Configure content types
Overview
Generic transport types support a broader range of content types than vendor-specific transport types (such as Intel 471 and MISP feeds).
Examples of generic transport types are:
HTTP download
SFTP download
Syslog push
Table of outgoing feed content types
The following table describes the available generic content types for outgoing feeds:
| Content type | Description |
| --- | --- |
| EclecticIQ Entities CSV | CSV files containing records describing EIQ entities. |
| EclecticIQ Observables CSV | CSV files containing records describing EIQ observables. When creating an outgoing feed using this content type, you must set at least: |
| EclecticIQ HTML Report | Creates an HTML package for each Report entity exported. You can customize the appearance of your HTML reports. See Customize EclecticIQ HTML Report below. Example HTML report |
| EclecticIQ HTML Report Digest | Creates an HTML package that contains a summary of all Report entities exported by the feed. You can customize the appearance of your HTML reports. See Customize EclecticIQ HTML Report below. Example HTML digest report |
| EclecticIQ JSON | EclecticIQ entities and observables in JSON. Typically used when sharing data between Intelligence Center instances. Selecting Override producer sets the Producer for all entities going through this feed to the value set in Settings ( ) > STIX and TAXII > STIX > Add STIX settings > Producer. |
| PAN-OS External Dynamic List | For sending Palo Alto firewall blocklists containing IP, domain, and URL sightings. |
| Plain text value | Produces a plain text file that contains one value per line, extracted from entities in your feed’s datasets. See Plain text value below. |
| STIX 1.2 | See STIX 1.2 below. |
| STIX 2.1 | See STIX 2.1. |
Appendix
Table of all generic content types
The following table describes content types available for generic transport types:
| Content type | Send email | FTP upload | HTTP download | Mount point upload | Syslog push | SFTP upload | TAXII inbox | TAXII Poll | TAXII 2.1 push | TAXII 2.1 Inbox | TAXII 2.1 Poll | Amazon S3 push |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ArcSight CEF | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | | ✅ |
| EclecticIQ Entities CSV | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | | ✅ |
| EclecticIQ HTML Report | ✅ | ✅ | ✅ | ✅ | | ✅ | ✅ | ✅ | | | | ✅ |
| EclecticIQ HTML Report Digest | ✅ | ✅ | ✅ | ✅ | | ✅ | ✅ | ✅ | | | | ✅ |
| EclecticIQ JSON | ✅ | ✅ | ✅ | ✅ | | ✅ | ✅ | ✅ | | | | ✅ |
| EclecticIQ Observables CSV | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | | ✅ |
| EclecticIQ PDF | ✅ | ✅ | ✅ | ✅ | | ✅ | ✅ | ✅ | | | | ✅ |
| PAN-OS External Dynamic List | ✅ | ✅ | ✅ | ✅ | | ✅ | ✅ | ✅ | | | | ✅ |
| Plain text value | ✅ | ✅ | ✅ | ✅ | | ✅ | ✅ | ✅ | | | | ✅ |
| STIX 1.2 | ✅ | ✅ | ✅ | ✅ | | ✅ | ✅ | ✅ | | | | ✅ |
| STIX 2.1 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Customize EclecticIQ HTML Report
You can customize the appearance of your HTML reports with the following fields in the Content configuration section of your outgoing feed configuration:
Required fields are marked with an asterisk (*).
| Field | Description |
| --- | --- |
| Include following tags and taxonomy* | Tags or taxonomies added here are added as “Tags” to the HTML report. Type tag names or select one or more tags from the drop-down menu. Selecting a “parent” tag from the drop-down menu, such as Admiralty code, adds all its children. |
| Include terms of use | Select to add a “Terms of use” section to the report. The “Terms of use” section is filled with the contents of the Default terms of use field in your Intel report settings. Set it by going to Settings ( ) > System settings > Intel report > Edit settings and adding your terms of use to the Default terms of use field. |
| Include logo | Select to add your organization’s logo to the generated report. This uses the image specified in your Intel report settings to brand your reports. Set it by going to Settings ( ) > System settings > Intel report > Edit settings and adding a URL to your logo image in the Specify a URL for your company logo used in the email template field. Your image must: |
| Include contact information | Select to add contact details to your report. This uses the information specified in your Intel report settings to brand your reports. Set it by going to Settings ( ) > System settings > Intel report > Edit settings and adding contact details to the Default contact information field. |
| Root URL of EclecticIQ platform installation | Set this to the URL at which you can access the platform. If left empty, it defaults to the host name set in Settings ( ) > System settings > General > Hostname. |
| Additional information | Add information you want to include with your reports. The contents of this field are included at the end of each generated report. |
PAN-OS External Dynamic List
When you set PAN-OS External Dynamic List as the content type of an outgoing feed, you must also set the feed's Content configuration > Palo Alto PAN-OS External Dynamic List field to one of the following:
PAN-OS IP External Dynamic List: packs the outgoing feed as a list of IP (v4 and v6) addresses for Palo Alto firewall blocklists.
PAN-OS Domain External Dynamic List: packs the outgoing feed as a list of domains for Palo Alto firewall blocklists.
PAN-OS URL External Dynamic List: packs the outgoing feed as a list of URLs for Palo Alto firewall blocklists.
For PAN-OS URL External Dynamic List feeds, URLs from your dataset:
must not contain a scheme (e.g. ‘https://’, ‘ftp://’)
can contain wildcards
are case-insensitive
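As an added illustration (not EclecticIQ code) of what each of the three list types must contain, the following Python packs constructed sample sightings into EDL text: IPv4 and IPv6 addresses for the IP list, and for the URL list it strips any scheme and lowercases entries, following the rules above. The dataset shape and the pass-through of wildcards are assumptions.

```python
import ipaddress
import re

# Added example, not EclecticIQ code; sightings below are constructed samples.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
IP_SIGHTINGS = ["203.0.113.7", "2001:db8::1", "203.0.113.7 ", "not-an-ip"]
DOMAIN_SIGHTINGS = ["Evil.Example.", "evil.example", "bad.example.test"]
URL_SIGHTINGS = [
    "https://Evil.Example/Path/Payload.exe",
    "evil.example/path/payload.exe",
    "ftp://files.example.test/drop/*",
]

def pack_ip_edl(values):
    """IP list: keep parseable IPv4/IPv6 addresses, drop the rest, dedupe."""
    out = []
    for v in values:
        try:
            addr = str(ipaddress.ip_address(v.strip()))
        except ValueError:
            continue  # a sighting that is not an address has no place in an IP EDL
        if addr not in out:
            out.append(addr)
    return out

def pack_domain_edl(values):
    """Domain list: lowercase, strip a trailing dot, dedupe."""
    out = []
    for v in values:
        d = v.strip().lower().rstrip(".")
        if d and d not in out:
            out.append(d)
    return out

def pack_url_edl(values):
    """URL list: strip any scheme (EDL URLs must not carry one), lowercase
    since entries are case-insensitive, dedupe; wildcards pass through."""
    out = []
    for v in values:
        u = SCHEME_RE.sub("", v.strip()).lower()
        if u and u not in out:
            out.append(u)
    return out

def pack_edl(kind, values):
    """Return the one-value-per-line body for the chosen list type."""
    packer = {"ip": pack_ip_edl, "domain": pack_domain_edl, "url": pack_url_edl}[kind]
    return "".join(line + "\n" for line in packer(values))
```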
Plain text value
The Plain text value content type extracts a single value from each entity in your outgoing feed’s dataset.
It writes one value per line to the resulting text file, one line for each entity in your dataset(s).
To use this content type, you must set three fields in the Content configuration section of your feed configuration:
| Field name | Description |
| --- | --- |
| Field to take values from* | Specify an EclecticIQ JSON field name to extract values from. This should be written in dot notation. For example, to access the Title of an Indicator entity, set this field to: data.title |
| Field to check a conditional value in* | Specify an EclecticIQ JSON field name. For a given entity processed by this outgoing feed: This should be written in dot notation. For example, to access the Title of an Indicator entity, set this field to: data.title |
| Only use entities that match this conditional value* | Value to match in Field to check a conditional value in. This must be an exact match. |
Example: Include only indicators with SNORT rules
To configure the feed to pack only SNORT rules from the indicators in its datasets, set the following:
Only Indicator entities can contain test mechanisms, such as SNORT rules.
| Content configuration field | Value |
| --- | --- |
| Field to check a conditional value in | data.test_mechanisms.test_mechanism_type |
| Only use entities that match this conditional value | snort |
| Field to take values from | data.test_mechanisms.rules.value |
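The following Python is an added example, not EclecticIQ code: it emulates the three Content configuration fields above over constructed entities shaped like EclecticIQ JSON, resolving the dot-notation paths and applying the exact-match condition. It assumes that lists along a path (such as test_mechanisms and rules) fan out, so every rule reached is emitted.

```python
# Added example, not EclecticIQ code: emulates the Plain text value content
# type over constructed entities shaped like EclecticIQ JSON.
SNORT_RULE = 'alert tcp any any -> any 4444 (msg:"constructed sample"; sid:1000001;)'
ENTITIES = [
    {"data": {"type": "indicator", "title": "Suspicious beacon",
              "test_mechanisms": [{"test_mechanism_type": "snort",
                                   "rules": [{"value": SNORT_RULE}]}]}},
    {"data": {"type": "indicator", "title": "YARA only",
              "test_mechanisms": [{"test_mechanism_type": "yara",
                                   "rules": [{"value": "rule r { condition: true }"}]}]}},
    {"data": {"type": "report", "title": "Weekly summary"}},
]

def resolve(entity, dotted):
    """Follow a dot-notation path such as 'data.test_mechanisms.rules.value'.
    Lists along the way fan out (assumption: the platform behaves the same),
    so the result is the list of all leaf values reached; [] if absent."""
    nodes = [entity]
    for key in dotted.split("."):
        nxt = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and key in item:
                    nxt.append(item[key])
        nodes = nxt
    leaves = []
    for n in nodes:
        leaves.extend(n if isinstance(n, list) else [n])
    return leaves

def plain_text_values(entities, value_field, check_field, match):
    """Apply the three Content configuration fields: keep an entity only
    when check_field yields exactly `match` (case-sensitive, whole value),
    then emit every non-empty string found at value_field."""
    lines = []
    for ent in entities:
        if match not in resolve(ent, check_field):
            continue
        lines.extend(v for v in resolve(ent, value_field) if isinstance(v, str) and v)
    return lines

def pack_plain_text(entities, value_field, check_field, match):
    """Return the one-value-per-line text file body."""
    return "".join(line + "\n" for line in plain_text_values(entities, value_field, check_field, match))
```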
STIX 1.2
Typical use cases include feeding a STIX 1.2-format outgoing feed to an external STIX-compatible device to instrument further processing or to trigger a response action.
Under Content configuration, do the following:
Selecting Override producer sets the Producer for all entities going through this feed to the value set in Settings ( ) > STIX and TAXII > STIX > Add STIX settings > Producer.
This setting changes the following nested XML element in the entity STIX structure:
```xml
EclecticIQ
```
Select the Include EclecticIQ-specific STIX extensions checkbox to enable EclecticIQ STIX extensions for the entities and the observables included in the outgoing feed content.
Select only if feed recipients cannot validate and parse STIX 1.2 content with EclecticIQ STIX extensions.
To validate STIX 1.x content, use the following projects: