Create and configure outgoing feeds#
This page describes how to create and configure outgoing feeds, and the common configuration options that are available.
For configuration options for specific feeds, see their documentation at EclecticIQ Integrations.
Create an outgoing feed#
In the left navigation bar, go to Data configuration > Outgoing feeds.
In the top-left corner of the page, click the plus icon.
This opens a view where you can configure your outgoing feed. See Configure outgoing feed for the configuration options that follow.
Edit an outgoing feed#
In the left navigation bar, go to Data configuration > Outgoing feeds.
Locate an outgoing feed you want to edit. On the right, select More > Edit.
Or:
Select the feed to open it. At the top right, select More > Edit.
This opens a view where you can configure your outgoing feed. See Configure outgoing feed for the configuration options that follow.
Configure outgoing feed#
The following describes sections you can configure in an outgoing feed.
Note
Required fields are marked with an asterisk (*).
General#
In this section, set these options:
Field | Description |
---|---|
Feed name* | Enter a name for this feed. |
Feed content*#
In this section, set these options:
Field | Description |
---|---|
Datasets* | Default: (Not set) Select at least one dataset. A feed only packs data from datasets included in this list. |
Update strategy* | Select an Update strategy. Some update strategies are only available after you select a Transport type and Content type. Specific content types may implement specific behavior for certain update strategies. See EclecticIQ Integrations. |
Transport and content#
In this section, set these options:
Field | Description |
---|---|
Transport type* | Select a transport type. |
Content type* | Select a content type. |
Transport configuration* | Configure the feed for a given Transport type and Content type. See individual integration documentation at EclecticIQ Integrations. |
Public | Select to allow unauthenticated access to endpoints created by this feed. Available only for these transport types: Remove this selection to require authenticated access to endpoints created by this feed. |
Authorized groups | Available only when Public is not selected. Select at least one group. Members of this group can use their API tokens to access this feed. |
Schedule#
Set an Execution schedule to have your feed run automatically.
Option | Description |
---|---|
None | Default. Feeds must be manually run. |
Every [n] minutes | Run this feed automatically every [n] minutes. Select a value for [n]. |
Every hour, [n] minutes past the hour | Run this feed automatically every hour + [n] minutes. For example, setting [n] to |
Every [n] hours | Run this feed automatically at the start of every [n] hours. Select a value for [n]. |
Every day at [time] | Run this feed automatically at the specified time, once a day. Set a value for [time]. |
Every [n] days | Run this feed automatically at the start of every [n] days. Select a value for [n]. |
Every week on [day of the week] at [time] | Run this feed automatically once every week, on a specific day of the week at a specific time. Set values for [day of the week] and [time]. |
Every month on [day of the month] at [time] | Run this feed automatically once every month, on a specific day of the month at a specific time. Set values for [day of the month] and [time]. Caution: Avoid setting [day of month] to |
Advanced options#
Select Show advanced options to display more configuration options.
Processing#
Options here allow you to filter and apply pre-processing options to data from your selected datasets when the feed runs.
In this section, set these options:
Override TLP*#
Default: (Not set)
Leave empty to keep TLP unchanged.
Select a TLP color to set an overriding TLP value on all objects packed by this feed.
The following table describes how this affects the data in an entity:
Entity JSON field | Description |
---|---|
 | The incoming feed sets the half life value you configure here in this entity field. |
 | These fields are not changed. |
Filter TLP*#
Default: (Not Set)
Leave empty to disregard TLP when packing intelligence for this feed.
Select a TLP to set the most restrictive TLP color this feed includes. All objects with TLP colors more restrictive than this are excluded from the feed.
For example, setting this to Green and below sets this feed to only include objects with TLP Green and White in its outgoing packages.
Source reliability filter#
Default: (Not set)
Leave empty to disregard source reliability when packing intelligence for this feed.
Select a minimum Source reliability value for objects to include in this feed. Only objects with a source reliability value that is equal to or more reliable than the selected value are packed by this feed.
For example:
Selecting A - Completely reliable would allow this feed to only pack objects with a source reliability of A - Completely reliable.
Selecting C - Fairly reliable would allow this feed to only pack objects with a source reliability of A - Completely reliable, B - Usually reliable, and C - Fairly reliable.
Relevancy threshold (%)#
Default: (Not set)
Leave unset to disregard half-life relevancy of entities when packing intelligence for this feed.
Only pack entities that have a half-life relevancy value that is equal to or higher than the value set here.
For more information about half-life relevancy, see Entities: Common properties.
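The Filter TLP, Source reliability filter and Relevancy threshold settings above can be checked against a package the feed has produced. The following audit script is an added example, not EclecticIQ code; the `source_reliability` and `relevancy` field names, the uppercase TLP values and the A to F reliability ordering are assumptions, and the sample package is constructed.

```python
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]        # least to most restrictive
RELIABILITY_ORDER = ["A", "B", "C", "D", "E", "F"]    # assumed order, A most reliable

def audit_object(obj, max_tlp=None, min_reliability=None, min_relevancy=None):
    """Return the reasons an object conflicts with the feed's filter settings."""
    meta, reasons = obj.get("meta", {}), []
    if max_tlp is not None:                           # None models "(Not set)"
        tlp = meta.get("tlp_color")
        if tlp not in TLP_ORDER:
            reasons.append("TLP missing or unknown")  # flag for manual review
        elif TLP_ORDER.index(tlp) > TLP_ORDER.index(max_tlp):
            reasons.append(f"TLP {tlp} is more restrictive than {max_tlp}")
    if min_reliability is not None:
        rel = meta.get("source_reliability")          # hypothetical field name
        if rel not in RELIABILITY_ORDER:
            reasons.append("source reliability missing or unknown")
        elif RELIABILITY_ORDER.index(rel) > RELIABILITY_ORDER.index(min_reliability):
            reasons.append(f"source reliability {rel} is below {min_reliability}")
    if min_relevancy is not None:
        relevancy = meta.get("relevancy")             # hypothetical field, in percent
        if relevancy is None or relevancy < min_relevancy:
            reasons.append(f"relevancy {relevancy} is below {min_relevancy}%")
    return reasons

def audit_package(objects, **settings):
    """Map object id to reasons, for every object that conflicts with the settings."""
    findings = {}
    for obj in objects:
        reasons = audit_object(obj, **settings)
        if reasons:
            findings[obj["id"]] = reasons
    return findings

# Constructed sample package (not real intelligence data).
PACKAGE = [
    {"id": "ind-1", "meta": {"tlp_color": "GREEN", "source_reliability": "B", "relevancy": 80}},
    {"id": "ind-2", "meta": {"tlp_color": "AMBER", "source_reliability": "A", "relevancy": 95}},
    {"id": "ind-3", "meta": {"tlp_color": "WHITE", "source_reliability": "D", "relevancy": 40}},
    {"id": "ind-4", "meta": {"source_reliability": "C", "relevancy": 50}},
]

if __name__ == "__main__":
    # Feed set to "Green and below", minimum reliability C, relevancy threshold 50%.
    for obj_id, why in audit_package(PACKAGE, max_tlp="GREEN",
                                     min_reliability="C", min_relevancy=50).items():
        print(obj_id, why)
```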
Sign content with private key#
Select this option to sign all packages produced by this feed with the PGP private key set in Settings > System settings > Private key.
Include/Exclude observable states*#
Select Include or Exclude on the right of this option, and then set these options:
Important
This has changed in EclecticIQ Intelligence Center 3.2.
By default, outgoing feeds do not include Safe and Unknown observable states.
Field | Description |
---|---|
Include | Default: Include only observables that have these states. |
Exclude | Default: (None) Exclude only observables that have these states. Set to none by default, so observables with any state are included. |
Include/Exclude only observables with link names*#
Note
This filter does not affect enrichment observables.
Select Include or Exclude on the right of this option, and then set these options:
Field | Description |
---|---|
Include | Default: (All link types) Only pack observables that have link types that match at least one of the values selected here. |
Exclude | Default: (None) Exclude only observables that have these link types. Set to none by default, so observables with any link type are included. |
Include observables without a link name | Default: (Selected) Allow observables without link names to be packed by this feed. |
Include source metadata#
Default: (None selected)
Select one or more sources. Leave empty to keep original source metadata.
Intelligence packed by this feed will only contain source metadata for sources selected here.
Include tag metadata#
Default: (None selected)
Select one or more items. Leave empty to keep original tags and taxonomies.
Intelligence packed by this feed will only contain tags and taxonomies selected here.
Exclude invalid STIX 1.2#
Default: (Not selected)
Select this option to exclude objects with invalid STIX 1.2 content from being packed by this feed.
Observable and Enrichment Observable types#
Options here allow you to filter observables to include or exclude from your feed.
Include/Exclude observable types#
Select Include or Exclude on the right of this option, and then set these options:
Field | Description |
---|---|
Include | Default: (All observable types) Select observable types to include in this feed. Only observable types selected here are packed for this feed. |
Exclude | Default: (None) Exclude only observables that have these types. Set to none by default, so observables with any type are included. |
Include/Exclude enrichment observable types#
Note
Enrichment observables are observables that result from running Enrichers.
Select Include or Exclude on the right of this option, and then set these options:
Field | Description |
---|---|
Include | Default: (All observable types) Select enrichment observable types to include in this feed. Only enrichment observable types selected here are packed for this feed. |
Exclude | Default: (None) Exclude only enrichment observables that have these types. Set to none by default, so enrichment observables with any type are included. |
Include/Exclude enrichments from the following sources#
Include or exclude results from enrichments based on their source.
Select Include or Exclude on the right of this option, and then set these options:
Field | Description |
---|---|
Include | Default: (All enrichment sources) Select sources to include observables from in this feed. |
Exclude | Default: (None) Exclude only observables from these sources. Set to none by default, so observables from any source are included. |
Default: (None selected)
Select one or more enrichers. This feed excludes intelligence that comes from these enrichers.
Anonymization#
Use these fields to remove specific pieces of data from intelligence packed by this outgoing feed. Options here only apply to entities.
In these fields, enter an EIQ JSON path.
For example, to target the following fields:
TLP colors: meta.tlp_color
Entity title: data.title
Known issue
Pre-defined paths do not work. Manually enter EIQ JSON paths instead.
Skip paths#
Default: (Not set)
Exclude specific fields in entities from intelligence packed by this feed.
You can set one or more fields to exclude by manually entering an EIQ JSON path:
Select the field.
Start typing.
Press ENTER to finish adding the path.
Replace paths#
Default: (Not set)
Replace the value of a specific field to “mask” it in the resulting packed entity.
Set a value to replace in all entities packed by this feed:
Select + Add or + More.
In the fields that appear, enter values as follows:
Field name | Description |
---|---|
Path* | Enter an EIQ JSON path and press ENTER. |
Pattern* | Enter a regex pattern. This can match a substring (C2\s matches C2 in C2 Behavior), or all content in the field (.*). |
Value* | Enter a value to replace the pattern matched by Pattern. |
For example, entering the following values:
Path*: data.title
Pattern*: C2\s
Value*: APT
Replaces C2 in the “Title” field in all entities with APT.
So an entity with the title C2 Behavior is packed and renamed to APT Behavior.
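Skip paths and Replace paths act only on the fields they name, so the same sensitive string can still leave in another field. The following pre-flight check is an added example, not EclecticIQ code: it models both settings with dotted paths and Python's `re.sub` on a constructed entity, then lists the sensitive terms that survive. The `data.description` field, the `ExampleCorp` term and the function names are assumptions.

```python
import copy
import re

def _locate(entity, path):
    """Resolve a dotted path; return (parent dict, last key) or (None, None)."""
    node, keys = entity, path.split(".")
    for key in keys[:-1]:
        node = node.get(key) if isinstance(node, dict) else None
    if isinstance(node, dict) and keys[-1] in node:
        return node, keys[-1]
    return None, None

def anonymize(entity, skip_paths=(), replace_rules=()):
    """Return a copy with skip paths removed and (path, pattern, value) rules applied."""
    out = copy.deepcopy(entity)
    for path in skip_paths:
        parent, key = _locate(out, path)
        if parent is not None:
            del parent[key]
    for path, pattern, value in replace_rules:
        parent, key = _locate(out, path)
        if parent is not None and isinstance(parent[key], str):
            parent[key] = re.sub(pattern, value, parent[key])
    return out

def residual_terms(node, terms):
    """Return the sensitive terms still present in any string value of the entity."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return sorted({t for child in node for t in residual_terms(child, terms)})
    if isinstance(node, str):
        return sorted(t for t in terms if t.lower() in node.lower())
    return []

# Constructed sample entity; data.description is a hypothetical field.
SAMPLE = {
    "meta": {"tlp_color": "AMBER"},
    "data": {"title": "C2 Behavior", "description": "C2 Behavior seen at ExampleCorp"},
}

if __name__ == "__main__":
    # Pattern "C2" is used here: in Python's re.sub, a trailing \s would be part
    # of the match and would be replaced along with "C2".
    masked = anonymize(SAMPLE, ["meta.tlp_color"], [("data.title", r"C2", "APT")])
    print(masked)
    print("still present:", residual_terms(masked, ["C2", "ExampleCorp"]))
```

Here the title is masked, but the description still carries both terms, so it needs its own Replace paths rule or a Skip paths entry.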
Package settings#
Customize feed-level packaging options:
Field | Description |
---|---|
Number of entities to be included in a package | Default: Set the maximum number of entities packed per outgoing feed package. |
Number of relations to be included in a package | Default: Set the maximum number of relations packed per outgoing feed package. |
Save#
Select Save to store your changes.
Or, select next to the Save button to view additional save options:
Save and run: Saves this incoming feed and runs it immediately.
Save and new: Saves the current incoming feed and opens an empty form for a new feed.
Save and duplicate: Saves this incoming feed, and then creates a new feed configuration, which is a copy of your saved incoming feed, and opens it for editing.