RiskIQ PassiveTotal
EF_OUTPUT_RISKIQ_ENABLE
For the RiskIQ Integration to function fully, both the RiskIQ output as well as the enrichment option MUST be enabled. Only information about traffic to/from public IP addresses is transmitted to RiskIQ. No internal/private IP addresses are transmitted. This setting specifies whether the RiskIQ is enabled.
- Valid Values
true,false
- Default
false
EF_OUTPUT_RISKIQ_HOST
This setting specifies hostname of the RiskIQ service to which data is sent to RiskIQ for analysis. The value for this setting will be provided to you in your RiskIQ PassiveTotal account settings.
- Default
''
EF_OUTPUT_RISKIQ_PORT
This setting specifies port number of the RiskIQ service to which data is sent to RiskIQ for analysis. The value for this setting will be provided to you in your RiskIQ PassiveTotal account settings.
- Default
''
EF_OUTPUT_RISKIQ_CUSTOMER_UUID
This setting specifies the user-specific UUID required by the RiskIQ service to associate the data with your account.
- Default
''
EF_OUTPUT_RISKIQ_CUSTOMER_ENCRYPTION_KEY
This setting specifies the user-specific encryption key required to transmit data securely to the RiskIQ service.
- Default
''
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE
This setting specifies whether enrichment with threat attributes from the RiskIQ service is enabled.
- Valid Values
true,false
- Default
false
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENDPOINT
If RiskIQ threat enrichment is enabled (EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE is true) this setting specifies the endpoint of the RiskIQ enrichment API to query.
Do NOT change this value unless directed by ElastiFlow support.
- Default
https://api.passivetotal.org/v2/netflow/blocklist/download
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_REFRESH_INTERVAL
If RiskIQ threat enrichment is enabled (EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE is true) this setting specifies the interval, in minutes, at which the RiskIQ enrichment API will be queried to refresh the dataset.
60 minutes is the minimum refresh interval. The collector will fail with an error if this value is less than 60.
- Default
1440
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_PATH
For more control of when enrichment is applied, IP addresses can be included or excluded from threat enrichment by Autonomous System or CIDR. This setting specifies the path to this file.
For more details on the format of this file and the behavior of the include/exclude functionality refer to: Scoping Enrichment with Include/Exclude
- Default
''
- Recommended
hostname/incl_excl.yml
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_REFRESH_RATE
The file specified in EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_INCLEXCL_PATH can be loaded automatically to refresh values without restarting the collector. This value specifies the refresh interval, in minutes, that the file will be reloaded. The value of 0 disables refreshing of the values.
- Default
15
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_USER
If RiskIQ enrichment is enabled (EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE is true) this setting specifies the API user from the PassiveTotal account that will be used to access the RiskIQ enrichment API.
- Default
''
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_KEY
If RiskIQ enrichment is enabled (EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE is true) this setting specifies the API key from the PassiveTotal account that will be used to access the RiskIQ enrichment API.
- Default
''
EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_API_TIMEOUT
If RiskIQ enrichment is enabled (EF_PROCESSOR_ENRICH_IPADDR_RISKIQ_THREAT_ENABLE is true) this setting specifies the timeout duration, in seconds, for API queries.
- Default
30