Create and configure outgoing feeds#

Create an outgoing feed#

  1. In the left navigation bar, go to Data configuration > Outgoing feeds.

  2. In the top-left corner of the view, click the plus icon.

This opens a view where you can configure your outgoing feed. See Configure outgoing feed for the configuration options that follow.

Edit an outgoing feed#

  1. In the left navigation bar, go to Data configuration > Outgoing feeds.

  2. Locate the outgoing feed you want to edit. On the right, select More > Edit.

    Or:

    Select the feed to open it. At the top right, select More > Edit.

This opens a view where you can configure your outgoing feed. See Configure outgoing feed for the configuration options that follow.

Configure outgoing feed#

The following describes sections you can configure in an outgoing feed.

Note

Required fields are marked with an asterisk (*).

General#

In the General section, set the following fields:

Feed name*: Enter a name for this feed.

Sign content with private key: Select this option to sign all packages produced by this feed with the PGP private key set in Settings > System settings > Private key.

Transport and content#

Configure the feed for a given Transport type and Content type. Transport types and content types are provided by extensions listed in Extensions documentation.

Public#

Note

Only for transport types that support authenticated access to EclecticIQ Intelligence Center.

Default: (Not selected)

Select to allow unauthenticated access to published packages.

See individual transport type documentation in Extensions documentation.

Authorized groups*#

Default: (Not set)

Only appears if Public is not selected.

Select at least one group. User accounts that belong to a selected group can authenticate with EclecticIQ Intelligence Center to access content published by this feed.

This is commonly used with transport types that publish an endpoint on EclecticIQ Intelligence Center, such as the HTTP download feed. See individual transport type documentation in Extensions documentation.

Feed content*#

Datasets*#

Default: (Not set)

Select at least one dataset. A feed only packs data from datasets included in this list.

Update strategy#

Default: (Not set)

Select an update strategy.

Each time a feed runs, it must decide how much data to pack and publish. A feed’s Update strategy lets you select one of three behaviors for each run:

Append: (Recommended) Pack only objects that were added to the datasets since the last time this feed was run. Does not retract data that has already been published.

Replace: Pack all objects in the datasets, regardless of the last feed run. Not recommended: can be resource intensive and cause heavy network traffic.

Diff: (Not supported for some transport and content types) Reads data that has already been packed, and then:

  • If an object no longer exists on EclecticIQ Intelligence Center, removes it from the published destination.

  • If an object exists on EclecticIQ Intelligence Center but does not exist on the published destination, publishes that object to the destination.

Note

Actual effect depends on transport type and content type used. See Extensions documentation.

Note

This section is a generic description of feed behavior for each update strategy.

The actual effect of each update strategy depends on the transport type and content type used. Not all update strategies are supported for every transport type/content type combination.

Schedule#

Set an Execution schedule to have your feed run automatically.

None: Default. The feed must be run manually.

Every [n] minutes: Run this feed automatically every [n] minutes. Select a value for [n].

Every hour, [n] minutes past the hour: Run this feed automatically every hour, [n] minutes past the hour. For example, setting [n] to 4 causes this feed to run at:

  • 00:04

  • 01:04

  • etc.

Every [n] hours: Run this feed automatically at the start of every [n] hours. Select a value for [n].

Every day at [time]: Run this feed automatically at the specified time, once a day. Set a value for [time].

Every [n] days: Run this feed automatically at the start of every [n] days. Select a value for [n].

Every week on [day of the week] at [time]: Run this feed automatically once every week, on a specific day of the week at a specific time. Set values for [day of the week] and [time].

Every month on [day of the month] at [time]: Run this feed automatically once every month, on a specific day of the month at a specific time. Set values for [day of the month] and [time].

Caution

Avoid setting [day of the month] to 30 or 31. Doing so causes the feed to run only in months that have a 30th or 31st day.

Processing#

The options here let you select subsets of data from your selected datasets to publish.

Override TLP*#

Default: (Not set)

Leave empty to keep TLP unchanged.

Select a TLP color to set an overriding TLP value on all objects packed by this feed.

The following describes how this affects the data in an entity:

meta.tlp_color_override: This feed sets the TLP color you select here in this entity field.

meta.tlp_color_original and sources.tlp_color_override: These fields are not changed. meta.tlp_color_override supersedes these fields when deciding the TLP color of a given entity.

Filter TLP*#

Default: (Not set)

Leave empty to disregard TLP when packing intelligence for this feed.

Select a TLP to set the most restrictive TLP color this feed includes. All objects with TLP colors more restrictive than this are excluded from the feed.

For example, setting this to Green and below sets this feed to only include objects with TLP Green and White in its outgoing packages.

Source reliability filter#

Default: (Not set)

Leave empty to disregard source reliability when packing intelligence for this feed.

Select a minimum Source reliability value for objects to include in this feed. Only objects whose source reliability is equal to or more reliable than the selected value are packed by this feed.

For example:

  • Selecting A - Completely reliable allows this feed to pack only objects with a source reliability of A - Completely reliable.

  • Selecting C - Fairly reliable allows this feed to pack only objects with a source reliability of A - Completely reliable, B - Usually reliable, or C - Fairly reliable.

Relevancy threshold (%)#

Default: (Not set)

Leave unset to disregard half-life relevancy of entities when packing intelligence for this feed.

Only pack entities that have a half-life relevancy value equal to or higher than the value set here.

For more information about half-life relevancy, see Entities: Common properties.
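How Override TLP, Filter TLP, Source reliability filter and Relevancy threshold combine, as an added Python example that is not the product's code. The upper-case color values, the TLP and reliability orderings, the field names source_reliability and half_life_relevancy, and applying Filter TLP before Override TLP are assumptions made for this example.

```python
import copy
from typing import Optional

# Orderings assumed for this example: TLP from least to most restrictive,
# source reliability from A (completely reliable) to F (cannot be judged).
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]
RELIABILITY_ORDER = ["A", "B", "C", "D", "E", "F"]

def entity_tlp(entity: dict) -> Optional[str]:
    """meta.tlp_color_override supersedes meta.tlp_color_original (as the page states)."""
    meta = entity.get("meta", {})
    return meta.get("tlp_color_override") or meta.get("tlp_color_original")

def pack_entities(entities, filter_tlp=None, min_reliability=None,
                  relevancy_threshold=None, override_tlp=None):
    """Apply Filter TLP, Source reliability filter and Relevancy threshold,
    then write Override TLP into the survivors (order assumed for the example)."""
    packed = []
    for entity in entities:
        meta = entity.get("meta", {})
        tlp = entity_tlp(entity)
        # Filter TLP: exclude anything more restrictive than the selected color.
        if filter_tlp and (tlp is None or
                           TLP_ORDER.index(tlp) > TLP_ORDER.index(filter_tlp)):
            continue
        # Source reliability: keep only values equal to or better than the minimum.
        rel = meta.get("source_reliability")  # field name assumed for this example
        if min_reliability and (rel is None or RELIABILITY_ORDER.index(rel)
                                > RELIABILITY_ORDER.index(min_reliability)):
            continue
        # Relevancy threshold (%): keep entities at or above the threshold.
        if (relevancy_threshold is not None  # field name assumed for this example
                and meta.get("half_life_relevancy", 0) < relevancy_threshold):
            continue
        out = copy.deepcopy(entity)
        if override_tlp:
            out.setdefault("meta", {})["tlp_color_override"] = override_tlp
        packed.append(out)
    return packed

# Constructed sample entities (not real intelligence).
SAMPLE = [
    {"data": {"title": "Report A"}, "meta": {"tlp_color_original": "GREEN", "source_reliability": "A", "half_life_relevancy": 80}},
    {"data": {"title": "Report B"}, "meta": {"tlp_color_original": "AMBER", "source_reliability": "B", "half_life_relevancy": 90}},
    {"data": {"title": "Report C"}, "meta": {"tlp_color_original": "WHITE", "source_reliability": "D", "half_life_relevancy": 70}},
    {"data": {"title": "Report D"}, "meta": {"tlp_color_original": "WHITE", "source_reliability": "C", "half_life_relevancy": 20}},
    {"data": {"title": "Report E"}, "meta": {"tlp_color_original": "GREEN", "source_reliability": "B", "half_life_relevancy": 50}},
]
```

With Filter TLP Green, minimum reliability C and a 50% threshold, only Report A and Report E survive; the override is written to the packed copies, not to the stored entities.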

Allowed observable states*#

Default: (All states)

Only pack observables that have a Maliciousness value that matches at least one of the states selected here.

See Observable maliciousness.

Include source metadata#

Default: (None selected)

Select one or more sources. Leave empty to keep original source metadata.

Intelligence packed by this feed will only contain source metadata for sources selected here.

Include tag metadata#

Default: (None selected)

Select one or more items. Leave empty to keep original tags and taxonomies.

Intelligence packed by this feed will only contain tags and taxonomies selected here.

Exclude invalid STIX 1.2#

Default: (Not selected)

Select this option to exclude objects with invalid STIX 1.2 content from being packed by this feed.

Observable and Enrichment Observable types#

Observable types#

Default: (All types)

Select observable types to include in this feed. Only observable types selected here are packed for this feed.

Enrichment observable types#

Default: (All types)

Select enrichment observable types to include in this feed. Only enrichment observable types selected here are packed for this feed.

Exclude enrichments from the following sources#

Default: (None selected)

Select one or more enrichers. This feed excludes intelligence that comes from these enrichers.

Anonymization#

Use these fields to remove specific pieces of data from intelligence packed by this outgoing feed. Options here only apply to entities.

In these fields, enter an EIQ JSON path.

For example, the paths for the following fields are:

  • TLP colors: meta.tlp_color

  • Entity title: data.title

Known issue

Pre-defined paths do not work. Manually enter EIQ JSON paths instead.

Skip paths#

Default: (Not set)

Exclude specific fields in entities from intelligence packed by this feed.

You can set one or more fields to exclude by manually entering an EIQ JSON path:

  1. Select the field.

  2. Start typing.

  3. Press ENTER to finish adding the path.

Replace paths#

Default: (Not set)

Replace the value of a specific field to “mask” it in the resulting packed entity.

Set a value to replace in all entities packed by this feed:

  1. Select + Add or + More.

  2. In the fields that appear, enter values as follows:

    Path*: Enter an EIQ JSON path and press ENTER.

    Pattern*: Enter a regex pattern. This can match:

    • a substring (C2\s matches C2 followed by whitespace in C2 Behavior).

    • or all content in the field (.*).

    Value*: Enter a value to replace the pattern matched by Pattern.

For example, entering the following values:

  • Path*: data.title

  • Pattern*: C2\s

  • Value*: APT

Replaces C2 in the “Title” field of all entities with APT. So an entity with the title C2 Behavior is packed and renamed to APT Behavior.
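The Skip paths and Replace paths behaviour described above, applied to a constructed entity in an added Python example that is not the product's own code. It assumes that a dotted EIQ JSON path walks into nested lists and that Replace paths performs a standard regex substitution; under that assumption the \s in C2\s consumes the space after C2, so the replacement value needs a trailing space to produce APT Behavior.

```python
import copy
import re
from typing import Any, List, Tuple

def _targets(obj: Any, keys: List[str]) -> List[Tuple[dict, str]]:
    """Resolve a dotted EIQ JSON path (already split into keys) to the
    (container, key) pairs it addresses. Lists met along the path are
    expanded so one path covers every element (assumption for this example)."""
    if not keys:
        return []
    if isinstance(obj, list):
        return [t for item in obj for t in _targets(item, keys)]
    key, rest = keys[0], keys[1:]
    if not isinstance(obj, dict) or key not in obj:
        return []
    return _targets(obj[key], rest) if rest else [(obj, key)]

def anonymize(entity: dict, skip_paths=(), replace_paths=()) -> dict:
    """Return a copy of entity with Skip paths removed and Replace paths
    rewritten. replace_paths holds (path, pattern, value) triples; every
    regex match of pattern in the field's string value is replaced by value."""
    out = copy.deepcopy(entity)
    for path in skip_paths:
        for container, key in _targets(out, path.split(".")):
            del container[key]
    for path, pattern, value in replace_paths:
        for container, key in _targets(out, path.split(".")):
            if isinstance(container[key], str):
                container[key] = re.sub(pattern, value, container[key])
    return out

# Constructed sample entity (not real intelligence); the layout follows the
# EIQ JSON paths named on this page (data.title, meta.tlp_color, sources.*).
SAMPLE = {
    "data": {"title": "C2 Behavior", "description": "Beacon seen from host-17"},
    "meta": {"tlp_color": "AMBER"},
    "sources": [{"name": "internal", "tlp_color_override": None}],
}

if __name__ == "__main__":
    print(anonymize(SAMPLE,
                    skip_paths=["meta.tlp_color", "sources.name"],
                    replace_paths=[("data.title", r"C2\s", "APT ")]))
```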

Save#

Select Save to store your changes.

Or, select the drop-down arrow next to the Save button to view additional save options:

  • Save and run: Saves this outgoing feed and runs it immediately.

  • Save and new: Saves the current outgoing feed and opens an empty form for a new feed.

  • Save and duplicate: Saves this outgoing feed, then creates and opens for editing a new feed configuration that is a copy of the saved feed.