EclecticIQ app

Publisher: EclecticIQ
Connector Version: 1.3.1
Product Vendor: EclecticIQ
Product Name: TIP
Product Version Supported (regex): ".*"
Minimum Product Version: 4.6.19142

EclecticIQ Platform integration

Configuration Variables

The below configuration variables are required for this Connector to operate. These variables are specified when configuring a TIP asset in SOAR.

VARIABLE	REQUIRED	TYPE	DESCRIPTION
tip_uri	required	string	EclecticIQ Platform Address
tip_user	required	string	EclecticIQ Username
tip_password	required	password	EclecticIQ Password/Token
tip_group	optional	string	EclecticIQ Group Name for Entities
tip_of_id	optional	numeric	EclecticIQ Outgoing Feed ID # for Polling
tip_ssl_check	optional	boolean	EclecticIQ SSL Cert Check
tip_proxy_uri	optional	string	Proxy Server Address
tip_proxy_user	optional	string	Proxy Server Username
tip_proxy_password	optional	password	Proxy Server Password

Supported Actions

test connectivity - Validate the asset configuration for connectivity using supplied configuration
domain reputation - Queries domain info
email reputation - Queries email info
file reputation - Queries for file reputation info
ip reputation - Queries IP info
url reputation - Queries URL info
create sighting - Create sighting in EclecticIQ TIP
create indicator - Create an indicator in EclecticIQ TIP
query entities - Query EclecticIQ Platform for entities
on poll - Callback action for the on_poll ingest functionality

action: 'test connectivity'

Validate the asset configuration for connectivity using supplied configuration

Type: test
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'domain reputation'

Queries domain info

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
domain	required	Domain to query	string	`domain` `url`

Action Output

DATA PATH	TYPE	CONTAINS
action_result.status	string
action_result.parameter.domain	string	`domain` `url`
action_result.data.0	string
action_result.data.0.created	string
action_result.data.0.last_updated	string
action_result.data.0.maliciousness	string
action_result.data.0.platform_link	string
action_result.data.0.source_name	string
action_result.summary.important_data	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'email reputation'

Queries email info

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
email	required	Email to query	string	`email`

Action Output

DATA PATH	TYPE	CONTAINS
action_result.status	string
action_result.parameter.email	string	`email`
action_result.data.0	string
action_result.data.0.created	string
action_result.data.0.last_updated	string
action_result.data.0.maliciousness	string
action_result.data.0.platform_link	string
action_result.data.0.source_name	string
action_result.summary.important_data	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'file reputation'

Queries for file reputation info

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
hash	required	File hash to query	string	`hash` `sha256` `sha1` `md5`

Action Output

DATA PATH	TYPE	CONTAINS
action_result.status	string
action_result.parameter.hash	string	`hash` `sha256` `sha1` `md5`
action_result.data.0	string
action_result.data.0.created	string
action_result.data.0.last_updated	string
action_result.data.0.maliciousness	string
action_result.data.0.platform_link	string
action_result.data.0.source_name	string
action_result.summary.important_data	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'ip reputation'

Queries IP info

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ip	required	IP to query	string	`ip`

Action Output

DATA PATH	TYPE	CONTAINS
action_result.status	string
action_result.parameter.ip	string	`ip`
action_result.data.0	string
action_result.data.0.created	string
action_result.data.0.last_updated	string
action_result.data.0.maliciousness	string
action_result.data.0.platform_link	string
action_result.data.0.source_name	string
action_result.summary.important_data	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'url reputation'

Queries URL info

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
url	required	URL to query	string	`url`

Action Output

DATA PATH	TYPE	CONTAINS
action_result.status	string
action_result.parameter.url	string	`url`
action_result.data.0	string
action_result.data.0.created	string
action_result.data.0.last_updated	string
action_result.data.0.maliciousness	string
action_result.data.0.platform_link	string
action_result.data.0.source_name	string
action_result.summary.important_data	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'create sighting'

Create sighting in EclecticIQ TIP

Type: contain
Read only: False

The TIP group name must be provided for this action to run successfully. Either in the source parameter or the asset configuration.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE
sighting_value	required	Observable value	string
sighting_type	required	Observable type	string
sighting_maliciousness	optional	Observalble maliciousness	string
confidence_value	required	Confidence value	string
sighting_description	optional	Sighting description	string
sighting_title	required	Sighting title	string
tags	required	Sighting tags delimited by ','	string
impact_value	required	Impact value	string
observable_2_maliciousness	optional	Observable 2 maliciousness	string
observable_2_type	optional	Observable 2 type	string
observable_2_value	optional	Observable 2 value	string
observable_3_maliciousness	optional	Observable 3 maliciousness	string
observable_3_type	optional	Observable 3 type	string
observable_3_value	optional	Observable 3 value	string

