Getting started
The EclecticIQ Browser Extension speeds up your intelligence collection process by allowing you to create observables and entities and send them to the EclecticIQ Intelligence Center (IC) while you search for threat intelligence on the web.
Note
Before using the browser extension, see Requirements and Limitations.
This article uses IPv4 addresses that have been identified as Indicators of Compromise (IoC) in Investigating Phishing Attacks Exploiting Coronavirus Themes (EclecticIQ Blog) as examples.
Below is a partial list of IPv4 addresses found in Investigating Phishing Attacks Exploiting Coronavirus Themes:
You can use these IoCs when trying out the EclecticIQ Browser Extension.
Requirements
Platform: EclecticIQ Intelligence Center 2.3 and newer.
Network: You must be able to access the web interface for the EclecticIQ Intelligence Center through the browser.
User permissions: Use a user account that has been assigned:
A user role that gives at least “modify entities” permissions.
A user group that allows access to the appropriate data sources.
Note
LDAP and SAML
The browser extension does not support LDAP or SAML authentication. Create a new user account with the appropriate roles and groups and use it with the browser extension.
Limitations
The browser extension is designed to help you quickly process IoCs that you find while browsing the web. If you need to collect and process a large number of IoCs, set up Incoming feeds instead.
In the browser extension, you can have:
Up to 1000 created observables at any one time. Once you have 1000 observables created in the browser extension, it ignores any new observables you try to add. To continue creating new observables in the browser extension, ingest or remove observables that are already created in the browser extension.
Entities with up to 99 observables attached. Once an entity created in the browser extension has 99 observables attached to it, it rejects attempts to attach more observables to it. To add more observables to an entity created in the browser extension, you must ingest that entity and then manage those connections on the IC.
Install the browser extension
Google Chrome
To install the EclecticIQ Browser Extension for Google Chrome:
Go to the Chrome web store.
Select Add to Chrome.
A dialog box opens in Google Chrome asking whether to add “EclecticIQ”. Click Add extension to finish installing the browser extension.
Firefox
The EclecticIQ Browser Extension for Firefox can be downloaded directly from our servers here: EclecticIQ Browser Extension for Firefox
To install the EclecticIQ Browser Extension for Firefox:
Using the Firefox browser, click this link to have Firefox download and check the extension package.
A dialog box opens in Firefox asking if you would like to Add EclecticIQ. Click Add to finish installing the browser extension.
Connect to EclecticIQ Intelligence Center
After installing the browser extension, sign in to EclecticIQ Intelligence Center:
Click the EclecticIQ Browser Extension icon on your browser toolbar.
In the open browser extension window, select the gear icon to open the Settings page.
With the Settings page open, select the Credentials tab. Fill out these fields:
Platform URL: The fully qualified domain name (FQDN) or IP address you use to access EclecticIQ Intelligence Center. Make sure to include https:// at the start of your IC URL.
Username: User name of a user on EclecticIQ Intelligence Center who is assigned:
A user role that gives at least “modify entities” permissions.
A user group that allows the user access to the appropriate data sources.
Note
For more information about user permissions, see User permissions.
Password: Password for the user.
Once done, select Save options.
Create new observables
Using the browser extension, you can create new observables while browsing the web.
Create new observables using the extension in two ways:
Extract observables from a web page
You can add observables by selecting text on a web page, and using the browser extension to extract observables from the selected text automatically. Observables extracted this way are automatically assigned a type. This also works with any document that you can open in the browser, such as PDF documents.
The browser extension can extract these observable types:
IPv4
URI
Domain
E-mail
Hash-MD5
Hash-SHA256
Hash-SHA512
Hash-SHA1
File name
To use the browser extension to extract observables from a web page:
Open Google Chrome and navigate to a web page that contains information about a threat that you want to add to EclecticIQ Intelligence Center.
On the web page, highlight the text that contains a description of the threat.
Right-click the highlighted text to open the context menu. There, select EclecticIQ to display the options available.
Select an option from the context menu to extract observables from the highlighted text. You can select from the following options:
Option: Description
Collect all known observables: The browser extension:
Creates observables for each extracted data type.
Automatically sets the name of the created observable and its type.
Displays these extracted observables on the left of the browser extension window.
Collect all known observables and create entities: Does the same thing as Collect all known observables. In addition, it automatically:
Creates an entity for each extracted observable. This entity is given the same name as the extracted observable.
Adds each observable to its corresponding entity.
Caution
You must set the Source group for your new entities after creating them with Collect all known observables. Without a set Source group, the browser extension displays an error when you try to ingest the entity.
Set the Source group for your new entities by editing multiple entities at the same time.
Collect IPv4 observables: Extracts only IPv4 observables.
Collect URI observables: Extracts only URI observables.
Collect Domain observables: Extracts only Domain observables.
Collect E-mail observables: Extracts only E-mail observables.
Collect Hash-MD5 observables: Extracts only Hash-MD5 observables.
Collect Hash-SHA256 observables: Extracts only Hash-SHA256 observables.
Collect Hash-SHA512 observables: Extracts only Hash-SHA512 observables.
Collect Hash-SHA1 observables: Extracts only Hash-SHA1 observables.
Collect File name observables: Extracts only File name observables.
Each observable type is extracted using a pre-defined regular expression. To customize these regular expressions, see Regular expressions for extracting observables.
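The type-by-type extraction described above, as an added example that is not the extension's own code: the patterns, the defang handling and the function names are assumptions, and only the IPv4, URI, E-mail and hash types are covered. It also models the 1000-observable limit from Limitations.

```javascript
// Illustrative patterns (assumption), NOT the extension's pre-defined expressions.
const PATTERNS = {
  ipv4: /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g,
  uri: /\bhttps?:\/\/[^\s"'<>]*[^\s"'<>.,;:!?)]/gi,
  email: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g,
  "hash-md5": /\b[a-f0-9]{32}\b/gi,
  "hash-sha1": /\b[a-f0-9]{40}\b/gi,
  "hash-sha256": /\b[a-f0-9]{64}\b/gi,
  "hash-sha512": /\b[a-f0-9]{128}\b/gi,
};
const MAX_OBSERVABLES = 1000; // limit stated under Limitations on this page

// Undo common defanging so "192.0.2[.]10" and "hxxp://" match the patterns.
function refang(text) {
  return text
    .replace(/\\?\[\.\\?\]|\(\.\)/g, ".")
    .replace(/\bhxxp(s?)\b/gi, "http$1")
    .replace(/\[(?:at|@)\]/gi, "@");
}

// Unique {type, value} pairs; pass `types` to mimic a single "Collect ..." option.
function extractObservables(selection, types = Object.keys(PATTERNS)) {
  const text = refang(selection);
  const seen = new Set();
  const found = [];
  for (const type of types) {
    for (const match of text.matchAll(PATTERNS[type])) {
      const value = type.startsWith("hash-") ? match[0].toLowerCase() : match[0];
      if (seen.has(`${type}|${value}`)) continue; // skip duplicates in the selection
      seen.add(`${type}|${value}`);
      found.push({ type, value });
    }
  }
  return found;
}

// Model the 1000-observable limit: extras beyond the free slots are ignored.
function addToExtension(existingCount, extracted) {
  const free = Math.max(0, MAX_OBSERVABLES - existingCount);
  return { added: extracted.slice(0, free), ignored: extracted.slice(free) };
}

// Constructed sample selection; addresses come from documentation ranges.
const SAMPLE = "Phish page hxxp://198.51.100[.]7/login.php, C2 192.0.2[.]10, " +
  "sender billing@example[.]com, dropper MD5 0123456789abcdef0123456789abcdef.";
console.log(extractObservables(SAMPLE));
```

The word boundaries around each hash pattern keep a 64-character SHA256 value from also being reported as two MD5 values.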
Manually
To create observables in the browser extension:
Click the EclecticIQ Browser Extension icon on your browser toolbar.
In the open extension window, select the plus icon at the top-left corner to open the Create observable window.
In the Type field, select a type of observable to create. The EIQ Clipboard extension allows you to create the following observable types:
IPv4
URI
Domain
E-mail
Hash-MD5
Hash-SHA1
Hash-SHA256
Hash-SHA512
File Name
(Optional) In the Maliciousness field, select the level of maliciousness the observable presents. This defaults to “Unknown”.
Once done, select Create.
This adds the observable to the list on the left of the extension window, but does not update EclecticIQ Intelligence Center yet.
To update EclecticIQ Intelligence Center with your new observables, you must add them to a new entity.
Create new entities
To create a new entity in the browser extension:
Click the EclecticIQ Browser Extension icon on your browser toolbar.
In the open extension window, select the plus icon at the top-left corner to open the Create entity window.
Fill out the fields in the Create entity window. You must at least fill out these three fields:
Name
Sub-type
Source group
Select Create to save your settings and create the entity.
Add observables to entities
Click the EclecticIQ Browser Extension icon on your browser toolbar.
In the open extension window, select the observables you want to add to an entity by selecting the checkbox on the left of each observable.
Select → Move to open a drop-down menu containing a list of entities available in the browser extension.
From the list of entities available, select an entity to add your observables to.
Once done, you can see the observables you’ve added to the entity.
Ingest entity
Click the EclecticIQ Browser Extension icon on your browser toolbar.
Select the entities that you want EclecticIQ Intelligence Center to ingest.
Select Ingest to update EclecticIQ Intelligence Center with the selected entities.