EclecticIQ Platform (Deprecated)
This Integration is part of the EclecticIQ Platform Pack.
Deprecated
No available replacement.
Use Cases
- Get reputation of IOCs (observables).
- Get observables’ related entities.
Configure EclecticIQ Platform on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for integration-EclecticIQ_Platform.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g., https://192.168.0.1)
- Username
- Trust any certificate (not secure)
- Use system proxy
- IP threshold. Minimum maliciousness confidence level to consider the IP address malicious: High, Medium, Low, Safe, Unknown
- URL threshold. Minimum maliciousness confidence level to consider the URL malicious: High, Medium, Low, Safe, Unknown
- File threshold. Minimum maliciousness confidence level to consider the file malicious: High, Medium, Low, Safe, Unknown
- Email threshold. Minimum maliciousness confidence level to consider the email address malicious: High, Medium, Low, Safe, Unknown
- Domain threshold. Minimum maliciousness confidence level to consider the domain malicious: High, Medium, Low, Safe, Unknown
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get the reputation of an IP address observable: ip
- Get the reputation of a URL observable: url
- Get the reputation of a file observable: file
- Get related entities of an observable: eclecticiq-get-observable-related-entity
- Get the reputation of an email observable: email
- Get the reputation of a domain observable: domain
1. Get the reputation of an IP address observable
Gets the reputation of an IP address observable.
Base Command
ip
Input
| Argument Name | Description | Required |
|---|---|---|
| ip | IPv4 to get the reputation of | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| EclecticIQ.IP.Address | String | IP address that was tested |
| EclecticIQ.IP.Created | Date | Observable creation date |
| EclecticIQ.IP.LastUpdate | Date | Observable last updated date |
| EclecticIQ.IP.ID | Number | Observable ID |
| EclecticIQ.IP.Maliciousness | String | Maliciousness confidence level |
| IP.Address | String | IP address that was tested |
| IP.Malcious.Vendor | String | For malicious IPs, the vendor that made the decision |
| IP.Malcious.Description | String | For malicious IPs, the reason that the vendor made the decision |
| DBotScore.Type | String | Indicator type |
| DBotScore.Vendor | String | Vendor used to calculate the score |
| DBotScore.Score | Number | The actual score |
| DBotScore.Indicator | String | The indicator that was tested |
Command Example
ip ip=8.8.8.8
Context Example
```json
{
  "IP": [
    {
      "Address": "8.8.8.8"
    }
  ],
  "DBotScore": {
    "Vendor": "EclecticIQ",
    "Indicator": "8.8.8.8",
    "Score": 1,
    "Type": "ip"
  },
  "EclecticIQ.IP": [
    {
      "Maliciousness": "safe",
      "Created": "2019-01-16T11:55:11.732145+00:00",
      "ID": 86,
      "LastUpdated": "2019-01-16T11:55:11.708640+00:00",
      "Address": "8.8.8.8"
    }
  ]
}
```
Human Readable Output
EclecticIQ IP reputation - 8.8.8.8
| Maliciousness | Created | ID | LastUpdated | Address |
|---|---|---|---|---|
| safe | 2019-01-16T11:55:11.732145+00:00 | 86 | 2019-01-16T11:55:11.708640+00:00 | 8.8.8.8 |
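The threshold settings above and the `ip` command's context output are two halves of one decision: the platform reports a maliciousness confidence level, and the integration turns it into a DBotScore that playbooks act on. The following is an added example, not code from the EclecticIQ pack; it implements an assumed threshold rule that matches the three context examples on this page (safe scores 1, medium scores 2 under the default High threshold, unknown scores 0) and builds the `IP`, `DBotScore` and `EclecticIQ.IP` entries in the shape shown above. The function names, the `IP.Malicious` key and the sample observable are assumptions for the example.

```python
"""Added example (not the EclecticIQ pack's own code): turn an EclecticIQ
maliciousness confidence level into a DBotScore and build the context the
`ip` command populates.

Assumed rule, chosen to be consistent with the context examples on this
page: any level at or above the configured threshold is malicious (3),
'unknown' is 0, 'safe' is 1, everything else is suspicious (2). The real
integration's rule is not documented here and may differ."""
from typing import Any, Dict

# Confidence levels as listed in the threshold settings, least to most malicious.
LEVELS = ["unknown", "safe", "low", "medium", "high"]

# DBotScore values used by Cortex XSOAR.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3

# Constructed from the EclecticIQ.IP context example on this page.
SAMPLE_OBSERVABLE: Dict[str, Any] = {
    "Maliciousness": "safe",
    "Created": "2019-01-16T11:55:11.732145+00:00",
    "ID": 86,
    "LastUpdated": "2019-01-16T11:55:11.708640+00:00",
    "Address": "8.8.8.8",
}


def maliciousness_to_dbot_score(level: str, threshold: str = "high") -> int:
    """Return the DBotScore for a maliciousness level under a threshold.

    Comparison is case-insensitive. An unrecognised level or threshold
    yields 0 (unknown) rather than an exception, so a reputation lookup
    does not abort a playbook on unexpected vendor output.
    """
    level = level.strip().lower()
    threshold = threshold.strip().lower()
    if level not in LEVELS or threshold not in LEVELS:
        return DBOT_UNKNOWN
    if LEVELS.index(level) >= LEVELS.index(threshold):
        return DBOT_BAD
    if level == "unknown":
        return DBOT_UNKNOWN
    if level == "safe":
        return DBOT_GOOD
    return DBOT_SUSPICIOUS


def build_ip_context(observable: Dict[str, Any], threshold: str = "high") -> Dict[str, Any]:
    """Build the IP, DBotScore and EclecticIQ.IP context entries for one observable.

    Key names follow the context example on this page. The IP.Malicious
    sub-object (standard Cortex XSOAR spelling, an assumption here) is only
    added when the score is 3, which is what downstream playbooks key on.
    """
    level = str(observable.get("Maliciousness", "unknown"))
    score = maliciousness_to_dbot_score(level, threshold)
    ip_entry: Dict[str, Any] = {"Address": observable["Address"]}
    if score == DBOT_BAD:
        ip_entry["Malicious"] = {
            "Vendor": "EclecticIQ",
            "Description": f"EclecticIQ maliciousness confidence level: {level}",
        }
    return {
        "IP": [ip_entry],
        "DBotScore": {
            "Vendor": "EclecticIQ",
            "Indicator": observable["Address"],
            "Score": score,
            "Type": "ip",
        },
        "EclecticIQ.IP": [dict(observable)],
    }


if __name__ == "__main__":
    import json

    print(json.dumps(build_ip_context(SAMPLE_OBSERVABLE), indent=2))
    lowered = {**SAMPLE_OBSERVABLE, "Maliciousness": "medium"}
    print(json.dumps(build_ip_context(lowered, threshold="Medium"), indent=2))
```

Under this rule, lowering a threshold to Low makes every Low, Medium and High observable score 3, and a threshold of Safe or Unknown would flag nearly everything the platform returns; when tuning the instance settings, compare the resulting DBotScore against the `Maliciousness` value shown in the `EclecticIQ.IP` context rather than relying on the score alone.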
2. Get the reputation of a URL observable
Gets the reputation of a URL observable.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
Base Command
url
Input
| Argument Name | Description | Required |
|---|---|---|
| url | URL observable to get the reputation of | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| EclecticIQ.URL.Data | String | URL that was tested |
| EclecticIQ.URL.Created | Date | Observable creation date |
| EclecticIQ.URL.LastUpdate | Date | Observable last updated date |
| EclecticIQ.URL.ID | Number | Observable ID |
| EclecticIQ.URL.Maliciousness | String | Maliciousness confidence level |
| URL.Data | String | URL that was tested |
| URL.Malcious.Vendor | String | For malicious URLs, the vendor that made the decision |
| URL.Malcious.Description | String | For malicious URLs, the reason that the vendor made the decision |
| DBotScore.Type | String | Indicator type |
| DBotScore.Vendor | String | Vendor used to calculate the score |
| DBotScore.Score | Number | The actual score |
| DBotScore.Indicator | String | The indicator that was tested |
Command Example
url url=http://chstarkeco.com
Context Example
The output below consists of three separate context entries, one from each reputation source enabled in this setup (OpenPhish, PhishTank, and EclecticIQ):
```json
{
  "DBotScore": {
    "Vendor": "OpenPhish",
    "Indicator": "http://chstarkeco.com",
    "Score": 0,
    "Type": "url"
  }
}
```
```json
{
  "URL": {
    "Data": "http://chstarkeco.com"
  },
  "DBotScore": {
    "Vendor": "PhishTank",
    "Indicator": "http://chstarkeco.com",
    "Score": 0,
    "Type": "url"
  }
}
```
```json
{
  "URL": [
    {
      "Data": "http://chstarkeco.com"
    }
  ],
  "DBotScore": {
    "Vendor": "EclecticIQ",
    "Indicator": "http://chstarkeco.com",
    "Score": 2,
    "Type": "url"
  },
  "EclecticIQ.URL": [
    {
      "Maliciousness": "medium",
      "Data": "http://chstarkeco.com",
      "ID": 83,
      "LastUpdated": "2019-01-16T11:53:51.128167+00:00",
      "Created": "2019-01-16T11:52:49.993110+00:00"
    }
  ]
}
```
Human Readable Output
OpenPhish Database - URL Query
No matches for URL http://chstarkeco.com
PhishTank Database - URL Query
No matches for URL http://chstarkeco.com
EclecticIQ URL reputation - http://chstarkeco.com
| Maliciousness | Data | ID | LastUpdated | Created |
|---|---|---|---|---|
| medium | http://chstarkeco.com | 83 | 2019-01-16T11:53:51.128167+00:00 | 2019-01-16T11:52:49.993110+00:00 |
3. Get the reputation of a file observable
Gets the reputation of a file hash observable.
Base Command
file
Input
| Argument Name | Description | Required |
|---|---|---|
| file | File hash observable to get the reputation of | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| EclecticIQ.File.MD5 | String | File MD5 hash that was tested |
| EclecticIQ.File.SHA1 | String | File SHA-1 hash that was tested |
| EclecticIQ.File.SHA256 | String | File SHA-256 hash that was tested |
| EclecticIQ.File.SHA512 | String | File SHA-512 hash that was tested |
| EclecticIQ.File.Created | Date | Observable creation date |
| EclecticIQ.File.LastUpdate | Date | Observable last updated date |
| EclecticIQ.File.ID | Number | Observable ID |
| EclecticIQ.File.Maliciousness | String | Maliciousness confidence level |
| File.MD5 | String | File MD5 hash that was tested |
| File.SHA1 | String | File SHA-1 hash that was tested |
| File.SHA256 | String | File SHA-256 hash that was tested |
| File.SHA512 | String | File SHA-512 hash that was tested |
| File.Malcious.Vendor | String | For malicious files, the vendor that made the decision |
| File.Malcious.Description | String | For malicious files, the reason that the vendor made the decision |
| DBotScore.Type | String | Indicator type |
| DBotScore.Vendor | String | Vendor used to calculate the score |
| DBotScore.Score | Number | The actual score |
| DBotScore.Indicator | String | The indicator that was tested |
Command Example
file file=00112233445566778899aabbccddeeff
4. Get related entities of an observable
Returns related entities of a single observable.
Base Command
eclecticiq-get-observable-related-entity
Input
| Argument Name | Description | Required |
|---|---|---|
| observable_id | Observable ID to get entity information for (can be retrieved from one of the IOCs commands) | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| EclecticIQ.Entity.Analysis | String | Entity analysis description |
| EclecticIQ.Entity.EstimatedObservedTime | Date | Entity estimated observed time |
| EclecticIQ.Entity.EstimatedStartTime | Date | Entity estimated start time |
| EclecticIQ.Entity.Exposure.Community | Boolean | Is entity in the community feed |
| EclecticIQ.Entity.Exposure.Detection | Boolean | Is entity detected |
| EclecticIQ.Entity.Exposure.Exposed | Boolean | Is entity exposed |
| EclecticIQ.Entity.Exposure.Prevention | Boolean | Is entity in prevented feed |
| EclecticIQ.Entity.Exposure.Sighting | Boolean | Is entity sighted |
| EclecticIQ.Entity.HalfLife | String | The time it takes an entity to decay in intelligence value, expressed in the number of days until a 50% decay |
| EclecticIQ.Entity.ID | String | Entity ID |
| EclecticIQ.Entity.Source.Name | String | Entity source name |
| EclecticIQ.Entity.Source.Reliability | String | Entity source reliability |
| EclecticIQ.Entity.Title | String | Entity title |
| EclecticIQ.Entity.Source.Type | String | Entity source type |
Command Example
eclecticiq-get-observable-related-entity observable_id=63
Context Example
```json
{
  "EclecticIQ.Entity": [
    {
      "HalfLife": "30 Days",
      "Title": "Indicator containing malicious file hashes",
      "EstimatedObservedTime": "2018-11-21T13:34:35.890076+00:00",
      "Analysis": "Indicator that contains malicious file hashes.",
      "Source": [
        {
          "Reliability": null,
          "Type": "incoming_feed",
          "Name": "TAXII Stand Samples"
        }
      ],
      "EstimatedStartTime": "2014-05-08T09:00:00+00:00",
      "ID": "56e218b0-3f6b-4237-beca-3b39ab8e96c2",
      "Exposure": {
        "Detection": false,
        "Sighting": false,
        "Prevention": false,
        "Community": false,
        "Exposed": true
      }
    }
  ]
}
```
Human Readable Output
Observable ID 63 related entities
| HalfLife | Title | EstimatedObservedTime | Analysis | EstimatedStartTime | ID |
|---|---|---|---|---|---|
| 30 Days | Indicator containing malicious file hashes | 2018-11-21T13:34:35.890076+00:00 | Indicator that contains malicious file hashes. | 2014-05-08T09:00:00+00:00 | 56e218b0-3f6b-4237-beca-3b39ab8e96c2 |
Sources
| Type | Name |
|---|---|
| incoming_feed | TAXII Stand Samples |
Exposure
| Detection | Sighting | Community | Prevention | Exposed |
|---|---|---|---|---|
| false | false | false | false | true |
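The `HalfLife` and `Exposure` fields are the parts of a related entity an analyst usually has to interpret rather than copy: the half-life says how quickly the entity's intelligence value decays, and the exposure flags say whether it has been seen or acted on locally. The following is an added example, not code from the EclecticIQ pack; it parses `HalfLife` as returned in the context above, applies the standard half-life decay formula (an assumption, since this page only defines `HalfLife` as the number of days until a 50% decay), and summarises the active exposure flags. The function names, the `min_value` cut-off and the sample entity are assumptions constructed for the example.

```python
"""Added example (not the EclecticIQ pack's own code): read the HalfLife
and Exposure fields returned by eclecticiq-get-observable-related-entity
and estimate the intelligence value an entity retains at a given date.

The decay model value = 0.5 ** (age_days / half_life_days) is the standard
half-life formula and is an assumption here; the page only defines HalfLife
as the number of days until a 50% decay."""
import re
from datetime import datetime
from typing import Any, Dict, List

# Constructed from the EclecticIQ.Entity context example on this page.
SAMPLE_ENTITY: Dict[str, Any] = {
    "HalfLife": "30 Days",
    "Title": "Indicator containing malicious file hashes",
    "EstimatedObservedTime": "2018-11-21T13:34:35.890076+00:00",
    "EstimatedStartTime": "2014-05-08T09:00:00+00:00",
    "ID": "56e218b0-3f6b-4237-beca-3b39ab8e96c2",
    "Exposure": {
        "Detection": False,
        "Sighting": False,
        "Prevention": False,
        "Community": False,
        "Exposed": True,
    },
}


def parse_half_life_days(text: str) -> float:
    """Turn a HalfLife string such as '30 Days' into a positive number of days.

    Anything that does not look like '<number> day(s)', or a zero value,
    raises ValueError so a changed field format is noticed instead of
    silently producing a wrong decay.
    """
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*days?\s*", text, re.IGNORECASE)
    if not match:
        raise ValueError(f"unrecognised HalfLife value: {text!r}")
    days = float(match.group(1))
    if days <= 0:
        raise ValueError(f"HalfLife must be positive: {text!r}")
    return days


def remaining_value(entity: Dict[str, Any], as_of: str) -> float:
    """Fraction of the entity's original intelligence value left at `as_of`.

    `as_of` is an ISO-8601 timestamp with offset, in the same format as the
    platform's own EstimatedObservedTime field. Dates before the observed
    time are clamped to age 0, i.e. full value.
    """
    observed = datetime.fromisoformat(entity["EstimatedObservedTime"])
    now = datetime.fromisoformat(as_of)
    age_days = max(0.0, (now - observed).total_seconds() / 86400)
    return 0.5 ** (age_days / parse_half_life_days(entity["HalfLife"]))


def active_exposure(entity: Dict[str, Any]) -> List[str]:
    """Names of the Exposure flags that are true, in a stable order."""
    exposure = entity.get("Exposure", {})
    return sorted(flag for flag, value in exposure.items() if value is True)


def triage(entity: Dict[str, Any], as_of: str, min_value: float = 0.25) -> Dict[str, Any]:
    """Summarise one related entity for an analyst: how much value it still
    carries and which exposure flags are set. `min_value` is an assumed
    cut-off equal to two half-lives."""
    value = remaining_value(entity, as_of)
    return {
        "id": entity["ID"],
        "title": entity["Title"],
        "remaining_value": round(value, 4),
        "still_relevant": value >= min_value,
        "exposure": active_exposure(entity),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ENTITY, "2019-01-20T13:34:35.890076+00:00"))
```

Note that `Exposed` being true while `Detection`, `Sighting` and `Prevention` are false, as in the sample above, means the entity has been shared but nothing in this environment has matched it; that distinction is usually more useful to an analyst than the decayed value on its own.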
5. Get the reputation of an email observable
Gets the reputation of an email address observable.
Base Command
email
Input
| Argument Name | Description | Required |
|---|---|---|
| email | Email address observable to get the reputation of | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| EclecticIQ.Email.Address | String | Email that was tested |
| EclecticIQ.Email.Created | Date | Observable creation date |
| EclecticIQ.Email.LastUpdate | Date | Observable last updated date |
| EclecticIQ.Email.ID | Number | Observable ID |
| EclecticIQ.Email.Maliciousness | String | Maliciousness confidence level |
| Account.Email.Address | String | Email that was tested |
| Account.Email.Malcious.Vendor | String | For malicious email addresses, the vendor that made the decision |
| Account.Email.Malcious.Description | String | For malicious email addresses, the reason that the vendor made the decision |
| DBotScore.Type | String | Indicator type |
| DBotScore.Vendor | String | Vendor used to calculate the score |
| DBotScore.Score | Number | The actual score |
| DBotScore.Indicator | String | The indicator that was tested |
Command Example
email email=disco-team@stealthemail.com
Context Example
```json
{
  "EclecticIQ.Email": [
    {
      "Maliciousness": "unknown",
      "Created": "2018-11-21T13:34:31.126027+00:00",
      "ID": 42,
      "LastUpdated": "2018-11-21T13:34:31.126027+00:00",
      "Address": "disco-team@stealthemail.com"
    },
    {
      "Maliciousness": "unknown",
      "Created": "2018-11-21T13:34:31.134425+00:00",
      "ID": 43,
      "LastUpdated": "2018-11-21T13:34:31.134425+00:00",
      "Address": "disco-team@stealthemail.com"
    }
  ],
  "DBotScore": {
    "Vendor": "EclecticIQ",
    "Indicator": "disco-team@stealthemail.com",
    "Score": 0,
    "Type": "email"
  },
  "Account.Email": [
    {
      "Address": "disco-team@stealthemail.com"
    },
    {
      "Address": "disco-team@stealthemail.com"
    }
  ]
}
```
Human Readable Output
EclecticIQ Email reputation - disco-team@stealthemail.com
| Maliciousness | Created | ID | LastUpdated | Address |
|---|---|---|---|---|
| unknown | 2018-11-21T13:34:31.126027+00:00 | 42 | 2018-11-21T13:34:31.126027+00:00 | disco-team@stealthemail.com |
| unknown | 2018-11-21T13:34:31.134425+00:00 | 43 | 2018-11-21T13:34:31.134425+00:00 | disco-team@stealthemail.com |
6. Get the reputation of a domain observable
Gets the reputation of a domain observable.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
Base Command
domain
Input
| Argument Name | Description | Required |
|---|---|---|
| domain | Domain observable to get the reputation of | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| EclecticIQ.Domain.Name | String | Domain name that was tested |
| EclecticIQ.Domain.Created | Date | Observable creation date |
| EclecticIQ.Domain.LastUpdate | Date | Observable last updated date |
| EclecticIQ.Domain.ID | Number | Observable ID |
| EclecticIQ.Domain.Maliciousness | String | Maliciousness confidence level |
| Domain.Name | String | Domain name that was tested |
| Domain.Malcious.Vendor | String | For malicious domains, the vendor that made the decision |
| Domain.Malcious.Description | String | For malicious domains, the reason that the vendor made the decision |
| DBotScore.Type | String | Indicator type |
| DBotScore.Vendor | String | Vendor used to calculate the score |
| DBotScore.Score | Number | The actual score |
| DBotScore.Indicator | String | The indicator that was tested |
Command Example
domain domain=gooc.om
Context Example
```json
{
  "Domain": [
    {
      "Name": "gooc.om"
    }
  ],
  "DBotScore": {
    "Vendor": "EclecticIQ",
    "Indicator": "gooc.om",
    "Score": 0,
    "Type": "domain"
  },
  "EclecticIQ.Domain": [
    {
      "Maliciousness": "unknown",
      "Name": "gooc.om",
      "ID": 74,
      "LastUpdated": "2018-11-21T13:34:38.964435+00:00",
      "Created": "2018-11-21T13:34:38.964435+00:00"
    }
  ]
}
```
Human Readable Output
EclecticIQ Domain reputation - gooc.om
| ID | Maliciousness | Name | LastUpdated | Created |
|---|---|---|---|---|
| 74 | unknown | gooc.om | 2018-11-21T13:34:38.964435+00:00 | 2018-11-21T13:34:38.964435+00:00 |