Incoming feed - EclecticIQ Open Sources Feed
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.
From EclecticIQ Platform 2.9, the EclecticIQ Fusion Center Intelligence Essentials and Premium feeds are now the EclecticIQ Open Sources Feed and EclecticIQ Commercial Sources Feed.
For information on the older EclecticIQ Fusion Center Intelligence Essentials and Premium feeds, see the EclecticIQ Platform 2.8 documentation.
Specifications

| Specification | Value |
|---|---|
| Feed name | EclecticIQ Open Sources Feed |
| Transport type | TAXII Poll |
| Content type | EclecticIQ JSON |
| Description | EclecticIQ Open Sources Feed is an open source intelligence feed curated by the EclecticIQ Fusion Center team. For a list of intelligence sources that are included in this feed, see List of intelligence sources. |
Requirements
EclecticIQ Fusion Center user name
EclecticIQ Fusion Center password
Execution schedule
By default, the Execution schedule for the EclecticIQ Open Sources Feed is set to: None
This means the feed does not run on its own; it only ingests data when you run it manually.
We recommend that you set the Execution schedule to Every 1 hours:
Go to the Schedule section.
Set Execution schedule to Every [n] hours.
In the Every … hours line that appears below, select 1 from the drop-down menu so that the line reads Every 1 hours.
Configure the incoming feed
The EclecticIQ Open Sources Feed is a pre-configured incoming feed on EclecticIQ Platform 2.9.0 and newer.
To start using the feed, finish configuring it by adding your EclecticIQ Fusion Center user name and password:
Edit the EclecticIQ Open Sources Feed.
Under Transport and content, fill out these fields:
Required fields are marked with an asterisk (*).

| Field | Description |
|---|---|
| Username | Set this to your EclecticIQ Fusion Center user name. |
| Password | Set this to your EclecticIQ Fusion Center password. |
Click Save to store your changes.
List of intelligence sources
The EclecticIQ Open Sources Feed includes threat intelligence from these sources:
| Source | Name | Open Source | Use Case |
|---|---|---|---|
| AbuseCh | URLhaus | Yes | Commodity Malware |
| AbuseCh | Malware Bazaar | Yes | Malware |
| AbuseCh | SSLBL - SSL Certs and Suricata Rulesets | Yes | Malware |
| Azorult Tracker | Azorult Tracker | Yes | Malware C2 |
| Circl.lu | CVE Search API | Yes | Exploit Targets |
| Cybercrime-tracker | Cybercrime Tracker Domain Provider | Yes | Commodity Malware |
| Cybercrime-tracker | Cybercrime Tracker ATM Provider | Yes | ATM Malware |
| PhishTank | PhishTank | Yes | Phishing |
| tweetioc | tweetioc | Yes | Malware |
| VXVault URL List | VXVault URL List | Yes | Malware |
Default configuration
For reference, the table below describes the default configuration for the EclecticIQ Open Sources Feed:
Required fields are marked with an asterisk (*).
| Field | Description |
|---|---|
| Feed name* | EclecticIQ Open Sources Feed |
| Organization | EclecticIQ B.V. |
| Source reliability | B - Usually reliable |
| Require valid signature | Not selected. |
| Skip extraction of observables from unstructured text | Not selected. |
| Transport type* | TAXII Poll |
| Content type* | EclecticIQ JSON |
| Accept password protected archives | Not selected. |
| Auto Discovery | |
| Polling service URL* | |
| Collection name* | eclecticiq_open_sources_feed.hourly.json |
| TAXII version* | TAXII 1.1 |
| Extra headers | |
| Subscription ID | |
| Start ingesting from* | 10/01/2020 00:00 |
| Days per poll | |
| SSL verification | Not selected. |
| SSL CA bundle file path | |
| Basic authentication | Selected. |
| Username | |
| Password | |
| EclecticIQ authentication URL | |
| SSL certificate authentication | Not selected. |
| Execution Schedule* | Every [n] hours |
| Every [n] hours | 1 |
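The platform performs the TAXII 1.1 poll for you, but it helps to see what the settings above turn into on the wire. The following is an added example written for this page, not EclecticIQ code: it builds the TAXII 1.1 Poll_Request for the collection name and "Start ingesting from" date in the default configuration, attaches the TAXII headers and Basic authentication the platform sends, and parses a constructed Poll_Response. The polling service URL is not given on this page, so the `poll()` function takes it as a parameter; the response's `binding_id` and JSON content are placeholders, not the real EclecticIQ JSON binding. The `verify_tls` flag is an assumption about what the unselected "SSL verification" box means (server certificate not validated); the caveat stands either way: poll over HTTPS with certificate verification on, supplying a CA bundle path if the feed server uses a private CA.

```python
# Added example (not EclecticIQ code): the TAXII 1.1 exchange behind a "TAXII Poll" feed.
import base64
import datetime as dt
import ssl
import urllib.request
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/xml/1.1"
COLLECTION = "eclecticiq_open_sources_feed.hourly.json"  # Collection name from the default configuration
START = dt.datetime(2020, 10, 1, tzinfo=dt.timezone.utc)  # "Start ingesting from" 10/01/2020 00:00, taken as UTC


def _tag(name):
    return f"{{{TAXII_NS}}}{name}"


def build_poll_request(collection, begin, end=None, message_id=None):
    """Serialize a TAXII 1.1 Poll_Request asking for content newer than `begin` (tz-aware)."""
    ET.register_namespace("taxii_11", TAXII_NS)
    req = ET.Element(_tag("Poll_Request"),
                     {"message_id": message_id or uuid.uuid4().hex, "collection_name": collection})
    ET.SubElement(req, _tag("Exclusive_Begin_Timestamp")).text = begin.isoformat()
    if end is not None:
        ET.SubElement(req, _tag("Inclusive_End_Timestamp")).text = end.isoformat()
    params = ET.SubElement(req, _tag("Poll_Parameters"), {"allow_asynch": "false"})
    ET.SubElement(params, _tag("Response_Type")).text = "FULL"
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def taxii_headers(username, password):
    """HTTP headers for a TAXII 1.1 message over HTTPS, with Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {
        "Content-Type": "application/xml",
        "Accept": "application/xml",
        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
        "Authorization": f"Basic {token}",
    }


def parse_poll_response(xml_bytes):
    """Extract paging fields and content blocks from a Poll_Response."""
    root = ET.fromstring(xml_bytes)  # stdlib parser; it does not resolve external entities
    if root.tag != _tag("Poll_Response"):
        raise ValueError(f"expected Poll_Response, got {root.tag}")
    blocks = []
    for block in root.findall(_tag("Content_Block")):
        binding = block.find(_tag("Content_Binding")).get("binding_id")
        content = block.find(_tag("Content"))
        blocks.append({"binding": binding, "content": (content.text or "").strip()})
    end = root.find(_tag("Inclusive_End_Timestamp"))
    return {
        "in_response_to": root.get("in_response_to"),
        "collection": root.get("collection_name"),
        "more": root.get("more", "false").lower() == "true",  # True means page again with result_id
        "end": end.text if end is not None else None,
        "blocks": blocks,
    }


def next_begin(response):
    """The server's Inclusive_End_Timestamp becomes the next poll's exclusive begin."""
    return dt.datetime.fromisoformat(response["end"])


def poll(url, username, password, begin, verify_tls=True):
    """POST one Poll_Request over HTTPS (needs network access; not exercised offline).

    verify_tls=False is assumed to match an unselected "SSL verification" box: the server
    certificate is not checked, so anyone on the network path can impersonate the feed and
    inject indicators. Keep it True; load a private CA with ctx.load_verify_locations().
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    request = urllib.request.Request(url, data=build_poll_request(COLLECTION, begin),
                                     headers=taxii_headers(username, password), method="POST")
    with urllib.request.urlopen(request, context=ctx, timeout=60) as resp:
        return parse_poll_response(resp.read())


# Constructed Poll_Response in the shape of a reply to the request above; the binding_id and
# the JSON payload are placeholders, not the real EclecticIQ JSON binding or content.
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Poll_Response xmlns:taxii_11="{TAXII_NS}" message_id="RESP-1"
    in_response_to="REQ-1" collection_name="{COLLECTION}" more="false">
  <taxii_11:Inclusive_End_Timestamp>2020-10-01T01:00:00+00:00</taxii_11:Inclusive_End_Timestamp>
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:example:eclecticiq-json"/>
    <taxii_11:Content>{{"type": "indicator", "title": "constructed sample"}}</taxii_11:Content>
  </taxii_11:Content_Block>
</taxii_11:Poll_Response>""".encode()

if __name__ == "__main__":
    print(build_poll_request(COLLECTION, START, message_id="REQ-1").decode())
    result = parse_poll_response(SAMPLE_RESPONSE)
    print(len(result["blocks"]), "block(s); next poll begins at", next_begin(result).isoformat())
```

Each hourly run is one request with the previous response's end timestamp as its exclusive begin, which is why the first request uses the "Start ingesting from" value and why a gap in the schedule (None) simply leaves the begin timestamp where it was.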