Install the extensions#

Install extensions to expand Intelligence Center functionality: for example, to integrate it with external intelligence providers and data sources, to exchange data with an external system, or to publish data to human or machine recipients.

About extensions#

EclecticIQ Intelligence Center ships with a set of built-in extensions, such as feeds and enrichers. They expand Intelligence Center functionality by enabling interoperability with external systems, intelligence providers, and data sources.

You can download and install more extensions to add incoming and outgoing feed transport and content types, as well as enrichers.

This modular approach allows implementing as many, or as few, integrations as needed, based on your organization requirements and goals.

You can download extensions to add more feeds and enrichers to EclecticIQ Intelligence Center from https://downloads.eclecticiq.com/Extensions/.

By default, EclecticIQ Intelligence Center ships with all supported extensions preinstalled.

After installing and setting up an Intelligence Center instance, you may want to customize extensions, remove unnecessary ones, add new ones, and possibly reinstall previously removed ones.

Choose the correct version for your Intelligence Center#

About extension versioning#

Extension versioning follows the same approach as Intelligence Center versioning.

However, Intelligence Center and extensions are on separate release cycles. At a given point in time, version numbers for extension and Intelligence Center releases may not be the same.

An extension works correctly on an Intelligence Center instance only if the extension and the target Intelligence Center instance share the same major and the same minor release version.

Example:

Intelligence Center version: 2.2.1

  • Extension version 2.2.0: compatible (same major and minor version)

  • Extension version 2.1.2: not compatible (different minor version)

About extension version checking#

Version checking is implemented through pip.

This check prevents installing extensions that are incompatible with the host Intelligence Center instance: if the extension being installed has a version that is incompatible with the version of the target Intelligence Center, the operation aborts.

Download extensions#

  1. Go to the EclecticIQ Intelligence Center extensions repository at https://downloads.eclecticiq.com/Extensions/.

  2. Browse to the extension you want to install, and click its name.

  3. In the extension view, in the General tab, under Versions, click an extension version number to go to the corresponding section.

  4. In the extension version view, in the General tab, under Downloads, click the extension package name to download it.

    Alternatively:

    1. Click the Files tab header.

    2. In the Files tab, click the desired extension package name to download it.

  5. Save the extension package to a local directory.

Extension package names use the following format: eclecticiq-extension-{extension_name}-{platform_release}.tar.gz

Example:

  • eclecticiq-extension-anubis-1.0.0.0.tar.gz: Anubis Cyberfeed incoming feed for EclecticIQ Intelligence Center release 1.14.x.

  • eclecticiq-extension-anubis-2.2.0.0.tar.gz: Anubis Cyberfeed incoming feed for EclecticIQ Intelligence Center release 2.2.x.

Install extensions#

Switch user#

  1. Open a terminal session.

  2. Switch to the root user:

    # Root-access login shell
    sudo -i
    

Activate a virtual environment#

  • Activate a Python virtual environment for EclecticIQ Intelligence Center:

    source /opt/eclecticiq-platform-backend/bin/activate
    

Install the extension#

  • Install the downloaded extension with pip install:

    pip install eclecticiq-extension-${extension-name}-${platform-release}.tar.gz
    
    # Example:
    pip install eclecticiq-extension-anubis-2.1.0.tar.gz
    

Load the fixtures#

  • After installing one or more extensions, and before starting or restarting EclecticIQ Intelligence Center services, you must register the extensions in EclecticIQ Intelligence Center.

    To do so, load the database fixtures:

    eiq-platform database load-fixtures
    

Restart Intelligence Center services#

  • After editing or updating systemd-managed unit configuration files, you must restart all systemd-managed Intelligence Center services.

    It enables systemd to reload all configurations, and to apply any changes to make them effective.

    To restart systemd-managed Intelligence Center services through the command line:

    systemctl restart eclecticiq-platform-backend-services
    

Restart Intelligence Center workers#

  • After editing or updating backend worker configuration files and parameters, restart the workers.

    It enables workers to reload their configurations, and to apply any changes to make them effective.

    To restart backend workers through the command line:

    systemctl restart eclecticiq-platform-backend-workers
    

Remove extensions#

You may need to remove an extension for several reasons: to upgrade it to a newer release, to reinstall it in order to address functionality issues, or because you do not need it any longer.

To remove an extension:

  1. Run the standard pip uninstall command.

  2. Specify only the name of the extension, without Intelligence Center release number, and without extension archive file type:

    pip uninstall eclecticiq-extension-${extension-name}
    
    # Example: uninstall eclecticiq-extension-arcsight-2.0.tar.gz
    pip uninstall eclecticiq-extension-arcsight
    

Extension naming cheatsheet

  • Default naming format: eclecticiq-extension-${extension-name}-${platform-release}.tar.gz

  • Install extension: eclecticiq-extension-${extension-name}-${platform-release}.tar.gz

  • Uninstall extension: eclecticiq-extension-${extension-name}
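The following is an added example, not EclecticIQ's own code or the check pip performs: it applies the naming format and the same-major-same-minor rule from the sections above to a set of downloaded package files, and derives the name `pip uninstall` expects from a package file name. The name regex and the `ExtensionPackage` helper are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass

# Package names follow the documented format:
#   eclecticiq-extension-{extension_name}-{platform_release}.tar.gz
# The release is dot-separated integers (e.g. 2.2.0.0), so a hyphenated
# extension name can still be separated from it unambiguously.
PACKAGE_RE = re.compile(
    r"^(?P<dist>eclecticiq-extension-(?P<name>[A-Za-z0-9_-]+?))"
    r"-(?P<release>\d+(?:\.\d+)*)\.tar\.gz$"
)

@dataclass(frozen=True)
class ExtensionPackage:
    dist: str      # distribution name that "pip uninstall" expects
    name: str      # extension name, e.g. "anubis"
    release: str   # platform release the package targets, e.g. "2.2.0.0"

def parse_package(filename: str) -> ExtensionPackage:
    m = PACKAGE_RE.match(filename)
    if m is None:
        raise ValueError(f"not an extension package name: {filename}")
    return ExtensionPackage(m["dist"], m["name"], m["release"])

def major_minor(version: str) -> tuple:
    parts = version.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version}")
    return int(parts[0]), int(parts[1])

def is_compatible(package_release: str, ic_version: str) -> bool:
    """Documented rule: same major AND same minor as the target instance."""
    return major_minor(package_release) == major_minor(ic_version)

def uninstall_target(filename: str) -> str:
    """Name for 'pip uninstall': no release number, no archive suffix."""
    return parse_package(filename).dist

def check_packages(filenames, ic_version: str) -> dict:
    """Map each package that must NOT be installed to the reason why."""
    rejected = {}
    for fn in filenames:
        try:
            pkg = parse_package(fn)
        except ValueError as exc:
            rejected[fn] = str(exc)
            continue
        if not is_compatible(pkg.release, ic_version):
            rejected[fn] = f"release {pkg.release} is not on the {ic_version} line"
    return rejected
```

Running `check_packages` over a download directory before the `pip install` step flags incompatible archives up front instead of relying on the install aborting.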

Create custom extensions with the SDK#

You can extend EclecticIQ Intelligence Center functionality — for example, by integrating EclecticIQ Intelligence Center with an external system such as a SIEM, or by hooking it up to a custom intel provider service.

EclecticIQ Intelligence Center SDK is the companion development kit to create integration extensions, such as feeds and enrichers.

The SDK provides a structured framework to build your extensions, to implement transport and content types for custom feeds, as well as to create new enrichers, based on your organization needs and requirements.

The SDK includes documentation and examples to help you along the way.

The documentation is included in the downloadable SDK archive file.

To request a download link to the SDK, open a support request ticket, or contact our support team.

To open the SDK package and access the documentation:

  1. Decompress the SDK archive to a local working directory.

  2. Browse to the /docs sub-directory.

  3. Open the index.html index file in a web browser to access the SDK documentation and the main navigation.

In the /examples sub-directory you can find reference examples of:

  • A transformer, that is, a content type parser

  • A provider, that is, a transport type handler

  • An enricher.

When you create a custom transformer to parse an input content type to JSON for ingestion into EclecticIQ Intelligence Center, stress-test it to gauge its ingestion limit.

For example, ingesting a package containing 10,000 entities may slow down the process to a crawl.

Therefore, it is a good practice to feed transformers packages containing less than 10,000 entities.

API endpoints#

EclecticIQ Intelligence Center includes a public API with a number of endpoints exposing services such as the authentication mechanism, as well as access to EclecticIQ Intelligence Center assets and resources, such as entities, observables, enrichment tasks, and data sources.

The API accepts JSON requests and returns JSON responses in UTF-8 encoding:

Content-Type: application/json; charset=utf-8

The authentication mechanism is based on JWT (JSON Web Tokens).

The public API methods and their arguments are documented, and you can familiarize yourself with the API calls and responses in a safe playground.

To access it, sign in to EclecticIQ Intelligence Center, and then append /private/static/swagger/ to your Intelligence Center instance base URL.

Example

https://${my.platform.instance.org} + /private/static/swagger/ --> https://${my.platform.instance.org}/private/static/swagger/

This overview sums up the public API endpoints for reference:

{
  "data": {
    "/api/": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/auth": [
      "OPTIONS",
      "POST"
    ],
    "/api/datasets/": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/datasets/<int:id>": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/enrichers/": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/enrichers/<int:id>": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/enrichment-tasks/<uuid:id>": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/entities/": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/entities/<uuid:id>": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/entities/<uuid:id>/enrich": [
      "OPTIONS",
      "POST"
    ],
    "/api/entities/<uuid:id>/enrichers": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/entities/latest": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/healthcheck": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/observables/": [
      "GET",
      "HEAD",
      "OPTIONS",
      "POST"
    ],
    "/api/observables/<int:id>": [
      "GET",
      "HEAD",
      "OPTIONS",
      "PATCH"
    ],
    "/api/observables/<int:id>/enrich": [
      "OPTIONS",
      "POST"
    ],
    "/api/observables/<int:id>/enrichers": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/sources/": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/sources/<uuid:id>": [
      "GET",
      "HEAD",
      "OPTIONS"
    ],
    "/api/users/self": [
      "GET",
      "HEAD",
      "OPTIONS"
    ]
  }
}
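Added example, not EclecticIQ's code: it treats the overview above as an allow-list, matching a concrete request path (for instance one taken from an access log) to its route template and the methods documented for it, and listing the endpoints that change state, which is where the privileges of API accounts deserve the closest review. It assumes the `<int:id>` and `<uuid:id>` placeholders follow Flask-style converter syntax, and embeds a constructed subset of the listing.

```python
import re
from typing import Dict, List

# Constructed subset of the overview above (its "data" object), kept short.
ENDPOINTS: Dict[str, List[str]] = {
    "/api/auth": ["OPTIONS", "POST"],
    "/api/entities/<uuid:id>": ["GET", "HEAD", "OPTIONS"],
    "/api/entities/<uuid:id>/enrich": ["OPTIONS", "POST"],
    "/api/entities/latest": ["GET", "HEAD", "OPTIONS"],
    "/api/observables/": ["GET", "HEAD", "OPTIONS", "POST"],
    "/api/observables/<int:id>": ["GET", "HEAD", "OPTIONS", "PATCH"],
    "/api/users/self": ["GET", "HEAD", "OPTIONS"],
}

# Assumed meaning of the <converter:name> placeholders (Flask/Werkzeug style).
HEX = "[0-9a-fA-F]"
CONVERTERS = {
    "int": r"\d+",
    "uuid": f"{HEX}{{8}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{12}}",
}

def template_to_regex(template: str):
    """Turn '/api/observables/<int:id>' into an anchored regex."""
    parts, pos = [], 0
    for m in re.finditer(r"<(\w+):(\w+)>", template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(f"(?P<{m.group(2)}>{CONVERTERS[m.group(1)]})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")

ROUTES = [(tpl, template_to_regex(tpl), methods) for tpl, methods in ENDPOINTS.items()]

def allowed_methods(path: str) -> List[str]:
    """Methods the overview documents for a concrete request path ([] if none)."""
    for _tpl, rx, methods in ROUTES:
        if rx.match(path):
            return list(methods)
    return []

def is_documented(method: str, path: str) -> bool:
    """True if an observed (method, path) pair is part of the documented surface."""
    return method.upper() in allowed_methods(path)

def write_endpoints() -> List[str]:
    """Route templates that accept state-changing methods."""
    mutating = {"POST", "PATCH", "PUT", "DELETE"}
    return sorted(t for t, m in ENDPOINTS.items() if mutating & set(m))
```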