Feeding Alienvault’s Open Threat Exchange (OTX) threat information to ArcSight

August 6, 2012 | Jaime Blasco

When we launched the Open Threat Exchange (OTX) project, one of our goals was creating an open and free threat database and exchange system. We want it to be used by as many users as possible using a wide range of technologies.

That is why we are publishing some code to feed our Open Threat Exchange (OTX) data to an ArcSight SIEM using the Common Event Format via Syslog.

The Open Threat Exchange (OTX) contains an IP reputation database that offers real time information of bad actors. Using this information within a SIEM gives you new possibilities to correlate data, for example:

  • Connection to know C&C servers
  • Detection of P2P botnets
  • Data exfiltration to low reputation servers
  • Password guessing attacks from bad actors
  • Exploit/Malware access from malicious servers
  • ...
Download the required files:
- otx-arcsight.py http://alienvault-labs-garage.googlecode.com/files/otx-arcsight.py [no longer available]
- config_otx.cfg http://alienvault-labs-garage.googlecode.com/files/config_otx.cfg [no longer available]

The configuration is very easy, just open the configuration file config_otx.py:


syslog_level = notice

syslog_facility = daemon

syslog_host =

reputation_server = https://reputation.alienvault.com/

syslog_port = 514

revision = 0


min_reliability = 2

min_priority = 2

ignore_activities =


enable = False

host =

user =

password =

port =

Configure your collector ip address on syslog_host and you are ready to go. The script will download the reputation data from ours servers (HTTP) and it will send that data to the collector using UDP.

Then you need to create an Active List in ArcSight to use the indicators.

If you need to access the Internet via a proxy, configure it under the proxy section.

Using this method, our reputation data is updated in an hourly basis so you can configure a cron job to execute the script once an hour.

You can also configure some filters, if you want to ignore some ff the activities we send you can use this syntax:

ignore_activities = Scanning Host,Spamming

The min_reliability is the minimum reliability value that will be send to the collector based on the reliability that OTX put to that ip address. The same with min_priority, it is the minimum priority value that will make the information to be sent.

$ python otx-arcsight.py

Server data rev is 14694

Local rev is 14694

It means the database is up to date.

$ python otx-arcsight.py

Server data rev is 14694

Local rev is 14691

Updating data from server

Downloading complete database

Sending CEF:0|AlienvaultOTX|AlienvaultOTX|1.0|100|Suspicious Host|1|src= msg=Scanning Host,http://reputation.alienvault.com/panel/ip_json.php?ip=

Sending CEF:0|AlienvaultOTX|AlienvaultOTX|1.0|100|Suspicious Host|1|src= msg=Scanning Host,http://reputation.alienvault.com/panel/ip_json.php?ip=

Jaime Blasco

About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.

Read more posts from Jaime Blasco ›


Get the latest security news in your inbox.

Subscribe via email


Get price Free trial