Contents

Introduction

Knowledge packs provide pre-defined configurations or packs, that equip Intelligence Center users with the ability to address their threat research and investigations through expert-curated workspaces and datasets.

Knowledge packs come with a set of packs created by EclecticIQ's threat research team as a culmination of their vast research experience and expertise.

As of version 2.11, Intelligence Center users can create their own knowledge packs. Users can create these knowledge packs and share them with their consumers.

Requirements

Permissions

The following permissions are required to use knowledge packs. To see your permissions, go to, Settings > User management > Permissions. See Permissions for more information on the permission settings for knowledge packs.

Permissions	Description
`install knowledge-packs`	Can enable knowledge packs. Must have both this and `read knowledge-packs` permissions to install knowledge packs.
`modify knowledge-packs`	Can modify the knowledge packs.
`read knowledge-packs`	Can view knowledge packs.

For your Intelligence Center to be able to receive knowledge packs from a Knowledge pack producer, you must allow outgoing network access to that producer instance.

Knowledge pack consumers and producers

Intelligence Center users can create their own knowledge packs for dissemination to their users, fully customized to their own requirements and priorities. Knowledge pack creators are designated as producers. Users that install and use the packs created by producers are called consumers. To be a producer, appropriate privileges must be provided in the settings.

Note: The CREATED PACKS tab is visible only if you have permission to create packs as a producer.

(Beta) Producers

This section describes how to create and manage knowledge packs.

How to enable knowledge pack creation and set up a producer?

This feature is still in beta. To enable, go to > System settings and select Edit > (Beta) Knowledge pack creation.

To enable knowledge pack creation and set up a producer:

From the left navigation bar, go to Settings( )> System settings > General.
- You can also go to Data configuration ( )> Knowledge packs > CREATED PACKS, and then select SETUP PRODUCER. You will see this option only when you set up a producer for the first time and you have not created any packs.
Select EDIT SETTINGS.
Select the Enable knowledge packs creation checkbox.
- The Producer name field appears.
Enter the producer's name.
- Producer name is a mandatory field.
- The name entered here is shown as a producer on the consumer's Intelligence Center instance.
Select SAVE.

How to create and publish knowledge packs?

To create a knowledge pack:

From the left navigation bar, go to Data configuration ( )> Knowledge packs > CREATED PACKS.
Select Create Knowledge Pack( ).
Enter the knowledge pack Name.
To select the configuration settings that you want to add to the knowledge pack that you are creating, select ADD EXISTING under Objects.
- Create knowledge pack window appears.
Select the objects that should form the knowledge packs from the tabs of the Select objects window.
Select CONFIRM.
- The objects that you selected are listed in the Create knowledge pack window.
Enter a description for the pack in the Description field.
Select SAVE.
The knowledge pack created is listed in the CREATED PACKS tab.
- When you create a pack, it is in an unpublished state. You must publish it to be made available to the consumers.
Click and open the pack that you created.
Select PUBLISH.
The pack is published and will be available for the consumers.

How to unpublish a knowledge pack?

To unpublish a knowledge pack:

Click and select the ellipsis ( ) of the knowledge pack that you want to unpublish.
Select Unpublish.

When you unpublish a pack:

The pack becomes unavailable to the consumers , that is, it is no longer listed as an available package on a consumer Intelligence Center.
Consumers that have already enabled the pack can continue to use it i n their Intelligence Center instances.

How to edit and update a knowledge pack?

To edit and update a knowledge pack:

Unpublish the pack if it is in the published state.
Add or remove the objects as required.
Publish the pack again.

How to share knowledge packs?

For consumers to see and retrieve knowledge packs, the producer must share a Uniform Resource Locator (URL) that hosts all available packs. To share the knowledge packs:

From the left navigation bar, go to Data configuration ( )> Knowledge packs > CREATED PACKS.
Select Share knowledge packs ( ).
- Share knowledge packs window appears with a URL that provides access to your packs.
Select COPY LINK to copy the URL.
Share the URL with your consumers. See How to add or remove producers and their packs? for more information on how consumers use this URL.

