-->
  1. LevelBlue
  2. Blog
  3. LevelBlue Labs
  4. Feeding Alienvault’s Open Threat Exchange (OTX) threat information to ArcSight

Feeding Alienvault’s Open Threat Exchange (OTX) threat information to ArcSight

August 6, 2012  |  Jaime Blasco

When we launched the Open Threat Exchange (OTX) project, one of our goals was creating an open and free threat database and exchange system. We want it to be used by as many users as possible using a wide range of technologies.

That is why we are publishing some code to feed our Open Threat Exchange (OTX) data to an ArcSight SIEM using the Common Event Format via Syslog.

The Open Threat Exchange (OTX) contains an IP reputation database that offers real time information of bad actors. Using this information within a SIEM gives you new possibilities to correlate data, for example:

  • Connection to know C&C servers
  • Detection of P2P botnets
  • Data exfiltration to low reputation servers
  • Password guessing attacks from bad actors
  • Exploit/Malware access from malicious servers
  • ...
Download the required files:
 
- otx-arcsight.py http://alienvault-labs-garage.googlecode.com/files/otx-arcsight.py [no longer available]
- config_otx.cfg http://alienvault-labs-garage.googlecode.com/files/config_otx.cfg [no longer available]

The configuration is very easy, just open the configuration file config_otx.py:

[main]

syslog_level = notice

syslog_facility = daemon

syslog_host = 10.49.5.139

reputation_server = https://reputation.alienvault.com/

syslog_port = 514

revision = 0

[fields]

min_reliability = 2

min_priority = 2

ignore_activities =

[proxy]

enable = False

host =

user =

password =

port =

Configure your collector ip address on syslog_host and you are ready to go. The script will download the reputation data from ours servers (HTTP) and it will send that data to the collector using UDP.

Then you need to create an Active List in ArcSight to use the indicators.

If you need to access the Internet via a proxy, configure it under the proxy section.

Using this method, our reputation data is updated in an hourly basis so you can configure a cron job to execute the script once an hour.

You can also configure some filters, if you want to ignore some ff the activities we send you can use this syntax:

ignore_activities = Scanning Host,Spamming

The min_reliability is the minimum reliability value that will be send to the collector based on the reliability that OTX put to that ip address. The same with min_priority, it is the minimum priority value that will make the information to be sent.

$ python otx-arcsight.py

Server data rev is 14694

Local rev is 14694

It means the database is up to date.

$ python otx-arcsight.py

Server data rev is 14694

Local rev is 14691

Updating data from server

Downloading complete database

Sending CEF:0|AlienvaultOTX|AlienvaultOTX|1.0|100|Suspicious Host|1|src=94.248.192.110 msg=Scanning Host,http://reputation.alienvault.com/panel/ip_json.php?ip=94.248.192.110

Sending CEF:0|AlienvaultOTX|AlienvaultOTX|1.0|100|Suspicious Host|1|src=94.248.192.112 msg=Scanning Host,http://reputation.alienvault.com/panel/ip_json.php?ip=94.248.192.112

Share this with others

Tags: threat intelligence, threat data, arcisght, common event format

Featured resources

 

 

2024 Futures Report

Learn more
Get price Free trial

We use cookies to provide you with a great user experience. By using our website, you agree to our Privacy Policy and Website Terms of Use.