Incoming feed - Advanced CSV
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.
|
Specifications |
Transport types |
Advanced CSV |
Content type |
EclecticIQ Entities Advanced CSV |
Ingested data |
Ingests CSV files. |
Endpoint(s) |
N/A |
Processed data |
See Data mapping. |
Requirements
A single CSV file served through HTTP/S at a URL.
Configure the incoming feed
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Required fields are marked with an asterisk (*).
Field
Description
Transport type*
Select Advanced CSV from the drop-down menu.
Content type*
Select EclecticIQ Entities Advanced CSV from the drop-down menu.
CSV URL*
URL of CSV file to ingest. Must be a direct download.
CSV mapping*
Enter how values in the CSV file should be mapped, in the form:
<column_one_header>:<target_eiq_json_path>[,<column_two_header>:<target_eiq_json_path>[, ...]
For more information, see Data mapping.
Delimiter*
Character used to separate values in selected file.
Set to , by default.
Quote characters*
Character(s) used to enclose CSV fields that contain characters that must be escaped. For example: ,, ", and space characters.
Set to " by default.
Some software such as Microsoft Excel do not use a single " character to enclose CSV fields.
Ignore lines that start with #
Select to ignore all lines that don’t have delimiter characters (set in Delimiter).
Ignore lines without defined delimiter
Select to ignore all lines that start with with a ‘#’ character in the target CSV file.
Field Names*
Enter column headers as a comma-separated list, in the form:
<column_one_header>[, <column_two_header>[, ...]]
Leave blank to use first line of CSV file as headers.
SSL verification
Selected by default. Select this option to enable SSL for this feed.
Path to SSL certificate file.
Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.
For more information, see SSL certificates.
Store your changes by selecting Save.
SSL certificates
To use an SSL certificate with the platform, it must be:
Accessible on the EclecticIQ Platform host.
Placed in a location that can be accessed by the eclecticiq user.
Owned by eclecticiq:eclecticiq.
To make sure that the platform can access the SSL certificate:
Upload the SSL certificate to a location on the platform host.
On the platform host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq
/
path
/
to
/
cert.pem
Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.
Data mapping
This implementation supports a limited set of Entity values that you can map CSV fields to. For more information, see Mapping table.
Overview
Use the CSV mapping field to specify how columns in the selected CSV file map to entities and observables on the platform.
For example to ingest the following CSV file:
bf20c674a0533e7c0d825de097629a96cb42ae2d4840b07dd1168993d95163e8,ATMSpitter,
"lorem ipsum example"
,
2016
-
08
-
02
,example_tag_1,example_tag_2,example_reference_1.com,example_reference_2.com
Serve the CSV file at a URL. See Serving a single CSV file through HTTP.
Set up the Advanced CSV incoming feed.
Set the CSV mapping field to:
hash
:entity.observable.
hash
-
sha256,name:entity.name,description:entity.description,timestamp:entity.tags,tag_1:entity.tags,tag_2:entity.tags,reference_1:entity.references,reference_2:entity.references
Set Field Names to:
hash
,name,description,timestamp,tag_1,tag_2,reference_1,reference_2
Save and run the feed.
This produces, per row in the CSV file:
An Indicator entity (for each row), because an entity.type is not specified. For more information, see Mapping table.
These indicators take their title from the name column, and their description field set to the contents of the description column.
Three tags attached to the Indicator, taking their respective values from the timestamp, tag_1, and tag_2 columns.
Two reference entries in the indicator’s Information source, taking their respective values from the reference_1 and reference_2 columns.
hash-256 type Observables attached to this Indicator, taking its value from the hash column.
Mapping table
Each row in the CSV file is treated as a single record.
This means that all fields in a given row are mapped to a single resulting Entity on the platform.