Ensure that the URL is accessible to the intended users.
Instances that are Knowledge pack producers must allow network access to that shared URL.

Consumers

This section describes the operations available for the consumers and the producers.

How to add a producer?

To add a producer:

From the left navigation bar, go to Data configuration > Knowledge packs.
In the MY LIBRARY tab, select Manage producers ( ).
- Producer management window appears.
Enter or paste the URL of the producer that you want to add. See How to share knowledge packs? for more information on how producers create packs and share the URL.

The producer EclecticIQ is enabled by default in every EclecticIQ Intelligencer Center instance.

To be able to receive Knowledge packs from the EclecticIQ producer, you must allow outgoing network traffic to:

https://cti.eclecticiq.com/configuration-bundles/producer
https://cti.eclecticiq.com/configuration-bundles/published

How to remove a producer?

To add a producer:

From the left navigation bar, go to Data configuration ( ) > Knowledge packs.
In the MY LIBRARY tab, select Manage producers ( ).
- Producer management window appears.
Select ( × ) against the producer that you want to remove.
Confirm removal in the dialog that appears.

You must disable all the packs associated with a producer before removing that producer.

Enable or disable a knowledge pack

You can enable or disable a knowledge pack:.

When you enable a pack, the configuration settings that are associated with the knowledge pack, for example, workspaces, datasets, and rules are created in the Intelligence Center.
When you disable a pack, the configuration settings that are associated with the knowledge pack, for example, workspaces, datasets, and rules are removed from the Intelligence Center.

How to enable a pack?

To enable a knowledge pack:

From the left navigation bar, go to Data configuration ( ) > Knowledge packs.
In the MY LIBRARY tab, slide the toggle switch of a disabled pack that you want to enable.
- The Enable package - Step 1 of 3 Knowledge pack details popup showing the configurations that will be created appears.
Select ENABLE.
- Popups with information on what is being created in the Intelligence Center are displayed.
- If the pack has one or more objects that have the same names as the other existing objects in your Intelligence Center instance, Rename knowledge pack window appears. Enter a prefix to rename all the objects in the pack.
- The Enable package - Step 3 of 3 Share popup showing the groups available for you to share the pack appears.
Select the required group(s).
Select DONE.
- The knowledge pack and the associated configurations are created and shared with the selected group(s).

How to disable a pack?

To enable a knowledge pack:

From the left navigation bar, go to Data configuration ( ) > Knowledge packs.
In the MY LIBRARY tab, slide the toggle switch of a pack that you want to disable.
- The Disable package popup showing the configurations that will be deleted appears.
Select the checkbox to confirm disabling the selected pack.
Select PROCEED.
- Popups with information on what is being deleted in the Intelligence Center are displayed.
- The knowledge pack and the associated configurations are removed from the Intelligence Center

Known limitations

Knowledge packs is considered a beta feature. The following is a list of known limitations that EclecticIQ intends to address in the upcoming releases:

No authentication
- At present, knowledge packs cannot be authenticated. When you enable knowledge packs creation, it opens the API endpoint publicly and introduces a risk if the Intelligence Center has connectivity to the internet. This will be addressed in the next release of the Intelligence Center.
Synchronizing updates to consumers.
- Producers cannot synchronize updates to a consumer once:
  - a pack has been published and
  - the consumer has enabled the pack in its Intelligence Center insta nces. In other words, changes to a knowledge pack will not be synchronized to consumers that are already using the pack.
- The current workaround for consu mers is to remove the publisher (and its knowledge packs) and then reinstate it.
Versioning knowledge packs is not possible at present.
Deleting a configuration object from the platform will NOT remove it from a knowledge pack.
- When a producer deletes an object (e.g. a rule, a dataset, or a workspace) that is part of a knowledge pack, the object is not removed from the knowledge pack configuration.