Fortinet black logo

EclecticIQ v1.1.0

1.1.0
Copy Link
Copy Doc ID ae8d5946-ca9f-11eb-97f7-00505692583a:129

About the connector

EclecticIQ Platform is a Threat Intelligence Platform that empowers threat analysts to perform faster, better, and deeper investigations while disseminating intelligence at machine speed.

This document provides information about the EclecticIQ connector, which facilitates automated interactions, with the EclecticIQ platform using FortiSOAR™ playbooks. Add the EclecticIQ connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving reputations of domains, URLs, IP addresses, etc., from EclecticIQ, querying the EclecticIQ platform for entities, and creating sighting in the EclecticIQ platform.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 7.0.0-480

Authored By: EclecticIQ

Certified: Yes

Release Notes for version 1.1.0

Following enhancements have been made to the EclecticIQ connector in version 1.1.0:

  • Certified this version of the connector.
  • Added the following pagination parameters to the "Query Entities" operation:
    • Number of Entities to Fetch
    • Fetch Entities From

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-eclecticiq

Prerequisites to configuring the connector

  • You must have the IP address or FQDN of the EclecticIQ platform to which you will connect and perform automated operations and credentials (username-password pair) to access that platform.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the EclecticIQ platform.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the EclecticIQ connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

Parameter Description
EclecticIQ Platform URL IP address or FQDN of the EclecticIQ Platform to which you will connect and perform the automated operations.
Username Username to access the EclecticIQ platform to which you will connect and perform the automated operations.
Password Password to access the EclecticIQ platform to which you will connect and perform the automated operations.
Group Name Name of the group that you will use to create 'Sightings' in the EclecticIQ Platform.
Note: The group name is case-sensitive.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Get IP Address reputation Retrieves the reputation of the specified IP address from the EclecticIQ Platform. get_ip_reputation
Investigation
Get Domain reputation Retrieves the reputation of the specified domain name from the EclecticIQ Platform. get_domain_reputation
Investigation
Get Email reputation Retrieves the reputation of the specified email address from the EclecticIQ Platform. get_email_reputation
Investigation
Get Filename or Hash reputation Retrieves the reputation of the specified file name of hash from the EclecticIQ Platform. get_file_reputation
Investigation
Get URL reputation Retrieves the reputation of the specified URL from the EclecticIQ Platform. get_uri_reputation
Investigation
Query entities Queries EclecticIQ Platform for entities based on the entity type and other input parameters you have specified. query_entities
Investigation
Create Sighting Creates a sighting in the EclecticIQ Platform based on the title, observable type, confidence value, and other input parameters you have specified. create_sighting
Investigation

operation: Get IP Address reputation

Input parameters

Parameter Description
IP Address IP address that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform.

Output

The output contains the following populated JSON schema:
{
"result": {
"last_updated": "",
"value": "",
"maliciousness": "",
"source_name": "",
"platform_link": "",
"created": ""
},
"status": ""
}

operation: Get Domain reputation

Input parameters

Parameter Description
Domain Name of the domain that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform.

Output

The output contains the following populated JSON schema:
{
"result": {
"last_updated": "",
"value": "",
"maliciousness": "",
"source_name": "",
"platform_link": "",
"created": ""
},
"status": ""
}

operation: Get Email reputation

Input parameters

Parameter Description
Email Email address that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform.

Output

The output contains the following populated JSON schema:
{
"result": {
"last_updated": "",
"value": "",
"maliciousness": "",
"source_name": "",
"platform_link": "",
"created": ""
},
"status": ""
}

operation: Get Filename or Hash reputation

Input parameters

Parameter Description
File Name or Hash File name or file hash value that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform.

Output

The output contains the following populated JSON schema:
{
"result": {
"last_updated": "",
"value": "",
"maliciousness": "",
"source_name": "",
"platform_link": "",
"created": ""
},
"status": ""
}

operation: Get URL reputation

Input parameters

Parameter Description
URL URL value that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform.

Output

The output contains the following populated JSON schema:
{
"result": {
"last_updated": "",
"value": "",
"maliciousness": "",
"source_name": "",
"platform_link": "",
"created": ""
},
"status": ""
}

operation: Query entities

Input parameters

Parameter Description
Observable value to search (Optional) Observable value that you want to use to query related entities in the EclecticIQ platform.
Text to search inside entity title (Optional)Text that you want to search in the title of the entity. To find the exact phrase wrap it within double-quotes (\").
Type of entity to query Choose the type of entity that you want to query in the EclecticIQ platform. You can choose from entity types such as: all, campaign, incident, ttp, etc.
Number of Entities to Fetch (Optional) Maximum number of entries that this operation should return.
Fetch Entities From (Optional) Index of the first entity to be returned by this operation. This parameter is useful for pagination and if you want to get a subset of the response, say entities starting from the 10th entity.

Output

The output contains the following populated JSON schema:
{
"status": "",
"actual_result_size": "",
"reported_results": "",
"result": [
{
"extract_kind": "",
"extract_value": "",
"extract_classification": "",
"extract_confidence": "",
"title": "",
"type": "",
"description": "",
"threat_start": "",
"tags": "",
"source_name": ""
}
]
}

operation: Create Sighting

Input parameters

Parameter Description
Sighting Title Title of the sighting that you want to create in the EclecticIQ platform.
Sighting Description (Optional) Description of the sighting that you want to create in the EclecticIQ platform.
Observable value Specify the Observable value of the sighting that you want to create in the EclecticIQ platform.
Observable Type Select the observable type of the sighting that you want to create in the EclecticIQ platform. You can choose from options such as: domain, email, host, ipv6, mutex, etc.
Observable maliciousness Select the observable maliciousness value of the sighting that you want to create in the EclecticIQ platform. You can choose from options such as: Unknown, Safe, Malicious (High confidence), Malicious (Medium confidence), or Malicious (Low confidence)
Confidence value Select the confidence value of the sighting that you want to create in the EclecticIQ platform. You can choose from the following options: None, Unknown, Low, Medium, or High.
Impact value Select the impact value of the sighting that you want to create in the EclecticIQ platform. You can choose from the following options: None, Unknown, Low, Medium, or High.
Sighting Tags Tags that you want to associate with the sighting that you want to create in the EclecticIQ platform. Each tag is delimited by ','.

Output

The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}

Included playbooks

The Sample - EclecticIQ - 1.1.0 playbook collection comes bundled with the EclecticIQ connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the EclecticIQ connector.

  • Create Sighting
  • Get Domain reputation
  • Get Email reputation
  • Get Filename or Hash reputation
  • Get IP Address reputation
  • Get URL reputation
  • Query entities

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

Previous
Next

About the connector

EclecticIQ Platform is a Threat Intelligence Platform that empowers threat analysts to perform faster, better, and deeper investigations while disseminating intelligence at machine speed.

This document provides information about the EclecticIQ connector, which facilitates automated interactions, with the EclecticIQ platform using FortiSOAR™ playbooks. Add the EclecticIQ connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving reputations of domains, URLs, IP addresses, etc., from EclecticIQ, querying the EclecticIQ platform for entities, and creating sighting in the EclecticIQ platform.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 7.0.0-480

Authored By: EclecticIQ

Certified: Yes

Release Notes for version 1.1.0

Following enhancements have been made to the EclecticIQ connector in version 1.1.0:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-eclecticiq

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the EclecticIQ connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

Parameter Description
EclecticIQ Platform URL IP address or FQDN of the EclecticIQ Platform to which you will connect and perform the automated operations.
Username Username to access the EclecticIQ platform to which you will connect and perform the automated operations.
Password Password to access the EclecticIQ platform to which you will connect and perform the automated operations.
Group Name Name of the group that you will use to create 'Sightings' in the EclecticIQ Platform.
Note: The group name is case-sensitive.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Get IP Address reputation Retrieves the reputation of the specified IP address from the EclecticIQ Platform. get_ip_reputation
Investigation
Get Domain reputation Retrieves the reputation of the specified domain name from the EclecticIQ Platform. get_domain_reputation
Investigation
Get Email reputation Retrieves the reputation of the specified email address from the EclecticIQ Platform. get_email_reputation
Investigation
Get Filename or Hash reputation Retrieves the reputation of the specified file name of hash from the EclecticIQ Platform. get_file_reputation
Investigation
Get URL reputation Retrieves the reputation of the specified URL from the EclecticIQ Platform. get_uri_reputation
Investigation
Query entities Queries EclecticIQ Platform for entities based on the entity type and other input parameters you have specified. query_entities
Investigation
Create Sighting Creates a sighting in the EclecticIQ Platform based on the title, observable type, confidence value, and other input parameters you have specified. create_sighting
Investigation

operation: Get IP Address reputation

Input parameters

Parameter Description
IP Address IP address that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform.

