Knowledge packs#

Introduction #

Knowledge packs provide pre-defined configurations, or packs, that equip EclecticIQ Intelligence Center users with the ability to address their threat research and investigations through expert-curated workspaces and datasets.

Knowledge packs come with a set of packs created by EclecticIQ’s threat research team as a culmination of their vast research experience and expertise.

Requirements #

Permissions #

The following permissions are required to use knowledge packs. To see your permissions, go to, Settings () > User management > Permissions. See Permissions for more information on the permission settings for knowledge packs.

Permissions	Description
`install knowldege-packs`	Can install knowledge packs. Must have both this and `read knowldege-packs` permissions to install knowledge packs.
`read knowldege-packs`	Can view knowledge packs.
`modify knowldege-packs`	Can modify knowledge packs as a Producer.

Permissions

Description

install knowldege-packs

Can install knowledge packs.

Must have both this and read knowldege-packs permissions to install knowledge packs.

read knowldege-packs

Can view knowledge packs.

modify knowldege-packs

Can modify knowledge packs as a Producer.

Knowledge pack consumers and producers

Your Intelligence Center instance can be configured to be a knowledge pack consumer and producer.

By default, all Intelligence Center instances can consume knowledge packs. Knowledge pack producers can create knowledge packs and distribute them to other Intelligence Centers. To configure your Intelligence Center instance as a producer, see (EclecticIQ Labs) Knowledge pack creation.

Consumers #

This section describes how to configure your Intelligence Center instance to consume knowledge packs.

Add producers #

To see knowledge packs from a given producer, you must add that producer to your EclecticIQ Intelligence Center.

To add a producer:

In the MY LIBRARY tab, select Manage producers .

This opens the Producers management modal and displays a list of previously added producers.
Enter the knowledge packs endpoint URL of the producer you want to add.
Select ADD.

Tip

By default, the EclecticIQ producer is added on EclecticIQ Intelligence Center instances.

If the EclecticIQ producer is not present, add it by selecting Manage producers and adding https://cti.eclecticiq.com/configuration-bundles/.

To configure firewall to allow access to the EclecticIQ producer, see Outgoing connections to EclecticIQ producer.

Remove producers #

To remove producers:

Disable all packs associated with a producer.
In the MY LIBRARY tab, select Manage producers .

This opens the Producers management modal and displays a list of previously added producers.
Select (×) against the producer that you want to remove.
Confirm removal in the dialog that appears.

Enable a knowledge pack #

In the MY LIBRARY tab, locate a knowledge pack to enable.
On the right of that knowledge pack:
- Select the dimmed Enabled toggle, or
- Select More () > Enable.
Follow the instructions that appear.
When prompted, select one or more groups to grant access to the knowledge pack.

Note

This shares the knowledge pack itself with the members of that group. However, group members still need to be granted access to the underlying objects distributed by the knowledge packs.
Select DONE.

Disable a knowledge pack #

In the MY LIBRARY tab, locate a previously enabled knowledge pack to disable.
On the right of that knowledge pack:
- Select the Enabled toggle, or
- Select More () > Disable.
Follow the instructions that appear.
Select PROCEED.

(EclecticIQ Labs) Knowledge pack creation #

This section describes how to create and manage knowledge packs.

Enable (EclecticIQ Labs) Knowledge pack creation #

Note

This feature is still in preview.

Requirements:

User must have modify knowledge-packs permissions.
In addition, make sure external Intelligence Center instances can access your knowledge packs. See Firewall rules.

To enable knowledge pack creation and set up a producer:

From the left navigation bar, go to Settings()> System settings > General.
- You can also go to Data configuration ()> Knowledge packs > CREATED PACKS, and then select SETUP PRODUCER. You will see this option only when you set up a producer for the first time and you have not created any packs.
Select EDIT SETTINGS.
Select the Enable knowledge packs creation checkbox.
- The Producer name field appears.
Enter the producer’s name.
- Producer name is a mandatory field.
- The name entered here is shown as a producer on the consumer’s EclecticIQ Intelligence Center instance.
Select SAVE.

Create knowledge packs #

To create a knowledge pack:

From the left navigation bar, go to Data configuration ()> Knowledge packs > CREATED PACKS.
Select Create Knowledge Pack (+).
Fill out these fields:

Field name

Description

Name

Name of knowledge pack.

