Work with EclecticIQ Fusion Center and Splunk#

Caution

This application is no longer supported.

From 22 August 2022, use both of the following apps instead:

Connect Splunk to the EclecticIQ Fusion Center using the Threat Intelligence EclecticIQ Platform App.

Requirements#

  • User name and password for EclecticIQ Fusion Center.

  • Threat Intelligence EclecticIQ Platform App for Splunk installed on your Splunk instance.

  • Network access between EclecticIQ Fusion Center and your Splunk instance.

Download and install the app on Splunk#

  1. Download the Threat Intelligence EclecticIQ Platform App from Splunkbase.

  2. Save the tar.gz package locally.

  3. Log into your Splunk instance.

  4. In the top navigation bar, open the Apps drop-down menu and select Manage Apps.

  5. In the top right corner, click Install app from file.

  6. In the Upload app page, click Browse and select the tar.gz package you just downloaded.

  7. Click Upload to install the package.

  8. When prompted, click Restart to restart your Splunk instance.

Configure the app#

Once the Threat Intelligence EclecticIQ Platform App is installed:

  1. In the top navigation bar of Splunk Web, click Apps > Manage Apps.

  2. Locate EclecticIQ Platform App in the list of apps.

  3. In the Actions column for EclecticIQ Platform App, click Set up.

  4. In the EclecticiIQ Platform App Configuration Page, fill out these fields:

    Field name

    Description

    EclecticIQ Platform url

    Enter: cti.eclecticiq.com.

    EclecticIQ Platform Version

    Enter: FC-Essentials.

    Verify the SSL Connection if SSL is used

    Select this option.

    ID of feeds for collection from EclecticIQ Platform

    Enter: 1, 3, unless otherwise instructed by your customer success manager.

    EclecticIQ Platform Source Group

    Leave empty.

    Username

    Enter your EclecticIQ Fusion Center user name.

    Password

    Enter your EclecticIQ Fusion Center password.

  5. Click Save Settings to finish configuring the app.

Optional app configuration#

(Optional) When configuring the app on the EclecticIQ Platform App Configuration Page, you can set up these options:

Proxy IP

If you’re using a proxy, enter its IP address here.

Proxy username

If required, enter the username for authenticating with your proxy.

Proxy password

Enter the password for your proxy.

Sightings query

Set to index=main by default.

Modify this to change the scope of the sightings query used by the app.

Send the following sightings types

All selected by default.

Select one or more sighting types to send to EclecticIQ Platform through the app.

Scripts Log Level

Set the log level for scripts run by the app. Change this only if you have issues with the app.

Possible values:

  • 0: Default. Sets log level to DEBUG.

  • 10: Default. Sets log level to INFO.

  • 30: Default. Sets log level to WARNING.

  • 40: Default. Sets log level to ERROR.

  • 50: Default. Sets log level to CRITICAL.