Alienvault OTX API Data Adapter
The Alienvault OTX API data adapter facilitates access to threat intelligence data from Alienvault Open Threat Exchange (OTX). This adapter enables Graylog to fetch and ingest information regarding potential threats, indicators of compromise (IOCs), and other relevant security intelligence directly from OTX.
Prerequisites
Before proceeding, ensure that the following prerequisites are met:
- An API key generated by Alienvault OTX. This key will be used to authenticate your requests to the OTX API.
- The Open Threat Exchange - Threat Intel Plugin content pack, which is already included in the Graylog server installation package as a default plugin. This content pack installs the required OTX lookup adapters, caches, and lookup tables. To install it:
  1. Navigate to System > Content Packs.
  2. Search for Open Threat Exchange - Threat Intel Plugin in the Filter box.
  3. Click on the Actions button and select the install option from the dropdown menu to install the content pack.
Configure the Data Adapter
You can create a data adapter during the lookup table creation workflow, or create one separately on the Data Adapters tab. The following configuration options are available for this data adapter:
| Option | Description |
|---|---|
| Title | A short and unique title for this data adapter. |
| Description | Data adapter description. |
| Name | The name used to refer to this data adapter. This should be something unique and recognizable within your Graylog environment. |
| Custom Error TTL | Specifies the time to live (TTL) for custom error messages if any occur during the API interaction. Enter a value in seconds, such as |
| Indicator | Specify whether you are interested in IPv4 or IPv6 indicators. Choose one based on your network environment and threat intelligence requirements. |
| OTX API Key | This value must be your personal API key obtained from AlienVault OTX. |
| OTX API URL | The default URL for the AlienVault OTX API. |
| HTTP User-Agent | User-Agent header sent with the HTTP request. |
| HTTP Connect Timeout | Specify the timeout duration in milliseconds for establishing a connection to the OTX API server. |
| HTTP Write Timeout | Set the timeout duration in milliseconds for sending data to the OTX API server. |
| HTTP Read Timeout | Specify the timeout duration in milliseconds for Graylog to wait to receive a response from the OTX API server. |
Pipeline Functions
Adding this data adapter allows you to use the following pipeline functions:
- otx_lookup_ip: Requires creating and configuring an Alienvault OTX API data adapter and a lookup table named otx-api-ip that refers to the Alienvault OTX API data adapter.
- otx_lookup_domain: Requires creating and configuring an Alienvault OTX API data adapter and a lookup table named otx-api-domain that refers to the Alienvault OTX API data adapter.
Example Alienvault OTX Pipeline Rule
The following is an example lookup enrichment rule that automatically queries AlienVault OTX for threat intelligence data about an IP address in incoming log messages:
rule "PARSE source_ip - otx-api-ip"
when
    // validate message has a source_ip field
    has_field("source_ip")
    // validate that source IP looks like IPv4 (dotted quad; the pattern
    // does not check that each octet is within the 0-255 range)
    && regex(
        pattern: "^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$",
        value: to_string($message.source_ip)
    ).matches == true
then
    // query the otx-api-ip lookup table and add the returned otx_* fields to the message
    let rs = otx_lookup_ip(to_string($message.source_ip));
    set_fields(rs);
end
The output may look as follows:
otx_threat_ids: 60ece5998a5b54a5ffe75cb4
otx_threat_indicated: true
otx_threat_names: SSH Brute-Force Honeypot Live
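As an added example that is not part of this page or of Graylog's plugin code, the Python script below mirrors the rule above offline: it applies a stricter IPv4 check than the rule's regex (every octet must be 0-255, and RFC 1918 or loopback addresses are skipped so they do not consume API quota), then flattens an OTX-style response into the otx_threat_* fields shown in the output. The response shape (pulse_info, pulses, id, name) follows the OTX API, but the sample values and the sample_lookup stand-in for the otx-api-ip lookup table are constructed.

```python
import ipaddress
import re

# Constructed sample in the shape of an OTX "general" indicator response:
# pulse_info / pulses / id / name are OTX's keys, the values are made up.
SAMPLE_OTX_RESPONSE = {
    "indicator": "198.51.100.23",
    "pulse_info": {"count": 2, "pulses": [
        {"id": "0000000000000000000000a1", "name": "SSH Brute-Force Honeypot Live"},
        {"id": "0000000000000000000000a2", "name": "Mass scanning hosts"},
    ]},
}

# Networks not worth an OTX request (no public intel, only burnt API quota);
# a deliberately short list: RFC 1918 plus loopback.
SKIP_NETWORKS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def should_lookup(value):
    """Stricter than the rule's regex: same dotted-quad shape, but every
    octet must be 0-255 and the address must not fall in SKIP_NETWORKS."""
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value):
        return False
    try:
        addr = ipaddress.IPv4Address(value)  # raises on e.g. 999.1.1.1
    except ipaddress.AddressValueError:
        return False
    return not any(addr in net for net in SKIP_NETWORKS)

def otx_fields(response):
    """Flatten pulse_info into the otx_threat_* fields the rule sets (as lists)."""
    pulses = response.get("pulse_info", {}).get("pulses", [])
    return {"otx_threat_indicated": bool(pulses),
            "otx_threat_ids": [p["id"] for p in pulses],
            "otx_threat_names": [p["name"] for p in pulses]}

def sample_lookup(ip):
    """Offline stand-in for the otx-api-ip lookup table: only the sample IP has pulses."""
    if ip == SAMPLE_OTX_RESPONSE["indicator"]:
        return SAMPLE_OTX_RESPONSE
    return {"indicator": ip, "pulse_info": {"count": 0, "pulses": []}}

def enrich(message, lookup=sample_lookup):
    """Mirror of the rule: validate source_ip, look it up, merge the result."""
    enriched = dict(message)
    ip = str(message.get("source_ip", ""))
    if should_lookup(ip):
        enriched.update(otx_fields(lookup(ip)))
    return enriched
```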