# EclecticIQ

EclecticIQ is a threat intelligence platform designed to help organizations manage and operationalize their cyber threat intelligence.

EclecticIQ is a leading threat intelligence platform that empowers organizations to manage and analyze cyber threats effectively. The EclecticIQ connector for Swimlane Turbine enables seamless integration with EclecticIQ's robust threat intelligence capabilities, allowing users to create and manage observables and entities, and retrieve detailed threat data. This integration enhances security automation by providing real-time insights and actionable intelligence, enabling security teams to respond swiftly and efficiently to emerging threats.

## Limitations

None to date.

## Supported Versions

This EclecticIQ connector uses the latest version API.

## Additional Documents

Documentation: https://developers.eclecticiq.com/reference/get aggregations entities counts

## Prerequisites

Before you can use the EclecticIQ connector for Turbine, you'll need access to the EclecticIQ API. This requires the following:

HTTP Bearer Authentication using the following parameters:

- URL: The endpoint URL for accessing the EclecticIQ API.
- API Key: A valid API key to authenticate requests to the EclecticIQ platform.

## Authentication Methods

HTTP Bearer Authentication method:

- URL: The endpoint URL for accessing the EclecticIQ API.
- API Key: A valid API key for authenticating requests to the EclecticIQ API.

## Capabilities

This EclecticIQ connector provides the following capabilities:

- Create a New Observable
- Create an Entity
- Get a List of Entities
- Get a List of Observables
- Get an Entity by ID
- Get an Observable by ID

### Create a New Observable

Create a new observable in EclecticIQ using the provided data in JSON format.

Documentation: https://developers.eclecticiq.com/reference/post observables

### Create an Entity

This action leverages the external (STIX) ID provided on the payload's data attribute to de-duplicate the entity.

Documentation: https://developers.eclecticiq.com/reference/post entities

### Get a List of Entities

Retrieves a paginated list of entities with sorting, optional field projection, structured filters, and Lucene full text or faceted search.

Documentation: https://developers.eclecticiq.com/reference/get entities

### Get a List of Observables

Retrieve observables with pagination, sorting, optional field projection, filters (type, value, sources, entities), and Lucene-style search.

Documentation: https://developers.eclecticiq.com/reference/get observables

### Get an Entity by ID

Retrieves an entity by its ID. The ID can be either a STIX ID or an EclecticIQ ID.

Documentation: https://developers.eclecticiq.com/reference/get entities id

### Get an Observable by ID

Retrieve an observable from EclecticIQ using its unique ID provided as a path parameter.

Documentation: https://developers.eclecticiq.com/reference/get observables id

## Configurations

### HTTP Bearer Authentication

Authenticates using bearer token such as a JWT, etc.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| `url` | A URL to the target host. | string | Required |
| `token` | The API key, token, etc. | string | Required |
| `verify_ssl` | Verify SSL certificate | boolean | Optional |
| `http_proxy` | A proxy to route requests through. | string | Optional |

## Actions

### Create a New Observable

Create a new observable in EclecticIQ using the provided data in JSON format.

Endpoint URL: `api/v2/observables`

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `data` | object | Optional | Response data |
| `data.meta` | object | Optional | Meta data for the observable |
| `data.meta.link_type` | string | Optional | Link type for the observable |
| `data.meta.maliciousness` | string | Optional | Maliciousness for the observable |
| `data.type` | string | Required | Type of the observable |
| `data.sources` | array | Optional | Source associated to this object (id/url). Only the source of type {'group'} can be assigned but any source types may be returned if assigned by the system, like an incoming feed source |
| `data.value` | string | Required | Value of the observable |

#### Input example

```json
{"json_body": {"data": {
  "meta": {"link_type": "test link", "maliciousness": "safe", "newkey": "new value"},
  "type": "ja3-full",
  "sources": [
    "http://localhost/api/v2/sources/a1711a44-41cc-4c32-aaf1-9bbd734c00c5",
    "http://localhost/api/v2/sources/a1711a44-41cc-4c32-aaf1-9bbd734c00c5"
  ],
  "value": "test"
}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | array | Response data |
| `data.created_at` | string | Response data |
| `data.entities` | array | Response data |
| `data.id` | number | Response data |
| `data.last_updated_at` | string | Response data |
| `data.meta` | object | Response data |
| `data.meta.link_type` | string | Response data |
| `data.meta.maliciousness` | string | Response data |
| `data.meta.risk_score` | string | Response data |
| `data.meta.additionalprop` | object | Response data |
| `data.sources` | array | Response data |
| `data.type` | string | Response data |
| `data.value` | string | Response data |

#### Output example

```json
{"status_code": 201, "response_headers": {}, "reason": "Created", "json_body": {"data": [{}]}}
```

### Create an Entity

Leverage the external STIX ID in the payload's data attribute to de-duplicate and create an entity in EclecticIQ.

Endpoint URL: `api/v2/entities`

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `data` | object | Optional | Response data |
| `data.data` | object | Required | Response data |
| `data.data.type` | string | Optional | The type of the associated object |
| `data.meta` | object | Optional | Response data |
| `data.meta.report_template` | object | Optional | Basic metadata of the associated report template |
| `data.meta.report_template.id` | number | Optional | ID of the associated report template |
| `data.meta.report_template.sub_title` | string | Optional | Sub title of the associated report template |
| `data.meta.report_template.super_title` | string | Optional | Super title of the associated report template |
| `data.meta.tags` | array | Optional | Tags associated to this object |
| `data.meta.taxonomies` | array | Optional | Taxonomy id, url or path expressed as a lists of strings |
| `data.meta.alias` | string | Optional | User defined title |
| `data.meta.attacks` | array | Optional | MITRE ATT&CK id/url. The parent ATT&CK like a tactic for a technique are not included except if specifically classified |
| `data.meta.source_reliability` | string | Optional | Source reliability of the associated object. Possible values are a, b, c, d |
| `data.meta.tlp_color` | string | Optional | The current TLP value. The values clear and amber strict are also accepted as an input but converted to TLP v1 on the response side |
| `data.meta.estimated_observed_time` | string | Optional | Timestamp in UTC ISO 8601 format |
| `data.meta.estimated_threat_end_time` | string | Optional | Timestamp in UTC ISO 8601 format |
| `data.meta.estimated_threat_start_time` | string | Optional | Timestamp in UTC ISO 8601 format |
| `data.meta.half_life` | number | Optional | Half life of the associated object in days |
| `data.sources` | array | Optional | Source associated to this object (id/url). Only the source of type {'group'} can be assigned but any source types may be returned if assigned by the system, like an incoming feed source |
| `data.datasets` | array | Optional | Dataset id/url |
| `data.observables` | array | Optional | Observables are always returned as list of API URLs, but it is also possible to provide them as objects with type and value attributes. If such objects do not exist, they will be created |
| `data.attachments` | array | Optional | Entity attachment id/url |
| `data.id` | string | Optional | Internal EclecticIQ entity UUID |

#### Input example

```json
{"json_body": {"data": {
  "data": {"type": "exploit-target"},
  "meta": {
    "report_template": {"id": 5, "sub_title": "test sub tile", "super_title": "test super title"},
    "tags": ["test tag 1"],
    "taxonomies": ["http://localhost/api/v2/taxonomies/1"],
    "alias": "test alias",
    "attacks": ["http://localhost/api/v2/attacks/ta0001:t1078.001"],
    "source_reliability": "d",
    "tlp_color": "green",
    "estimated_observed_time": "2016-12-31T16:28:00+00:00",
    "estimated_threat_end_time": "2016-12-31T16:28:00+00:00",
    "estimated_threat_start_time": "2016-12-31T16:28:00+00:00",
    "half_life": 5
  },
  "sources": ["http://localhost/api/v2/sources/a86de6e0-af20-4a57-93d9-826e1ef4a47a"],
  "datasets": ["http://localhost/api/v2/datasets/1"],
  "observables": ["http://localhost/api/v2/observables/1"],
  "attachments": ["http://localhost/api/v2/entities/attachments/1"],
  "id": "a86de6e0-af20-4a57-93d9-826e1ef4a47a"
}}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.attachments` | array | Response data |
| `data.created_at` | string | Response data |
| `data.created_by` | string | Response data |
| `data.data` | object | Response data |
| `data.data.aliases` | array | Response data |
| `data.data.aliases.value` | string | Response data |
| `data.data.confidence` | string | Response data |
| `data.data.description` | string | Response data |
| `data.data.description_structuring_format` | string | Response data |
| `data.data.external_references` | array | Response data |
| `data.data.external_references.description` | string | Response data |
| `data.data.external_references.external_id` | string | Response data |
| `data.data.external_references.source_name` | string | Response data |
| `data.data.external_references.url` | string | Response data |
| `data.data.external_references.hashes` | object | Response data |
| `data.data.external_references.hashes.additionalprop` | string | Response data |
| `data.data.handling` | array | Response data |
| `data.data.handling.controlled_structure` | string | Response data |
| `data.data.handling.id` | string | Response data |
| `data.data.handling.idref` | string | Response data |
| `data.data.handling.information_source` | object | Response data |
| `data.data.handling.information_source.description` | string | Response data |

#### Output example

```json
{"status_code": 202, "response_headers": {}, "reason": "Created", "json_body": {"data": {
  "attachments": [],
  "created_at": "2016-12-31T16:28:00+00:00",
  "created_by": "http://localhost/api/v2/users/1",
  "data": {},
  "datasets": [],
  "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "incoming_feed": "http://localhost/api/v2/incoming-feeds/1",
  "last_updated_at": "2016-12-31T16:28:00+00:00",
  "meta": {},
  "observables": [],
  "outgoing_feeds": [],
  "relevancy": 0,
  "sources": []
}}}
```

### Get a List of Entities

Retrieve a paginated list of entities in EclecticIQ with sorting, optional field projection, structured filters, and Lucene full text or faceted search.

Endpoint URL: `api/v2/entities`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `parameters.limit` | number | Optional | Maximum number of items to be returned (int32) |
| `parameters.offset` | number | Optional | Return results starting from the specified zero-based index (int32) |
| `parameters.sort` | string | Optional | Comma separated list of fields to sort on. Prefix a field with the minus "-" sign to apply descending sort |
| `parameters.data` | boolean | Optional | Set to false to retrieve only the count of objects matching the query; otherwise full result data is returned |
| `parameters.attributes` | string | Optional | Comma separated list of attributes to return. Nested attributes are separated by dots (e.g. data.title) |
| `parameters.filter[id]` | string | Optional | Filter by entity internal UUID |
| `parameters.filter[type]` | string | Optional | Filter by entity type |
| `parameters.filter[data.id]` | string | Optional | Filter by STIX ID |
| `parameters.filter[data.title]` | string | Optional | Filter by title |
| `parameters.filter[data.description]` | string | Optional | Filter by description |
| `parameters.filter[data.test_mechanisms.test_mechanism_type]` | string | Optional | Filter by test mechanism type |
| `parameters.filter[data.producer.identity]` | string | Optional | Filter by producer identity |
| `parameters.filter[data.producer.roles]` | string | Optional | Filter by producer roles |
| `parameters.filter[meta.alias]` | string | Optional | Filter by entity alias |
| `parameters.filter[meta.half_life]` | string | Optional | Filter by entity half life |
| `parameters.filter[sources]` | string | Optional | Filter by source(s) |
| `parameters.filter[incoming_feed]` | string | Optional | Filter by incoming feed id/url |
| `parameters.filter[outgoing_feeds]` | string | Optional | Filter by outgoing feed ids/urls |
| `parameters.filter[meta.source_reliability]` | string | Optional | Filter by entity source reliability (Admiralty scale letter) |
| `parameters.filter[meta.tags]` | string | Optional | Filter by tags |
| `parameters.filter[meta.taxonomies]` | string | Optional | Filter by taxonomy node ids/urls |
| `parameters.filter[meta.is_unresolved_idref]` | string | Optional | Filter by unresolved idref flag. To exclude all unresolved entities, use `filter[!meta.is_unresolved_idref]=true` on the API |
| `parameters.filter[meta.tlp_color]` | string | Optional | Filter by TLP color. clear and amber strict may be accepted as input and mapped on the server |
| `parameters.filter[meta.attacks]` | string | Optional | Filter by MITRE ATT&CK ids/urls. The filter follows parent relationships: if an entity is classified with a technique, filtering on the parent tactic still includes that entity |
| `parameters.filter[attack_classifications]` | string | Optional | Filter by MITRE ATT&CK ids/urls for explicit classifications only. Filtering on a parent tactic does not include entities classified only with a child technique |

#### Input example

```json
{"parameters": {
  "limit": 26,
  "offset": 495,
  "sort": "id",
  "data": true,
  "attributes": "data.description,meta.tags,id",
  "filter[id]": "6f3c1dc4-9d3e-4959-98d1-d3a1803040d9",
  "filter[type]": "attack-pattern",
  "filter[data.id]": "{https://d440jsdt.example.com}indicator-5d8d2f67-2511-447c-bb11-64d35a32aae2",
  "filter[data.title]": "zzyfgg1a ee4fxd title",
  "filter[data.description]": "random description oz14do1fsi5ireunxjbt ",
  "filter[data.test_mechanisms.test_mechanism_type]": "yara",
  "filter[data.producer.identity]": "http://localhost/api/v2/sources/f015be5a-be3f-40b9-92cd-20f9f06376e7",
  "filter[data.producer.roles]": "reporter",
  "filter[meta.alias]": "alias l8yfkh",
  "filter[meta.half_life]": "86400",
  "filter[sources]": "http://localhost/api/v2/sources/7e2539fc-7612-413f-b784-6e3fea683665",
  "filter[incoming_feed]": "http://localhost/api/v2/incoming-feeds/43738",
  "filter[outgoing_feeds]": "http://localhost/api/v2/outgoing-feeds/77285",
  "filter[meta.source_reliability]": "c",
  "filter[meta.tags]": "rch8k,p062a,ssd38,9www8",
  "filter[meta.taxonomies]": "http://localhost/api/v2/taxonomies/87436,http://localhost/api/v2/taxonomies/70569",
  "filter[meta.is_unresolved_idref]": "false",
  "filter[meta.tlp_color]": "red",
  "filter[meta.attacks]": "http://localhost/api/v2/attacks/ta0002:t1084.4",
  "filter[attack_classifications]": "http://localhost/api/v2/attacks/ta0001:t1051",
  "filter[datasets]": "http://localhost/api/v2/datasets/81290",
  "filter[observables]": "http://localhost/api/v2/observables/95810",
  "filter[_lucene_search]": "attached files "
}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | array | Response data |
| `data.attachments` | array | Response data |
| `data.created_at` | string | Response data |
| `data.created_by` | string | Response data |
| `data.data` | object | Response data |
| `data.data.aliases` | array | Response data |
| `data.data.aliases.value` | string | Response data |
| `data.data.confidence` | string | Response data |
| `data.data.description` | string | Response data |
| `data.data.description_structuring_format` | string | Response data |
| `data.data.external_references` | array | Response data |
| `data.data.external_references.description` | string | Response data |
| `data.data.external_references.external_id` | string | Response data |
| `data.data.external_references.source_name` | string | Response data |
| `data.data.external_references.url` | string | Response data |
| `data.data.handling` | array | Response data |
| `data.data.handling.controlled_structure` | string | Response data |
| `data.data.handling.id` | string | Response data |
| `data.data.handling.idref` | string | Response data |
| `data.data.handling.information_source` | object | Response data |
| `data.data.handling.information_source.description` | string | Response data |
| `data.data.handling.information_source.description_structuring_format` | string | Response data |
| `data.data.handling.information_source.identity` | object | Response data |

#### Output example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"data": [{}]}}
```

### Get a List of Observables

Retrieve a list of observables from EclecticIQ with options for pagination, sorting, field projection, filters, and Lucene-style search.

Endpoint URL: `api/v2/observables`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `parameters.limit` | number | Optional | Maximum number of items to be returned (int32) |
| `parameters.offset` | number | Optional | Return results starting from the specified zero-based index (int32) |
| `parameters.sort` | string | Optional | Comma separated list of fields to sort on. Prefix a field with the minus "-" sign to apply descending sort |
| `parameters.data` | boolean | Optional | Set to false to retrieve only the count of objects matching the query; otherwise full result data is returned |
| `parameters.attributes` | string | Optional | Comma separated list of attributes to return. Use dots for nested attributes (e.g. data.title) |
| `parameters.filter[type]` | string | Optional | Filter by observable type |
| `parameters.filter[value]` | string | Optional | Filter by observable value |
| `parameters.filter[sources]` | string | Optional | Filter by source id/url |
| `parameters.filter[entities]` | string | Optional | Filter by related entity id/url |
| `parameters.filter[_lucene_search]` | string | Optional | Full text or faceted search with logic operators such as AND and OR |

#### Input example

```json
{"parameters": {
  "limit": 12,
  "offset": 0,
  "sort": "field_1",
  "data": true,
  "attributes": "field_1",
  "filter[type]": "test type",
  "filter[value]": "test value",
  "filter[sources]": "test sources",
  "filter[entities]": "test entities",
  "filter[_lucene_search]": "field_1:value AND field_2:other"
}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | array | Response data |
| `data.created_at` | string | Response data |
| `data.entities` | array | Response data |
| `data.id` | number | Response data |
| `data.last_updated_at` | string | Response data |
| `data.meta` | object | Response data |
| `data.meta.link_type` | string | Response data |
| `data.meta.maliciousness` | string | Response data |
| `data.meta.risk_score` | string | Response data |
| `data.meta.additionalprop` | object | Response data |
| `data.sources` | array | Response data |
| `data.type` | string | Response data |
| `data.value` | string | Response data |

#### Output example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"data": [{}]}}
```

### Get an Entity by ID

Retrieve an entity using its STIX or EclecticIQ ID. Requires the 'id' as a path parameter.

Endpoint URL: `api/v2/entities/{{id}}`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `parameters.attributes` | string | Optional | Comma separated list of attributes to be returned. Nested attributes are separated by dots, e.g. data.title |
| `path_parameters.id` | string | Required | Entity ID. It can be either a STIX ID or an EclecticIQ ID |

#### Input example

```json
{"parameters": {"attributes": "data.title,meta.alias,data.id"}, "path_parameters": {"id": "1"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.attachments` | array | Response data |
| `data.created_at` | string | Response data |
| `data.created_by` | string | Response data |
| `data.data` | object | Response data |
| `data.data.aliases` | array | Response data |
| `data.data.aliases.value` | string | Response data |
| `data.data.confidence` | string | Response data |
| `data.data.description` | string | Response data |
| `data.data.description_structuring_format` | string | Response data |
| `data.data.external_references` | array | Response data |
| `data.data.external_references.description` | string | Response data |
| `data.data.external_references.external_id` | string | Response data |
| `data.data.external_references.source_name` | string | Response data |
| `data.data.external_references.url` | string | Response data |
| `data.data.external_references.hashes` | object | Response data |
| `data.data.external_references.hashes.additionalprop` | string | Response data |
| `data.data.handling` | array | Response data |
| `data.data.handling.controlled_structure` | string | Response data |
| `data.data.handling.id` | string | Response data |
| `data.data.handling.idref` | string | Response data |
| `data.data.handling.information_source` | object | Response data |
| `data.data.handling.information_source.description` | string | Response data |

#### Output example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"data": {
  "attachments": [],
  "created_at": "2026-03-03T04:18:53+00:00",
  "created_by": "http://localhost/api/v2/users/18341",
  "data": {},
  "datasets": [],
  "id": "2d3f8587-0f63-4833-b7ff-134e97bd2f8f",
  "incoming_feed": "http://localhost/api/v2/incoming-feeds/65270",
  "last_updated_at": "2026-03-02T17:01:14.647Z",
  "meta": {},
  "observables": [],
  "outgoing_feeds": [],
  "relevancy": 151,
  "sources": []
}}}
```

### Get an Observable by ID

Retrieve an observable from EclecticIQ using its unique ID provided as a path parameter.

Endpoint URL: `api/v2/observables/{{id}}`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `parameters.attributes` | string | Optional | Comma separated list of attributes to be returned. Nested attributes are separated by dots |
| `path_parameters.id` | number | Required | Observable ID |

#### Input example

```json
{"parameters": {"attributes": "data.title"}, "path_parameters": {"id": 5}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `data.created_at` | string | Response data |
| `data.entities` | array | Response data |
| `data.id` | number | Response data |
| `data.last_updated_at` | string | Response data |
| `data.meta` | object | Response data |
| `data.meta.link_type` | string | Response data |
| `data.meta.maliciousness` | string | Response data |
| `data.meta.risk_score` | string | Response data |
| `data.meta.additionalprop` | object | Response data |
| `data.sources` | array | Response data |
| `data.type` | string | Response data |
| `data.value` | string | Response data |

#### Output example

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"data": {
  "created_at": "2016-12-31T16:28:00+00:00",
  "entities": [],
  "id": 0,
  "last_updated_at": "2016-12-31T16:28:00+00:00",
  "meta": {},
  "sources": [],
  "type": "ja3-full",
  "value": "test"
}}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
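The following is an added example, not code from the connector or from EclecticIQ: it shows how a client can walk the `limit`/`offset` pages of the observables list action with bearer authentication, refusing to send the token to a non-local host without TLS. The host `eiq.example`, the token, the `ipv4`/`domain` sample rows, sorting on `id`, and stopping on a short page are assumptions; the `{"data": [...]}` response shape follows the output example on this page.

```python
import json
import urllib.parse
import urllib.request

API_PREFIX = "api/v2/"  # endpoint prefix as listed in the actions on this page


def build_request(base_url, token, endpoint, params):
    """Build a GET request with bearer auth; refuse cleartext non-local hosts."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError("refusing to send bearer token without TLS: " + base_url)
    query = urllib.parse.urlencode(params)  # percent-encodes the filter[...] keys
    url = base_url.rstrip("/") + "/" + API_PREFIX + endpoint + "?" + query
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def http_fetch(request):
    """Default transport; urllib verifies the server certificate by default."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


def iter_observables(base_url, token, filters=None, limit=100, fetch=http_fetch):
    """Yield every observable matching `filters`, one limit/offset page at a time."""
    offset = 0
    while True:
        # Assumption: a fixed sort key keeps the page order stable between calls.
        params = {"limit": limit, "offset": offset, "sort": "id"}
        for name, value in (filters or {}).items():
            params["filter[%s]" % name] = value
        page = fetch(build_request(base_url, token, "observables", params))
        items = page.get("data", [])
        yield from items
        if len(items) < limit:  # assumption: a short page means no more results
            return
        offset += limit


# Constructed sample rows standing in for a server so the example runs offline.
SAMPLE = [{"id": i, "type": "ipv4", "value": "192.0.2.%d" % i} for i in range(1, 6)]
SAMPLE.append({"id": 6, "type": "domain", "value": "host.example"})


def fake_fetch(request):
    """Offline stand-in for http_fetch that applies filter[type], offset, limit."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(request.full_url).query)
    wanted = query.get("filter[type]")
    rows = [o for o in SAMPLE if not wanted or o["type"] == wanted[0]]
    start, size = int(query["offset"][0]), int(query["limit"][0])
    return {"data": rows[start:start + size]}


if __name__ == "__main__":
    for obs in iter_observables("https://eiq.example", "constructed-token",
                                {"type": "ipv4"}, limit=2, fetch=fake_fetch):
        print(obs["id"], obs["value"])
```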