EclecticIQ Entity field |
Syntax |
Description |
Entity Title |
entity.name |
Sets the title for the resulting Entity. |
Entity Type |
entity.type |
Set the type for the resulting Entity. |
Entity Description |
entity.description |
Set the description for the resulting Entity. |
Entity Tags |
entity.tags |
Adds entries to the Tags field of the resulting Entity. The text of the resulting Tag is taken from the value of the CSV field. Each CSV field mapped to entity.tags creates a new tag for the Entity. |
Entity References |
entity.references |
Adds entries to the Information source > References field of the resulting Entity. The text of the resulting reference is taken from the value of the CSV field. Each CSV field mapped to entity.references creates a new reference for the Entity. |
Observables |
entity.observable.<observable_type> |
Adds an Observable of <observabe_type> to the resulting Entity. The value of the resulting Observable takes its text from the value of that CSV field. |
Estimated threat start time |
entity.meta.estimated_threat_start_time |
Sets the Estimated threat start time value for the resulting entity. Accepts a date and time. For example: 2021-01-17 07:44:46 See Date-time values for more information. |
Estimated threat end time |
entity.meta.estimated_threat_end_time |
Sets the Estimated threat end time value for the resulting entity. Accepts a date and time. For example: 2021-01-17 07:44:46 See Date-time values for more information. |
Estimated observed time |
entity.meta.estimated_observed_time |
Sets the Estimated observed time value for the resulting entity. Accepts a date and time. For example: 2021-01-17 07:44:46 See Date-time values for more information. |
Date-time values
The extension accepts a wide range of formats for date time values, but ambiguous date-time values (for example, writing 01 02 03 to represent 2 January 2003) can produce unexpected results.
For consistent ingestion of date-time values, those values should either follow ISO 8601 date-time formats (YYYY-MM-DDThh:mm:ss.sTZD), or be written such that the day, month, and year are distinct (2 Jan 2003 00:00).
Fields that accept date-time values also accept Unix epoch values.
List of Observable types
List of Observable types:
actor-id
address
asn
bank-account
card
card-owner
cce
city
company
country
country-code
cve
cwe
domain
email
email-subject
eui-64
file
forum-name
forum-room
forum-thread
fox-it-portal-uri
geo
geo-lat
geo-long
handle
hash-authentihash
hash-imphash
hash-md5
hash-rich-pe-header
hash-sha1
hash-sha256
hash-sha512
hash-ssdeep
hash-vhash
host
industry
inetnum
ipv4
ipv4-cidr
ipv6
ipv6-cidr
ja3-full
ja3-hash
ja3s-full
ja3s-hash
mac-48
malware
mutex
name
nationality
netname
organization
person
port
postcode
process
product
registrar
rule
snort
street
telephone
uri
uri-hash-sha256
winregistry
yara
Serving a single CSV file through HTTP
This extension ingests a single CSV file through the URL you specify in the CSV URL field. This URL must allow a direct download of the CSV.
If you are trying to ingest a CSV file from a host on your network, you can start a Python-based web server to serve that CSV file over HTTP and allow this extension to access it.
This extension does not support URLs from Microsoft OneDrive, Google Drive, or similar file sharing services.
Requirements
Python 3.
Access to the command line.
Administrator permissions on the file host.
IP address of the file host.
The platform can connect to the file host on port 8888.
Start the web server
Do not use in production.
Only serve sensitive data for the extension to access through secure HTTPS connections.
Consider using a trusted CDN service, or ask your network administrator for assistance.
Open the terminal or PowerShell/Command Prompt.
Run:
python3
-
m http.server
-
-
directory
/
path
/
to
/
data.csv
8888
When prompted by your Operating System, allow Python 3 to accept incoming connections.
You can now access the CSV file at http://<filehost_ip_address:8888. Set your CSV URL field to this value.
Troubleshooting
If you encounter the following error in the tracelog:
backend
/
extensions
/
advanced_csv
/
eiq
/
extensions
/
advanced_csv
/
transformer.py", line
83
,
in
make_uuid
values_list.sort()
TypeError:
'<'
not
supported between instances of
'NoneType'
and
'str'
The mapping configured for the feed may not match the format of the CSV files being ingested. Check that the format of the CSV files match the contents of these fields in the feed configuration:
CSV mapping
Delimiter
Quote character
Field names
and that the contents of your target CSV file are valid.