EclecticIQ Platform

Threat Intelligence Platform that connects and interprets intelligence data from open sources, commercial suppliers and industry partnerships.
EclecticIQ Platform is used through Demisto to get reputation of IOCs and their related entities.
This integration was integrated and tested with version 2.3.0-1 of EclecticIQ Platform

Use Cases

  1. Get reputation of IOCs (observables).
  2. Get observables’ related entities.

Configure EclecticIQ Platform on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for integration-EclecticIQ_Platform.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g. https://192.168.0.1)
    • Username
    • Trust any certificate (not secure)
    • Use system proxy
    • IP threshold. Minimum maliciousness confidence level to consider the IP address malicious: High, Medium, Low, Safe, Unknown
    • URL threshold. Minimum maliciousness confidence level to consider the URL malicious: High, Medium, Low, Safe, Unknown
    • File threshold. Minimum maliciousness confidence level to consider the file malicious: High, Medium, Low, Safe, Unknown
    • Email threshold. Minimum maliciousness confidence level to consider the email address malicious: High, Medium, Low, Safe, Unknown
    • Domain threshold. Minimum maliciousness confidence level to consider the domain malicious: High, Medium, Low, Safe, Unknown
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Get the reputation of an IP address observable


Gets the reputation of an IP address observable.

Base Command

ip

Input
Argument Name | Description | Required
ip | IPv4 address to get the reputation of | Required

Context Output
Path | Type | Description
EclecticIQ.IP.Address | String | IP address that was tested
EclecticIQ.IP.Created | Date | Observable creation date
EclecticIQ.IP.LastUpdated | Date | Observable last updated date
EclecticIQ.IP.ID | Number | Observable ID
EclecticIQ.IP.Maliciousness | String | Maliciousness confidence level
IP.Address | String | IP address that was tested
IP.Malicious.Vendor | String | For malicious IPs, the vendor that made the decision
IP.Malicious.Description | String | For malicious IPs, the reason that the vendor made the decision
DBotScore.Type | String | Indicator type
DBotScore.Vendor | String | Vendor used to calculate the score
DBotScore.Score | Number | The actual score
DBotScore.Indicator | String | The indicator that was tested

Command Example

ip ip=8.8.8.8

Context Example
{
    "IP": [
        {
            "Address": "8.8.8.8"
        }
    ], 
    "DBotScore": {
        "Vendor": "EclecticIQ", 
        "Indicator": "8.8.8.8", 
        "Score": 1, 
        "Type": "ip"
    }, 
    "EclecticIQ.IP": [
        {
            "Maliciousness": "safe", 
            "Created": "2019-01-16T11:55:11.732145+00:00", 
            "ID": 86, 
            "LastUpdated": "2019-01-16T11:55:11.708640+00:00", 
            "Address": "8.8.8.8"
        }
    ]
}
Human Readable Output

EclecticIQ IP reputation - 8.8.8.8

Maliciousness | Created | ID | LastUpdated | Address
safe | 2019-01-16T11:55:11.732145+00:00 | 86 | 2019-01-16T11:55:11.708640+00:00 | 8.8.8.8
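The context example above shows how a maliciousness level becomes a DBotScore (safe gives 1, medium gives 2, unknown gives 0) and how the IP context entries are filled. The Python below is an added illustration, not the integration's own code: it assumes an observable counts as malicious when its level is at or above the configured threshold (default High) and that lower non-safe levels are suspicious; the raw field names (value, maliciousness, created_at, last_updated_at, id) are constructed for the sample, not EclecticIQ's API.

```python
# Added example, not the integration's code. Maps an EclecticIQ maliciousness
# level plus the per-type threshold from the instance settings to a DBotScore
# and to the IP / EclecticIQ.IP context entries documented above.
# Assumption: level >= threshold -> malicious (3); unknown -> 0; safe -> 1;
# anything else below the threshold -> suspicious (2).

LEVELS = ["unknown", "safe", "low", "medium", "high"]  # ascending severity


def dbot_score(maliciousness, threshold="high"):
    """Return the DBotScore (0-3) for one maliciousness level."""
    level = maliciousness.lower()
    if level not in LEVELS or threshold.lower() not in LEVELS:
        raise ValueError("unknown maliciousness level: %s" % maliciousness)
    if LEVELS.index(level) >= LEVELS.index(threshold.lower()):
        return 3  # at or above the configured threshold: malicious
    if level == "unknown":
        return 0
    if level == "safe":
        return 1
    return 2  # low/medium below the threshold: suspicious


def ip_context(observable, threshold="high"):
    """Build the context entries for one IP observable (constructed input keys)."""
    score = dbot_score(observable["maliciousness"], threshold)
    ip_entry = {"Address": observable["value"]}
    if score == 3:  # only malicious verdicts carry the Malicious sub-object
        ip_entry["Malicious"] = {
            "Vendor": "EclecticIQ",
            "Description": "Maliciousness confidence level: %s"
            % observable["maliciousness"],
        }
    return {
        "EclecticIQ.IP": [{
            "Address": observable["value"],
            "Created": observable["created_at"],
            "ID": observable["id"],
            "LastUpdated": observable["last_updated_at"],
            "Maliciousness": observable["maliciousness"],
        }],
        "IP": [ip_entry],
        "DBotScore": {"Indicator": observable["value"], "Type": "ip",
                      "Vendor": "EclecticIQ", "Score": score},
    }


# Constructed sample mirroring the 8.8.8.8 context example above
SAMPLE = {"value": "8.8.8.8", "maliciousness": "safe", "id": 86,
          "created_at": "2019-01-16T11:55:11.732145+00:00",
          "last_updated_at": "2019-01-16T11:55:11.708640+00:00"}
```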

2. Get the reputation of a URL observable


Gets the reputation of a URL observable.

Base Command

url

Input
Argument Name | Description | Required
url | URL observable to get the reputation of | Required

Context Output
Path | Type | Description
EclecticIQ.URL.Data | String | URL that was tested
EclecticIQ.URL.Created | Date | Observable creation date
EclecticIQ.URL.LastUpdated | Date | Observable last updated date
EclecticIQ.URL.ID | Number | Observable ID
EclecticIQ.URL.Maliciousness | String | Maliciousness confidence level
URL.Data | String | URL that was tested
URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision
URL.Malicious.Description | String | For malicious URLs, the reason that the vendor made the decision
DBotScore.Type | String | Indicator type
DBotScore.Vendor | String | Vendor used to calculate the score
DBotScore.Score | Number | The actual score
DBotScore.Indicator | String | The indicator that was tested

Command Example

url url=http://chstarkeco.com

Context Example
{
    "DBotScore": {
        "Vendor": "OpenPhish", 
        "Indicator": "http://chstarkeco.com", 
        "Score": 0, 
        "Type": "url"
    }
}

{
    "URL": {
        "Data": "http://chstarkeco.com"
    }, 
    "DBotScore": {
        "Vendor": "PhishTank", 
        "Indicator": "http://chstarkeco.com", 
        "Score": 0, 
        "Type": "url"
    }
}

{
    "URL": [
        {
            "Data": "http://chstarkeco.com"
        }
    ], 
    "DBotScore": {
        "Vendor": "EclecticIQ", 
        "Indicator": "http://chstarkeco.com", 
        "Score": 2, 
        "Type": "url"
    }, 
    "EclecticIQ.URL": [
        {
            "Maliciousness": "medium", 
            "Data": "http://chstarkeco.com", 
            "ID": 83, 
            "LastUpdated": "2019-01-16T11:53:51.128167+00:00", 
            "Created": "2019-01-16T11:52:49.993110+00:00"
        }
    ]
}
Human Readable Output

OpenPhish Database - URL Query

No matches for URL http://chstarkeco.com

PhishTank Database - URL Query

No matches for URL http://chstarkeco.com

EclecticIQ URL reputation - http://chstarkeco.com

Maliciousness | Data | ID | LastUpdated | Created
medium | http://chstarkeco.com | 83 | 2019-01-16T11:53:51.128167+00:00 | 2019-01-16T11:52:49.993110+00:00

3. Get the reputation of a file observable


Gets the reputation of a file hash observable.

Base Command

file

Input
Argument Name | Description | Required
file | File hash observable to get the reputation of | Required

Context Output
Path | Type | Description
EclecticIQ.File.MD5 | String | File MD5 hash that was tested
EclecticIQ.File.SHA1 | String | File SHA-1 hash that was tested
EclecticIQ.File.SHA256 | String | File SHA-256 hash that was tested
EclecticIQ.File.SHA512 | String | File SHA-512 hash that was tested
EclecticIQ.File.Created | Date | Observable creation date
EclecticIQ.File.LastUpdated | Date | Observable last updated date
EclecticIQ.File.ID | Number | Observable ID
EclecticIQ.File.Maliciousness | String | Maliciousness confidence level
File.MD5 | String | File MD5 hash that was tested
File.SHA1 | String | File SHA-1 hash that was tested
File.SHA256 | String | File SHA-256 hash that was tested
File.SHA512 | String | File SHA-512 hash that was tested
File.Malicious.Vendor | String | For malicious files, the vendor that made the decision
File.Malicious.Description | String | For malicious files, the reason that the vendor made the decision
DBotScore.Type | String | Indicator type
DBotScore.Vendor | String | Vendor used to calculate the score
DBotScore.Score | Number | The actual score
DBotScore.Indicator | String | The indicator that was tested

Command Example

file file=00112233445566778899aabbccddeeff

4. Get the related entities of an observable

Returns related entities of a single observable.

Base Command

eclecticiq-get-observable-related-entity

Input
Argument Name | Description | Required
observable_id | Observable ID to get entity information for (can be retrieved from one of the IOC commands) | Required

Context Output
Path | Type | Description
EclecticIQ.Entity.Analysis | String | Entity analysis description
EclecticIQ.Entity.EstimatedObservedTime | Date | Entity estimated observed time
EclecticIQ.Entity.EstimatedStartTime | Date | Entity estimated start time
EclecticIQ.Entity.Exposure.Community | Boolean | Whether the entity is in the community feed
EclecticIQ.Entity.Exposure.Detection | Boolean | Whether the entity is detected
EclecticIQ.Entity.Exposure.Exposed | Boolean | Whether the entity is exposed
EclecticIQ.Entity.Exposure.Prevention | Boolean | Whether the entity is in the prevention feed
EclecticIQ.Entity.Exposure.Sighting | Boolean | Whether the entity is sighted
EclecticIQ.Entity.HalfLife | String | The time it takes an entity to decay in intelligence value, expressed as the number of days until a 50% decay
EclecticIQ.Entity.ID | String | Entity ID
EclecticIQ.Entity.Source.Name | String | Entity source name
EclecticIQ.Entity.Source.Reliability | String | Entity source reliability
EclecticIQ.Entity.Source.Type | String | Entity source type
EclecticIQ.Entity.Title | String | Entity title

Command Example

eclecticiq-get-observable-related-entity observable_id=63

Context Example
{
    "EclecticIQ.Entity": [
        {
            "HalfLife": "30 Days", 
            "Title": "Indicator containing malicious file hashes", 
            "EstimatedObservedTime": "2018-11-21T13:34:35.890076+00:00", 
            "Analysis": "Indicator that contains malicious file hashes.", 
            "Source": [
                {
                    "Reliability": null, 
                    "Type": "incoming_feed", 
                    "Name": "TAXII Stand Samples"
                }
            ], 
            "EstimatedStartTime": "2014-05-08T09:00:00+00:00", 
            "ID": "56e218b0-3f6b-4237-beca-3b39ab8e96c2", 
            "Exposure": {
                "Detection": false, 
                "Sighting": false, 
                "Prevention": false, 
                "Community": false, 
                "Exposed": true
            }
        }
    ]
}
Human Readable Output

HalfLife | Title | EstimatedObservedTime | Analysis | EstimatedStartTime | ID
30 Days | Indicator containing malicious file hashes | 2018-11-21T13:34:35.890076+00:00 | Indicator that contains malicious file hashes. | 2014-05-08T09:00:00+00:00 | 56e218b0-3f6b-4237-beca-3b39ab8e96c2

Sources

Type | Name
incoming_feed | TAXII Stand Samples

Exposure

Detection | Sighting | Community | Prevention | Exposed
false | false | false | false | true

5. Get the reputation of an email observable


Gets the reputation of an email address observable.

Base Command

email

Input
Argument Name | Description | Required
email | Email address observable to get the reputation of | Required

Context Output
Path | Type | Description
EclecticIQ.Email.Address | String | Email address that was tested
EclecticIQ.Email.Created | Date | Observable creation date
EclecticIQ.Email.LastUpdated | Date | Observable last updated date
EclecticIQ.Email.ID | Number | Observable ID
EclecticIQ.Email.Maliciousness | String | Maliciousness confidence level
Account.Email.Address | String | Email address that was tested
Account.Email.Malicious.Vendor | String | For malicious email addresses, the vendor that made the decision
Account.Email.Malicious.Description | String | For malicious email addresses, the reason that the vendor made the decision
DBotScore.Type | String | Indicator type
DBotScore.Vendor | String | Vendor used to calculate the score
DBotScore.Score | Number | The actual score
DBotScore.Indicator | String | The indicator that was tested

Command Example

email email=disco-team@stealthemail.com

Context Example
{
    "EclecticIQ.Email": [
        {
            "Maliciousness": "unknown", 
            "Created": "2018-11-21T13:34:31.126027+00:00", 
            "ID": 42, 
            "LastUpdated": "2018-11-21T13:34:31.126027+00:00", 
            "Address": "disco-team@stealthemail.com"
        }, 
        {
            "Maliciousness": "unknown", 
            "Created": "2018-11-21T13:34:31.134425+00:00", 
            "ID": 43, 
            "LastUpdated": "2018-11-21T13:34:31.134425+00:00", 
            "Address": "disco-team@stealthemail.com"
        }
    ], 
    "DBotScore": {
        "Vendor": "EclecticIQ", 
        "Indicator": "disco-team@stealthemail.com", 
        "Score": 0, 
        "Type": "email"
    }, 
    "Account.Email": [
        {
            "Address": "disco-team@stealthemail.com"
        }, 
        {
            "Address": "disco-team@stealthemail.com"
        }
    ]
}
Human Readable Output

EclecticIQ Email reputation - disco-team@stealthemail.com

Maliciousness | Created | ID | LastUpdated | Address
unknown | 2018-11-21T13:34:31.126027+00:00 | 42 | 2018-11-21T13:34:31.126027+00:00 | disco-team@stealthemail.com
unknown | 2018-11-21T13:34:31.134425+00:00 | 43 | 2018-11-21T13:34:31.134425+00:00 | disco-team@stealthemail.com

6. Get the reputation of a domain observable


Gets the reputation of a domain observable.

Base Command

domain

Input
Argument Name | Description | Required
domain | Domain observable to get the reputation of | Required

Context Output
Path | Type | Description
EclecticIQ.Domain.Name | String | Domain name that was tested
EclecticIQ.Domain.Created | Date | Observable creation date
EclecticIQ.Domain.LastUpdated | Date | Observable last updated date
EclecticIQ.Domain.ID | Number | Observable ID
EclecticIQ.Domain.Maliciousness | String | Maliciousness confidence level
Domain.Name | String | Domain name that was tested
Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision
Domain.Malicious.Description | String | For malicious domains, the reason that the vendor made the decision
DBotScore.Type | String | Indicator type
DBotScore.Vendor | String | Vendor used to calculate the score
DBotScore.Score | Number | The actual score
DBotScore.Indicator | String | The indicator that was tested

Command Example

domain domain=gooc.om

Context Example
{
    "Domain": [
        {
            "Name": "gooc.om"
        }
    ], 
    "DBotScore": {
        "Vendor": "EclecticIQ", 
        "Indicator": "gooc.om", 
        "Score": 0, 
        "Type": "domain"
    }, 
    "EclecticIQ.Domain": [
        {
            "Maliciousness": "unknown", 
            "Name": "gooc.om", 
            "ID": 74, 
            "LastUpdated": "2018-11-21T13:34:38.964435+00:00", 
            "Created": "2018-11-21T13:34:38.964435+00:00"
        }
    ]
}
Human Readable Output

EclecticIQ Domain reputation - gooc.om

ID | Maliciousness | Name | LastUpdated | Created
74 | unknown | gooc.om | 2018-11-21T13:34:38.964435+00:00 | 2018-11-21T13:34:38.964435+00:00