AlienVault OTX¶

Table of Contents¶

About This Package
Prerequisites
Installation
Function Inputs
Function Output
Pre-Process Script
Post-Process Script
Rules

About This Package:¶

This package contains a Resilient Function that allows you to search your Alien Vault OTX platform with the given query for Threat Intelligence data about a particular Threat Indicator

Threat intelligence indicators that can be searched for are:
- IP Address
- Domain
- Host Name
- File Hashes
- URL
- CVE
The function makes use of the Alien Vault OTX api/v1/indicators API call to get information on a given query
More information on Alien Vault OTX

screenshot

Sample Function layout:¶

screenshot

Sample Pre-Process Script¶

screenshot

Sample Post-Process Script¶

screenshot

Prerequisites:¶

Resilient Appliance >= v31.0.0
Integrations Server running resilient_circuits >= v30.0.0
Account with Alien Vault OTX
A DirectConnect OTX API Key from Alien Vault

Installation¶

This package requires that it is installed on a RHEL or CentOS platform and uses the resilient-circuits framework.

Install this package using pip:
Download the .zip file from our App Exchange and extract it. You will find a file called: fn_alienvault_otx-<version>.tar.gz
Copy this file to your Integrations Server

To install the package, run:

$ pip install pip install fn_alienvault_otx-<version>.tar.gz

To import the function, example rules and workflows into your Resilient Appliance, run:
```
$ resilient-circuits customize -y -l fn-alienvault-otx
```
To update your app.config file with the required Alien Vault configurations, run:
```
$ resilient-circuits config -u
```

Then open your app.config file and the following configuration data is added:

  [fn_alienvault_otx]
  # OTX API Key to Access the Alien Vault OTX Service
  av_api_key=<<DirectConnect OTX API Key>>

  #Base URL Path of Alien Vault OTX
  av_base_url=https://otx.alienvault.com/api/v1

  # Proxy Server by Default will be None
  proxy=None

Run resilient-circuits:
```
$ resilient-circuits run
```
To uninstall:
```
$ pip uninstall fn-alienvault-otx
```

Function Inputs¶

Function Name	Type	Required	Example	Info
`alien_search_value`	`String`	Yes	`"192.168.0.1"`	The search value to send to Alien Vault OTX (may be any String that contains an IP Address, URL, Hash, Threat CVE ID, DNS Name, System Name.)
`alien_search_type`	`String`	Yes	`IP Address`	The search type to send to Alien Vault OTX (may be any String type can be an IP Address, URL, Hash, Threat CVE ID, DNS Name, System Name.)
`alien_section`	`select`	Yes	`reputation`	The section to search for Threat Intelligence Data from Alien Vault, this section may be different for different search type (may be any string general, geo, malware, reputation, url_list, passive_dns, http_scans etc)

Function Output¶

To see the output of each of the API calls for this Function, we recommend running resilient-circuits in DEBUG mode.

To do this run:

$ resilient-circuits run --loglevel=DEBUG

Sample Output Displayed on Incident Notes Section¶

screenshot

Pre-Process Script¶

This example sets the alienvault_search_value, alienvault_search_type, alienvault_section inputs to the value and type of the Artifacts and sections the user took action on

# The search value to send to Alien Vault OTX (may be any String that contains an IP Address, URL, Hash,Threat CVE ID,DNS Name,System Name.)
inputs.alienvault_search_value = artifact.value
#The search type to send to Alien Vault OTX (may be any String type can be an IP Address, URL, Hash,Threat CVE ID,DNS Name,System Name.)
inputs.alienvault_search_type = artifact.type
#The section to search for Threat Intelligence Data from Alien Vault, this section may be different for different search type(may be any string general, geo, malware,reputation, url_list, passive_dns, http_scans etc)
inputs.alienvault_section = rule.properties.alien_vault_search_section_ip

Post-Process Script¶

result_data = results['content']
for key_data,value_data in result_data.items():
rich_text_tmp += rich_text_format.format(key_data.upper(),value_data)browse_rich_text_final = helper.createRichText(rich_text_tmp)
incident.addNote(browse_rich_text_final)

Rules¶

Rule Name	Object Type	Workflow Triggered	Activity Fields
Example: Alien Vault - CVE Lookup	`Artifact`	`Example: Alien Vault OTX CVESearch`	`Alien Vault Search Section CVE` values : general
Example: Alien Vault - DNS Name Lookup	`Artifact`	`Example: Alien Vault OTX DNS Name`	`Alien Vault Search Section DNS Name` values : general,geo,malware,url_list,passive_dns,whois,http_scans
Example: Alien Vault - File Hash Lookup	`Artifact`	`Example: Alien Vault OTX Hash`	`Alien Vault Search Section Hash` values : general,analysis
Example: Alien Vault - Host Name Lookup	`Artifact`	`Example: Alien Vault OTX Host Name`	`Alien Vault Search Section Host Name` values : general,geo,malware,url_list,passive_dns,http_scans
Example: Alien Vault - IP Address Lookup	`Artifact`	`Example: Alien Vault OTX IP Address`	`Alien Vault Search Section IP Address` values : general,reputation,geo,malware,url_list,passive_dns,http_scans
Example: Alien Vault - URL Lookup	`Artifact`	`Example: Alien Vault OTX URL`	`Alien Vault Search Section URL` values : general,url_list

Using the Alien Vault OTX Function¶

The Alien Vault Function can be called on artifact like IP Address, DNS Name, System Name, URL, URL Referer, Hashes, Threat CVE ID.
After invoking a Rule on the Artifact, we need to choose the Section based on the Artifact
For more info on what section refers to, please see: https://otx.alienvault.com/api