When we launched the Open Threat Exchange (OTX) project, one of our goals was to create an open and free threat database and exchange system that could be used by as many people as possible, across a wide range of technologies.
That is why we are publishing some code that feeds OTX data into an ArcSight SIEM using the Common Event Format (CEF) over syslog.
The Open Threat Exchange (OTX) contains an IP reputation database that offers real-time information about bad actors. Using this information within a SIEM gives you new correlation possibilities, for example:
- Connections to known C&C servers
- Detection of P2P botnets
- Data exfiltration to low reputation servers
- Password guessing attacks from bad actors
- Exploit/Malware access from malicious servers
- ...
The configuration is very easy: just open the configuration file config_otx.py. It is an INI-style file with [main], [fields] and [proxy] sections:
[main]
syslog_level = notice
syslog_facility = daemon
syslog_host = 10.49.5.139
reputation_server = https://reputation.alienvault.com/
syslog_port = 514
revision = 0
[fields]
min_reliability = 2
min_priority = 2
ignore_activities =
[proxy]
enable = False
host =
user =
password =
port =
Set syslog_host to the IP address of your ArcSight collector and you are ready to go. The script downloads the reputation data over HTTP(S) from the URL in reputation_server and sends one event per indicator to the collector over UDP syslog (syslog_port, 514 by default). UDP syslog is unacknowledged and unencrypted, so keep the collector on a trusted network segment and confirm on the ArcSight side that the events are actually arriving.
Then create an Active List in ArcSight to hold the indicators so that your correlation rules can use them.
If you need to access the Internet via a proxy, configure it under the [proxy] section. The proxy password is stored in clear text in the config file, so restrict the file's permissions to the user that runs the script.
Our reputation data is updated on an hourly basis, so a cron job that executes the script once an hour is enough. The script compares the last revision it fetched (the revision value in [main]) with the server's current revision and only downloads the database when they differ.
You can also configure some filters. If you want to ignore some of the activities we send, use this syntax (a comma-separated list of activity names):
ignore_activities = Scanning Host,Spamming
min_reliability is the minimum reliability value an IP address must have, according to the reliability OTX assigns to it, for it to be sent to the collector. min_priority works the same way: only entries whose priority is at least this value are sent.
$ python otx-arcsight.py
Server data rev is 14694
Local rev is 14694
This means the local database is already up to date. When the server revision differs from the local one, the script downloads the full database and sends one CEF event per indicator:
$ python otx-arcsight.py
Server data rev is 14694
Local rev is 14691
Updating data from server
Downloading complete database
Sending CEF:0|AlienvaultOTX|AlienvaultOTX|1.0|100|Suspicious Host|1|src=94.248.192.110 msg=Scanning Host,http://reputation.alienvault.com/panel/ip_json.php?ip=94.248.192.110
Sending CEF:0|AlienvaultOTX|AlienvaultOTX|1.0|100|Suspicious Host|1|src=94.248.192.112 msg=Scanning Host,http://reputation.alienvault.com/panel/ip_json.php?ip=94.248.192.112
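The following is an added example, not AlienVault's otx-arcsight.py: it applies the [fields] filters from config_otx.py to a set of reputation records and frames each surviving hit as a CEF event inside an RFC 3164 syslog line, the shape shown in the output above. The record layout, the integer reliability/priority scales, the sample records and the "otx-arcsight" syslog tag are assumptions made for illustration. Unlike the sample output, it escapes the "=" inside the msg URL with a backslash, which the CEF specification requires for extension values.

```python
"""Added example (not AlienVault's otx-arcsight.py): filter reputation
records as config_otx.py describes and emit CEF-over-syslog messages.
Record layout, integer reliability/priority scales and the sample data
below are assumptions made for illustration."""
import socket

# RFC 3164 facility and severity codes for the syslog_facility/syslog_level keys.
FACILITIES = {"user": 1, "daemon": 3, "auth": 4, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# Mirrors the [main] and [fields] sections of config_otx.py; ignore_activities
# is set here so that the "Spamming" record below is dropped.
CONFIG = {
    "syslog_level": "notice",
    "syslog_facility": "daemon",
    "min_reliability": 2,
    "min_priority": 2,
    "ignore_activities": "Spamming",
}

# Constructed sample records: (ip, reliability, priority, activity, detail url).
URL = "http://reputation.alienvault.com/panel/ip_json.php?ip="
SAMPLE_RECORDS = [
    ("94.248.192.110", 4, 3, "Scanning Host", URL + "94.248.192.110"),
    ("94.248.192.112", 4, 3, "Scanning Host", URL + "94.248.192.112"),
    ("198.51.100.7", 1, 5, "Malicious Host", URL + "198.51.100.7"),  # reliability below 2
    ("192.0.2.44", 3, 1, "Malicious Host", URL + "192.0.2.44"),      # priority below 2
    ("203.0.113.9", 5, 5, "Spamming", URL + "203.0.113.9"),          # ignored activity
]


def parse_ignore_activities(value):
    """Turn the comma-separated ignore_activities setting into a set."""
    return {a.strip() for a in value.split(",") if a.strip()}


def passes_filters(record, cfg):
    """Keep a record only if it meets both minimums and is not an ignored activity."""
    _ip, reliability, priority, activity, _url = record
    ignored = parse_ignore_activities(cfg["ignore_activities"])
    return (reliability >= cfg["min_reliability"]
            and priority >= cfg["min_priority"]
            and activity not in ignored)


def cef_escape_header(value):
    """CEF header fields: escape backslash and the pipe delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value):
    """CEF extension values: escape backslash and '=', encode line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(ip, activity, url):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    header = "|".join(cef_escape_header(f) for f in
                      ("AlienvaultOTX", "AlienvaultOTX", "1.0", "100",
                       "Suspicious Host", "1"))
    ext = "src=%s msg=%s" % (cef_escape_ext(ip),
                             cef_escape_ext("%s,%s" % (activity, url)))
    return "CEF:0|%s|%s" % (header, ext)


def syslog_pri(facility, level):
    """PRI = facility * 8 + severity; daemon/notice gives 29."""
    return FACILITIES[facility] * 8 + SEVERITIES[level]


def frame_syslog(pri, timestamp, hostname, tag, msg):
    """RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    return "<%d>%s %s %s: %s" % (pri, timestamp, hostname, tag, msg)


def build_messages(records, cfg, hostname, timestamp):
    """Filter the records and return one syslog line per surviving hit."""
    pri = syslog_pri(cfg["syslog_facility"], cfg["syslog_level"])
    lines = []
    for rec in records:
        if passes_filters(rec, cfg):
            ip, _rel, _prio, activity, url = rec
            lines.append(frame_syslog(pri, timestamp, hostname,
                                      "otx-arcsight", build_cef(ip, activity, url)))
    return lines


def send_udp(messages, host, port=514):
    """Fire-and-forget delivery: UDP gives no acknowledgement, so check on
    the collector that the events arrived."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for line in messages:
            sock.sendto(line.encode("utf-8"), (host, port))
    finally:
        sock.close()


if __name__ == "__main__":
    import time
    now = time.localtime()  # RFC 3164 wants "Mmm dd" with a space-padded day
    stamp = "%s %2d %02d:%02d:%02d" % (time.strftime("%b", now), now.tm_mday,
                                       now.tm_hour, now.tm_min, now.tm_sec)
    for line in build_messages(SAMPLE_RECORDS, CONFIG, "sensor1", stamp):
        print(line)
    # send_udp(build_messages(SAMPLE_RECORDS, CONFIG, "sensor1", stamp), "10.49.5.139")
```

Running it prints two syslog lines with PRI 29 (daemon.notice) for the two "Scanning Host" records; the other three are dropped by min_reliability, min_priority and ignore_activities respectively. Uncomment the send_udp call to transmit to the collector configured in syslog_host.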