The newest version of EclecticIQ Intelligence Center is being released for General Availability today. Version 2.13 of our analyst-centric threat intelligence platform (TIP) helps you further streamline your analyst operations, thanks to more-powerful and highly granular rule-based workflow automation, extended audit logging, and an upgraded TAXII server for outgoing STIX 2.1 feeds.
EclecticIQ Intelligence Center 2.13 frees your analysts to focus on what they do best: investigating cyber threats.
- For a quick rundown of what’s new, we invite you to watch this short video.
- For more details, please continue reading.
New options for workflow automation with custom rules
Threat Intelligence Platforms - or TIPs - take the manual work out of aggregating and analyzing threat intelligence. This way, CTI analysts can devote their valuable time to investigations requiring their expert judgment. EclecticIQ Intelligence Center automates the entire analyst workflow, providing maximum data access to deliver unique insights. Most automation comes out-of-the-box, thanks to its STIX-based data model and robust ingestion engine. But Intelligence Center also gives analysts the flexibility to further automate their workflow using custom rules. Release 2.13 now offers analysts more options and granularity when defining these rules.
For example, there is a well-known problem the threat intelligence industry faces: different intelligence vendors use different nicknames to refer to the same threat actor. One intelligence vendor may talk about APT-28, while another calls it FancyBear and a third calls it Sednit. Thanks to Intelligence Center’s current rules feature, a CTI team can already normalize this threat data. They do this by adding a tag to data whose title refers to one of these names. This way, all tagged data for a single threat actor is consolidated into a single workspace.
But by only looking for name matches in the title, the rule may accidentally add data to the workspace that is not related to that specific threat actor. To address this potential error, release 2.13 adds extra content criteria for rules that give analysts greater control over any additional automation they require. Rules can now contain an unlimited number of query statements, and those statements can combine AND and OR conditions. This new capability allows analysts to eliminate the errors in the previous example by only tagging data where there is a match for all the name variants in both the title and the description. This extra flexibility and granularity supercharge your custom rule-based automation, and they further reduce the time your analysts spend performing manual operations.
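To make the difference concrete, here is an added illustration of how a title-only rule over-tags compared with a rule that combines title and description criteria. It is a hypothetical rule evaluator written for this post, not Intelligence Center's rule engine; the entities, alias list and tag name are constructed samples.

```python
"""Hypothetical AND/OR rule evaluator for tagging threat-intelligence entities."""
import re
from dataclasses import dataclass

# Constructed sample entities, shaped like a TIP record with a title and description.
ENTITIES = [
    {"id": "e1", "title": "APT-28 spear-phishing wave",
     "description": "Attributed to Sednit (aka Fancy Bear) by two vendors."},
    {"id": "e2", "title": "New FancyBear implant analysis",
     "description": "Sample attributed to the group also tracked as APT-28 / Sednit."},
    {"id": "e3", "title": "Conference talk: from APT-28 to ransomware economics",
     "description": "Slides on ransomware affiliate programs and payment flows."},
    {"id": "e4", "title": "Infrastructure report",
     "description": "Shared hosting reused by Sednit operators."},
]

# Vendor aliases for one actor (constructed list for the example).
ALIASES = ["APT-28", "FancyBear", "Sednit"]


@dataclass
class Statement:
    """One query statement: case-insensitive 'field contains value'."""
    field: str
    value: str

    def matches(self, entity: dict) -> bool:
        return re.search(re.escape(self.value), entity[self.field], re.IGNORECASE) is not None


@dataclass
class Rule:
    """A rule is an OR over groups; each group is an AND over statements."""
    tag: str
    groups: list  # list[list[Statement]]

    def matches(self, entity: dict) -> bool:
        return any(all(s.matches(entity) for s in group) for group in self.groups)


def apply_rule(rule: Rule, entities: list) -> set:
    """Return the ids of entities the rule would tag."""
    return {e["id"] for e in entities if rule.matches(e)}


# Rule 1: any alias in the title (OR only). Over-tags e3, an unrelated talk.
TITLE_ONLY = Rule("actor:apt28", [[Statement("title", a)] for a in ALIASES])

# Rule 2: an alias in the title AND an alias in the description (OR of AND groups).
COMBINED = Rule("actor:apt28", [[Statement("title", a), Statement("description", b)]
                                for a in ALIASES for b in ALIASES])
```

Running `apply_rule(TITLE_ONLY, ENTITIES)` tags e1, e2 and e3, while `apply_rule(COMBINED, ENTITIES)` tags only e1 and e2; e4 shows the trade-off, since requiring a title match still leaves description-only mentions untagged.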
Enhanced audit logging capability
Our customers include some of the world’s largest financial institutions. They use EclecticIQ Intelligence Center to power advanced CTI programs and share threat intelligence with their industry peers.
The financial industry is heavily regulated in many areas, including security. To help financial services customers comply, we added two enhancements to the audit logging capability of EclecticIQ Intelligence Center 2.13. First, we expanded what is logged to include not just all the actions, but also what data was accessed, down to the level of individual objects. On top of that, you can now stream these logs to central logging servers to perform your own analyses.
These enhancements give you reassurance that any user action is traceable and provide more flexibility to produce the audit trails you need. Like the other new features of version 2.13, they help streamline a time-consuming process, in this case auditing, so your analysts can concentrate on their core responsibilities.
Simplified set-up for outgoing STIX 2.1 feeds
We are big fans of the STIX and TAXII standards. In fact, STIX serves as the basis for EclecticIQ Intelligence Center’s data model. That’s why our solution already supports ingesting and sharing threat data for an important subset of STIX 2.1 objects.
EclecticIQ Intelligence Center currently allows you to push out intelligence in STIX 2.1 manually over the TAXII 2.1 protocol, or automatically over TAXII 1.2. However, it can be burdensome to set up an outgoing STIX 2.1 feed over TAXII 1.2. That’s why, in release 2.13, we upgraded the built-in TAXII server of EclecticIQ Intelligence Center from version 1 to version 2. Now, it’s much easier to provide an intelligence feed in STIX 2.1 format to multiple stakeholders or security controls over TAXII.
We’re also pleased to announce that we will be making this new TAXII 2.1 server functionality available to the community via our popular open-source tool, OpenTAXII. OpenTAXII allows developers to run an extensible implementation of TAXII services for producers and consumers of threat intelligence. Thanks to the new version of EclecticIQ Intelligence Center, developers will soon be able to offer these services over TAXII 2. Look for the upcoming update on GitHub.
Want to know more?
For a deeper dive into this release, or to find out how EclecticIQ can strengthen your cyber defenses, please get in touch.