OTX

AlienVault’s Open Threat Exchange (OTX) is the “neighborhood watch of the global intelligence community.” It enables private companies, independent security researchers, and government agencies to openly collaborate and share the latest information about emerging threats, attack methods, and malicious actors, promoting greater security across the entire community.

More information about OTX can be found here.

Enabling the OTX Extension

Before utilizing the OTX extension, you will ned an AlienVault OTX API Key. This can be found in your AlienVault OTX account here.

To enable the OTX extension, navigate to the OTX extension page. Select the organization you wish to enable the extension for, and select Subscribe.

Once the extension is enabled, navigate to Extensions > OTX. You will need to provide your OTX API Key, which can be done directly in the form or via LimaCharlie’s Secrets Manager. Click Save.

Using the OTX Extension

After providing a valid API key, the Extension will automatically create Detection & Response rules for your organization. The OTX D&R rules make use of the following events:

• Process Events

  • CODE_IDENTITY

  • EXISTING_PROCESS

  • MEM_HANDLES_REP (response to the mem_handles Sensor command)

  • NEW_PROCESS

• Network Events

  • DNS_REQUEST

  • HTTP_REQUEST

  • NETWORK_CONNECTIONS

  • NEW_TCP4_CONNECTION

  • NEW_TCP6_CONNECTION

  • NEW_UDP4_CONNECTION

  • NEW_UDP6_CONNECTION

Please ensure that the events you are interested in using with OTX lookups are enabled in the Sensors > Event Collection menu.