Action Output

DATA PATH	TYPE	CONTAINS
action_result.status	string
action_result.parameter.confidence_value	string
action_result.parameter.impact_value	string
action_result.parameter.observable_2_maliciousness	string
action_result.parameter.observable_2_type	string
action_result.parameter.observable_2_value	string
action_result.parameter.observable_3_maliciousness	string
action_result.parameter.observable_3_type	string
action_result.parameter.observable_3_value	string
action_result.parameter.sighting_description	string
action_result.parameter.sighting_maliciousness	string
action_result.parameter.sighting_title	string
action_result.parameter.sighting_type	string
action_result.parameter.sighting_value	string
action_result.parameter.tags	string
action_result.data.0	string
action_result.summary.important_data	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'create indicator'

Create an indicator in EclecticIQ TIP

Type: contain
Read only: False

The TIP group name must be provided for this action to run successfully. Either in the source parameter or the asset configuration.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE
observable_dictionary	required	Observable dictionary	string
indicator_type	required	Indicator type	string
confidence_value	required	Confidence value	string
indicator_description	optional	Indicator description	string
indicator_title	required	Indicator title	string
tags	required	Indicator tags delimited by ','	string
impact_value	required	Impact value	string

Action Output

DATA PATH	TYPE	CONTAINS
action_result.status	string
action_result.parameter.confidence_value	string
action_result.parameter.impact_value	string
action_result.parameter.indicator_description	string
action_result.parameter.indicator_title	string
action_result.parameter.indicator_type	string
action_result.parameter.observable_dictionary	string
action_result.parameter.tags	string
action_result.data.0	string
action_result.summary.important_data	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'query entities'

Query EclecticIQ Platform for entities

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
query	optional	Observable value to query related entities	string	`ip` `hash` `domain` `url` `sha1` `sha256` `md5` `sha512`
entity_value	optional	Text to search inside entity title. To find exact phrase wrap it with double-quotes (")	string
entity_type	optional	Type of entity to query	string

Action Output

DATA PATH	TYPE	CONTAINS
action_result.status	string
action_result.parameter.entity_type	string
action_result.parameter.entity_value	string
action_result.parameter.query	string	`ip` `hash` `domain` `url` `sha1` `sha256` `md5` `sha512`
action_result.data.*.description	string
action_result.data.*.extract_classification	string
action_result.data.*.extract_confidence	string
action_result.data.*.extract_kind	string
action_result.data.*.extract_value	string
action_result.data.*.source_name	string
action_result.data.*.tags	string
action_result.data.*.threat_start	string
action_result.data.*.title	string
action_result.data.*.type	string
action_result.summary	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'on poll'

Callback action for the on_poll ingest functionality

Type: ingest
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE
container_id	optional	Container IDs to limit the ingestion to	string
start_time	optional	Start of time range, in epoch time (milliseconds)	numeric
end_time	optional	End of time range, in epoch time (milliseconds)	numeric
container_count	optional	Maximum number of container records to query for	numeric
artifact_count	optional	Maximum number of artifact records to query for	numeric
feed_ids	optional	TIP feed IDs delimited by ","	string

Action Output

No Output

Name		Name	Last commit message	Last commit date
Latest commit History 54 Commits
.github/workflows		.github/workflows
release_notes		release_notes
wheels		wheels
.pre-commit-config.yaml		.pre-commit-config.yaml
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
NOTICE		NOTICE
README.md		README.md
__init__.py		__init__.py
dev-requirements.txt		dev-requirements.txt
eclecticiqapp.json		eclecticiqapp.json
eclecticiqapp_connector.py		eclecticiqapp_connector.py
exclude_files.txt		exclude_files.txt
logo_eclecticiqapp.svg		logo_eclecticiqapp.svg
logo_eclecticiqapp_dark.svg		logo_eclecticiqapp_dark.svg
requirements.txt		requirements.txt

License

eclecticiq/-intelligence-center-app-splunk-phantom

Folders and files

Latest commit

History

Repository files navigation

EclecticIQ app

Configuration Variables

Supported Actions

action: 'test connectivity'

Action Parameters

Action Output

action: 'domain reputation'

Action Parameters

Action Output

action: 'email reputation'

Action Parameters

Action Output

action: 'file reputation'

Action Parameters

Action Output

action: 'ip reputation'

Action Parameters

Action Output

action: 'url reputation'

Action Parameters

Action Output

action: 'create sighting'

Action Parameters

Action Output

action: 'create indicator'

Action Parameters

Action Output

action: 'query entities'

Action Parameters

Action Output

action: 'on poll'

Action Parameters

Action Output

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages