Configure content types#

Overview#

Generic transport types support a broader range of content types than vendor-specific transport types (such as Intel 471 and MISP feeds).

Tip

Examples of generic transport types are:

  • HTTP download

  • SFTP download

  • Syslog push

For a quick reference table, see Table of all generic content types.

Table of outgoing feed content types#

The following table describes the available generic content types for outgoing feeds:

Content type

Description

ArcSight CEF (Common Event Format)

For ArcSight ESM (Enterprise Security Manager)

EclecticIQ Entities CSV

CSV files containing records describing EIQ entities.

EclecticIQ Observables CSV

CSV files containing records describing EIQ observables.

Note

When creating an outgoing feed using this content type, you must set at least:

  • one observable type in the Observable types field

  • one observable type in the Enrichment observable types field

EclecticIQ HTML Report

Creates an HTML package for each Report entity exported.

You can customize the appearance of your HTML reports. See Customize EclecticIQ HTML Report below.

EclecticIQ HTML Report Digest

Creates an HTML package that contains a summary of all Report entities exported by the feed.

You can customize the appearance of your HTML reports. See Customize EclecticIQ HTML Report below.

EclecticIQ JSON

EclecticIQ entities and observables in JSON. Typically used when sharing data between Intelligence Center instances.

Selecting Override producer sets the Producer for all entities going through this feed to the value set in Settings (Settings) > STIX and TAXII > STIX > Add STIX settings > Producer.

PAN-OS External Dynamic List

For sending Palo Alto firewall blocklists containing IP, domain, and URL sightings.

See PAN-OS External Dynamic List.

Plain text value

Produces a plain text file that contains one value per line, extracted from entities in your feed’s datasets.

See Plain text value below.

STIX 1.2

See STIX 1.2 below.

STIX 2.1

See STIX 2.1 below.

Appendix#

Table of all generic content types#

The following table describes content types available for generic transport types:

Transport types:

  • Send email

  • FTP upload

  • HTTP download

  • Mount point upload

  • Syslog push

  • SFTP upload

  • TAXII inbox

  • TAXII Poll

  • TAXII 2.1 push

  • TAXII 2.1 Inbox

  • TAXII 2.1 Poll

  • Amazon S3 push

Content types:

  • ArcSight CEF

  • EclecticIQ Entities CSV

  • EclecticIQ HTML Report

  • EclecticIQ HTML Report Digest

  • EclecticIQ JSON

  • EclecticIQ Observables CSV

  • EclecticIQ PDF

  • PAN-OS External Dynamic List

  • Plain text value

  • STIX 1.2

  • STIX 2.1

Customize EclecticIQ HTML Report#

You can customize the appearance of your HTML reports with the following fields in the Content configuration section of your outgoing feed configuration:

Note

Required fields are marked with an asterisk (*).

Field

Description

Include following tags and taxonomy*

Tags or taxonomies added here are added as “Tags” to the HTML report.

Type tag names or select one or more tags from the drop-down menu.

Selecting a “parent” tag from the drop-down menu, such as Admiralty code, adds all its children.

Include terms of use

Select to add a “Terms of use” section to the report.

The “Terms of use” section is filled with the contents of the Default terms of use field in your Intel report settings. Set it by going to Settings (Settings) > System settings > Intel report > Edit settings and adding your terms of use to the Default terms of use field.

Include logo

Select to add your organization’s logo to the generated report.

This uses the image specified in your Intel report settings to brand your reports.

Set it by going to Settings (Settings) > System settings > Intel report > Edit settings and adding a URL to your logo image in the Specify a URL for your company logo used in the email template field.

Your image must:

  • Be in .png or .jpg format

  • Have a maximum size of 200 x 200 px

  • Be less than 320 KB

  • Be accessible from the EclecticIQ Intelligence Center host

Include contact information

Select to add contact details to your report.

This uses the information specified in your Intel report settings to brand your reports.

Set it by going to Settings (Settings) > System settings > Intel report > Edit settings and adding contact details to the Default contact information field.

Root URL of EclecticIQ platform installation

Set this to the URL at which you can access the platform.

Defaults to the host name set in Settings (Settings) > System settings > General > Hostname if left empty.

Additional information

Add information you want to include with your reports.

The contents of this field are included at the end of each generated report.
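An added offline check (not EclecticIQ's code) that a candidate logo file meets the format, dimension and size limits listed above, reading only the PNG IHDR and JPEG SOF headers so no image library is needed; `fake_png_header` builds constructed test input, and reachability from the Intelligence Center host is out of scope.

```python
import struct

MAX_LOGO_BYTES = 320 * 1024   # "less than 320 KB"
MAX_LOGO_SIDE = 200           # "maximum size of 200 x 200 px"

def image_format_and_size(data):
    """Return (format, width, height) for PNG or JPEG bytes, or None for
    anything else. Only the headers are parsed."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        width, height = struct.unpack(">II", data[16:24])
        return "png", width, height
    if data[:2] == b"\xff\xd8":
        pos = 2
        while pos + 9 <= len(data) and data[pos] == 0xFF:
            marker = data[pos + 1]
            seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker in (0xC0, 0xC1, 0xC2):  # SOF0/1/2: precision, height, width
                height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
                return "jpg", width, height
            pos += 2 + seg_len  # skip this segment (length includes its own 2 bytes)
    return None

def check_logo(data):
    """Return a list of problems with the candidate logo bytes; an empty list
    means the format, dimension and size limits above are all met."""
    problems = []
    if len(data) >= MAX_LOGO_BYTES:
        problems.append(f"file is {len(data)} bytes, must be under {MAX_LOGO_BYTES}")
    info = image_format_and_size(data)
    if info is None:
        problems.append("not a PNG or JPEG image")
    else:
        fmt, width, height = info
        if width > MAX_LOGO_SIDE or height > MAX_LOGO_SIDE:
            problems.append(f"{fmt} is {width}x{height} px, limit is {MAX_LOGO_SIDE}x{MAX_LOGO_SIDE}")
    return problems

def fake_png_header(width, height):
    """Constructed test input: PNG signature plus an IHDR chunk (no CRC or image data)."""
    return (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0))
```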

Example HTML report#

Example HTML report.

Example HTML digest report#

Example digest report.

PAN-OS External Dynamic List#

When setting PAN-OS External Dynamic List as the content type of an outgoing feed, you must also set the feed's Content configuration > Palo Alto PAN-OS External Dynamic List field to one of the following:

  • PAN-OS IP External Dynamic List: packs the outgoing feed as a list of IP (v4 and v6) addresses for Palo Alto firewall blocklists.

  • PAN-OS Domain External Dynamic List: packs the outgoing feed as a list of domains for Palo Alto firewall blocklists.

  • PAN-OS URL External Dynamic List: packs the outgoing feed as a list of URLs for Palo Alto firewall blocklists.

    For PAN-OS URL External Dynamic List feeds, URLs from your dataset:

    • must not contain a scheme (e.g. ‘https://’, ‘ftp://’)

    • can contain wildcards

    • are case-insensitive
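A pre-publication check for the three list kinds, added here as an illustration (not EclecticIQ's or Palo Alto's code): it rejects URL entries that carry a scheme, lowercases and de-duplicates domain and URL entries because the firewall matches them case-insensitively, lets wildcards pass through in URLs, and validates IP entries with the standard library. The test values are constructed from documentation address ranges.

```python
import ipaddress
import re

# Matches a leading scheme such as "https://" or "ftp://" (case-insensitive).
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def check_edl_entries(kind, values):
    """Validate entries for an EDL of kind 'ip', 'domain' or 'url'.
    Returns (accepted, rejected); rejected holds (entry, reason) pairs.
    Domain/URL entries are emitted lowercased; IP entries are emitted as given
    but de-duplicated on their canonical form (so 2001:DB8::1 == 2001:db8::1)."""
    accepted, rejected, seen = [], [], set()
    for raw in values:
        entry = raw.strip()
        if not entry:
            rejected.append((raw, "empty entry"))
            continue
        if kind == "ip":
            try:  # accepts a single v4/v6 host or a CIDR range
                key = str(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                rejected.append((raw, "not an IPv4/IPv6 address or CIDR range"))
                continue
            out = entry
        elif kind == "domain":
            key = out = entry.lower()
            if _SCHEME_RE.match(key) or "/" in key or " " in key or "." not in key:
                rejected.append((raw, "not a bare domain name"))
                continue
        elif kind == "url":
            if _SCHEME_RE.match(entry):
                rejected.append((raw, "must not contain a scheme"))
                continue
            key = out = entry.lower()  # wildcards (*) are left in place
        else:
            raise ValueError(f"unknown EDL kind: {kind!r}")
        if key in seen:
            continue  # duplicate, including a case variant of an earlier entry
        seen.add(key)
        accepted.append(out)
    return accepted, rejected
```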

Plain text value#

The Plain text value content type extracts a single value from each entity in your outgoing feed’s dataset.

It writes one value per line to the resulting text file, for each entity in your dataset(s).

To use this content type, you must set three fields in the Content configuration section of your feed configuration:

Field name

Description

Field to take values from*

Specify an EclecticIQ JSON field name to extract values from.

This should be written in dot notation. For example, to access the Title of an Indicator entity, set this field to:

data.title

Caution

  • Only supports extracting values from fields whose top-level fields (“parent” fields) are:

    • data

    • meta

    • extracts

  • Does not support field indices (e.g. extracts[0].value)

Field to check a conditional value in*

Specify an EclecticIQ JSON field name.

For a given entity processed by this outgoing feed:

  • check the contents of the field specified here.

  • if the contents of this field match the value specified in Only use entities that match this conditional value, then include the contents of the field specified in Field to take values from.

This should be written in dot notation. For example, to access the Title of an Indicator entity, set this field to:

data.title

Caution

  • Only supports extracting values from fields whose top-level fields (“parent” fields) are:

    • data

    • meta

    • extracts

  • Does not support field indices (e.g. extracts[0].value)

Only use entities that match this conditional value*

Value to match in Field to check a conditional value in.

This must be an exact match.

Example: Include only indicators with SNORT rules

To configure the feed to pack only the SNORT rules of the Indicator entities in its datasets:

Tip

Only Indicator entities can contain test mechanisms, such as SNORT rules.

Content configuration field

Value

Field to check a conditional value in

data.test_mechanisms.test_mechanism_type

Only use entities that match this conditional value

snort

Field to take values from

data.test_mechanisms.rules.value
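The extraction and conditional logic described above, reimplemented as an added example (not the platform's own code) over constructed entities in the shape of EclecticIQ JSON. It enforces the two cautions (supported parent fields, no indices) and assumes that the dot-notation lookup descends into lists, which the page does not state explicitly but which the SNORT example requires.

```python
SUPPORTED_PARENTS = ("data", "meta", "extracts")

def resolve_path(entity, dotted):
    """Resolve a dot-notation field path against an entity dict and return the
    list of leaf values found. Assumption: when a segment meets a list, every
    element is visited, so data.test_mechanisms.rules.value yields one value per rule."""
    parts = dotted.split(".")
    if any("[" in p or "]" in p for p in parts):
        raise ValueError("field indices such as extracts[0].value are not supported")
    if parts[0] not in SUPPORTED_PARENTS:
        raise ValueError(f"parent field must be one of {SUPPORTED_PARENTS}, got {parts[0]!r}")
    current = [entity]
    for part in parts:
        nxt = []
        for node in current:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        current = nxt
    leaves = []  # flatten a trailing list so scalars come out one per line
    for value in current:
        leaves.extend(value if isinstance(value, list) else [value])
    return leaves

def plain_text_values(entities, value_field, cond_field, cond_value):
    """Emulate the Plain text value content type: one line per extracted value,
    taken only from entities whose cond_field holds cond_value exactly."""
    lines = []
    for entity in entities:
        # Exact, case-sensitive match; an entity with several test mechanisms
        # passes if any one of them matches (assumption, not documented above).
        if cond_value not in resolve_path(entity, cond_field):
            continue
        lines.extend(str(v) for v in resolve_path(entity, value_field) if v is not None)
    return lines

# Constructed sample entities in the shape of EclecticIQ JSON (not real platform output).
SAMPLE_ENTITIES = [
    {"data": {"type": "indicator", "title": "Beacon C2", "test_mechanisms": [
        {"test_mechanism_type": "snort",
         "rules": [{"value": 'alert tcp any any -> any 443 (msg:"beacon"; sid:1000001;)'}]}]}},
    {"data": {"type": "indicator", "title": "Dropper hash", "test_mechanisms": [
        {"test_mechanism_type": "yara", "rules": [{"value": "rule dropper { condition: false }"}]}]}},
    {"data": {"type": "report", "title": "Weekly summary"}},
]

if __name__ == "__main__":
    print("\n".join(plain_text_values(SAMPLE_ENTITIES, "data.test_mechanisms.rules.value",
                                      "data.test_mechanisms.test_mechanism_type", "snort")))
```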

STIX 1.2#

Typical use cases include feeding a STIX 1.2-format outgoing feed to an external STIX-compatible device to drive further processing or to trigger a response action.

Under Content configuration, do the following:

  1. Selecting Override producer sets the Producer for all entities going through this feed to the value set in Settings (Settings) > STIX and TAXII > STIX > Add STIX settings > Producer.

    This setting changes the following nested XML element in the entity STIX structure:

    <stixCommon:Identity>
      <!-- Producer identity, for example 'EclecticIQ' -->
      <stixCommon:Name>EclecticIQ</stixCommon:Name>
    </stixCommon:Identity>

  2. Select the Include EclecticIQ-specific STIX extensions checkbox to enable EclecticIQ STIX extensions for the entities and the observables included in the outgoing feed content.

    Warning

    Select only if feed recipients cannot validate and parse STIX 1.2 content with EclecticIQ STIX extensions.

Tip

To validate STIX 1.x content, use the following projects: