Configure the general options for incoming feeds to ingest data into EclecticIQ Platform.
These configuration options are common to all supported incoming feeds.
By default, only feeds with generic transport types are preinstalled.
Proprietary feeds are not available right out of the box.
You can install them manually in no particular order.
Create an incoming feed
In the top navigation bar, go to Data configuration > Incoming feeds.
The Incoming feeds view lists all incoming feeds configured to ingest data from the specified intelligence providers and data sources.
In the top-left corner of the view, click the plus icon.
In Create incoming feed, fill out the following fields:
Required fields are marked with an asterisk ( * ).
Enter a descriptive label for the feed.
Enter the name to identify the provider of this feed.
Assign a level of source reliability to the feed.
Require valid signature
Enabled by default. When selected, the platform checks the PGP signature of any packages sent by the incoming feed source against its list of Trusted keys. If the package is not signed by a trusted key, the platform rejects it. For more information, see Add trusted PGP public key below.
Selecting this option without adding the correct PGP public key for the feed source will cause the feed to fail when it runs.
Skip extraction of observables from unstructured text
Select this option to exclude from ingestion data that is:
Written in free-form text, such as text entered in title, description, or note fields.
Without any defined link names to qualify its relationship with the entities it is related to, if applicable.
If you select the checkbox, the platform filters out any observable data detected inside titles, headers, descriptions, summaries, and other free-form text fields.
Observable data inside unstructured text fields is usually not as relevant, and not as valuable in terms of intelligence, as observable data extracted from, for example, CybOX fields or from extracts_nested JSON fields.
In the same way, observables with relationships, but without any link names providing extra context and relevance, can add more noise than actual value to platform data.
Transport and content
To configure transport type and content type, as well as any other specific options for a particular incoming feed, refer to the dedicated documentation page on that feed:
Save the configuration
After setting up the feed, save the configuration:
Click Save to store your changes, or Cancel to discard them.
Or, click on the Save button to view additional save options:
Save and run: Saves the current configuration for the feed and runs it immediately.
Save and new: Saves the current configuration for the feed and opens a new empty form to start configuring a new feed.
Save and duplicate: Saves the current configuration for the feed and opens a prepopulated copy of the same feed configuration, which you can use as a template to speed up manual work.
Add trusted PGP public key
The EclecticIQ Platform stores a list of trusted PGP public keys in Settings > System settings > Trusted Keys. Keys from this list are used to validate signed packages from incoming feeds that have the Require valid signature option enabled.
To add a PGP public key to the list of Trusted keys:
In the side navigation bar, select Settings > System settings > Trusted Keys.
Select Edit Settings.
In Edit public trusted keys settings:
Select + ADD to add a new PGP public key to the list.
Select + MORE to add more than one PGP public key to the list.
Fill out the following fields for each PGP public key you want to add:
* Required fields.
A descriptive label for this PGP public key.
Enter the exported ASCII output for the PGP public key here. This is usually the contents of an .asc file provided by the data source.
An example of an exported PGP public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
Select Save to finish adding your PGP public keys.