EclecticIQ Platform is a Threat Intelligence Platform that empowers threat analysts to perform faster, better, and deeper investigations while disseminating intelligence at machine speed.
This document provides information about the EclecticIQ connector, which facilitates automated interactions with the EclecticIQ platform using FortiSOAR™ playbooks. Add the EclecticIQ connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving reputations of domains, URLs, IP addresses, etc., from EclecticIQ, querying the EclecticIQ platform for entities, and creating sightings in the EclecticIQ platform.
Connector Version: 1.1.0
FortiSOAR™ Version Tested on: 7.0.0-480
Authored By: EclecticIQ
Certified: Yes
The following enhancements have been made to the EclecticIQ connector in version 1.1.0:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

```shell
yum install cyops-connector-eclecticiq
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the EclecticIQ connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
EclecticIQ Platform URL | IP address or FQDN of the EclecticIQ Platform to which you will connect and perform the automated operations. |
Username | Username to access the EclecticIQ platform to which you will connect and perform the automated operations. |
Password | Password to access the EclecticIQ platform to which you will connect and perform the automated operations. |
Group Name | Name of the group that you will use to create 'Sightings' in the EclecticIQ Platform. Note: The group name is case-sensitive. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get IP Address reputation | Retrieves the reputation of the specified IP address from the EclecticIQ Platform. | get_ip_reputation Investigation |
Get Domain reputation | Retrieves the reputation of the specified domain name from the EclecticIQ Platform. | get_domain_reputation Investigation |
Get Email reputation | Retrieves the reputation of the specified email address from the EclecticIQ Platform. | get_email_reputation Investigation |
Get Filename or Hash reputation | Retrieves the reputation of the specified file name or hash from the EclecticIQ Platform. | get_file_reputation Investigation |
Get URL reputation | Retrieves the reputation of the specified URL from the EclecticIQ Platform. | get_uri_reputation Investigation |
Query entities | Queries EclecticIQ Platform for entities based on the entity type and other input parameters you have specified. | query_entities Investigation |
Create Sighting | Creates a sighting in the EclecticIQ Platform based on the title, observable type, confidence value, and other input parameters you have specified. | create_sighting Investigation |
Input parameters for the Get IP Address reputation operation:

Parameter | Description |
---|---|
IP Address | IP address that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform. |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "last_updated": "",
    "value": "",
    "maliciousness": "",
    "source_name": "",
    "platform_link": "",
    "created": ""
  },
  "status": ""
}
```
Input parameters for the Get Domain reputation operation:

Parameter | Description |
---|---|
Domain | Name of the domain that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform. |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "last_updated": "",
    "value": "",
    "maliciousness": "",
    "source_name": "",
    "platform_link": "",
    "created": ""
  },
  "status": ""
}
```
Input parameters for the Get Email reputation operation:

Parameter | Description |
---|---|
Email Address | Email address that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform. |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "last_updated": "",
    "value": "",
    "maliciousness": "",
    "source_name": "",
    "platform_link": "",
    "created": ""
  },
  "status": ""
}
```
Input parameters for the Get Filename or Hash reputation operation:

Parameter | Description |
---|---|
File Name or Hash | File name or file hash value that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform. |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "last_updated": "",
    "value": "",
    "maliciousness": "",
    "source_name": "",
    "platform_link": "",
    "created": ""
  },
  "status": ""
}
```
Input parameters for the Get URL reputation operation:

Parameter | Description |
---|---|
URL | URL value that you want to hunt in the EclecticIQ Platform and whose reputation you want to retrieve from the EclecticIQ Platform. |
The output contains the following populated JSON schema:
```json
{
  "result": {
    "last_updated": "",
    "value": "",
    "maliciousness": "",
    "source_name": "",
    "platform_link": "",
    "created": ""
  },
  "status": ""
}
```
Input parameters for the Query entities operation:

Parameter | Description |
---|---|
Observable value to search | (Optional) Observable value that you want to use to query related entities in the EclecticIQ platform. |
Text to search inside entity title | (Optional) Text that you want to search for in the title of the entity. To find an exact phrase, wrap it in double quotes ("). |
Type of entity to query | Choose the type of entity that you want to query in the EclecticIQ platform. You can choose from entity types such as: all, campaign, incident, ttp, etc. |
Number of Entities to Fetch | (Optional) Maximum number of entries that this operation should return. |
Fetch Entities From | (Optional) Index of the first entity to be returned by this operation. This parameter is useful for pagination and if you want to get a subset of the response, say entities starting from the 10th entity. |
The output contains the following populated JSON schema:
```json
{
  "status": "",
  "actual_result_size": "",
  "reported_results": "",
  "result": [
    {
      "extract_kind": "",
      "extract_value": "",
      "extract_classification": "",
      "extract_confidence": "",
      "title": "",
      "type": "",
      "description": "",
      "threat_start": "",
      "tags": "",
      "source_name": ""
    }
  ]
}
```
Input parameters for the Create Sighting operation:

Parameter | Description |
---|---|
Sighting Title | Title of the sighting that you want to create in the EclecticIQ platform. |
Sighting Description | (Optional) Description of the sighting that you want to create in the EclecticIQ platform. |
Observable value | Specify the Observable value of the sighting that you want to create in the EclecticIQ platform. |
Observable Type | Select the observable type of the sighting that you want to create in the EclecticIQ platform. You can choose from options such as: domain, email, host, ipv6, mutex, etc. |
Observable maliciousness | Select the observable maliciousness value of the sighting that you want to create in the EclecticIQ platform. You can choose from the following options: Unknown, Safe, Malicious (High confidence), Malicious (Medium confidence), or Malicious (Low confidence). |
Confidence value | Select the confidence value of the sighting that you want to create in the EclecticIQ platform. You can choose from the following options: None, Unknown, Low, Medium, or High. |
Impact value | Select the impact value of the sighting that you want to create in the EclecticIQ platform. You can choose from the following options: None, Unknown, Low, Medium, or High. |
Sighting Tags | Tags that you want to associate with the sighting that you want to create in the EclecticIQ platform. Each tag is delimited by ','. |
The output contains the following populated JSON schema:
```json
{
  "result": "",
  "status": ""
}
```
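The Create Sighting parameters above are all free-text or fixed-choice values that a playbook has to get right before the step runs. The following is an added example, not the connector's own code or anything from EclecticIQ or Fortinet, showing how a playbook pre-step could validate those inputs against the value lists the page enumerates, split the comma-delimited tags, and derive sighting inputs from a reputation-lookup result of the shape shown under the Get ... reputation operations. The dictionary keys, the function names, and the mapping of the reputation `maliciousness` field onto the sighting maliciousness labels are this example's assumptions; the observable type set holds only the values the page names (the page says "etc.", so the real connector accepts more).

```python
"""Validate and assemble Create Sighting inputs for the EclecticIQ connector.

Added example; not the connector's own code. Field names follow the parameter
table on this page. The confidence, impact and maliciousness lists are the
ones the page enumerates; OBSERVABLE_TYPES is the partial list the page gives.
"""
from typing import Any, Dict, List, Optional

CONFIDENCE_VALUES = ("None", "Unknown", "Low", "Medium", "High")
IMPACT_VALUES = CONFIDENCE_VALUES  # page lists the same five options for Impact
MALICIOUSNESS_VALUES = (
    "Unknown",
    "Safe",
    "Malicious (High confidence)",
    "Malicious (Medium confidence)",
    "Malicious (Low confidence)",
)
# Partial list: the page names these five and adds "etc." (assumption: extend as needed).
OBSERVABLE_TYPES = ("domain", "email", "host", "ipv6", "mutex")


def parse_tags(raw: str) -> List[str]:
    """Split the ','-delimited Sighting Tags string, trimming whitespace and dropping empties."""
    return [tag.strip() for tag in raw.split(",") if tag.strip()]


def build_sighting(
    title: str,
    observable_value: str,
    observable_type: str,
    maliciousness: str,
    confidence: str = "Unknown",
    impact: str = "Unknown",
    description: Optional[str] = None,
    tags: str = "",
) -> Dict[str, Any]:
    """Return Create Sighting inputs, raising ValueError on bad values so the
    playbook fails before the connector step instead of creating a malformed sighting."""
    if not title.strip():
        raise ValueError("Sighting Title is required")
    if not observable_value.strip():
        raise ValueError("Observable value is required")
    if observable_type not in OBSERVABLE_TYPES:
        raise ValueError(f"unsupported Observable Type: {observable_type!r}")
    if maliciousness not in MALICIOUSNESS_VALUES:
        raise ValueError(f"bad Observable maliciousness: {maliciousness!r}")
    if confidence not in CONFIDENCE_VALUES:
        raise ValueError(f"bad Confidence value: {confidence!r}")
    if impact not in IMPACT_VALUES:
        raise ValueError(f"bad Impact value: {impact!r}")
    sighting: Dict[str, Any] = {
        "sighting_title": title.strip(),
        "observable_value": observable_value.strip(),
        "observable_type": observable_type,
        "observable_maliciousness": maliciousness,
        "confidence_value": confidence,
        "impact_value": impact,
        "sighting_tags": parse_tags(tags),
    }
    if description:
        sighting["sighting_description"] = description
    return sighting


def sighting_from_reputation(
    rep: Dict[str, Any], observable_type: str, tags: str = ""
) -> Optional[Dict[str, Any]]:
    """Turn a Get ... reputation result (schema shown on this page) into sighting inputs.

    Assumption (not stated on the page): the reputation 'maliciousness' field carries the
    same labels as the sighting options. Safe/Unknown results yield no sighting.
    """
    result = rep.get("result") or {}
    maliciousness = result.get("maliciousness")
    if maliciousness not in MALICIOUSNESS_VALUES or maliciousness in ("Unknown", "Safe"):
        return None
    source = result.get("source_name") or "unknown source"
    return build_sighting(
        title=f"Sighting of {result.get('value', '')} ({source})",
        observable_value=result.get("value", ""),
        observable_type=observable_type,
        maliciousness=maliciousness,
        confidence="Medium",
        impact="Unknown",
        description=f"Derived from reputation lookup, platform link: {result.get('platform_link', '')}",
        tags=tags,
    )


# Constructed sample reputation response in the page's schema (not real data).
SAMPLE_REPUTATION = {
    "result": {
        "last_updated": "2021-01-01T00:00:00Z",
        "value": "bad.example.invalid",
        "maliciousness": "Malicious (High confidence)",
        "source_name": "Example Feed",
        "platform_link": "https://eiq.example.invalid/entity/placeholder",
        "created": "2021-01-01T00:00:00Z",
    },
    "status": "Success",
}

if __name__ == "__main__":
    print(sighting_from_reputation(SAMPLE_REPUTATION, "domain", tags="fortisoar, auto"))
```

The validation deliberately rejects anything outside the enumerated lists rather than silently defaulting, so a typo such as `Critical` in a playbook variable surfaces as a playbook failure; the case-sensitive Group Name noted in the configuration table is not checked here because it lives in the connector configuration, not in the operation inputs.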
The Sample - EclecticIQ - 1.1.0 playbook collection comes bundled with the EclecticIQ connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the EclecticIQ connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.