Configure content types#
Overview#
Generic transport types support a broader range of content types than vendor-specific transport types (such as Intel 471 and MISP feeds).
Tip
Examples of generic transport types are:
HTTP download
SFTP download
Syslog push
For a quick reference table, see Table of all generic content types.
Table of outgoing feed content types#
The following table describes the available generic content types for outgoing feeds:
Content type |
Description |
|---|---|
Advanced Entities CSV |
New in version 3.3.0. Pack entities as CSV files. Allows you to specify which entity fields to export. For more information, see Advanced Entities CSV configuration. |
Advanced Observables CSV |
New in version 3.3.0. Pack observables as CSV files. Allows you to specify which observable fields to export. For more information, see Advanced Observables CSV configuration. |
EclecticIQ Entities CSV |
CSV files containing records describing EIQ entities. |
EclecticIQ Observables CSV |
CSV files containing records describing EIQ observables. Note When creating an outgoing feed using this content type, you must set at least:
|
EclecticIQ HTML Report |
Creates a HTML package for each Report entity exported. You can customize the appearance of your HTML reports. See Customize EclecticIQ HTML Report below. |
EclecticIQ HTML Report Digest |
Creates a HTML package that contains a summary of all Report entities exported by the feed. You can customize the appearance of your HTML reports. See Customize EclecticIQ HTML Report below. |
EclecticIQ JSON |
EclecticIQ entities and observables in JSON. Typically used when sharing data between Intelligence Center instances. Selecting Override producer sets the
Producer for all entities going through this feed
as the value set in
Settings ( |
PAN-OS External Dynamic List |
For sending Palo Alto firewall blocklists containing IP, domain, and URL sightings. |
Plain text value |
Produces a plain text file that contains one value per line, extracted from entities in your feed’s datasets. See Plain text value below. |
STIX 1.2 |
See STIX 1.2 below. |
STIX 2.1 |
Appendix#
Table of all generic content types#
The following table describes content types available for generic transport types:
Send email |
FTP upload |
HTTP download |
Mount point upload |
Syslog push |
SFTP upload |
TAXII inbox |
TAXII Poll |
TAXII 2.1 push |
TAXII 2.1 Inbox |
TAXII 2.1 Poll |
Amazon S3 push |
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Advanced Entities CSV |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
||||
Advanced Observables CSV |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
||||
ArcSight CEF |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
|||
EclecticIQ Entities CSV |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
|||
EclecticIQ HTML Report |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
||||
EclecticIQ HTML Report Digest |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
||||
EclecticIQ JSON |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
||||
EclecticIQ Observables CSV |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
|||
EclecticIQ PDF |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
||||
PAN-OS External Dynamic List |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
||||
Plain text value |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
||||
STIX 1.2 |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
||||
STIX 2.1 |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
Advanced Entities CSV configuration#
Select the Advanced Entities CSV content type to pack entities as CSV files for distribution.
The following Content configuration fields are available for this content type:
Note
Required fields are marked with an asterisk (*).
Field name |
Description |
|---|---|
Include Fields* |
Select at least one field to include in the resulting CSV files. These correspond to entity fields. Note Only generic entity fields are available. Fields specific to a given entity type are not available e.g. Analysis (for report entities), Characteristics. Tip You can export an entity’s related observables by selecting Related observables in this field. This is saved as a semicolon ( uri: https://git.kernel.org/stable/c/1ffec389a6431782a8a28805830b6fae9bf00af1; hash-sha1: 1ffec389a6431782a8a28805830b6fae9bf00af1; hash-sha1: 2a3a8bbca28b899806844c00d49ed1b7ccb50957; uri: https://git.kernel.org/stable/c/07f86aa8f4fe077be1b018cc177eb8c6573e5671; hash-sha1: 07f86aa8f4fe077be1b018cc177eb8c6573e5671; domain: git.kernel.org; uri: https://git.kernel.org/stable/c/2a3a8bbca28b899806844c00d49ed1b7ccb50957; name: nvd; cve: 2021-47039
|
Advanced Observables CSV configuration#
Select the Advanced Observables CSV content type to pack observables as CSV files for distribution.
The following Content configuration fields are available for this content type:
Note
Required fields are marked with an asterisk (*).
