AlienVault
  • 5 Minutes to read
  • Contributors
  • Dark
    Light
  • PDF

AlienVault

  • Dark
    Light
  • PDF

AlienVault Open Threat Exchange (OTX) is the world's most authoritative open threat information sharing and analysis network. OTX provides access to a global community of threat researchers and security professionals, with more than 50,000 participants in 140 countries, who contribute over four million threat indicators daily. OTX allows anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques.

OTX provides information on the reliability of threat information, reporter of the threat, and other details of threat investigations. OTX data can be used to enhance threat detection capabilities of security monitoring systems such as DNIF.

Pre-requisites

  • You can sign up and set up an OTX account using your email address, or you can use your existing Twitter or Google+ account.
  • To create an OTX account:
    1. Go to https://otx.alienvault.com
    2. In the upper-right corner of the home page, click Sign Up.

avotx1

3. Enter the details in the form that appears and click Sign Up.
4. Once you have logged into the OTX user interface, click Settings, to view your user profile and also access the Settings page.
5. On this page you can access your OTX account key which is used to authenticate API calls to AlienVault OTX.

avotx2

Configuration

  1. Follow the initial configuration steps in How to Configure Soar Integrations.

image.png

  1. Click the edit icon to add details.
Field Description
API Key AlienVault OTX API Key
  1. Enter the above details and click Save.

Lookups integrated with AlienVault

Retrieve Domain reports

This function returns a complete report of all threat indicators for a given domain, including data from all the sub-reports.

Function_name

get_domain_report

Input

A domain name

_retrieve query DomainDetails

Here:

The DomainDetails is a custom event store created to demonstrate this example. The _retrieve directive fetches the $Domain field for each event in the DomainDetails (custom) eventstore. The output is as shown below:

image.png

Output

_lookup alienvault get_domain_report $Domain

In the pipelined query function, the _lookup directive calls the get_domain_report function of the AlienVault plugin. $Domain is passed as a parameter to the function. This report contains details about the domain, the source domain, pulse count and so on. The output is as shown below:

image.png

The Lookup call returns output in the following structure for available data

Field Type Description
$Domain text Source domain for lookup
$PulseCount number Number of pulses that reference the given domain
$MalwareCount number Malware count for the domain
$City text City in which the domain is registered
$Country text Country in which the domain is registered
$Org text text
$Registrar text Name of the domain's official registrar

Retrieve IP address details

This function returns a complete report of all threat indicators for a given IP address,

Function_name

get_ip_report

Input

A valid IPv4 address in dotted quad notation, for the time being only IPv4 addresses are supported.

_fetch $SrcIP from event where $Stream=FIREWALL limit 1

Here:
The _fetch directive retrieves $SrcIP (source IP address) for each event. The result set is limited to the latest event. The output is as shown below:

image.png

Output

_lookup alienvault get_ip_report $SrcIP

In the pipelined query function, the _lookup directive calls the get_ip_report function of the AlienVault plugin. $SrcIP is passed as a parameter to the function. This report contains details about the IP address such as the source Ip details, malware coount, threat score for the given IP address and so on. The output is as shown below:

image.png

The Lookup call returns output in the following structure for available data

Field Type Description
$IP text Source IP for lookup
$MalwareCount number Malware count for the IP Address
$ThreatScore number AlienVault Labs threat score for the given IP address
$PulseCount number AlienVault pulse count

Retrieve Host Details

This function returns a complete report of all threat indicators for a given hostname.

Function_name

get_hostname_report

Input

_retrieve query HostDetails
  • The HostDetails is a custom event store created to demonstrate this example.

host_details.csv

image.png

The Search query retrieves the $DevSrcIP field for each event in the HostDetails (custom) eventstore.

Output

_lookup alienvault get_hostname_report $DevSrcIP

In the pipelined query function, the _lookup directive calls the get_hostname_report function of the AlienVault plugin. $DevSrcIP is passed as a parameter to the function. This output contains details about the Device such as the Hostname, Pulse Count, Malware Count and so on. The output is as shown below:

image.png

The Lookup call returns output in the following structure for available data

Field Type Description
$Hostname text Host name being queried
$PulseCount number Pulse count for the hostname
$MalwareCount number Malware count for the hostname

Retrieve URL scan reports

This function returns the following information for the given URL:

  • Historical geographic information
  • Threat indicators gathered from the OTX community pulse stream
  • AlienVault Labs' URL analysis results.

Function_name

get_url_report

Input

A URL for which AlienVault will retrieve the most recent report. You may also specify a scan_id (sha256-timestamp as returned by the URL submission API) to access a specific report.

_retrieve query Urldetails

Here:

The Urldetails is a custom event store created to demonstrate this example. The _retrieve directive fetches the $Url field for each event in the Urldetails (custom) eventstore. The output is as shown below:

image.png

Output

_lookup alienvault get_url_report $Url

In the pipelined query function, the _lookup directive calls the get_url_report function of the AlienVault plugin. $Url is passed as a parameter to the function. This report contains details about the URL, its pulse count, country to which it belongs and so on. The output is as shown below:

image.png

The Lookup call returns output in the following structure for available data

Fields Type Description
$Url text The Url being queries
$PulseCount number AlienVault pulse count
$Country text Country in which the given URL's hosting server is deployed

Retrieve hash reports

This function returns the metadata about the file hash, as well as dynamic and static analysis of the given filehash. The SHA1 or SHA256 hashing algorithm (formats) are acceptable.

Function_name

get_hash_report

Input

A sha1/sha256 hash will retrieve the most recent report on a given sample.

_retrieve query File

Here:

The File is a custom event store created to demonstrate this example. The _retrieve directive fetches the $Filehash field for each event in the File (custom) eventstore. The output is as shown below:

image.png

Output

_lookup alienvault get_hash_report $Filehash

In the pipelined query function, the _lookup directive calls the get_file_report function of the AlienVault plugin. $Filehash is passed as a parameter to the function. This report contains details of the Filehash, File Sha256 Hash, MD5 Sum of the File, and so on. The output is as shown below:

image.png

The Lookup call returns output in the following structure for available data

Fields Type Description
$Hash text File hash to be searched
$PulseCount number AlienVault pulse count
$Filesize text File size (in bytes) of the given hash's malware file
$FileType text File type of the given hash's malware file
$SHA1 text SHA1 hash of the given hash's malware file
$SHA256 text SHA256 hash of the given hash's malware file

Was this article helpful?

What's Next