
EclecticIQ Intelligence Center v3

This Integration is part of the EclecticIQ Platform Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

Threat Intelligence Platform that connects and interprets intelligence data from open sources, commercial suppliers and industry partnerships. This integration was integrated and tested with versions 2.14 and 3.0 of EclecticIQ Intelligence Center v3.

Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.

Configure EclecticIQ Intelligence Center v3 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for EclecticIQ Intelligence Center v3.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | EclecticIQ Intelligence Center URL (e.g. https://eclecticiq-platform.local) | | True |
    | API user token to authenticate in EclecticIQ Intelligence Center | | True |
    | EclecticIQ Intelligence Center public API version | | True |
    | IP threshold. Minimum maliciousness confidence level to consider the IP address malicious: High, Medium, Low, Safe, Unknown | | False |
    | URL threshold. Minimum maliciousness confidence level to consider the URL malicious: High, Medium, Low, Safe, Unknown | | False |
    | File threshold. Minimum maliciousness confidence level to consider the file malicious: High, Medium, Low, Safe, Unknown | | False |
    | Email threshold. Minimum maliciousness confidence level to consider the email address malicious: High, Medium, Low, Safe, Unknown | | False |
    | Domain threshold. Minimum maliciousness confidence level to consider the domain malicious: High, Medium, Low, Safe, Unknown | | False |
    | Group name in EclecticIQ Intelligence Center to use as entities source | | False |
    | Create sightings automatically in EclecticIQ Intelligence Center when reputation check command executed. | | False |
    | Fetch indicators | | |
    | Indicator Reputation | Indicators from this integration instance will be marked with this reputation | False |
    | Source Reliability | Reliability of the source providing the intelligence data | True |
    | | | False |
    | | | False |
    | Feed Fetch Interval | | False |
    | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
    | Feed IDs to fetch | e.g. 12,14,22 | False |
    | | | False |
    | Traffic Light Protocol Color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed | |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |

  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#


Gets the reputation of an IP address observable.

Base Command#

ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IPv4 to get the reputation of. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EclecticIQ.IP.Created | Date | Observable creation time. |
| EclecticIQ.IP.LastUpdated | Date | Observable last update time. |
| EclecticIQ.IP.Maliciousness | String | Observable maliciousness. |
| EclecticIQ.IP.Observable | String | Observable value. |
| EclecticIQ.IP.SourceName | String | Observable source name. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | How reliable the score is (for example, "C - fairly reliable"). |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| IP.Address | String | IP address. |

Command example#

!ip ip="8.8.8.8"

Context Example#

{
  "DBotScore": {
    "Indicator": "8.8.8.8",
    "Score": 0,
    "Type": "ip",
    "Vendor": "EclecticIQ Intelligence Center v3"
  },
  "EclecticIQ": {
    "IP": {
      "Created": "2023-10-09T18:00",
      "LastUpdated": "2023-11-13T15:35",
      "Maliciousness": "unknown",
      "Observable": "8.8.8.8",
      "SourceName": "enricher_task: VirusTotal APIv3 File Hash (Contacted Infrastructure) Enricher; enricher_task: Recorded Future Enricher; group: Testing Group; "
    }
  },
  "IP": {
    "Address": "8.8.8.8"
  }
}

Human Readable Output#

EclecticIQ IP reputation - 8.8.8.8#

| created | id | last_updated | maliciousness | platform_link | source_name | type | value |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2023-10-09T18:00 | 466127 | 2023-11-13T15:35 | unknown | https://ic-playground.eclecticiq.com/main/intel/all/browse/observable?tab=overview&id=466127 | enricher_task: VirusTotal APIv3 File Hash (Contacted Infrastructure) Enricher; enricher_task: Recorded Future Enricher; group: Testing Group; | ipv4 | 8.8.8.8 |

url#


Gets the reputation of a URL observable.

Base Command#

url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | URL observable to get the reputation of. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EclecticIQ.URL.Created | Date | Observable creation time. |
| EclecticIQ.URL.LastUpdated | Date | Observable last update time. |
| EclecticIQ.URL.Maliciousness | String | Observable maliciousness. |
| EclecticIQ.URL.Observable | String | Observable value. |
| EclecticIQ.URL.SourceName | String | Observable source name. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | How reliable the score is (for example, "C - fairly reliable"). |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| URL.Data | String | URL requested. |

Command example#

!url url="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/"

Context Example#

{
  "DBotScore": {
    "Indicator": "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/",
    "Score": 0,
    "Type": "url",
    "Vendor": "EclecticIQ Intelligence Center v3"
  },
  "EclecticIQ": {
    "URL": {
      "Created": "2023-06-02T08:14",
      "LastUpdated": "2023-06-02T08:14",
      "Maliciousness": "unknown",
      "Observable": "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/",
      "SourceName": "incoming_feed: Elemendar; "
    }
  },
  "URL": {
    "Data": "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/"
  }
}

Human Readable Output#

EclecticIQ URL reputation - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/#

| created | id | last_updated | maliciousness | platform_link | source_name | type | value |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2023-06-02T08:14 | 119519 | 2023-06-02T08:14 | unknown | https://ic-playground.eclecticiq.com/main/intel/all/browse/observable?tab=overview&id=119519 | incoming_feed: Elemendar; | uri | https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ |

file#


Gets the reputation of a file hash observable.

Base Command#

file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file | File hash observable to get the reputation of. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EclecticIQ.File.Created | Date | Observable creation time. |
| EclecticIQ.File.LastUpdated | Date | Observable last update time. |
| EclecticIQ.File.Maliciousness | String | Observable maliciousness. |
| EclecticIQ.File.Observable | String | Observable value. |
| EclecticIQ.File.SourceName | String | Observable source name. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | How reliable the score is (for example, "C - fairly reliable"). |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| File.MD5 | String | Bad MD5 hash. |
| File.SHA1 | String | Bad SHA1 hash. |
| File.SHA256 | String | Bad SHA256 hash. |

Command example#

!file file=ae5f156a6f5052494a295c597389dbee

Context Example#

{
  "DBotScore": {
    "Indicator": "ae5f156a6f5052494a295c597389dbee",
    "Score": 0,
    "Type": "file",
    "Vendor": "EclecticIQ Intelligence Center v3"
  },
  "EclecticIQ": {
    "File": {
      "Created": "2023-05-26T09:20",
      "LastUpdated": "2023-05-26T09:20",
      "Maliciousness": "unknown",
      "Observable": "ae5f156a6f5052494a295c597389dbee",
      "SourceName": "enricher_task: Threatcrowd API V2; "
    }
  },
  "File": {
    "Hashes": [
      {
        "type": "MD5",
        "value": "ae5f156a6f5052494a295c597389dbee"
      }
    ],
    "MD5": "ae5f156a6f5052494a295c597389dbee"
  }
}

Human Readable Output#

EclecticIQ File reputation - ae5f156a6f5052494a295c597389dbee#

| created | id | last_updated | maliciousness | platform_link | source_name | type | value |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2023-05-26T09:20 | 13 | 2023-05-26T09:20 | unknown | https://ic-playground.eclecticiq.com/main/intel/all/browse/observable?tab=overview&id=13 | enricher_task: Threatcrowd API V2; | hash-md5 | ae5f156a6f5052494a295c597389dbee |

eclecticiq-get-entity#


Queries EIC for an entity.

Base Command#

eclecticiq-get-entity

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| observable_value | Observable value to query related entities. | Optional |
| entity_title | Text to search inside entity title. | Optional |
| entity_type | Type of entity to limit query. Possible values are: all, campaign, course-of-action, exploit-target, incident, indicator, sighting, threat-actor, ttp. Default is all. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EclecticIQ.Entity.confidence | String | Entity confidence. |
| EclecticIQ.Entity.created_at | Date | Entity creation time. |
| EclecticIQ.Entity.description | String | Entity description. |
| EclecticIQ.Entity.entity_title | String | Entity title. |
| EclecticIQ.Entity.entity_type | String | Entity type. |
| EclecticIQ.Entity.impact.type | String | Entity impact type. |
| EclecticIQ.Entity.impact.value | String | Entity impact value. |
| EclecticIQ.Entity.impact.value_vocab | String | Entity impact STIX vocabulary. |
| EclecticIQ.Entity.observables_list.maliciousness | String | Related observable maliciousness. |
| EclecticIQ.Entity.observables_list.type | String | Related observable type. |
| EclecticIQ.Entity.observables_list.value | String | Related observable value. |
| EclecticIQ.Entity.observables_output | String | Related observables string. |
| EclecticIQ.Entity.relationships_list | Unknown | Entity relationships list. |
| EclecticIQ.Entity.relationships_output | String | Entity relationships string. |
| EclecticIQ.Entity.source_name | String | Entity source. |
| EclecticIQ.Entity.tags_list | Unknown | Entity tags and taxonomies. |

email#


Gets the reputation of an email address observable.

Base Command#

email

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| email | Email address observable to get the reputation of. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EclecticIQ.Email.Created | Date | Observable creation time. |
| EclecticIQ.Email.LastUpdated | Date | Observable last update time. |
| EclecticIQ.Email.Maliciousness | String | Observable maliciousness. |
| EclecticIQ.Email.Observable | String | Observable value. |
| EclecticIQ.Email.SourceName | String | Observable source name. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | How reliable the score is (for example, "C - fairly reliable"). |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |

Command example#

!email email=domains@twitter.com

Context Example#

{
  "DBotScore": {
    "Indicator": "domains@twitter.com",
    "Score": 0,
    "Type": "email",
    "Vendor": "EclecticIQ Intelligence Center v3"
  },
  "EclecticIQ": {
    "Email": {
      "Created": "2023-05-26T09:22",
      "LastUpdated": "2023-05-26T09:22",
      "Maliciousness": "unknown",
      "Observable": "domains@twitter.com",
      "SourceName": "enricher_task: Threatcrowd API V2; "
    }
  },
  "Email": {
    "Address": "domains@twitter.com"
  }
}

Human Readable Output#

EclecticIQ Email reputation - domains@twitter.com#

| created | id | last_updated | maliciousness | platform_link | source_name | type | value |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2023-05-26T09:22 | 1028 | 2023-05-26T09:22 | unknown | https://ic-playground.eclecticiq.com/main/intel/all/browse/observable?tab=overview&id=1028 | enricher_task: Threatcrowd API V2; | email | domains@twitter.com |

domain#


Gets the reputation of a domain observable.

Base Command#

domain

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain observable to get the reputation of. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EclecticIQ.Domain.Created | Date | Observable creation time. |
| EclecticIQ.Domain.LastUpdated | Date | Observable last update time. |
| EclecticIQ.Domain.Maliciousness | String | Observable maliciousness. |
| EclecticIQ.Domain.Observable | String | Observable value. |
| EclecticIQ.Domain.SourceName | String | Observable source name. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | How reliable the score is (for example, "C - fairly reliable"). |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| Domain.Name | String | Requested Domain. |

Command example#

!domain domain=urlz.fr

Context Example#

{
  "DBotScore": {
    "Indicator": "urlz.fr",
    "Score": 3,
    "Type": "domain",
    "Vendor": "EclecticIQ Intelligence Center v3"
  },
  "Domain": {
    "Malicious": {
      "Description": "EclecticIQ maliciousness confidence level: low",
      "Vendor": "EclecticIQ Intelligence Center v3"
    },
    "Name": "urlz.fr"
  },
  "EclecticIQ": {
    "Domain": {
      "Created": "2023-05-26T09:20",
      "LastUpdated": "2023-05-26T09:20",
      "Maliciousness": "low",
      "Observable": "urlz.fr",
      "SourceName": ""
    }
  }
}

Human Readable Output#

EclecticIQ Domain reputation - urlz.fr#

| created | id | last_updated | maliciousness | platform_link | source_name | type | value |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2023-05-26T09:20 | 43 | 2023-05-26T09:20 | low | https://ic-playground.eclecticiq.com/main/intel/all/browse/observable?tab=overview&id=43 | | domain | urlz.fr |
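
The reputation commands above (ip, url, file, email, domain) return the same context shape, so one helper can flatten a result for triage. This is an added example, not the integration's own code: it assumes `DBotScore` is a single object as in the Context Examples, splits `SourceName` on its `kind: name;` pattern, and flags a Suspicious or Bad score that carries no source attribution, as in the urlz.fr result. The function and key names in the returned dictionary are hypothetical.

```python
# DBotScore values as defined by Cortex XSOAR.
DBOT_VERDICT = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Bad"}

# Trimmed copies of the ip and domain Context Examples on this page.
IP_CONTEXT = {
    "DBotScore": {"Indicator": "8.8.8.8", "Score": 0, "Type": "ip"},
    "EclecticIQ": {"IP": {
        "Maliciousness": "unknown",
        "SourceName": "enricher_task: VirusTotal APIv3 File Hash (Contacted "
                      "Infrastructure) Enricher; enricher_task: Recorded "
                      "Future Enricher; group: Testing Group; ",
    }},
}
DOMAIN_CONTEXT = {
    "DBotScore": {"Indicator": "urlz.fr", "Score": 3, "Type": "domain"},
    "EclecticIQ": {"Domain": {"Maliciousness": "low", "SourceName": ""}},
}


def parse_source_name(source_name):
    """Split 'kind: name; kind: name; ' into {kind: [names]}."""
    sources = {}
    for part in source_name.split(";"):
        part = part.strip()
        if not part:
            continue
        kind, sep, name = part.partition(":")
        if not sep:  # no 'kind:' prefix, keep the text under 'unknown'
            kind, name = "unknown", part
        sources.setdefault(kind.strip(), []).append(name.strip())
    return sources


def summarize_reputation(context):
    """Flatten one reputation result into a single triage record."""
    dbot = context["DBotScore"]
    # The EclecticIQ key holds one sub-object named after the indicator type.
    _, details = next(iter(context["EclecticIQ"].items()))
    source_name = details.get("SourceName", "")
    return {
        "indicator": dbot["Indicator"],
        "type": dbot["Type"],
        "score": dbot["Score"],
        "verdict": DBOT_VERDICT.get(dbot["Score"], "Unknown"),
        "maliciousness": details["Maliciousness"],
        "sources": parse_source_name(source_name),
        # Score of 2 or 3 with an empty SourceName: verdict has no attribution.
        "unsourced_verdict": dbot["Score"] >= 2 and not source_name.strip(),
    }


if __name__ == "__main__":
    for ctx in (IP_CONTEXT, DOMAIN_CONTEXT):
        print(summarize_reputation(ctx))
```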

eclecticiq-create-sighting#


Create a sighting entity on EIC. Must contain at least one observable.

Base Command#

eclecticiq-create-sighting

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| observable_value | Observable value to connect to Sighting. | Required |
| observable_type | Observable type. Possible values are: domain, email, email-subject, file, hash, hash-md5, hash-sha1, hash-sha256, hash-sha512, host, ipv4, ipv6, mutex, port, process, uri, winregistry. | Required |
| observable_maliciousness | Observable maliciousness. Possible values are: Malicious (High confidence), Malicious (Medium confidence), Malicious (Low confidence), Safe, Unknown. | Required |
| sighting_title | Sighting title. | Required |
| sighting_description | Sighting description. | Optional |
| sighting_confidence | Sighting confidence. Possible values are: None, Unknown, Low, Medium, High. | Required |
| sighting_impact | Sighting impact. Possible values are: None, Unknown, Low, Medium, High. | Required |
| sighting_tag | Sighting tags; use a comma (",") as the delimiter between tags. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EclecticIQ.Sightings.SightingDetails.ObservableMaliciousness | String | Sighting related observable maliciousness. |
| EclecticIQ.Sightings.SightingDetails.ObservableType | String | Sighting related observable type. |
| EclecticIQ.Sightings.SightingDetails.ObservableValue | String | Sighting related observable value. |
| EclecticIQ.Sightings.SightingDetails.SightingTitle | String | Sighting title. |
| EclecticIQ.Sightings.SightingId | String | Sighting entity ID. |

eclecticiq-create-indicator#


Create an indicator entity on EIC. Must contain at least one observable.

Base Command#

eclecticiq-create-indicator

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_title | Indicator title. | Required |
| indicator_description | Indicator description. | Optional |
| indicator_confidence | Indicator confidence. Possible values are: None, Unknown, Low, Medium, High. | Required |
| indicator_impact | Indicator impact. Possible values are: None, Unknown, Low, Medium, High. | Required |
| indicator_tag | Indicator tags; use a comma (",") as the delimiter between tags. | Optional |
| observable_value | Observable value to connect to Indicator. | Required |
| observable_type | Observable type. Possible values are: domain, email, email-subject, file, hash, hash-md5, hash-sha1, hash-sha256, hash-sha512, host, ipv4, ipv6, mutex, port, process, uri, winregistry. | Required |
| observable_maliciousness | Observable maliciousness. Possible values are: Malicious (High confidence), Malicious (Medium confidence), Malicious (Low confidence), Safe, Unknown. | Required |
| observable_dictionary | Any number of observables in the format: [{"value":"192.168.0.192", "type":"ipv4", "maliciousness":"medium"}]. Use observable types as defined in EclecticIQ. Observable maliciousness can be: high, medium, low, safe, unknown. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EclecticIQ.Indicators.IndicatorId | String | Indicator entity ID. |
| EclecticIQ.Indicators.IndicatorTitle | String | Indicator entity title. |
| EclecticIQ.Indicators.ObservablesList.observable_classification | String | Indicator related observable classification. |
| EclecticIQ.Indicators.ObservablesList.observable_maliciousness | String | Indicator related observable maliciousness. |
| EclecticIQ.Indicators.ObservablesList.observable_type | String | Indicator related observable type. |
| EclecticIQ.Indicators.ObservablesList.observable_value | String | Indicator related observable value. |
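
The `observable_dictionary` argument of `eclecticiq-create-indicator` takes a JSON list, so it is worth validating before a playbook writes to the Intelligence Center. The following is an added example, not part of the integration: the function name is hypothetical, and it assumes the type values listed for `observable_type` on this page are also the ones accepted inside the dictionary.

```python
import json

# Allowed values copied from the argument descriptions on this page.
OBSERVABLE_TYPES = {
    "domain", "email", "email-subject", "file", "hash", "hash-md5",
    "hash-sha1", "hash-sha256", "hash-sha512", "host", "ipv4", "ipv6",
    "mutex", "port", "process", "uri", "winregistry",
}
MALICIOUSNESS = {"high", "medium", "low", "safe", "unknown"}


def build_observable_dictionary(observables):
    """Validate observables and return the JSON string for observable_dictionary.

    Raises ValueError listing every rejected entry, so a playbook task fails
    before anything is sent to the Intelligence Center.
    """
    cleaned, errors, seen = [], [], set()
    for index, item in enumerate(observables):
        if not isinstance(item, dict):
            errors.append(f"#{index}: not an object")
            continue
        value = str(item.get("value", "")).strip()
        obs_type = str(item.get("type", "")).strip().lower()
        level = str(item.get("maliciousness", "")).strip().lower()
        if not value:
            errors.append(f"#{index}: empty value")
        if obs_type not in OBSERVABLE_TYPES:
            errors.append(f"#{index}: unsupported type {obs_type!r}")
        if level not in MALICIOUSNESS:
            errors.append(f"#{index}: unsupported maliciousness {level!r}")
        key = (obs_type, value)
        if key in seen:
            continue  # drop exact duplicates of an earlier entry
        seen.add(key)
        cleaned.append({"value": value, "type": obs_type, "maliciousness": level})
    if errors:
        raise ValueError("; ".join(errors))
    if not cleaned:
        raise ValueError("no observables to send")
    return json.dumps(cleaned)


if __name__ == "__main__":
    # Constructed sample input; 192.168.0.192 is the address used on this page.
    sample = [
        {"value": "192.168.0.192", "type": "ipv4", "maliciousness": "medium"},
        {"value": "example.com", "type": "Domain", "maliciousness": "Low"},
    ]
    print("observable_dictionary=" + build_observable_dictionary(sample))
```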

eclecticiq-get-entity-by-id#


Queries EclecticIQ Intelligence Center for an entity by its ID.

Base Command#

eclecticiq-get-entity-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entity_id | Entity ID in EclecticIQ format, for example: a86f8393-eff6-4b31-b203-f63152be5a43. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EclecticIQ.EntityById.confidence | String | Entity confidence. |
| EclecticIQ.EntityById.created_at | Date | Entity creation time. |
| EclecticIQ.EntityById.description | String | Entity description. |
| EclecticIQ.EntityById.entity_title | String | Entity title. |
| EclecticIQ.EntityById.entity_type | String | Entity type. |
| EclecticIQ.EntityById.impact | String | Entity impact. |
| EclecticIQ.EntityById.observables_list.maliciousness | String | Related observable maliciousness. |
| EclecticIQ.EntityById.observables_list.type | String | Related observable type. |
| EclecticIQ.EntityById.observables_list.value | String | Related observable value. |
| EclecticIQ.EntityById.relationships_list | Unknown | Entity relationships list. |
| EclecticIQ.EntityById.source_name | String | Entity source. |
| EclecticIQ.EntityById.tags_list | Unknown | Entity tags and taxonomies. |

eclecticiq-request-get#


Makes an HTTP GET request to EclecticIQ Intelligence Center.

Base Command#

eclecticiq-request-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| uri | EclecticIQ URI excluding the Intelligence Center address but including the API version and params if needed, e.g. /private/status. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EclecticIQ.GET.ReplyBody | Unknown | GET reply body. |
| EclecticIQ.GET.ReplyStatus | String | GET reply status code. |
| EclecticIQ.GET.URI | String | GET reply requested URI. |

Command example#

!eclecticiq-request-get uri=/api/v2/datasets

Context Example#

{
  "EclecticIQ": {
    "GET": {
      "ReplyBody": {
        "count": 100,
        "data": [...],
        "limit": 100,
        "offset": 0,
        "total_count": 113
      },
      "ReplyStatus": "200",
      "URI": "/api/v2/datasets"
    }
  }
}

Human Readable Output#

EclecticIQ GET action to endpoint /api/v2/datasets exectued. Reply status: 200#

eclecticiq-request-post#


Makes an HTTP POST request to EclecticIQ Intelligence Center.

Base Command#

eclecticiq-request-post

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| uri | EclecticIQ URI excluding the Intelligence Center address but including the API version and params if needed. | Required |
| body | JSON payload. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EclecticIQ.POST.ReplyBody | String | POST reply body. |
| EclecticIQ.POST.ReplyStatus | String | POST reply status code. |
| EclecticIQ.POST.URI | String | POST reply requested URI. |

Command example#

!eclecticiq-request-post uri=/api/v2/datasets body={"data": {"workspaces": "1", "name": "test11112"}}

Context Example#

{
  "EclecticIQ": {
    "POST": {
      "ReplyBody": {
        "data": {...}
      },
      "ReplyStatus": "201",
      "URI": "/api/v2/datasets"
    }
  }
}

Human Readable Output#

EclecticIQ POST action to endpoint /api/v2/datasets exectued. Reply status: 201#

eclecticiq-request-delete#


Makes an HTTP DELETE request to EclecticIQ Intelligence Center.

Base Command#

eclecticiq-request-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| uri | EclecticIQ URI excluding the Intelligence Center address but including the API version and params if needed. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EclecticIQ.DELETE.ReplyStatus | String | DELETE reply status code. |
| EclecticIQ.DELETE.URI | String | DELETE reply requested URI. |

eclecticiq-get-indicators#


Gets the last block of indicators from the outgoing feed that is configured to be fetched.

Base Command#

eclecticiq-get-indicators

Input#

| Argument Name | Description | Required |
| --- | --- | --- |

Context Output#

There is no context output for this command.

Command example#

!eclecticiq-get-indicators

Human Readable Output#

Indicators collected from first block of feed:[{'id': '11', 'created_at': '2023-06-26T15:23:19.737166+00:00', 'update_strategy': 'REPLACE', 'packaging_status': 'SUCCESS', 'name': 'splunk-test'}]#

No entries.

Breaking changes from the previous version of this integration - EclecticIQ Intelligence Center v3#

The integration was rebuilt with added functionality to fetch indicators from outgoing feeds and with many new commands. It is not compatible with EclecticIQ integration v2.