Update stale half-life

To complete this procedure, you need:

  • Access to the EclecticIQ Platform with an administrator role.

  • Access to the EclecticIQ Platform instance host system terminal/command line, to sync entities in PostgreSQL and Elasticsearch.

You may need system administrator rights to run some commands. In that case, prefix the command with sudo.

Scenario

An EclecticIQ Platform instance running release 2.1.x or later contains existing data that was ingested with a previous version of the platform. Half-life values cannot be set on these entities, due to an issue that is resolved in later releases.

Issue

You may need to update existing indicators in the EclecticIQ Platform to assign them a valid half-life value.

Mitigation

You must manually update both the PostgreSQL database and the Elasticsearch indices, so that the two stores stay consistent.

Half-life update in PostgreSQL

  1. On the host system where EclecticIQ Platform is running, open a terminal shell.

  2. In the terminal, switch to the postgres user, and then launch the psql terminal:

    $ sudo -u postgres psql

  3. Run the following SQL query in the psql shell (the || operator merges the half_life key into the existing meta jsonb object):

    UPDATE entity
    SET meta = meta || '{"half_life": 30}'::jsonb
    WHERE data->>'type' = 'indicator';

Half-life update in Elasticsearch

  1. Save the following JSON data as a .json file, and name it indicator-set-half-life.json:

    {
      "query": {
        "term": { "data.type": "indicator" }
      },
      "script": {
        "lang": "painless",
        "source": "ctx._source.meta.half_life = 30"
      }
    }

  2. Update the Elasticsearch STIX index by passing the saved JSON file to an _update_by_query API request. By default, Elasticsearch listens on host localhost, port 9200.

    $ curl \
    -X POST \
    -H "Content-Type: application/json" \
    --data @indicator-set-half-life.json \
    'localhost:9200/stix/_update_by_query?refresh&conflicts=proceed&pretty'
     
    # copy-paste version:
    $ curl -X POST -H "Content-Type: application/json" --data @indicator-set-half-life.json 'localhost:9200/stix/_update_by_query?refresh&conflicts=proceed&pretty'
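The procedure updates the two stores independently and gives no way to confirm that both finished. The following script is an added check, not part of the EclecticIQ documentation: it counts the indicators that still lack a half-life in PostgreSQL and in the stix index, and succeeds only when both counts are zero. It assumes meta is a jsonb column, that meta.half_life is an indexed field in the stix index, and the variable ES_URL and the function names are invented here.

```shell
#!/bin/sh
# Added example (not EclecticIQ's own code): after running the PostgreSQL and
# Elasticsearch updates above, confirm that neither store still holds
# indicators without a half-life, so the two manual updates are known to agree.
# Assumptions: "meta" is a jsonb column, meta.half_life is an indexed field in
# the "stix" index, and ES_URL is a name invented for this script.
ES_URL="${ES_URL:-http://localhost:9200}"

# PostgreSQL: indicators whose meta object has no top-level half_life key.
# The jsonb ? operator tests key presence; -At prints a bare number.
pg_missing_half_life() {
  sudo -u postgres psql -At -c \
    "SELECT count(*) FROM entity
     WHERE data->>'type' = 'indicator' AND NOT (meta ? 'half_life');"
}

# Elasticsearch: indicators in the stix index with no meta.half_life field.
# _count returns {"count":N,...}; sed extracts N so jq is not required.
es_missing_half_life() {
  curl -s -X POST -H "Content-Type: application/json" \
    "$ES_URL/stix/_count" \
    --data '{"query":{"bool":{"filter":{"term":{"data.type":"indicator"}},"must_not":{"exists":{"field":"meta.half_life"}}}}}' \
    | sed -n 's/.*"count":\([0-9][0-9]*\).*/\1/p'
}

# Exit status 0 only when both stores report zero indicators without a half-life;
# an empty value (psql or curl failed) counts as a failure.
verify_in_sync() {
  pg=$(pg_missing_half_life)
  es=$(es_missing_half_life)
  echo "indicators without half_life -> postgresql: ${pg:-?}  elasticsearch: ${es:-?}"
  if [ "$pg" = "0" ] && [ "$es" = "0" ]; then
    return 0
  fi
  return 1
}

# Run the check only when invoked as: sh verify-half-life.sh --check
if [ "${1:-}" = "--check" ]; then
  verify_in_sync
fi
```

A non-zero PostgreSQL count after the UPDATE usually means the entity rows are not indicators by data->>'type'; a non-zero Elasticsearch count after _update_by_query with conflicts=proceed means some documents were skipped and the request should be repeated.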