eiq-platform command line

Danger

Changes you make using this tool are irreversible.

Tip

To gain root privileges, run sudo -i.

Requirements: Root-level terminal access to EclecticIQ Intelligence Center instance.

Run all commands here as root.

Before you start

Before you start, activate EclecticIQ Intelligence Center Python virtual environment:

source /opt/eclecticiq-platform-backend/bin/activate

General Usage

Run:

• eiq-platform --help to display help text.

• eiq-platform <command> --help to display help text for <command>.

Usage: eiq-platform [OPTIONS] COMMAND [ARGS]...

  Umbrella command for administrative tasks for the EclecticIQ platform.

  All functionality is available as subcommands, e.g.

    eiq-platform database upgrade

  All commands provide a `--help` flag for compact usage information. Refer to
  the documentation for detailed instructions.

Options:
  --help  Show this message and exit.

Commands:
  blob                       Blob related commands.
  create-fake-stix-packages  This script generates fake STIX packages.
  database                   Database (PostgreSQL) related commands.
  diagnose                   Diagnostic commands.
  entity                     Entity related commands.
  extensions                 Extensions related commands.
  ingestion                  Ingestion related commands.
  list-commands              List all commands.
  oauth                      OAuth related commands.
  observable                 Observable related commands.
  outgoing-feed              Outgoing Feed related commands.
  purge-incoming-feed        Delete all data related to an incoming feed.
  run-script                 Execute a script.
  saml                       SAML related commands.
  search                     Search (Elasticsearch) related commands.
  shell                      Launch an interactive Python shell.
  stix                       STIX related commands.
  user                       User related commands.

Create EclecticIQ Intelligence Center administrator account with CLI

You can create an EclecticIQ Intelligence Center user account with admin privileges with eiq-platform user create.

Usage

Usage: eiq-platform user create [OPTIONS]

  Create a new user.

  When the user name and password are not provided, this commands works
  interactively.

Options:
  --name TEXT
  --password TEXT
  --help           Show this message and exit.

Delete incoming feed with CLI

For more information about deleting incoming feeds, see Delete incoming feed content and configuration.

Usage

Usage: eiq-platform purge-incoming-feed [OPTIONS]

  Delete all data related to an incoming feed.

  Either an incoming feed ID must be provided, for example:

  eiq-platform purge-incoming-feed --incoming-feed-id=3

  Or provide a source UUID, for example:

  --source-id="54cce073-7a04-49d7-9def-28b39438db37"

Options:
  -l, --list                      Print all available incoming feeds
  -i, --incoming-feed-id INTEGER  ID of the feed to be purged
  --source-id UUID                UUID of the source to be purged
  --help                          Show this message and exit.

Tip

Enter root mode with sudo -i

To delete an incoming feed using the command line, run as root:

1. Activate virtual environment:

   source /opt/eclecticiq-platform-backend/bin/activate
   

2. List existing incoming feeds:

   eiq-platform purge-incoming-feed --list
   

   Example output:

   This command removes all data related to an incoming feed.
   That includes all downloaded packages, entities, and observables.
   
   Available incoming feeds:
   
     ID  Source ID                               Entity Count  Feed Name
   ----  ------------------------------------  --------------  ----------------------------------
     1  0aff8e51-4c4c-4849-9340-b02b1798bfca               0  EclecticIQ Open Sources Feed
     2  66d33b8c-bbd6-4281-bf6b-d9818874ee52               0  EclecticIQ Commercial Sources Feed
     3  0b7c8b6a-7de5-4f80-ba57-498c75d4f05a              62  TAXII Stand Samples
     4  af53c91c-7515-422b-b88a-4c52d2fd956f             258  AlienVault
     5  645cfe07-c304-4317-92db-6ebdb52ef942               1  Delete me
   

3. Delete the feed:

   # To delete the feed "Delete me" using ID
   eiq-platform purge-incoming-feed --incoming-feed-id=5
   
   # To delete using Source ID
   eiq-platform purge-incoming-feed --source-id=645cfe07-c304-4317-92db-6ebdb52ef942
   

4. You will be prompted twice:

   1. '<Feed Name>' has 1 entities, are you sure you want to delete all? [y/N]:

      • y to continue.

      • N to abort.

   2. Do you want to delete the incoming feed configuration? [y/N]:

      • y to remove both data and feed configuration. Behaves like Delete and purge for incoming feeds.

        See Delete incoming feed content and configuration.

      • N to remove only data downloaded and ingested through this feed. Behaves like Delete for incoming feeds.

        See Delete incoming feed content and configuration.

Once done, the tool prints details of the delete tasks being executed:

{"event": "task.sent", "level": "info", "logger": "eiq.platform.taskrunner.signals", "run": "UUID('b7c94c87-7e06-494e-94bb-d3260fa5869c')", "task_type": "eiq.utilities.delete_incoming_feed", "timestamp": "2023-02-14T13:35:35.967486Z"}
{"event": "Queued background task to delete incoming feed. See log of task worker 'utilities-priority' for purging details.", "level": "info", "logger": "eiq.platform.purging", "timestamp": "2023-02-14T13:35:35.968006Z"}