Field name |
Description |
|---|---|
Include Fields* |
Select at least one field to include in the resulting CSV files. These correspond to observable fields. Tip You can export an observables’ related entities by selecting Related Entities in this field. This is saved as a semicolon ( |
Customize EclecticIQ HTML Report#
You can customize the appearance of your HTML reports with the following fields in the Content configuration section of your outgoing feed configuration:
Note
Required fields are marked with an asterisk (*).
Field |
Description |
|---|---|
Include following tags and taxonomy* |
Tags or taxonomies added here are added as “Tags” to the HTML report. Type tag names or select one or more tags from the drop-down menu. Selecting a “parent” tag from the drop-down menu,
such as |
Include terms of use |
Select to add a “Terms of use” section to the report. The “Terms of use” section is filled with the
contents of the Default terms of use field in
your Intel report settings. Set it by going to
Settings ( |
Include logo |
Select to add your organization’s logo to the generated report. This uses the image specified in your Intel report settings to brand your reports. Set it by
going to Settings ( Your image must:
|
Include contact information |
Select to add contact details to your report. This uses the information specified in your Intel report settings to brand your reports. Set it by
going to Settings ( |
Root URL of EclecticIQ platform installation |
Set this to the URL at which you can access the platform at. Defaults to the
host name
set in Settings
( |
Additional information |
Add information you want to include with your reports. The contents of this field is included at the end of each generated report. |
Example HTML report#
Example HTML digest report#
PAN-OS External Dynamic List#
When setting PAN-OS external Dynamic List as the content type of an outgoing feed, you must also set for this feed the Content configuration > Palo Alto PAN-OS External Dynamic List field to one of the following:
PAN-OS IP External Dynamic List: packs outgoing feed as a list of IP (v4 and v6) addresses for Palo Alto firewall blocklists.
PAN-OS Domain External Dynamic List: packs outgoing feed as a list of domains for Palo Alto firewall blocklists.
PAN-OS URL External Dynamic List: packs outgoing feed as a list of URLs for Palo Alto firewall blocklists.
For PAN-OS URL External Dynamic List feeds, URLs from your dataset:
must not contain a scheme (e.g. ‘https://’, ‘ftp://’)
can contain wildcards
are case-insensitive
Plain text value#
The Plain text value content type extracts a single value from each entity in your outgoing feed’s dataset.
It writes to the resulting text file one value per line for each entity in your dataset(s).
To use this content type, you must set three fields in the Content configuration section of your feed configuration:
Field name |
Description |
|---|---|
Field to take values from* |
Specify an EclecticIQ JSON field name to extract values from. This should be written in dot notation. For example, to access the Title of an Indicator entity, set this field to: data.title
Caution
|
Field to check a conditional value in* |
Specify an EclecticIQ JSON field name. For a given entity processed by this outgoing feed:
This should be written in dot notation. For example, to access the Title of an Indicator entity, set this field to: data.title
Caution
|
Only use entities that match this conditional value* |
Value to match in Field to check conditional value in. This must be an exact match. |
Example: Include only indicators with SNORT rules
To configure this feed to only pack SNORT rules from indicators in this feed:
Tip
Only Indicator entities can contain test mechanisms, such as SNORT rules.
Content configuration field |
Value |
|---|---|
Field to check a conditional value in |
|
Only use entities that match this conditional value |
|
Field to take values from |
|
STIX 1.2#
Sets your outgoing feed to pack Intelligence Center data as STIX 1.2 XML.
When using this content type, these options are available for your outgoing feed:
Override producer |
Sets the Producer for all entities
to the value set in
Settings ( This setting changes the following nested XML element in the entity STIX structure: <stixCommon:Identity>
<!-- Producer identity, for example 'EclecticIQ' -->
<stixCommon:Name>EclecticIQ</stixCommon:Name>
</stixCommon:Identity>
|
|---|---|
Include EclecticIQ-specific STIX extensions |
Enables EclecticIQ STIX extensions for data packed by this outgoing feed. Warning Select this only if feed recipients can validate and parse STIX 1.2 content with EclecticIQ STIX extensions. |
Force CybOX Observables ID generation based on UUID |
Select to generate UUIDs for all packed observables. Select this if the recipient of this feed expects UUID-based CybOX observable IDs. By default, EclecticIQ Observables have integer-based IDs, which is then used in the corresponding CybOX ID fields. Selecting this option generates a UUID for each packed EclecticIQ observable if it doesn’t already have one. |