# EclecticIQ Intelligence Center v3

This integration is part of the EclecticIQ Platform Pack.

## Supported versions
Supported Cortex XSOAR versions: 6.6.0 and later.

Threat Intelligence Platform that connects and interprets intelligence data from open sources, commercial suppliers and industry partnerships. This integration was integrated and tested with versions 2.14 and 3.0 of EclecticIQ Intelligence Center v3.

Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.
## Configure EclecticIQ Intelligence Center v3 on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for EclecticIQ Intelligence Center v3.
3. Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
EclecticIQ Intelligence Center URL (e.g. https://eclecticiq-platform.local) | | True |
API user token to authenticate in EclecticIQ Intelligence Center | | True |
EclecticIQ Intelligence Center public API version | | True |
IP threshold | Minimum maliciousness confidence level to consider the IP address malicious: High, Medium, Low, Safe, Unknown | False |
URL threshold | Minimum maliciousness confidence level to consider the URL malicious: High, Medium, Low, Safe, Unknown | False |
File threshold | Minimum maliciousness confidence level to consider the file malicious: High, Medium, Low, Safe, Unknown | False |
Email threshold | Minimum maliciousness confidence level to consider the email address malicious: High, Medium, Low, Safe, Unknown | False |
Domain threshold | Minimum maliciousness confidence level to consider the domain malicious: High, Medium, Low, Safe, Unknown | False |
Group name in EclecticIQ Intelligence Center to use as entities source | | False |
Create sightings automatically in EclecticIQ Intelligence Center when a reputation check command is executed | | False |
Fetch indicators | | |
Indicator Reputation | Indicators from this integration instance will be marked with this reputation | False |
Source Reliability | Reliability of the source providing the intelligence data | True |
Feed Fetch Interval | | False |
Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
Feed IDs to fetch | e.g. 12,14,22 | False |
Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed | |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |

4. Click Test to validate the URLs, token, and connection.
## Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### ip
Get the reputation of an IP address observable.

#### Base Command
`ip`

#### Input
Argument Name | Description | Required |
---|---|---|
ip | IPv4 to get the reputation of. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
EclecticIQ.IP.Created | Date | Observable creation time. |
EclecticIQ.IP.LastUpdated | Date | Observable last update time. |
EclecticIQ.IP.Maliciousness | String | Observable maliciousness. |
EclecticIQ.IP.Observable | String | Observable value. |
EclecticIQ.IP.SourceName | String | Observable source name. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | How reliable the score is (for example, "C - fairly reliable"). |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
IP.Address | String | IP address. |

#### Command example
```!ip ip="8.8.8.8"```

#### Context Example

#### Human Readable Output
EclecticIQ IP reputation - 8.8.8.8

created | id | last_updated | maliciousness | platform_link | source_name | type | value |
---|---|---|---|---|---|---|---|
2023-10-09T18:00 | 466127 | 2023-11-13T15:35 | unknown | https://ic-playground.eclecticiq.com/main/intel/all/browse/observable?tab=overview&id=466127 | enricher_task: VirusTotal APIv3 File Hash (Contacted Infrastructure) Enricher; enricher_task: Recorded Future Enricher; group: Testing Group; | ipv4 | 8.8.8.8 |
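The threshold parameters in the configuration table and the `DBotScore` keys in the context output above meet in one place: the score assigned to an observable depends on its maliciousness relative to the instance's threshold. The following is an added example, not the integration's own code, of how a reply for an IP observable can be turned into the documented `EclecticIQ.IP.*`, `DBotScore` and `IP` context. The reply dict is constructed from the human-readable columns above; the ordering of the maliciousness levels, the score each level receives and the `Vendor` string are this example's assumptions, not values taken from the page.

```python
"""Added example, not the integration's own code: map an observable reply to the
EclecticIQ.IP.* context keys and a DBotScore, applying the "IP threshold"
instance parameter.

Assumed (not from the page): the level ordering, the score per level, the
Vendor label and the reply dict shape, which mirrors the human-readable columns.
"""
import json

# Constructed reply; field names follow the human-readable output columns.
SAMPLE_REPLY = {
    "created": "2023-10-09T18:00",
    "id": 466127,
    "last_updated": "2023-11-13T15:35",
    "maliciousness": "unknown",
    "source_name": "group: Testing Group;",
    "type": "ipv4",
    "value": "8.8.8.8",
}

# Least to most malicious. "unknown" is kept below "safe" on purpose: an
# observable nobody has assessed must never be reported as good. (Assumed.)
LEVELS = ["unknown", "safe", "low", "medium", "high"]

# Cortex XSOAR DBotScore values: 0 none, 1 good, 2 suspicious, 3 bad.
SCORE_NONE, SCORE_GOOD, SCORE_SUSPICIOUS, SCORE_BAD = 0, 1, 2, 3

VENDOR = "EclecticIQ Intelligence Center v3"  # assumed Vendor label


def dbot_score(maliciousness: str, threshold: str) -> int:
    """Score an observable against the configured threshold.

    A maliciousness at or above the threshold is bad; a lower but still
    malicious level is suspicious; "safe" is good; "unknown" yields no score.
    """
    level = maliciousness.strip().lower()
    limit = threshold.strip().lower()
    if level not in LEVELS or limit not in LEVELS:
        raise ValueError(f"unexpected maliciousness {level!r} or threshold {limit!r}")
    if level == "unknown":
        return SCORE_NONE
    if level == "safe":
        return SCORE_GOOD
    if LEVELS.index(level) >= LEVELS.index(limit):
        return SCORE_BAD
    return SCORE_SUSPICIOUS


def observable_to_context(reply: dict, threshold: str, reliability: str) -> dict:
    """Build the context documented for the ip command from one reply dict."""
    value = reply["value"]
    return {
        "EclecticIQ.IP": {
            "Created": reply["created"],
            "LastUpdated": reply["last_updated"],
            "Maliciousness": reply["maliciousness"],
            "Observable": value,
            "SourceName": reply["source_name"],
        },
        "DBotScore": {
            "Indicator": value,
            "Type": "ip",
            "Vendor": VENDOR,
            "Score": dbot_score(reply["maliciousness"], threshold),
            "Reliability": reliability,
        },
        "IP": {"Address": value},
    }


if __name__ == "__main__":
    ctx = observable_to_context(SAMPLE_REPLY, "Medium", "C - fairly reliable")
    print(json.dumps(ctx, indent=2))
```

With the sample reply (maliciousness `unknown`) the score is 0 regardless of threshold; lowering the instance threshold from High to Low only changes which of `low`, `medium` and `high` land on 3 rather than 2, it never promotes an unassessed observable.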
### url
Gets the reputation of a URL observable.

#### Base Command
`url`

#### Input
Argument Name | Description | Required |
---|---|---|
url | URL observable to get the reputation of. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
EclecticIQ.URL.Created | Date | Observable creation time. |
EclecticIQ.URL.LastUpdated | Date | Observable last update time. |
EclecticIQ.URL.Maliciousness | String | Observable maliciousness. |
EclecticIQ.URL.Observable | String | Observable value. |
EclecticIQ.URL.SourceName | String | Observable source name. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | How reliable the score is (for example, "C - fairly reliable"). |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
URL.Data | String | URL requested. |

#### Command example
```!url url="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/"```

#### Context Example

#### Human Readable Output
EclecticIQ URL reputation - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

created | id | last_updated | maliciousness | platform_link | source_name | type | value |
---|---|---|---|---|---|---|---|
2023-06-02T08:14 | 119519 | 2023-06-02T08:14 | unknown | https://ic-playground.eclecticiq.com/main/intel/all/browse/observable?tab=overview&id=119519 | incoming_feed: Elemendar; | uri | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ |
### file
Gets the reputation of a file hash observable.

#### Base Command
`file`

#### Input
Argument Name | Description | Required |
---|---|---|
file | File hash observable to get the reputation of. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
EclecticIQ.File.Created | Date | Observable creation time. |
EclecticIQ.File.LastUpdated | Date | Observable last update time. |
EclecticIQ.File.Maliciousness | String | Observable maliciousness. |
EclecticIQ.File.Observable | String | Observable value. |
EclecticIQ.File.SourceName | String | Observable source name. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | How reliable the score is (for example, "C - fairly reliable"). |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
File.MD5 | String | Bad MD5 hash. |
File.SHA1 | String | Bad SHA1 hash. |
File.SHA256 | String | Bad SHA256 hash. |

#### Command example
```!file file=ae5f156a6f5052494a295c597389dbee```

#### Context Example

#### Human Readable Output
EclecticIQ File reputation - ae5f156a6f5052494a295c597389dbee

created | id | last_updated | maliciousness | platform_link | source_name | type | value |
---|---|---|---|---|---|---|---|
2023-05-26T09:20 | 13 | 2023-05-26T09:20 | unknown | https://ic-playground.eclecticiq.com/main/intel/all/browse/observable?tab=overview&id=13 | enricher_task: Threatcrowd API V2; | hash-md5 | ae5f156a6f5052494a295c597389dbee |
### eclecticiq-get-entity
Query EIC for an entity.

#### Base Command
`eclecticiq-get-entity`

#### Input
Argument Name | Description | Required |
---|---|---|
observable_value | Observable value to query related entities. | Optional |
entity_title | Text to search inside entity title. | Optional |
entity_type | Type of entity to limit the query to. Possible values are: all, campaign, course-of-action, exploit-target, incident, indicator, sighting, threat-actor, ttp. Default is all. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
EclecticIQ.Entity.confidence | String | Entity confidence. |
EclecticIQ.Entity.created_at | Date | Entity creation time. |
EclecticIQ.Entity.description | String | Entity description. |
EclecticIQ.Entity.entity_title | String | Entity title. |
EclecticIQ.Entity.entity_type | String | Entity type. |
EclecticIQ.Entity.impact.type | String | Entity impact type. |
EclecticIQ.Entity.impact.value | String | Entity impact value. |
EclecticIQ.Entity.impact.value_vocab | String | Entity impact STIX vocabulary. |
EclecticIQ.Entity.observables_list.maliciousness | String | Related observable maliciousness. |
EclecticIQ.Entity.observables_list.type | String | Related observable type. |
EclecticIQ.Entity.observables_list.value | String | Related observable value. |
EclecticIQ.Entity.observables_output | String | Related observables string. |
EclecticIQ.Entity.relationships_list | Unknown | Entity relationships list. |
EclecticIQ.Entity.relationships_output | String | Entity relationships string. |
EclecticIQ.Entity.source_name | String | Entity source. |
EclecticIQ.Entity.tags_list | Unknown | Entity tags and taxonomies. |
### email
Gets the reputation of an email address observable.

#### Base Command
`email`

#### Input
Argument Name | Description | Required |
---|---|---|
email | Email address observable to get the reputation of. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
EclecticIQ.Email.Created | Date | Observable creation time. |
EclecticIQ.Email.LastUpdated | Date | Observable last update time. |
EclecticIQ.Email.Maliciousness | String | Observable maliciousness. |
EclecticIQ.Email.Observable | String | Observable value. |
EclecticIQ.Email.SourceName | String | Observable source name. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | How reliable the score is (for example, "C - fairly reliable"). |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |

#### Command example
```!email email=domains@twitter.com```

#### Context Example

#### Human Readable Output
EclecticIQ Email reputation - domains@twitter.com

created | id | last_updated | maliciousness | platform_link | source_name | type | value |
---|---|---|---|---|---|---|---|
2023-05-26T09:22 | 1028 | 2023-05-26T09:22 | unknown | https://ic-playground.eclecticiq.com/main/intel/all/browse/observable?tab=overview&id=1028 | enricher_task: Threatcrowd API V2; | | domains@twitter.com |
### domain
Gets the reputation of a domain observable.

#### Base Command
`domain`

#### Input
Argument Name | Description | Required |
---|---|---|
domain | Domain observable to get the reputation of. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
EclecticIQ.Domain.Created | Date | Observable creation time. |
EclecticIQ.Domain.LastUpdated | Date | Observable last update time. |
EclecticIQ.Domain.Maliciousness | String | Observable maliciousness. |
EclecticIQ.Domain.Observable | String | Observable value. |
EclecticIQ.Domain.SourceName | String | Observable source name. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | How reliable the score is (for example, "C - fairly reliable"). |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
Domain.Name | String | Requested domain. |

#### Command example
```!domain domain=urlz.fr```

#### Context Example

#### Human Readable Output
EclecticIQ Domain reputation - urlz.fr

created | id | last_updated | maliciousness | platform_link | source_name | type | value |
---|---|---|---|---|---|---|---|
2023-05-26T09:20 | 43 | 2023-05-26T09:20 | low | https://ic-playground.eclecticiq.com/main/intel/all/browse/observable?tab=overview&id=43 | | domain | urlz.fr |
### eclecticiq-create-sighting
Create a sighting entity on EIC. Must contain at least one observable.

#### Base Command
`eclecticiq-create-sighting`

#### Input
Argument Name | Description | Required |
---|---|---|
observable_value | Observable value to connect to the sighting. | Required |
observable_type | Observable type. Possible values are: domain, email, email-subject, file, hash, hash-md5, hash-sha1, hash-sha256, hash-sha512, host, ipv4, ipv6, mutex, port, process, uri, winregistry. | Required |
observable_maliciousness | Observable maliciousness. Possible values are: Malicious (High confidence), Malicious (Medium confidence), Malicious (Low confidence), Safe, Unknown. | Required |
sighting_title | Sighting title. | Required |
sighting_description | Sighting description. | Optional |
sighting_confidence | Sighting confidence. Possible values are: None, Unknown, Low, Medium, High. | Required |
sighting_impact | Sighting impact. Possible values are: None, Unknown, Low, Medium, High. | Required |
sighting_tag | Sighting tags; use a comma (",") as the delimiter between tags. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
EclecticIQ.Sightings.SightingDetails.ObservableMaliciousness | String | Sighting related observable maliciousness. |
EclecticIQ.Sightings.SightingDetails.ObservableType | String | Sighting related observable type. |
EclecticIQ.Sightings.SightingDetails.ObservableValue | String | Sighting related observable value. |
EclecticIQ.Sightings.SightingDetails.SightingTitle | String | Sighting title. |
EclecticIQ.Sightings.SightingId | String | Sighting entity ID. |
### eclecticiq-create-indicator
Create an indicator entity on EIC. Must contain at least one observable.

#### Base Command
`eclecticiq-create-indicator`

#### Input
Argument Name | Description | Required |
---|---|---|
indicator_title | Indicator title. | Required |
indicator_description | Indicator description. | Optional |
indicator_confidence | Indicator confidence. Possible values are: None, Unknown, Low, Medium, High. | Required |
indicator_impact | Indicator impact. Possible values are: None, Unknown, Low, Medium, High. | Required |
indicator_tag | Indicator tags; use a comma (",") as the delimiter between tags. | Optional |
observable_value | Observable value to connect to the indicator. | Required |
observable_type | Observable type. Possible values are: domain, email, email-subject, file, hash, hash-md5, hash-sha1, hash-sha256, hash-sha512, host, ipv4, ipv6, mutex, port, process, uri, winregistry. | Required |
observable_maliciousness | Observable maliciousness. Possible values are: Malicious (High confidence), Malicious (Medium confidence), Malicious (Low confidence), Safe, Unknown. | Required |
observable_dictionary | Any number of observables in the format: [{"value":"192.168.0.192", "type":"ipv4", "maliciousness":"medium"}]. Observable types are the same as used in EclecticIQ. Observable maliciousness can be: high, medium, low, safe, unknown. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
EclecticIQ.Indicators.IndicatorId | String | Indicator entity ID. |
EclecticIQ.Indicators.IndicatorTitle | String | Indicator entity title. |
EclecticIQ.Indicators.ObservablesList.observable_classification | String | Indicator related observable classification. |
EclecticIQ.Indicators.ObservablesList.observable_maliciousness | String | Indicator related observable maliciousness. |
EclecticIQ.Indicators.ObservablesList.observable_type | String | Indicator related observable type. |
EclecticIQ.Indicators.ObservablesList.observable_value | String | Indicator related observable value. |
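The `observable_dictionary` argument above accepts a JSON list, and the same observable may also arrive through the required `observable_value`/`observable_type`/`observable_maliciousness` triple, which uses the longer "Malicious (… confidence)" labels. The following is an added example, not the integration's own code, that validates the JSON list against the observable types and maliciousness values listed for this command and merges it with the single required observable. The observable type list, the short maliciousness values and the JSON shape come from the table; the label-to-short-form mapping and the de-duplication rule are this example's own assumptions.

```python
"""Added example, not the integration's own code: validate the
observable_dictionary argument of eclecticiq-create-indicator and merge it with
the single required observable before the indicator is created.

From the page: the observable types, the short maliciousness values, the JSON
shape and the argument labels. Assumed: the label -> short-form mapping and the
rule that duplicate (type, value) pairs are attached only once.
"""
import json

OBSERVABLE_TYPES = {
    "domain", "email", "email-subject", "file", "hash", "hash-md5", "hash-sha1",
    "hash-sha256", "hash-sha512", "host", "ipv4", "ipv6", "mutex", "port",
    "process", "uri", "winregistry",
}
MALICIOUSNESS_LEVELS = {"high", "medium", "low", "safe", "unknown"}

# observable_maliciousness argument labels -> short form (assumed normalization)
LABEL_TO_LEVEL = {
    "Malicious (High confidence)": "high",
    "Malicious (Medium confidence)": "medium",
    "Malicious (Low confidence)": "low",
    "Safe": "safe",
    "Unknown": "unknown",
}


def normalize_maliciousness(label: str) -> str:
    """Accept either the argument label or the short form used in the JSON list."""
    if label in LABEL_TO_LEVEL:
        return LABEL_TO_LEVEL[label]
    short = label.strip().lower()
    if short in MALICIOUSNESS_LEVELS:
        return short
    raise ValueError(f"unknown maliciousness {label!r}")


def check_observable(obs: dict, where: str) -> dict:
    """Return a cleaned copy of one observable, or raise naming the defect."""
    if not isinstance(obs, dict):
        raise ValueError(f"{where}: expected an object, got {type(obs).__name__}")
    value = obs.get("value")
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"{where}: 'value' must be a non-empty string")
    obs_type = obs.get("type")
    if obs_type not in OBSERVABLE_TYPES:
        raise ValueError(f"{where}: unsupported observable type {obs_type!r}")
    return {
        "value": value.strip(),
        "type": obs_type,
        "maliciousness": normalize_maliciousness(str(obs.get("maliciousness", ""))),
    }


def parse_observable_dictionary(raw: str) -> list:
    """Parse the observable_dictionary JSON text into validated observables."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"observable_dictionary is not valid JSON: {exc}") from None
    if not isinstance(data, list):
        raise ValueError("observable_dictionary must be a JSON list of objects")
    return [check_observable(obs, f"observable_dictionary[{i}]") for i, obs in enumerate(data)]


def build_observables(observable_value: str, observable_type: str,
                      observable_maliciousness: str, observable_dictionary: str = None) -> list:
    """Combine the required single observable with the optional JSON list.

    Duplicates (same type and value) are dropped, first occurrence wins, so an
    observable passed both ways is not attached to the indicator twice.
    """
    first = check_observable(
        {"value": observable_value, "type": observable_type,
         "maliciousness": observable_maliciousness},
        "observable_value",
    )
    extra = parse_observable_dictionary(observable_dictionary) if observable_dictionary else []
    merged, seen = [], set()
    for obs in [first] + extra:
        key = (obs["type"], obs["value"])
        if key not in seen:
            seen.add(key)
            merged.append(obs)
    if not merged:
        raise ValueError("an indicator must contain at least one observable")
    return merged


if __name__ == "__main__":
    print(build_observables("192.168.0.192", "ipv4", "Malicious (Medium confidence)",
                            '[{"value":"192.168.0.192", "type":"ipv4", "maliciousness":"medium"}]'))
```

Rejecting an unknown `type` before the request is sent gives the analyst a message naming the offending list entry instead of an opaque error from the Intelligence Center, and the de-duplication keeps a playbook that fills both arguments from the same indicator from creating a doubled observable list.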
### eclecticiq-get-entity-by-id
Query EclecticIQ Intelligence Center for an entity by its ID.

#### Base Command
`eclecticiq-get-entity-by-id`

#### Input
Argument Name | Description | Required |
---|---|---|
entity_id | Entity ID in EclecticIQ format, for example: a86f8393-eff6-4b31-b203-f63152be5a43. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
EclecticIQ.EntityById.confidence | String | Entity confidence. |
EclecticIQ.EntityById.created_at | Date | Entity creation time. |
EclecticIQ.EntityById.description | String | Entity description. |
EclecticIQ.EntityById.entity_title | String | Entity title. |
EclecticIQ.EntityById.entity_type | String | Entity type. |
EclecticIQ.EntityById.impact | String | Entity impact. |
EclecticIQ.EntityById.observables_list.maliciousness | String | Related observable maliciousness. |
EclecticIQ.EntityById.observables_list.type | String | Related observable type. |
EclecticIQ.EntityById.observables_list.value | String | Related observable value. |
EclecticIQ.EntityById.relationships_list | Unknown | Entity relationships list. |
EclecticIQ.EntityById.source_name | String | Entity source. |
EclecticIQ.EntityById.tags_list | Unknown | Entity tags and taxonomies. |
### eclecticiq-request-get
Make an HTTP GET request to EclecticIQ Intelligence Center.

#### Base Command
`eclecticiq-request-get`

#### Input
Argument Name | Description | Required |
---|---|---|
uri | EclecticIQ URI excluding the Intelligence Center address but including the API version and params if needed, e.g. /private/status. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
EclecticIQ.GET.ReplyBody | Unknown | GET reply body. |
EclecticIQ.GET.ReplyStatus | String | GET reply status code. |
EclecticIQ.GET.URI | String | GET reply requested URI. |

#### Command example
```!eclecticiq-request-get uri=/api/v2/datasets```

#### Context Example

#### Human Readable Output
EclecticIQ GET action to endpoint /api/v2/datasets exectued. Reply status: 200
### eclecticiq-request-post
Make an HTTP POST request to EclecticIQ Intelligence Center.

#### Base Command
`eclecticiq-request-post`

#### Input
Argument Name | Description | Required |
---|---|---|
uri | EclecticIQ URI excluding the Intelligence Center address but including the API version and params if needed. | Required |
body | JSON payload. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
EclecticIQ.POST.ReplyBody | String | POST reply body. |
EclecticIQ.POST.ReplyStatus | String | POST reply status code. |
EclecticIQ.POST.URI | String | POST reply requested URI. |

#### Command example
```!eclecticiq-request-post uri=/api/v2/datasets body={"data": {"workspaces": "1", "name": "test11112"}}```

#### Context Example

#### Human Readable Output
EclecticIQ POST action to endpoint /api/v2/datasets exectued. Reply status: 201
### eclecticiq-request-delete
Make an HTTP DELETE request to EclecticIQ Intelligence Center.

#### Base Command
`eclecticiq-request-delete`

#### Input
Argument Name | Description | Required |
---|---|---|
uri | EclecticIQ URI excluding the Intelligence Center address but including the API version and params if needed. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
EclecticIQ.DELETE.ReplyStatus | String | DELETE reply status code. |
EclecticIQ.DELETE.URI | String | DELETE reply requested URI. |
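The three raw request commands above take a caller-supplied `uri` that is documented as the part after the Intelligence Center address (for example `/api/v2/datasets`), and the instance sends it together with the configured API token. The following is an added example, not the integration's own code, of how that argument can be joined to the instance URL so that only a root-relative path on the configured instance is ever requested, plus a check that the optional POST `body` is a JSON object. The base URL is the example value from the configuration table; the rejection rules are this example's own choice.

```python
"""Added example, not the integration's own code: build the full request URL for
the eclecticiq-request-get/post/delete commands and parse the optional POST body.

The uri argument is documented as the path after the Intelligence Center
address, e.g. /api/v2/datasets. The checks here make sure a uri from a playbook
argument cannot point the request (and the instance's API token) at another
host. BASE_URL is the example value from the configuration table.
"""
import json
from urllib.parse import urlsplit

BASE_URL = "https://eclecticiq-platform.local"  # example value from the configuration table


def build_request_url(base_url: str, uri: str) -> str:
    """Join base_url and uri, allowing only a root-relative path on the instance."""
    if any(ch in uri for ch in "\r\n\t "):
        raise ValueError("uri must not contain whitespace")
    parts = urlsplit(uri)
    # "https://other.host/..." carries a scheme and netloc; the protocol-relative
    # form "//other.host/..." carries only a netloc. Either would redirect the
    # request away from the configured instance.
    if parts.scheme or parts.netloc:
        raise ValueError("uri must not contain a scheme or host; pass the path only, e.g. /api/v2/datasets")
    if not parts.path.startswith("/"):
        raise ValueError("uri must start with '/' and include the API version, e.g. /api/v2/datasets")
    if any(segment in (".", "..") for segment in parts.path.split("/")):
        raise ValueError("uri must not contain '.' or '..' path segments")
    # Query string and fragment, if present, are kept as the caller wrote them.
    return base_url.rstrip("/") + uri


def parse_body(body):
    """Parse the optional JSON payload of eclecticiq-request-post; it must be a JSON object."""
    if body is None or not body.strip():
        return None
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    return data


if __name__ == "__main__":
    print(build_request_url(BASE_URL, "/api/v2/datasets"))
    print(parse_body('{"data": {"workspaces": "1", "name": "test11112"}}'))
```

The `ReplyStatus` context of these commands tells a playbook whether the Intelligence Center accepted the call; the URL check runs before any call is made, so a mis-built `uri` fails with a readable message rather than a request that leaves the instance.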
### eclecticiq-get-indicators
Get the last block of indicators from the outgoing feed configured for fetching.

#### Base Command
`eclecticiq-get-indicators`

#### Input
There are no input arguments for this command.

#### Context Output
There is no context output for this command.

#### Command example
```!eclecticiq-get-indicators```

#### Human Readable Output
Indicators collected from first block of feed:
[{'id': '11', 'created_at': '2023-06-26T15:23:19.737166+00:00', 'update_strategy': 'REPLACE', 'packaging_status': 'SUCCESS', 'name': 'splunk-test'}]
No entries.
## Breaking changes from the previous version of this integration - EclecticIQ Intelligence Center v3
The integration was rebuilt with added functionality to fetch indicators from outgoing feeds and with many new commands. The integration is not compatible with the EclecticIQ integration v2.