Create and configure outgoing feeds

This page describes how to create and configure outgoing feeds, and the common configuration options that are available.

For configuration options for specific feeds, see their documentation at EclecticIQ Integrations.

Create an outgoing feed

  1. In the left navigation bar, go to Data configuration > Outgoing feeds.

  2. In the top-left corner of the view, click the plus icon.

This opens a view where you can configure your outgoing feed. See Configure outgoing feed for the configuration options that follow.

Edit an outgoing feed

  1. In the left navigation bar, go to Data configuration > Outgoing feeds.

  2. Locate the outgoing feed you want to edit. On the right, select More > Edit.

    Or:

    Select the feed to open it. At the top right, select More > Edit.

This opens a view where you can configure your outgoing feed. See Configure outgoing feed for the configuration options that follow.

Configure outgoing feed

The following describes sections you can configure in an outgoing feed.

Note

Required fields are marked with an asterisk (*).

General

In this section, set these options:

Field

Description

Feed name*

Enter a name for this feed.

Feed content*

In this section, set these options:

Field

Description

Datasets*

Default: (Not set)

Select at least one dataset. A feed only packs data from datasets included in this list.

Update strategy*

Select an Update strategy.

Some update strategies are only available after you select a Transport type and Content type.

Specific content types may implement specific behavior for certain update strategies. See EclecticIQ Integrations.

Transport and content

In this section, set these options:

Field

Description

Transport type*

Select a transport type.

Content type*

Select a content type.

Transport configuration*

Configure the feed for a given Transport type and Content type. See individual integration documentation at EclecticIQ Integrations.

Public

Select to allow unauthenticated access to endpoints created by this feed.

Available only for these transport types:

  • HTTP download

  • TAXII 2.1 poll

  • TAXII poll

Remove this selection to require authenticated access to endpoints created by this feed.

Authorized groups

Available only when Public is not selected.

Select at least one group. Members of the selected groups can use their API tokens to access this feed.

Schedule

Set an Execution schedule to have your feed run automatically.

Option

Description

None

Default. Feeds must be run manually.

Every [n] minutes

Run this feed automatically every [n] minutes.

Select a value for [n].

Every hour, [n] minutes past the hour

Run this feed automatically every hour, at [n] minutes past the hour.

For example, setting [n] to 4 will cause this feed to run at:

  • 00:04

  • 01:04

  • etc.

Every [n] hours

Run this feed automatically at the start of every [n] hours.

Select a value for [n].

Every day at [time]

Run this feed automatically at the specified time, once a day.

Set a value for [time].

Every [n] days

Run this feed automatically at the start of every [n] days.

Select a value for [n].

Every week on [day of the week] at [time]

Run this feed automatically once every week, on a specific day of the week at a specific time.

Set values for [day of the week] and [time].

Every month on [day of the month] at [time]

Run this feed automatically once every month, on a specific day of the month at a specific time.

Set values for [day of the month] and [time].

Caution

Avoid setting [day of month] to 30 or 31. If you want a schedule to run monthly, use 1 to run at the beginning of the month instead.

Advanced options

Select Show advanced options to display more configuration options.

Processing

Options here let you filter and pre-process the data from your selected datasets when the feed runs.

In this section, set these options:

Override TLP*

Default: (Not set)

Leave empty to keep TLP unchanged.

Select a TLP color to set an overriding TLP value on all objects packed by this feed.

The following table describes how this affects the data in an entity:

Entity JSON field

Description

  • meta.tlp_color_override

The outgoing feed sets the TLP color you select here in this entity field.

  • meta.tlp_color_original

  • sources.tlp_color_override

These fields are not changed. meta.tlp_color_override supersedes these fields when deciding the TLP color of a given entity.

Filter TLP*

Default: (Not set)

Leave empty to disregard TLP when packing intelligence for this feed.

Select a TLP to set the most restrictive TLP color this feed includes. All objects with TLP colors more restrictive than this are excluded from the feed.

For example, setting this to Green and below sets this feed to only include objects with TLP Green and White in its outgoing packages.

Source reliability filter

Default: (Not set)

Leave empty to disregard source reliability when packing intelligence for this feed.

Select a minimum Source reliability value for objects to include in this feed. Only objects with a source reliability value that is equally or more reliable than the selected value are packed by this feed.

For example:

  • Selecting A - Completely reliable would allow this feed to only pack objects with a source reliability of A - Completely reliable.

  • Selecting C - Fairly reliable would allow this feed to only pack objects with a source reliability of A - Completely reliable, B - Usually reliable, and C - Fairly reliable.
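As an added example (not EclecticIQ's own code), the three Processing options above modelled in Python over constructed entities: Filter TLP keeps a color and everything less restrictive, the source reliability filter keeps the selected grade and better, and Override TLP writes only meta.tlp_color_override. The TLP ordering, the field name meta.source_reliability and the order in which filters and override are applied are assumptions of this example.

```python
import copy

# TLP colors from least to most restrictive (TLP 1.0 colors; the page only
# states that "Green and below" means Green and White)
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]
# Source reliability grades, most reliable first (A - Completely reliable ...)
RELIABILITY_ORDER = ["A", "B", "C", "D", "E", "F"]

def effective_tlp(entity):
    """meta.tlp_color_override supersedes the original color, as the page states."""
    meta = entity.get("meta", {})
    return meta.get("tlp_color_override") or meta.get("tlp_color")

def passes_filter_tlp(entity, max_tlp):
    """Filter TLP: keep entities at max_tlp or a less restrictive color."""
    if max_tlp is None:  # (Not set): TLP is disregarded
        return True
    tlp = effective_tlp(entity)
    return tlp in TLP_ORDER and TLP_ORDER.index(tlp) <= TLP_ORDER.index(max_tlp)

def passes_source_reliability(entity, min_grade):
    """Keep entities whose source grade is min_grade or better (the field name
    meta.source_reliability is an assumption of this example)."""
    if min_grade is None:
        return True
    grade = entity.get("meta", {}).get("source_reliability")
    return grade in RELIABILITY_ORDER and (
        RELIABILITY_ORDER.index(grade) <= RELIABILITY_ORDER.index(min_grade))

def pack(entities, filter_tlp=None, min_reliability=None, override_tlp=None):
    """Apply the Processing options; filters run before the override is written
    (assumed order). Returns copies of the entities the feed would pack."""
    packed = []
    for entity in entities:
        if not (passes_filter_tlp(entity, filter_tlp)
                and passes_source_reliability(entity, min_reliability)):
            continue
        out = copy.deepcopy(entity)
        if override_tlp is not None:
            # Only meta.tlp_color_override is written; the original stays intact
            out.setdefault("meta", {})["tlp_color_override"] = override_tlp
        packed.append(out)
    return packed

# Constructed sample entities in the page's JSON field layout
SAMPLE = [
    {"data": {"title": "C2 Behavior"}, "meta": {"tlp_color": "GREEN", "source_reliability": "A"}},
    {"data": {"title": "Phishing kit"}, "meta": {"tlp_color": "AMBER", "source_reliability": "B"}},
    {"data": {"title": "Scan noise"}, "meta": {"tlp_color": "WHITE", "source_reliability": "D"}},
]
```

With filter_tlp="GREEN" the AMBER entity is dropped; with min_reliability="C" the grade D entity is dropped.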

Relevancy threshold (%)

Default: (Not set)

Leave unset to disregard half-life relevancy of entities when packing intelligence for this feed.

Only pack entities whose half-life relevancy value is equal to or higher than the value set here.

For more information about half-life relevancy, see Entities: Common properties.

Sign content with private key

Select this option to sign all packages produced by this feed with the PGP private key set in Settings > System settings > Private key.

Include/Exclude observable states*

Select Include or Exclude on the right of this option, and then set these options:

Important

This has changed in EclecticIQ Intelligence Center 3.2. By default, outgoing feeds do not include Safe and Unknown observable states.

Field

Description

Include

Default: Malicious/High Confidence, Malicious/Medium Confidence, Malicious/Low Confidence.

Include only observables that have these states.

Exclude

Default: (None)

Exclude only observables that have these states. Set to none by default, so observables with any state are included.

See Observable maliciousness.

Include source metadata

Default: (None selected)

Select one or more sources. Leave empty to keep original source metadata.

Intelligence packed by this feed will only contain source metadata for sources selected here.

Include tag metadata

Default: (None selected)

Select one or more items. Leave empty to keep original tags and taxonomies.

Intelligence packed by this feed will only contain tags and taxonomies selected here.

Exclude invalid STIX 1.2

Default: (Not selected)

Select this option to exclude objects with invalid STIX 1.2 content from being packed by this feed.

Observable and Enrichment Observable types

Options here allow you to filter observables to include or exclude from your feed.

Include/Exclude observable types

Select Include or Exclude on the right of this option, and then set these options:

Field

Description

Include

Default: (All observable types)

Select observable types to include in this feed. Only observable types selected here are packed for this feed.

Exclude

Default: (None)

Exclude only observables that have these types. Set to none by default, so observables with any type are included.

Include/Exclude enrichment observable types

Note

Enrichment observables are observables that result from running Enrichers.

Select Include or Exclude on the right of this option, and then set these options:

Field

Description

Include

Default: (All observable types)

Select enrichment observable types to include in this feed. Only enrichment observable types selected here are packed for this feed.

Exclude

Default: (None)

Exclude only enrichment observables that have these types. Set to none by default, so enrichment observables with any type are included.

Include/Exclude enrichments from the following sources

Include or exclude results from enrichments based on their source.

Select Include or Exclude on the right of this option, and then set these options:

Field

Description

Include

Default: (All enrichment sources)

Select sources to include observables from in this feed.

Exclude

Default: (None)

Exclude only observables from these sources. Set to none by default, so observables from any source are included.

Default: (None selected)

Select one or more enrichers. This feed excludes intelligence that comes from these enrichers.

Anonymization

Use these fields to remove specific pieces of data from intelligence packed by this outgoing feed. Options here only apply to entities.

In these fields, enter an EIQ JSON path.

For example, to target the following fields:

  • TLP colors: meta.tlp_color

  • Entity title: data.title

Known issue

Pre-defined paths do not work. Manually enter EIQ JSON paths instead.

Skip paths

Default: (Not set)

Exclude specific fields in entities from intelligence packed by this feed.

You can set one or more fields to exclude by manually entering an EIQ JSON path:

  1. Select the field.

  2. Start typing.

  3. Press ENTER to finish adding the path.

Replace paths

Default: (Not set)

Replace the value of a specific field to “mask” it in the resulting packed entity.

Set a value to replace in all entities packed by this feed:

  1. Select + Add or + More.

  2. In the fields that appear, enter values as follows:

    Field name

    Description

    Path*:

    Enter an EIQ JSON path and press ENTER.

    Pattern*:

    Enter a regex pattern. This can match:

    • a substring (C2\s matches C2 in C2 Behavior).

    • or all content in the field (.*).

    Value*:

    Enter a value to replace the pattern matched by Pattern.

For example, entering the following values:

  • Path*: data.title

  • Pattern*: C2\s

  • Value*: APT

Replaces C2 in the “Title” field of all entities with APT. So an entity with the title C2 Behavior is packed and renamed to APT Behavior.
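As an added example (not EclecticIQ's own implementation), the Skip paths and Replace paths options above modelled in Python over a constructed entity, using the field paths the page names (data.title, meta.tlp_color, sources.tlp_color_override). The dotted-path resolver, including how it fans out over list fields such as sources, is an assumption of this example.

```python
import copy
import re

def _resolve(obj, parts):
    """Yield (container, key) for every leaf an EIQ-style dotted path reaches.
    Lists are fanned out, so sources.tlp_color_override hits every source."""
    if isinstance(obj, list):
        for item in obj:
            yield from _resolve(item, parts)
        return
    if not isinstance(obj, dict) or parts[0] not in obj:
        return  # path not present in this entity: nothing to do
    head, rest = parts[0], parts[1:]
    if rest:
        yield from _resolve(obj[head], rest)
    else:
        yield obj, head

def skip_paths(entity, paths):
    """Skip paths: drop the addressed fields from the packed copy."""
    out = copy.deepcopy(entity)
    for path in paths:
        for container, key in list(_resolve(out, path.split("."))):
            del container[key]
    return out

def replace_paths(entity, rules):
    """Replace paths: rules are (path, pattern, value) triples; every regex
    match inside the addressed string field is replaced by value."""
    out = copy.deepcopy(entity)
    for path, pattern, value in rules:
        regex = re.compile(pattern)
        for container, key in list(_resolve(out, path.split("."))):
            if isinstance(container[key], str):
                container[key] = regex.sub(value, container[key])
    return out

# Constructed sample entity using the field paths named on the page
SAMPLE = {
    "data": {"title": "C2 Behavior", "description": "Seen on host-7"},
    "meta": {"tlp_color": "AMBER", "tlp_color_override": "GREEN"},
    "sources": [{"name": "internal-sensor", "tlp_color_override": "RED"},
                {"name": "partner-feed"}],
}
```

Because the pattern C2\s also matches the space after C2, a regex engine replaces "C2 " (with the space) by the value, so a value of APT yields APTBehavior; use the pattern C2 or include the trailing space in the value to obtain APT Behavior.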

Package settings

Customize feed-level packaging options:

Field

Description

Number of entities to be included in a package

Default: 25

Set the maximum number of entities packed per outgoing feed package.

Number of relations to be included in a package

Default: 125

Set the maximum number of relations packed per outgoing feed package.

Save

Select Save to store your changes.

Or, select the drop-down arrow next to the Save button to view additional save options:

  • Save and run: Saves this feed and runs it immediately.

  • Save and new: Saves the current feed and opens an empty form for a new feed.

  • Save and duplicate: Saves this feed, then creates a copy of the saved feed configuration and opens the copy for editing.