About outgoing feeds#
Configure outgoing feeds to publish cyber threat intelligence through the platform to instrument external tools and devices, and to share intelligence with selected recipients within the organization, as well as with external third-parties.
Outgoing feeds are a powerful tool to disseminate intelligence and to promote constructive collaboration, as well as to programmatically act on intelligence by automating tasks in your security toolchain.
For example, an external device can receive platform data through an outgoing feed, and it can react to it by initiating predefined actions such as closing open ports or blacklisting malicious IP addresses and domain names.
Once it is set up and it is running, an outgoing feed provides a data stream that the intended recipients can consume.
EclecticIQ Platform uses outgoing feeds to publish and share cyber threat intelligence in multiple formats through a number of configurable transport channels.
You can share intelligence with co-workers and teams within the organization, as well as with external recipients such as clients and consumers.
You can use outgoing feeds to route platform data to external devices to initiate follow-up actions based on the data type being transmitted, and on the receiving system or device.
A minimal outgoing feed configuration includes:
A data source: the data source of an outgoing feed is always a dataset.
You can configure as many datasets as necessary to act as sources for an outgoing feed.
Data sources can be existing incoming feeds and enrichers, as well as existing platform user groups.
A transport type: the vehicle carrying the data.
Typically, this is a communications protocol such as TAXII, HTTP, FTP, IMAP, or Syslog.
A content type: the outgoing data format the platform is publishing through the outgoing feed.
For example, STIX, JSON, CSV, or plain text.
An update strategy: the condition(s) defining how content is selected for inclusion in the outgoing feed.
For example, you can choose to include in an outgoing feed task run only new content, as well as both new and existing content.