Configure content types#
Overview#
Generic transport types support a broader range of content types than vendor-specific transport types (such as Intel 471 and MISP feeds).
Tip: examples of generic transport types are:
- HTTP download
- SFTP download
- Syslog push
For a quick reference table, see Table of all generic content types.
Table of outgoing feed content types#
The following table describes the available generic content types for outgoing feeds:
| Content type | Description |
|---|---|
| EclecticIQ Entities CSV | CSV files containing records describing EIQ entities. |
| EclecticIQ Observables CSV | CSV files containing records describing EIQ observables. Note: when creating an outgoing feed using this content type, you must set at least: |
| EclecticIQ HTML Report | Creates an HTML package for each Report entity exported. You can customize the appearance of your HTML reports. See Customize EclecticIQ HTML Report below. |
| EclecticIQ HTML Report Digest | Creates an HTML package that contains a summary of all Report entities exported by the feed. You can customize the appearance of your HTML reports. See Customize EclecticIQ HTML Report below. |
| EclecticIQ JSON | EclecticIQ entities and observables in JSON. Typically used when sharing data between Intelligence Center instances. Selecting Override producer sets the Producer for all entities going through this feed to the value set in Settings () > STIX and TAXII > STIX > Add STIX settings > Producer. |
| PAN-OS External Dynamic List | For sending Palo Alto firewall blocklists containing IP, domain, and URL sightings. |
| Plain text value | Produces a plain text file that contains one value per line, extracted from entities in your feed’s datasets. See Plain text value below. |
| STIX 1.2 | See STIX 1.2 below. |
| STIX 2.1 | See STIX 2.1. |
Appendix#
Table of all generic content types#
The following table shows which content types are available for each generic transport type (✅ = supported):
| Content type | Send email | FTP upload | HTTP download | Mount point upload | Syslog push | SFTP upload | TAXII inbox | TAXII Poll | TAXII 2.1 push | TAXII 2.1 Inbox | TAXII 2.1 Poll | Amazon S3 push |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ArcSight CEF | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | |
| EclecticIQ Entities CSV | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | |
| EclecticIQ HTML Report | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | | |
| EclecticIQ HTML Report Digest | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | | |
| EclecticIQ JSON | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | | |
| EclecticIQ Observables CSV | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | |
| EclecticIQ PDF | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | | |
| PAN-OS External Dynamic List | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | | |
| Plain text value | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | | |
| STIX 1.2 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | | | | |
| STIX 2.1 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | |
Customize EclecticIQ HTML Report#
You can customize the appearance of your HTML reports with the following fields in the Content configuration section of your outgoing feed configuration:
Note: required fields are marked with an asterisk (*).
| Field | Description |
|---|---|
| Include following tags and taxonomy* | Tags or taxonomies added here are added as “Tags” to the HTML report. Type tag names or select one or more tags from the drop-down menu. Selecting a “parent” tag from the drop-down menu, such as |
| Include terms of use | Select to add a “Terms of use” section to the report. The “Terms of use” section is filled with the contents of the Default terms of use field in your Intel report settings. Set it by going to Settings () > System settings > Intel report > Edit settings and adding your terms of use to the Default terms of use field. |
| Include logo | Select to add your organization’s logo to the generated report. This uses the image specified in your Intel report settings to brand your reports. Set it by going to Settings () > System settings > Intel report > Edit settings and adding a URL to your logo image in the Specify a URL for your company logo used in the email template field. Your image must: |
| Include contact information | Select to add contact details to your report. This uses the information specified in your Intel report settings to brand your reports. Set it by going to Settings () > System settings > Intel report > Edit settings and adding contact details to the Default contact information field. |
| Root URL of EclecticIQ platform installation | Set this to the URL at which the platform can be accessed. Defaults to the host name set in Settings () > System settings > General > Hostname if left empty. |
| Additional information | Add information you want to include with your reports. The contents of this field are included at the end of each generated report. |
Example HTML report#
Example HTML digest report#
PAN-OS External Dynamic List#
When setting PAN-OS External Dynamic List as the content type of an outgoing feed, you must also set that feed's Content configuration > Palo Alto PAN-OS External Dynamic List field to one of the following:
- PAN-OS IP External Dynamic List: packs the outgoing feed as a list of IP (v4 and v6) addresses for Palo Alto firewall blocklists.
- PAN-OS Domain External Dynamic List: packs the outgoing feed as a list of domains for Palo Alto firewall blocklists.
- PAN-OS URL External Dynamic List: packs the outgoing feed as a list of URLs for Palo Alto firewall blocklists.
For PAN-OS URL External Dynamic List feeds, URLs from your dataset:
- must not contain a scheme (e.g. ‘https://’, ‘ftp://’)
- can contain wildcards
- are case-insensitive
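The following is an added example (not EclecticIQ's or Palo Alto's code) that shows what the three list kinds above amount to when built from dataset values: IP entries are validated as IPv4 or IPv6, and URL entries are rejected when they carry a scheme and case-folded before de-duplication, because PAN-OS matches them case-insensitively. The observable records, the observable type names (ipv4, ipv6, domain, uri) and the mapping from those types to list kinds are constructed assumptions, not taken from the page.

```python
"""Build PAN-OS External Dynamic List (EDL) bodies from observable values and
enforce the URL rules the page states: no scheme, wildcards allowed, matching
is case-insensitive. Added example; not EclecticIQ's or Palo Alto's code."""
import ipaddress
import re

# Constructed sample observables as (type, value) pairs. The type names
# ipv4/ipv6/domain/uri and the mapping below are assumptions for this example.
SAMPLE_OBSERVABLES = [
    ("ipv4", "203.0.113.10"),
    ("ipv6", "2001:db8::1"),
    ("ipv4", "not-an-ip"),                                # invalid: rejected
    ("domain", "malicious.example"),
    ("domain", "Malicious.EXAMPLE"),                      # same after case-folding
    ("uri", "malicious.example/login/*"),                 # wildcard is allowed
    ("uri", "https://malicious.example/payload.bin"),     # carries a scheme: rejected
    ("uri", "Malicious.Example/Login/*"),                 # duplicate after case-folding
]

# Which observable types feed each EDL kind (assumption, not from the page).
EDL_SOURCE_TYPES = {
    "ip": {"ipv4", "ipv6"},
    "domain": {"domain"},
    "url": {"uri"},
}

# A scheme prefix such as 'https://' or 'ftp://' at the start of the entry.
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def has_scheme(url: str) -> bool:
    """True for entries like 'https://...' that a PAN-OS URL list must not contain."""
    return _SCHEME_RE.match(url) is not None


def normalize_entry(kind: str, value: str):
    """Return (normalized_value, None) when the entry is valid for this list
    kind, or (None, reason) when it has to be left out of the list."""
    value = value.strip()
    if kind == "ip":
        try:
            # ip_address() accepts IPv4 and IPv6 and raises on anything else.
            return str(ipaddress.ip_address(value)), None
        except ValueError:
            return None, "not a valid IPv4/IPv6 address"
    if kind == "domain":
        return value.lower(), None
    if kind == "url":
        if has_scheme(value):
            return None, "contains a scheme"
        # PAN-OS matches URL entries case-insensitively, so fold case to dedupe.
        return value.lower(), None
    raise ValueError(f"unknown EDL kind: {kind}")


def build_edl(observables, kind: str):
    """Return (entries, rejected): the de-duplicated list body in input order
    and the (value, reason) pairs that were dropped, for the feed operator."""
    entries, rejected, seen = [], [], set()
    for obs_type, value in observables:
        if obs_type not in EDL_SOURCE_TYPES[kind]:
            continue
        normalized, reason = normalize_entry(kind, value)
        if normalized is None:
            rejected.append((value, reason))
        elif normalized not in seen:
            seen.add(normalized)
            entries.append(normalized)
    return entries, rejected


def render_edl(observables, kind: str) -> str:
    """The list body as a firewall fetches it: one entry per line."""
    entries, _ = build_edl(observables, kind)
    return "".join(entry + "\n" for entry in entries)


if __name__ == "__main__":
    for kind in EDL_SOURCE_TYPES:
        entries, rejected = build_edl(SAMPLE_OBSERVABLES, kind)
        print(f"[{kind}] {len(entries)} entries, {len(rejected)} rejected")
        for value, reason in rejected:
            print(f"  dropped {value!r}: {reason}")
```

Keeping the rejected entries with a reason, rather than silently dropping them, is the useful part for a defender: a dataset that keeps producing scheme-bearing URLs or malformed IPs is a data-quality problem upstream of the firewall, and the feed output alone would not reveal it.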
Plain text value#
The Plain text value content type extracts a single value from each entity in your outgoing feed’s dataset.
It writes to the resulting text file one value per line for each entity in your dataset(s).
To use this content type, you must set three fields in the Content configuration section of your feed configuration:
| Field name | Description |
|---|---|
| Field to take values from* | Specify an EclecticIQ JSON field name to extract values from, written in dot notation. For example, to access the Title of an Indicator entity, set this field to: data.title |
| Field to check a conditional value in* | Specify an EclecticIQ JSON field name, written in dot notation. For a given entity processed by this outgoing feed: For example, to access the Title of an Indicator entity, set this field to: data.title |
| Only use entities that match this conditional value* | Value to match in Field to check a conditional value in. This must be an exact match. |
Example: Include only indicators with SNORT rules
To configure a feed so that it only packs SNORT rules from its indicators, set the following:
Tip: only Indicator entities can contain test mechanisms, such as SNORT rules.
| Content configuration field | Value |
|---|---|
| Field to check a conditional value in | |
| Only use entities that match this conditional value | |
| Field to take values from | |
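The following is an added example (not EclecticIQ's code) of what the three Plain text value fields above do in combination, covering both the field table and the SNORT example: a dot-notation path is resolved against each entity, the conditional field is compared for an exact match, and one value per line is emitted for every entity that passes. The page does not give the field names for SNORT test mechanisms, so the example filters on an assumed data.type field instead and extracts data.title (the one path the page does show); the entity layout and all sample values are constructed.

```python
"""Produce the output of a "Plain text value" outgoing feed: one value per
line, taken from one dot-notation field of each entity whose conditional
field exactly matches a configured value. Added example, not EclecticIQ's
code; the entity shape and every field name except data.title are assumptions."""
from typing import Any, Iterable

# Constructed sample dataset in an EclecticIQ-JSON-like shape (assumed layout).
SAMPLE_ENTITIES = [
    {"data": {"type": "indicator", "title": "C2 host 203.0.113.10"},
     "meta": {"tlp_color": "AMBER"}},
    {"data": {"type": "report", "title": "Weekly threat summary"},
     "meta": {"tlp_color": "GREEN"}},
    {"data": {"type": "indicator", "title": "Phishing kit landing page"},
     "meta": {"tlp_color": "GREEN"}},
    {"data": {"type": "indicator"},                       # no title: nothing to emit
     "meta": {"tlp_color": "GREEN"}},
]


def resolve_path(obj: Any, dotted: str) -> Any:
    """Follow a dot-notation path such as 'data.title' through nested dicts.
    Returns None when any segment is missing, so one malformed entity
    cannot abort the whole feed run."""
    current = obj
    for key in dotted.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def extract_plain_text_values(entities: Iterable[dict], value_field: str,
                              condition_field: str, condition_value: str) -> list:
    """Return the lines the feed writes, in dataset order.

    The page requires an exact match on the conditional field; comparing the
    string form of the stored value (no case folding, no trimming) is this
    example's reading of that. Entities lacking either field are skipped.
    """
    lines = []
    for entity in entities:
        actual = resolve_path(entity, condition_field)
        if actual is None or str(actual) != condition_value:
            continue
        value = resolve_path(entity, value_field)
        if value is None:
            continue
        # A field that holds a list still yields one line per value.
        if isinstance(value, (list, tuple)):
            lines.extend(str(item) for item in value)
        else:
            lines.append(str(value))
    return lines


def render_feed_file(entities, value_field, condition_field, condition_value) -> str:
    """The text file body: one value per line, newline-terminated."""
    lines = extract_plain_text_values(entities, value_field, condition_field, condition_value)
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    # Titles of Indicator entities only (data.type is an assumed field name).
    print(render_feed_file(SAMPLE_ENTITIES, "data.title", "data.type", "indicator"), end="")
```

Two behaviours worth checking when you configure the real feed follow from the exact-match rule: a value that differs only in case ("Indicator" against "indicator") selects nothing, and an entity where the conditional field is absent is excluded rather than treated as a match.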
STIX 1.2#
Typical use cases include feeding a STIX 1.2-format outgoing feed to an external STIX-compatible device to instrument further processing or to trigger a response action.
Under Content configuration, do the following:
- Selecting Override producer sets the Producer for all entities going through this feed to the value set in Settings () > STIX and TAXII > STIX > Add STIX settings > Producer. This setting changes the following nested XML element in the entity's STIX structure:

```xml
<stixCommon:Identity>
  <!-- Producer identity, for example 'EclecticIQ' -->
  <stixCommon:Name>EclecticIQ</stixCommon:Name>
</stixCommon:Identity>
```

- Select the Include EclecticIQ-specific STIX extensions checkbox to enable EclecticIQ STIX extensions for the entities and the observables included in the outgoing feed content. Warning: select only if feed recipients cannot validate and parse STIX 1.2 content with EclecticIQ STIX extensions.