Description

Enter a description for this knowledge pack.
Select ADD EXISTING.
In the Select objects window that appears, select the objects to add to your knowledge pack.
Select CONFIRM.
Select SAVE.

Field name	Description
Name	Name of knowledge pack.
Description	Enter a description for this knowledge pack.

The knowledge pack created is listed in the CREATED PACKS tab.

Publish knowledge packs #

To make a knowledge pack available to consumers, you must:

Publish the knowledge pack.
Share the knowledge packs endpoint URL for your Intelligence Center instance.

To publish a knowledge pack:

Select a knowledge pack in the CREATED PACKS tab to open it.
Select PUBLISH.

To share your knowledge packs endpoint URL:

Go to the CREATED PACKS tab.
Select Share .
Copy the link displayed and share it with your consumers.

Edit and update knowledge packs #

To edit and update a knowledge pack:

Unpublish the pack if it is in the published state.
Add or remove the objects as required.
Publish the pack again.

Unpublish knowledge packs #

To unpublish a knowledge pack:

Select More () on the right of the knowledge pack you want to unpublish.
Select Unpublish.

Note

When you unpublish a pack:

The pack becomes unavailable to the consumers. It is no longer displayed in MY LIBRARY in their EclecticIQ Intelligence Center instance.
Consumers that have already enabled the pack can continue to use it in their Intelligence Center instances.

Known limitations #

Knowledge pack creation is considered a preview feature. The following is a list of known limitations that EclecticIQ intends to address in the upcoming releases:

No authentication
- At present, knowledge packs are unauthenticated.
Synchronizing updates to consumers.
- Producers cannot synchronize updates to a consumer when:
  - A pack has been published by a producer.
    
    In order to synchronize updates for a published pack, producers must unpublish and then publish the pack.
  - The pack is already enabled on a consumer.
    
    In order to receive an updated version of a pack, the consumer must disable and then enable it.
Versioning knowledge packs is not possible at present.
Deleting an object from EclecticIQ Intelligence Center does not remove it from a knowledge pack.
- When a producer deletes an object (e.g. a rule, a dataset, or a workspace) that is part of a knowledge pack, the object is not removed from the knowledge pack.

Firewall rules #

In order to use knowledge packs, you must follow instructions here to enable traffic to and from your Intelligence Center.

Outgoing connections to EclecticIQ producer #

To allow your EclecticIQ Intelligence Center instance to retrieve knowledge packs from the EclecticIQ producer, allow outgoing requests to:

https://cti.eclecticiq.com/configuration-bundles/producer
https://cti.eclecticiq.com/configuration-bundles/published

Outgoing connections to external knowledge pack producer #

To allow your EclecticIQ Intelligence Center instance to connect to and consume knowledge packs from an another EclecticIQ Intelligence Center instance acting as a knowledge pack producer, you must allow outgoing connections to the following endpoints on the target EclecticIQ Intelligence Center knowledge pack producer:

Endpoint	Description
`/private/configuration-bundles/published`	List all created and published knowledge packs
`/private/configuration-bundles/producer`	Metadata describing the configured Producer for this EclecticIQ Intelligence Center instance.
`/api/configuration-bundles/published`	(Producer is 2.14 and older; available on 3.x for compatibility) List all created and published knowledge packs
`/api/configuration-bundles/producer`	(Producer is 2.14 and older; available on 3.x for compatibility) Metadata describing the configured Producer for this EclecticIQ Intelligence Center instance.

Incoming connections as knowledge pack producer #

To create and distribute knowledge packs with your EclecticIQ Intelligence Center instance, you must allow incoming connections for the following endpoints:

Endpoint	Description
`/private/configuration-bundles/published`	List all created and published knowledge packs
`/private/configuration-bundles/producer`	Metadata describing the configured Producer for this EclecticIQ Intelligence Center instance.

In addition, allow incoming traffic to the following endpoints to:

Allow knowledge pack consumers running EclecticIQ Intelligence Center 2.14 and older to connect and consume knowledge packs from this producer.
If this EclecticIQ Intelligence Center instance is behind a reverse proxy.

Endpoint	Description
`/api/configuration-bundles/published`	List all created and published knowledge packs
`/api/configuration-bundles/producer`	Metadata describing the configured Producer for this EclecticIQ Intelligence Center instance.