Knowledge packs#

Introduction#

Knowledge packs are pre-defined configuration bundles that equip Intelligence Center (IC) users with expert-curated workspaces and datasets for their threat research and investigations.

The feature ships with a set of packs created by EclecticIQ’s threat research team, drawing on their research experience and expertise.

As of version 2.11, Intelligence Center users can also create their own knowledge packs and share them with their consumers.

Requirements#

Permissions#

The following permissions are required to use knowledge packs. To see your permissions, go to Settings > User management > Permissions. See Permissions for more information on the permission settings for knowledge packs.

  • install knowledge-packs

    Can install knowledge packs. You must have both this and the read knowledge-packs permission to install knowledge packs.

  • read knowledge-packs

    Can view knowledge packs.

  • modify knowledge-packs

    Can modify knowledge packs as a producer.

Allow outgoing connections to EclecticIQ#

To allow your IC instance to retrieve knowledge packs from the EclecticIQ producer, allow outgoing requests to:

  • https://cti.eclecticiq.com/configuration-bundles/producer

  • https://cti.eclecticiq.com/configuration-bundles/published

Knowledge pack consumers and producers#

Intelligence Center users can create their own knowledge packs for dissemination to their users, fully customized to their own requirements and priorities. Knowledge pack creators are designated as producers. Users that install and use the packs created by producers are called consumers.

To be a producer, you must:

  • Enable (Beta) Producer. See below for more information.

  • Have modify knowledge-packs permissions

Note

The CREATED PACKS tab is visible only if (Beta) Producer is enabled, and you have modify knowledge-packs permissions.

(Beta) Producers#

This section describes how to create and manage knowledge packs.

Enable the producer beta#

Note

This feature is still in beta.

To enable knowledge pack creation and set up a producer:

  1. From the left navigation bar, go to Settings > System settings > General.

    • You can also go to Data configuration > Knowledge packs > CREATED PACKS, and then select SETUP PRODUCER. This option is shown only when you are setting up a producer for the first time and have not yet created any packs.

  2. Select EDIT SETTINGS.

  3. Select the Enable knowledge packs creation checkbox.

    • The Producer name field appears.

  4. Enter the producer’s name.

    • Producer name is a mandatory field.

    • The name entered here is shown as a producer on the consumer’s IC instance.

  5. Select SAVE.

Create knowledge packs#

To create a knowledge pack:

  1. From the left navigation bar, go to Data configuration > Knowledge packs > CREATED PACKS.

  2. Select Create Knowledge Pack (+).

  3. Fill out these fields:

    • Name: the name of the knowledge pack.

    • Description: a description for this knowledge pack.

  4. Select ADD EXISTING.

  5. In the Select objects window that appears, select the objects to add to your knowledge pack.

  6. Select CONFIRM.

  7. Select SAVE.

The knowledge pack created is listed in the CREATED PACKS tab.

Publish knowledge packs#

To make a knowledge pack available to consumers, you must:

  1. Publish the knowledge pack.

  2. Share the knowledge packs endpoint URL of your Intelligence Center instance with your consumers.

To publish a knowledge pack:

  1. Select a knowledge pack in the CREATED PACKS tab to open it.

  2. Select PUBLISH.

To share your knowledge packs endpoint URL:

  1. Go to the CREATED PACKS tab.

  2. Select Share.

  3. Copy the link displayed and share it with your consumers.

Edit and update knowledge packs#

To edit and update a knowledge pack:

  1. Unpublish the pack if it is in the published state.

  2. Add or remove the objects as required.

  3. Publish the pack again.

Unpublish knowledge packs#

To unpublish a knowledge pack:

  1. Select More (More) on the right of the knowledge pack you want to unpublish.

  2. Select Unpublish.

Note

When you unpublish a pack:

  • The pack becomes unavailable to the consumers. It is no longer displayed in MY LIBRARY in their IC instance.

  • Consumers that have already enabled the pack can continue to use it in their Intelligence Center instances.

Consumers#

This section describes the operations available to consumers and producers.

Add producers#

To see knowledge packs from a given producer, you must add that producer to your IC.

To add a producer:

  1. In the MY LIBRARY tab, select Manage producers (Settings).

    This opens the Producers management modal and displays a list of previously added producers.

  2. Enter the knowledge packs endpoint URL of the producer you want to add.

  3. Select ADD.

Tip

The EclecticIQ producer is added to IC instances by default.

To allow your IC instance to retrieve knowledge packs from the EclecticIQ producer, allow outgoing requests to:

  • https://cti.eclecticiq.com/configuration-bundles/producer

  • https://cti.eclecticiq.com/configuration-bundles/published

Remove producers#

To remove producers:

  1. Disable all packs associated with the producer you want to remove.

  2. In the MY LIBRARY tab, select Manage producers (Settings).

    This opens the Producers management modal and displays a list of previously added producers.

  3. Select (×) next to the producer that you want to remove.

  4. Confirm removal in the dialog that appears.

Enable a knowledge pack#

  1. In the MY LIBRARY tab, locate a knowledge pack to enable.

  2. On the right of that knowledge pack:

    • Select the dimmed Enabled toggle, or

    • Select More (More) > Enable.

  3. Follow the instructions that appear.

  4. When prompted, select one or more groups to grant access to the knowledge pack.

    Note

    This shares the knowledge pack itself with the members of that group. It does not grant group members access to the underlying objects that the knowledge pack distributes; that access must be granted separately.

  5. Select DONE.

Disable a knowledge pack#

  1. In the MY LIBRARY tab, locate a previously enabled knowledge pack to disable.

  2. On the right of that knowledge pack:

    • Select the Enabled toggle, or

    • Select More (More) > Disable.

  3. Follow the instructions that appear.

  4. Select PROCEED.

Known limitations#

Knowledge packs are a beta feature. The following known limitations are ones that EclecticIQ intends to address in upcoming releases:

  • No authentication

    • At present, the knowledge packs endpoint is unauthenticated: any client that can reach a producer’s endpoint URL can retrieve the packs that producer has published, so do not include sensitive data in a published pack.

  • Synchronizing updates to consumers.

    • Producers cannot synchronize updates to a consumer when:

      • A pack has been published by a producer.

        In order to synchronize updates for a published pack, producers must unpublish and then publish the pack.

      • The pack is already enabled on a consumer.

        In order to receive an updated version of a pack, the consumer must disable and then enable it.

  • Versioning knowledge packs is not possible at present.

  • Deleting an object from EclecticIQ Intelligence Center does not remove it from a knowledge pack.

    • When a producer deletes an object (e.g. a rule, a dataset, or a workspace) that is part of a knowledge pack, the object is not removed from the knowledge pack.