Create and configure incoming feeds#
This page describes how to create and configure incoming feeds, and the common configuration options that are available.
For configuration options for specific feeds, see their documentation at EclecticIQ Integrations.
Create an incoming feed#
In the in the left navigation bar, go to Data configuration > Incoming feeds.
In the top-left corner of the view, click the plus icon at the top-left corner of the page.
This opens a view where you can configure your incoming feed. See Configure incoming feed for the configuration options that follow.
Edit an incoming feed#
In the in the left navigation bar, go to Data configuration > Incoming feeds.
Locate an incoming feed you want to edit. On the right, select More > Edit.
Or:
Select the feed to open it. At the top right, select More > Edit.
This opens a view where you can configure your incoming feed. See Configure incoming feed for the configuration options that follow.
Configure incoming feed#
The following describes sections you can configure in an incoming feed.
Note
Required fields are marked with an asterisk (*).
General#
In the General section, set the following fields:
Field |
Description |
---|---|
Feed name* |
Set a unique name for this feed. |
Select Show advanced options to display the following options:
Field |
Description |
||||||
---|---|---|---|---|---|---|---|
Organization |
Enter an organization name. Use this to associate an organization name with this feed. Has no effect on ingested data. |
||||||
Source reliability |
Assign a level of source reliability to the feed. Data ingested through this feed can inherit this value. See Entities: Common properties. |
||||||
Override TLP |
Default: Not set. Does not change TLP values of ingested objects. Sets an overriding TLP value for all objects ingested by this feed. The following table describes how this affects the data in an entity:
|
||||||
Require valid signature |
Checks if downloaded packages have a signature that can be verified by known PGP public keys in Trusted keys Packages with no signature that EclecticIQ Intelligence Center can verify are discarded and not processed. Caution Selecting this option will reject packages if:
|
||||||
Extract observables from unstructured text |
Select this option to process ingested entities to extract observables from unstructured text using known patterns. |
||||||
Accept only valid STIX 1.2 |
Runs all incoming content through a STIX 1.2 validator, and discards content it cannot validate. |
||||||
Groups |
Add one or more groups to allow their members to access
data ingested by this feed.
|
For more information about groups and permissions, see Intelligence Center permissions
Transport and content#
Configure the feed for a given Transport type and Content type. Transport types and content types are provided by extensions listed in Extensions documentation.
Schedule#
Set an Execution schedule to have your feed run automatically.
Option |
Description |
---|---|
None |
Default. Feeds must be manually run. |
Every [n] minutes |
Run this feed automatically every [n] minutes. Select a value for [n]. |
Every hour, [n] minutes past the hour |
Run this feed automatically every hour + [n] minutes. For example, setting [n] to
|
Every [n] hours |
Run this feed automatically at the start of every [n] hours. Select a value for [n]. |
Every day at [time] |
Run this feed automatically at the specified time, once a day. Set a value for [time]. |
Every [n] days |
Run this feed automatically at the start of every [n] days. Select a value for [n]. |
Every week on [day of the week] at [time] |
Run this feed automatically once every week, on a specific day of the week at a specific time. Set values for [day of the week] and [time]. |
Every month on [day of the month] at [time] |
Run this feed automatically once every month, on a specific day of the month at a specific time. Set values for [day of the month] and [time] Caution Avoid setting [day of month] to |
Half life#
You can set a half life for each entity type ingested by this incoming feed. This overrides the half life originally set on the entity if it has one.
The following table describes how this affects the data in an entity:
Entity JSON field |
Description. |
---|---|
|
The incoming feed sets the half life value you configure here in this entity field. |
|
These fields are not changed.
|
Save#
Select Save to store your changes,
Or, select next to the Save button to view additional save options:
Save and run: Saves this incoming feed and runs it immediately.
Save and new: Saves the current incoming feed and opens an empty form for new feed.
Save and duplicate: Saves this incoming feed, and then create and start editing a new feed configuration which is a copy of your saved incoming feed.