EclecticIQ Platform ingests both structured and unstructured threat intelligence from open sources, commercial suppliers, industry partnerships and internal resources, and pulls it into a single, collaborative analyst workbench. The platform can be deployed in the cloud or on-premises.
EclecticIQ's own intelligence is not produced by automated collection alone. Instead, the company has a team of analysts who continuously investigate and research threats to produce bundles of intelligence. The bundles are aligned to verticals and themes, drawing on various open source feeds to bring all the intelligence together in a structured format and offer a complete overview with actionable intelligence. Organizations can fuse EclecticIQ's data with other commercially available data consumed inside the EclecticIQ platform.
Feeds are an effective way to begin ingesting information quickly; sources can be open source, commercial, email or RSS. Structured data is handled using the STIX data model, while technical objects are extracted from unstructured data and mapped to observables so they can be correlated with any intelligence already in the platform. Feeds are designed to be shared, so an organization can also configure feeds coming from other organizations.
A diagram shows data feeds carrying both structured and unstructured data. The platform aggregates all the data and removes duplicates. It uses Elasticsearch and dynamic data sets, and outgoing feeds can deliver the intelligence to destinations including SIEM, SOAR and ticketing systems.
With EclecticIQ, analysts can model workspaces for specific areas that support collaboration throughout, while still being able to grant only limited access where needed. The solution is both a consumption and a production platform. Analysts can even set up a workspace for an individual incident to hold the research pertaining to that incident. Once the incident is closed, an organization can archive the workspace and reactivate it if the incident recurs. Security teams can configure Discovery Alerts so that the appearance of a currently tracked threat triggers a notification. They also can set alerts to hunt specific entities (malware families, threat actors, etc.) and raise the alarm on any incoming variants that pertain to those entities.
Organizations can set the reliability of each source in addition to relevancy settings. The platform retains all intelligence, and analysts can configure and apply observable rules, such as reducing false positives, marking objects as safe and ignoring objects entirely, among others.
The Report Builder feature really demonstrates the production side of EclecticIQ. It can create reports based on specific variants, and analysts can easily add information to a report. They can embed relationships in the text to add context to the research being compiled. Because these relationships are clickable links to further information, navigation is intuitive. The solution uses TLP (Traffic Light Protocol) markings to control whether information may be disseminated outside the platform. The platform can import vulnerability reports that compare CVEs against what is being exploited in the wild.
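To make the ingest-to-dissemination flow described above concrete, here is an added example (written for this review, not EclecticIQ's code or API) of the steps a threat intelligence platform performs: pulling observables out of a structured STIX 2.1-style indicator bundle and out of unstructured analyst text, normalizing and de-duplicating them, merging source reliability and the most restrictive TLP marking across sources, applying observable rules (ignore an internal scanner address, mark the well-known SHA-256 of an empty file as safe), and finally gating an outgoing feed so that nothing above the consumer's TLP clearance leaves the platform. The bundle, the analyst note, the source names, the reliability grades and the `x_source`/`x_tlp` custom properties are all constructed for this example; a real STIX bundle carries TLP as marking-definition objects rather than a per-indicator property.

```python
import re
from dataclasses import dataclass, field

# Most restrictive marking wins when sources disagree (TLP 2.0 "clear" == TLP 1.0 "white").
TLP_RANK = {"clear": 0, "white": 0, "green": 1, "amber": 2, "amber+strict": 2, "red": 3}

# Constructed sample data for this example only. TLP is carried in a simplified
# custom property (x_tlp) instead of STIX marking-definition objects.
SAMPLE_STIX_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "pattern_type": "stix", "x_source": "feed-a", "x_tlp": "green",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "pattern_type": "stix", "x_source": "feed-a", "x_tlp": "green",
         "pattern": "[domain-name:value = 'Malicious.Example.NET']"},
        {"type": "indicator", "pattern_type": "stix", "x_source": "feed-b", "x_tlp": "amber",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef']"},
        {"type": "malware", "name": "ExampleRAT"},  # no pattern, nothing to extract
    ],
}
SAMPLE_REPORT = (  # constructed unstructured analyst note, TLP:AMBER
    "The loader beaconed to 198[.]51[.]100[.]7 (defanged) after the host was scanned "
    "from 203.0.113.9, our own vulnerability scanner. Dropped payload SHA-256: "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855."
)
RELIABILITY = {"feed-a": "B", "feed-b": "C", "analyst-note": "A"}  # Admiralty A (best) .. F
IGNORE_RULES = {("ipv4-addr", "203.0.113.9")}  # internal scanner: drop outright
SAFE_RULES = {("file:hashes.SHA-256",           # SHA-256 of an empty file: keep, flag safe
               "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")}

@dataclass(frozen=True)
class Observable:
    type: str
    value: str

@dataclass
class Entity:
    observable: Observable
    sources: set = field(default_factory=set)
    reliability: str = "F"
    tlp: str = "clear"
    safe: bool = False

# Simple STIX equality comparison: [type:property = 'value']
STIX_EQ = re.compile(r"\[([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\]")
# Regexes for technical objects in free text; IPs and domains may be defanged with "[.]"
IOC_RE = {
    "ipv4-addr": re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b"),
    "domain-name": re.compile(r"\b(?:[a-z0-9-]+(?:\[\.\]|\.))+(?:net|com|org)\b", re.I),
    "file:hashes.SHA-256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}

def normalize(obs_type, raw):
    """Refang and lower-case so the same indicator from two sources collapses to one key."""
    return Observable(obs_type, raw.replace("[.]", ".").strip().lower())

def extract_structured(bundle):
    """Yield (observable, source, tlp) from each STIX indicator with an equality pattern."""
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for stype, prop, raw in STIX_EQ.findall(obj["pattern"]):
            clean_prop = prop.replace("'", "")
            obs_type = stype if clean_prop == "value" else f"{stype}:{clean_prop}"
            yield normalize(obs_type, raw), obj["x_source"], obj["x_tlp"]

def extract_unstructured(text, source, tlp):
    """Yield (observable, source, tlp) for every technical object found in free text."""
    for obs_type, rx in IOC_RE.items():
        for raw in rx.findall(text):
            yield normalize(obs_type, raw), source, tlp

def fuse(records, reliability):
    """De-duplicate on the normalized observable; merge sources, best reliability, strictest TLP."""
    entities = {}
    for obs, source, tlp in records:
        ent = entities.setdefault(obs, Entity(obs))
        ent.sources.add(source)
        ent.reliability = min(ent.reliability, reliability.get(source, "F"))
        if TLP_RANK[tlp] > TLP_RANK[ent.tlp]:
            ent.tlp = tlp
    return entities

def apply_rules(entities, ignore, safe):
    """Observable rules: ignored objects are dropped, safe objects are kept but flagged."""
    kept = {}
    for obs, ent in entities.items():
        if (obs.type, obs.value) in ignore:
            continue
        ent.safe = (obs.type, obs.value) in safe
        kept[obs] = ent
    return kept

def export_feed(entities, max_tlp):
    """Outgoing feed for a consumer (SIEM, SOAR, ticketing) cleared up to max_tlp."""
    rows = [{"type": e.observable.type, "value": e.observable.value, "tlp": e.tlp,
             "reliability": e.reliability, "sources": sorted(e.sources)}
            for e in entities.values()
            if not e.safe and TLP_RANK[e.tlp] <= TLP_RANK[max_tlp]]
    return sorted(rows, key=lambda r: (r["type"], r["value"]))

def build_entities():
    """Run the whole pipeline over the constructed inputs."""
    records = list(extract_structured(SAMPLE_STIX_BUNDLE))
    records += extract_unstructured(SAMPLE_REPORT, "analyst-note", "amber")
    return apply_rules(fuse(records, RELIABILITY), IGNORE_RULES, SAFE_RULES)

if __name__ == "__main__":
    ents = build_entities()
    for obs, e in ents.items():
        print(f"{obs.type:20} {obs.value:64} TLP:{e.tlp:6} rel={e.reliability} safe={e.safe} {sorted(e.sources)}")
    print("green-cleared SIEM feed:", export_feed(ents, "green"))
```

Note how the defanged `198[.]51[.]100[.]7` in the analyst note collapses onto the same entity as the `ipv4-addr` indicator from feed-a, inherits the note's TLP:AMBER because the most restrictive marking wins, and is therefore withheld from a consumer cleared only for TLP:GREEN, while the scanner address never enters the knowledge base at all.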
Starting price is $100,000. Support offerings include Bronze (basic support at no cost, covering business hours via email, phone and support portal), Silver and Gold.
Tested by: Tom Weil