • Platform URL: The fully qualified domain name (FQDN) or IP address you use to access the platform, with https:// at the start. The extension sends the credentials below to this URL, so do not use plain http://.

    • Username: User name of a user on the platform who is assigned:

      • A user role that gives at least "modify entities" permissions.

      • A user group that allows the user access to the appropriate data sources.

        For more information about user permissions, see User permissions.

    • Password: Password for the user.

  4. Once done, select Save options.


Create new observables

Using the browser extension, you can create new observables while browsing the web.

Create new observables using the extension in two ways:

Extract observables from a web page

You can add observables by selecting text on a web page, and using the browser extension to extract observables from the selected text automatically. Observables extracted this way are automatically assigned a type. This also works with any document that you can open in the browser, such as PDF documents.

The browser extension can extract these observable types:

  • IPv4

  • URI

  • Domain

  • E-mail

  • Hash-MD5

  • Hash-SHA256

  • Hash-SHA512

  • Hash-SHA1

  • File name

To use the browser extension to extract observables from a web page:

  1. Open your browser and navigate to a web page that contains information about a threat that you want to add to the platform.

  2. On the web page, highlight the text that contains a description of the threat.

  3. Right-click the highlighted text to open the context menu. There, select EclecticIQ to display the options available.

  4. Select an option from the context menu to extract observables from the highlighted text. The available options are:

    • Collect all known observables: The browser extension creates an observable for each match of every supported type, automatically sets each observable's name and type, and displays the extracted observables in the list on the left of the browser extension window.

    • Collect all known observables and create entities: Does the same as Collect all known observables. In addition, it automatically creates an entity for each extracted observable, gives that entity the same name as the observable, and adds the observable to its entity.

      You must set the Source group for entities created with Collect all known observables and create entities before you ingest them. Without a Source group, the browser extension displays an error when you try to ingest the entity. Set the Source group for the new entities by editing multiple entities at the same time.

    • Collect IPv4 observables: Extracts only IPv4 observables.

    • Collect URI observables: Extracts only URI observables.

    • Collect Domain observables: Extracts only Domain observables.

    • Collect E-mail observables: Extracts only E-mail observables.

    • Collect Hash-MD5 observables: Extracts only Hash-MD5 observables.

    • Collect Hash-SHA256 observables: Extracts only Hash-SHA256 observables.

    • Collect Hash-SHA512 observables: Extracts only Hash-SHA512 observables.

    • Collect Hash-SHA1 observables: Extracts only Hash-SHA1 observables.

    • Collect File name observables: Extracts only File name observables.

Each observable type is extracted using a pre-defined regular expression. To customize these regular expressions, see Regular expressions for extracting observables.
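The following Python script is an added illustration of the regular-expression extraction described above. It is not the extension's own code and does not reproduce its configured patterns; the names refang, extract_observables, PATTERNS and the sample text are assumptions made here. Two points matter in practice. First, the IoC list at the top of this article is defanged with [.], and a pattern written for plain dotted quads matches nothing in such text, so the script refangs the common [.], [@], [dot] and hxxp conventions before extracting (whether the extension's default patterns handle defanged text is a question for the Regular expressions for extracting observables page). Second, the patterns for the supported types overlap: a URI contains a domain, a SHA-512 contains a run of 32 hex digits. The script therefore runs one pattern per type in precedence order and blanks out each matched span before the next type runs. The sample text is constructed for the example; it reuses IPv4 addresses from this article, reserved .example domains, and the well-known hashes of the EICAR test file.

```python
"""Added example of regex-based observable extraction. Illustrative only; not
the EclecticIQ Browser Extension's own patterns or code."""
import re
from typing import Dict, List, Optional

# Refanging rules for conventions commonly used in threat reports (assumed set):
# 1.2.3[.]4, hxxp://evil[.]example, user[@]example.com, 10.0.0.1[:]8080
_REFANG = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I), "."),
    (re.compile(r"\[@\]|\[at\]", re.I), "@"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\bhxxps?://", re.I),
     lambda m: m.group(0).lower().replace("hxxp", "http")),
]

# One pattern per observable type, in precedence order. A span consumed by an
# earlier pattern is blanked out before later patterns run, so a URI's host is
# not reported again as a Domain and a SHA-256 is not also reported as MD5.
_HEX = r"[0-9a-f]"
PATTERNS = [
    ("uri", re.compile(r"\bhttps?://[^\s<>\"'()\[\]]+", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,63}\b", re.I)),
    ("hash-sha512", re.compile(r"\b" + _HEX + r"{128}\b", re.I)),
    ("hash-sha256", re.compile(r"\b" + _HEX + r"{64}\b", re.I)),
    ("hash-sha1", re.compile(r"\b" + _HEX + r"{40}\b", re.I)),
    ("hash-md5", re.compile(r"\b" + _HEX + r"{32}\b", re.I)),
    ("ipv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
                        r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b")),
    ("file", re.compile(r"\b[\w.-]+\.(?:exe|dll|docx?|xlsx?|pdf|zip|js|ps1|bat|scr|vbs|lnk|iso)\b", re.I)),
    ("domain", re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)),
]


def refang(text: str) -> str:
    """Undo common defanging so the extraction patterns see real indicators."""
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def _normalise(kind: str, value: str) -> str:
    """Strip sentence punctuation from URIs; lower-case hashes, domains and e-mails."""
    if kind == "uri":
        return value.rstrip(".,;:")
    if kind in ("email", "domain") or kind.startswith("hash-"):
        return value.lower()
    return value


def extract_observables(text: str, only: Optional[str] = None) -> Dict[str, List[str]]:
    """Return {type: [unique values in order of first appearance]}.

    With only=None this mirrors "Collect all known observables". With
    only="ipv4" (or another type name from PATTERNS) it mirrors the single-type
    options: just that pattern runs, with no masking by higher-precedence types.
    """
    remaining = refang(text)
    found: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS:
        if only is not None and kind != only:
            continue
        values = [_normalise(kind, m.group(0)) for m in pattern.finditer(remaining)]
        if values:
            found[kind] = list(dict.fromkeys(values))  # de-duplicate, keep order
        # Blank out consumed spans with spaces of the same length.
        remaining = pattern.sub(lambda m: " " * len(m.group(0)), remaining)
    return found


# Constructed sample text (not a quote from the blog post). The IPv4 addresses
# are from the list earlier in this article, the domains use the reserved
# .example TLD, and the hashes are those of the EICAR test file.
SAMPLE = (
    "The kit was hosted at hxxps://update-covid19[.]example/login.php and "
    "beaconed to 23.253.207[.]142 and 149.202.153[.]251. Lures were sent from "
    "alerts[@]who-covid[.]example with the attachment COVID-19_guidance.docx "
    "(SHA256 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f, "
    "MD5 44d88612fea8a8f36de82e1278abb02f). See also 60.152.212[.]149."
)

if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE).items():
        print(kind, values)
```

Run on SAMPLE, the full extraction yields one URI, one e-mail, one SHA-256, one MD5, three IPv4 addresses and one file name, and no Domain observables, because the two host names were consumed by the URI and e-mail patterns. Run with only="domain", the same text yields update-covid19.example, who-covid.example and also login.php, which looks like a domain to a pattern that does not check the TLD: this is the kind of false positive that the per-type options and the customizable regular expressions exist to let you tune, and it is worth reviewing the extracted list before moving observables into an entity, since every extracted value counts against the 1000-observable limit.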

Manually

To create observables in the browser extension:

  1. Click the EclecticIQ Browser Extension icon on your browser toolbar.

  2. In the open extension window, select the plus icon at the top-left corner to open the Create observable window.

  3. In the Type field, select the type of observable to create. The browser extension allows you to create the following observable types:

    • IPv4

    • URI

    • Domain

    • E-mail

    • Hash-MD5

    • Hash-SHA1

    • Hash-SHA256

    • Hash-SHA512

    • File name

  4. (Optional) In the Maliciousness field, select the level of maliciousness the observable presents. This defaults to "Unknown".

  5. Once done, select Create.

This adds the observable to the list on the left of the extension window, but does not update the platform yet.

To update the platform with your new observables, you must add them to a new entity.

Create new entities

To create a new entity in the browser extension:

  1. Click the EclecticIQ Browser Extension icon on your browser toolbar.

  2. In the open extension window, select the plus icon at the top-left corner to open the Create entity window.

  3. Fill out the fields in the Create entity window. You must at least fill out these three fields:

    • Name

    • Sub-type

    • Source group

  4. Select Create to save your settings and create the entity.

Add observables to entities

  1. Click the EclecticIQ Browser Extension icon on your browser toolbar.

  2. In the open extension window, select the observables you want to add to an entity by selecting the checkbox on the left of each observable.

  3. Select Move to open a drop-down menu listing the entities available in the browser extension.

  4. From the list of entities available, select an entity to add your observables to.


Once done, you can see the observables you've added to the entity.


Ingest entity

  1. Click the EclecticIQ Browser Extension icon on your browser toolbar.

  2. Select the entities that you want the platform to ingest.

  3. Select Ingest to update the platform with the selected entities.