The Threat Intelligence EclecticIQ Platform App for Splunk is a native application that installs directly on your Splunk instance.
EclecticIQ Platform 2.x or later.
Threat Intelligence EclecticIQ Platform App for Splunk installed on your Splunk instance.
Network access between EclecticIQ Platform and your Splunk instance.
Download and install the app on Splunk
Download the Threat Intelligence EclecticIQ Platform App from Splunkbase.
Save the tar.gz package locally.
Log into your Splunk instance.
In the top navigation bar, open the Apps drop-down menu and select Manage Apps.
In the top right corner, click Install app from file.
In the Upload app page, click Browse and select the tar.gz package you just downloaded.
Click Upload to install the package.
When prompted, click Restart to restart your Splunk instance.
(Optional) Create a new source group
Create a new dedicated source group to manage data sent to and received from the Threat Intelligence EclecticIQ Platform App.
When adding Allowed sources to the group, make sure to add Sources that contain data that you want to send to the Threat Intelligence EclecticIQ Platform App.
Set up Outgoing feed on EclecticIQ Platform
In order to allow your Splunk instance to use intelligence from EclecticIQ Platform to detect threats, set up an outgoing feed on your platform instance:
In the left navigation bar, click Data Configuration > Outgoing feeds > +.
Set the following fields in your new outgoing feed:
Enter a descriptive name for the outgoing feed.
Example: Outgoing feed for <vendor system>
Set this to HTTP download.
Set this to EclecticIQ Observables CSV.
Datasets*: Select one or more datasets to include in this outgoing feed.
Update strategy*: Select an update strategy.
The Threat Intelligence EclecticIQ Platform App supports these update strategies:
REPLACE: Select this option to purge the app KV store before updating it each time the feed runs.
Not recommended for feeds with large datasets, or feeds with frequent execution schedules.
DIFF: Select this option to send incremental updates through the feed.
Public: Select this to make this feed publicly available.
Authorized groups: If Public is not selected, select one or more groups to make this feed available to.
If you created a source group earlier, add that here.
Set to None by default.
For more information on configuring HTTP download outgoing feeds, see Outgoing feed - HTTP download feed.
Save and run the outgoing feed.
Get the feed ID
We need the ID of the outgoing feed that you’ve just created.
To get the feed ID:
In the left navigation bar, click Data Configuration > Outgoing feeds.
In the Outgoing feeds overview, click on the outgoing feed you’ve just created.
In the panel that appears, click on the Created packages tab.
Locate and note the feed ID shown in this tab.
The feed ID is displayed as part of the outgoing feed URLs shown. For example, in:
You can download the latest package
the feed ID is 8.
Install Threat Intelligence EclecticIQ Platform App
Sign in to Splunk Web.
From the dashboard, click on Settings ( ) in the left menu.
Click Install app from file at the top right.
In the Upload an app page:
Click on Browse
Locate and select the tar.gz package downloaded in Download and install the app on Splunk.
(Optional) Select Upgrade app if you are upgrading from a previous version of the app.
Configure Threat Intelligence EclecticIQ Platform App
Once the Threat Intelligence EclecticIQ Platform App is installed:
In the top navigation bar of Splunk Web, click Apps > Manage Apps.
Locate EclecticIQ Platform App in the list of apps.
In the Actions column for EclecticIQ Platform App, click Set up.
In the EclecticiIQ Platform App Configuration Page, fill out these fields:
EclecticIQ Platform url
Enter the URL of your EclecticIQ Platform instance.
EclecticIQ Platform Version
Enter your EclecticIQ Platform version.
For example: 2.9
Verify the SSL Connection if SSL is used
Select to ensure that a valid SSL certificate is received from EclecticIQ Platform.
ID of feeds for collection from EclecticIQ Platform
One or more feed IDs obtained from Get the feed ID, separated by commas.
For example, to receive indicators from feeds with IDs 6 and 7: 6,7.
EclecticIQ Platform Source Group
Enter a source group. If you have one set up from Create a source group, enter that group name here.
Enter your user name. This user must be a member of the group specified in EclecticIQ Platform Source Group.
Enter your password.
Click Save Settings to finish configuring the app.
Optional app configuration
(Optional) When configuring the app on the EclecticIQ Platform App Configuration Page, you can set up these options:
If you’re using a proxy, enter its IP address here.
If required, enter the username for authenticating with your proxy.
Enter the password for your proxy.
Set to index=main by default.
Modify this to change the scope of the sightings query used by the app.
Send the following sightings types
All selected by default.
Select one or more sighting types to send to EclecticIQ Platform through the app.
Scripts Log Level
Set the log level for scripts run by the app. Change this only if you have issues with the app.