Configure Intelligence Center

  1. Log in to EclecticIQ Platform.

  2. Configure one or more Incoming feeds.

  3. Search for intelligence of interest.

    For example, search for phishing indicators in the last 24 hours.

  4. Create a Dataset using the previous search query.

Create an outgoing feed

  1. In the top navigation bar, click Data configurations > Outgoing feeds >

Step 1 - The General section

  1. In the Feed name field, enter a descriptive name that is easy to remember.

Step 2 - The Transport and content section

  1. From the Transport type drop-down menu, select Syslog push.

  2. From the Content type drop-down menu, select ArcSight CEF.

  3. From the Datasets drop-down menu, select the dataset you created earlier.

  4. From the Update strategy drop-down menu, select Append.

  5. In the Syslog server host field, enter the address of your ArcSight ESM server.

  6. In the Syslog server port field, enter 1514.

  7. From the Protocol drop-down menu, select TCP.
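To confirm what the feed actually sends before pointing it at the ESM server, run a local listener on the port and protocol chosen above. The following is an added example, not EclecticIQ or ArcSight code: a Python TCP syslog receiver that parses the CEF header and extension of each pushed line (honouring the `\|`, `\=`, `\\`, `\n` and `\r` escapes CEF defines), keeps any syslog prefix that precedes the `CEF:` marker, and rejects lines that carry no CEF record. The sample lines inside it are constructed; the vendor and product strings, the hostname and the extension keys are placeholders, not the platform's real output.

```python
"""Added example (not EclecticIQ or ArcSight code): a throwaway TCP syslog
receiver that parses the ArcSight CEF records an outgoing feed pushes, so the
feed can be validated before it is pointed at the real ESM server.
Sample lines are constructed; vendor/product strings are placeholders."""
import re
import socketserver
from typing import Dict, List, Tuple

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")
# An extension key: start of string or whitespace, then the key, then '='.
# An escaped '\=' inside a value is never preceded by whitespace, so it
# cannot be mistaken for the start of a new key.
_KEY_RE = re.compile(r"(?:^|\s+)([A-Za-z0-9_.]+)=")


def _unescape(value: str, newlines: bool) -> str:
    """Undo CEF escapes: '\\|' and '\\\\' in the header; additionally
    '\\=', '\\n' and '\\r' in extension values."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if newlines and nxt in "nr":
                out.append("\n" if nxt == "n" else "\r")
            else:
                out.append(nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key2=value with spaces' into a dict."""
    keys = list(_KEY_RE.finditer(ext))
    result: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end], newlines=True)
    return result


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line carrying a CEF record. Anything before 'CEF:'
    (a PRI and an RFC 3164 timestamp/host, for instance) is kept as prefix."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker")
    body = line[start + 4:]
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    # The header is seven fields, each ended by an unescaped '|'.
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])      # keep the escape pair for _unescape
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) == 6 and cur:           # lenient: no trailing '|' after severity
        fields.append("".join(cur))
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    event: Dict[str, object] = {
        name: _unescape(value, newlines=False)
        for name, value in zip(HEADER_FIELDS, fields)
    }
    event["syslog_prefix"] = line[:start].rstrip()
    event["extension"] = parse_extension(body[i:])
    return event


def parse_lines(lines) -> Tuple[List[Dict[str, object]], List[str]]:
    """Parse a batch of syslog lines, returning (events, rejected_lines)."""
    events, rejected = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        try:
            events.append(parse_cef(line))
        except ValueError:
            rejected.append(line)
    return events, rejected


class CEFHandler(socketserver.StreamRequestHandler):
    """Syslog over TCP as the feed pushes it: one record per line."""
    def handle(self):
        for raw in self.rfile:
            events, rejected = parse_lines([raw.decode("utf-8", "replace")])
            for ev in events:
                print(f"sev={ev['severity']} {ev['name']!r} {ev['extension']}")
            for bad in rejected:
                print(f"rejected: {bad[:80]!r}")


class Receiver(socketserver.ThreadingTCPServer):
    allow_reuse_address = True   # restart quickly while iterating on the feed


# Constructed sample lines: one with an RFC 3164 prefix and an escaped '=' in
# a value, one with an escaped '|' in the Name header field, one that is not CEF.
SAMPLE_LINES = [
    "<13>Jun  3 10:15:00 eiq-host CEF:0|ExampleVendor|ExampleTIP|1.0|indicator|"
    "Phishing URL|5|request=http://example.test/login\\=session msg=phishing kit seen suser=analyst",
    "CEF:0|ExampleVendor|ExampleTIP|1.0|indicator|Pipe \\| in name|8|src=192.0.2.10 dst=198.51.100.7",
    "<13>Jun  3 10:15:01 eiq-host not a CEF record at all",
]

if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LINES)[0]:
        print(ev)
    # Listen where the feed was pointed: Syslog server port 1514, Protocol TCP.
    with Receiver(("0.0.0.0", 1514), CEFHandler) as srv:
        srv.serve_forever()
```

Run it on a host the platform can reach, temporarily enter that host in the Syslog server host field, run the feed manually, and check the printed events; once the records look right, switch the host back to the ArcSight ESM server.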

Step 3 - Schedule section

  1. From the Execution schedule drop-down menu, select how often you want to run the outgoing feed task:

    Set an Execution schedule to have your feed run automatically.

    None: Default. The feed must be run manually.

    Every [n] minutes: Run the feed automatically every [n] minutes. Select a value for [n].

    Every hour, [n] minutes past the hour: Run the feed automatically every hour, [n] minutes past the hour. For example, setting [n] to 4 runs the feed at 00:04, 01:04, 02:04, and so on.

    Every [n] hours: Run the feed automatically at the start of every [n] hours. Select a value for [n].

    Every day at [time]: Run the feed automatically once a day, at the specified time. Set a value for [time].

    Every [n] days: Run the feed automatically at the start of every [n] days. Select a value for [n].

    Every week on [day of the week] at [time]: Run the feed automatically once a week, on the specified day of the week at the specified time. Set values for [day of the week] and [time].

    Every month on [day of the month] at [time]: Run the feed automatically once a month, on the specified day of the month at the specified time. Set values for [day of the month] and [time].

    Caution

    Avoid setting [day of the month] to 30 or 31. The feed then runs only in months that have that day: a feed scheduled for the 30th never runs in February, and one scheduled for the 31st skips every 30-day month as well. (A 29th is likewise skipped in February outside leap years.)

Step 4 - The Processing section

  1. From the Override TLP drop-down menu, select the TLP color that should replace the TLP color already assigned to the entities in the outgoing feed.

    The selected TLP value is applied to every entity in the outgoing feed, whatever TLP was originally set on it.

  2. From the Filter TLP color drop-down menu, select which entities you want to include in the outgoing feed data, based on the selected TLP value.

    Only the entities that are flagged with the selected TLP color code are included in the outgoing feed.

  3. From the Source reliability filter drop-down menu, select the minimum source reliability level an entity must have to be sent out in the feed.

  4. In the Relevancy threshold (%) field, set a percentage; only entities whose relevancy value is higher than this threshold are included in the outgoing feed data.

  5. From the Allowed observable states drop-down menu, select one or more observable states; only entities whose observables are in one of the selected states are included in the outgoing feed data.

  6. From the Observable types drop-down menu, select all the observable types that you want to send out in the feed.

  7. From the Enrichment observable types drop-down menu, select the types of observables produced by enrichment that you want to send out in the feed.

  8. Click Save to store your changes, or Cancel to discard them.