Output

The output contains the following populated JSON schema:
{
"result": {
"last_updated": "",
"value": "",
"maliciousness": "",
"source_name": "",
"platform_link": "",
"created": ""
},
"status": ""
}

operation: Get Domain reputation

Input parameters

Parameter Description
Domain Name of the domain that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform.

Output

The output contains the following populated JSON schema:
{
"result": {
"last_updated": "",
"value": "",
"maliciousness": "",
"source_name": "",
"platform_link": "",
"created": ""
},
"status": ""
}

operation: Get Email reputation

Input parameters

Parameter Description
Email Email address that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform.

Output

The output contains the following populated JSON schema:
{
"result": {
"last_updated": "",
"value": "",
"maliciousness": "",
"source_name": "",
"platform_link": "",
"created": ""
},
"status": ""
}

operation: Get Filename or Hash reputation

Input parameters

Parameter Description
File Name or Hash File name or file hash value that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform.

Output

The output contains the following populated JSON schema:
{
"result": {
"last_updated": "",
"value": "",
"maliciousness": "",
"source_name": "",
"platform_link": "",
"created": ""
},
"status": ""
}

operation: Get URL reputation

Input parameters

Parameter Description
URL URL value that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform.

Output

The output contains the following populated JSON schema:
{
"result": {
"last_updated": "",
"value": "",
"maliciousness": "",
"source_name": "",
"platform_link": "",
"created": ""
},
"status": ""
}

operation: Query entities

Input parameters

Parameter Description
Observable value to search (Optional) Observable value that you want to use to query related entities in the EclecticIQ platform.
Text to search inside entity title (Optional)Text that you want to search in the title of the entity. To find the exact phrase wrap it within double-quotes (\").
Type of entity to query Choose the type of entity that you want to query in the EclecticIQ platform. You can choose from entity types such as: all, campaign, incident, ttp, etc.
Number of Entities to Fetch (Optional) Maximum number of entries that this operation should return.
Fetch Entities From (Optional) Index of the first entity to be returned by this operation. This parameter is useful for pagination and if you want to get a subset of the response, say entities starting from the 10th entity.

Output

The output contains the following populated JSON schema:
{
"status": "",
"actual_result_size": "",
"reported_results": "",
"result": [
{
"extract_kind": "",
"extract_value": "",
"extract_classification": "",
"extract_confidence": "",
"title": "",
"type": "",
"description": "",
"threat_start": "",
"tags": "",
"source_name": ""
}
]
}

operation: Create Sighting

Input parameters

Parameter Description
Sighting Title Title of the sighting that you want to create in the EclecticIQ platform.
Sighting Description (Optional) Description of the sighting that you want to create in the EclecticIQ platform.
Observable value Specify the Observable value of the sighting that you want to create in the EclecticIQ platform.
Observable Type Select the observable type of the sighting that you want to create in the EclecticIQ platform. You can choose from options such as: domain, email, host, ipv6, mutex, etc.
Observable maliciousness Select the observable maliciousness value of the sighting that you want to create in the EclecticIQ platform. You can choose from options such as: Unknown, Safe, Malicious (High confidence), Malicious (Medium confidence), or Malicious (Low confidence)
Confidence value Select the confidence value of the sighting that you want to create in the EclecticIQ platform. You can choose from the following options: None, Unknown, Low, Medium, or High.
Impact value Select the impact value of the sighting that you want to create in the EclecticIQ platform. You can choose from the following options: None, Unknown, Low, Medium, or High.
Sighting Tags Tags that you want to associate with the sighting that you want to create in the EclecticIQ platform. Each tag is delimited by ','.

Output

The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}

Included playbooks

The Sample - EclecticIQ - 1.1.0 playbook collection comes bundled with the EclecticIQ connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the EclecticIQ connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

Previous
Next