Incoming feed - EclecticIQ Open Sources Feed

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.

As of EclecticIQ Platform 2.9, the EclecticIQ Fusion Center Intelligence Essentials and Premium feeds have been renamed to the EclecticIQ Open Sources Feed and the EclecticIQ Commercial Sources Feed.

For information on the older EclecticIQ Fusion Center Intelligence Essentials and Premium feeds, see the EclecticIQ Platform 2.8 documentation.

Specifications

| Specification | Value |
| --- | --- |
| Feed name | EclecticIQ Open Sources Feed |
| Transport type | TAXII Poll |
| Content type | EclecticIQ JSON |
| Description | EclecticIQ Open Sources Feed is an open source intelligence feed curated by the EclecticIQ Fusion Center team. |

For a list of intelligence sources that are included in this feed, see List of intelligence sources.

Requirements

  • EclecticIQ Fusion Center user name

  • EclecticIQ Fusion Center password

Execution schedule

By default, the Execution schedule for the EclecticIQ Open Sources Feed is set to: None

This means that the feed has to be run manually.

We recommend that you set the Execution schedule to Every 1 hours:

  1. Go to the Schedule section.

  2. Set Execution schedule to Every [n] hours.

  3. In the line Every … hours that appears below, select 1 from the drop-down menu, so that the line reads Every 1 hours.

Configure the incoming feed

The EclecticIQ Open Sources Feed is a pre-configured incoming feed on EclecticIQ Platform 2.9.0 and newer.

To start using the feed, finish configuring it by adding your EclecticIQ Fusion Center user name and password:

  1. Edit the EclecticIQ Open Sources Feed.

  2. Under Transport and content, fill out these fields:

     Required fields are marked with an asterisk (*).

     | Field | Description |
     | --- | --- |
     | Username | Set this to your EclecticIQ Fusion Center user name. |
     | Password | Set this to your EclecticIQ Fusion Center password. |

  3. Click Save to store your changes.

List of intelligence sources

The EclecticIQ Open Sources Feed includes threat intelligence from these sources:

| Source | Name | Open Source | Use Case |
| --- | --- | --- | --- |
| AbuseCh | URLhaus | Yes | Commodity Malware |
| AbuseCh | Malware Bazaar | Yes | Malware |
| AbuseCh | SSLBL - SSL Certs and Suricata Rulesets | Yes | Malware |
| Azorult Tracker | Azorult Tracker | Yes | Malware C2 |
| Circl.lu | CVE Search API | Yes | Exploit Targets |
| Cybercrime-tracker | Cybercrime Tracker Domain Provider | Yes | Commodity Malware |
| Cybercrime-tracker | Cybercrime Tracker ATM Provider | Yes | ATM Malware |
| PhishTank | PhishTank | Yes | Phishing |
| tweetioc | tweetioc | Yes | Malware |
| VXVault URL List | VXVault URL List | Yes | Malware |

Default configuration

For reference, the table below describes the default configuration for the EclecticIQ Open Sources Feed:

Required fields are marked with an asterisk (*). Fields with no default value are left empty.

| Field | Default value |
| --- | --- |
| Feed name* | EclecticIQ Open Sources Feed |
| Organization | EclecticIQ B.V. |
| Source reliability | B - Usually reliable |
| Require valid signature | Not selected. |
| Skip extraction of observables from unstructured text | Not selected. |
| Transport type* | TAXII Poll |
| Content type* | EclecticIQ JSON |
| Accept password protected archives | Not selected. |
| Auto Discovery | |
| Polling service URL* | https://cti.eclecticiq.com/feeds/taxii/poll |
| Collection name* | eclecticiq_open_sources_feed.hourly.json |
| TAXII version* | TAXII 1.1 |
| Extra headers | |
| Subscription ID | |
| Start ingesting from* | 10/01/2020 00:00 |
| Days per poll | |
| SSL verification | Not selected. |
| SSL CA bundle file path | |
| Basic authentication | Selected. |
| Username | |
| Password | |
| EclecticIQ authentication URL | |
| SSL certificate authentication | Not selected. |
| Execution Schedule* | Every [n] hours |
| Every [n] hours | 1 |
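As an added example (not EclecticIQ's own code), the following Python builds the TAXII 1.1 Poll_Request that a poll of this feed sends, using the polling service URL, collection name and Start ingesting from value from the default configuration above, and the Basic authentication headers the feed uses. The split of the ingest range into windows of Days per poll days is an assumption about how a client batches polls, the credentials and window size are placeholders, and the date 10/01/2020 is read as 1 October 2020.

```python
# Added example: builds the TAXII 1.1 Poll_Request this feed sends, split into
# windows the way "Start ingesting from" and "Days per poll" bound a poll
# (the windowing is an assumption, not documented platform behaviour).
# Poll URL, collection name and start date come from the default configuration
# above; credentials and window size are placeholders.
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
POLL_URL = "https://cti.eclecticiq.com/feeds/taxii/poll"
COLLECTION = "eclecticiq_open_sources_feed.hourly.json"
START = datetime(2020, 10, 1, tzinfo=timezone.utc)  # "10/01/2020 00:00" read as 1 Oct 2020

def poll_windows(start, days_per_poll, until):
    """Split [start, until] into (exclusive_begin, inclusive_end) windows of
    days_per_poll days; the last window is clipped to 'until'."""
    windows, begin = [], start
    while begin < until:
        end = min(begin + timedelta(days=days_per_poll), until)
        windows.append((begin, end))
        begin = end
    return windows

def build_poll_request(collection, begin, end):
    """Return the TAXII 1.1 Poll_Request XML (bytes) for one window."""
    ET.register_namespace("taxii_11", NS)
    req = ET.Element(f"{{{NS}}}Poll_Request", message_id=uuid.uuid4().hex,
                     collection_name=collection)
    ET.SubElement(req, f"{{{NS}}}Exclusive_Begin_Timestamp").text = begin.isoformat()
    ET.SubElement(req, f"{{{NS}}}Inclusive_End_Timestamp").text = end.isoformat()
    params = ET.SubElement(req, f"{{{NS}}}Poll_Parameters", allow_asynch="false")
    ET.SubElement(params, f"{{{NS}}}Response_Type").text = "FULL"
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)

def request_headers(username, password):
    """HTTP headers for a TAXII 1.1 poll over HTTPS with Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Content-Type": "application/xml",
            "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
            "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
            "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
            "Authorization": f"Basic {token}"}

if __name__ == "__main__":
    # Placeholder credentials; show the first two one-day windows from START.
    for begin, end in poll_windows(START, 1, datetime.now(timezone.utc))[:2]:
        print(POLL_URL, request_headers("user", "pass")["X-TAXII-Services"])
        print(build_poll_request(COLLECTION, begin, end).decode())
```

Nothing is sent by this script; when you do send the request yourself, keep TLS certificate verification on even though the feed's default leaves SSL verification not selected.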