Role Availability | Read-Only | Investigator | Analyst | Manager |
You need to sign up for a LevelBlue Labs™ Open Threat Exchange® (OTX™) account and have an OTX key if you want USM Anywhere to receive alerts based on threats identified in OTX. OTX is the world’s first truly open threat intelligence community. It enables collaborative defense with open access, collaborative research, and seamless integration with USM Anywhere and USM Appliance, and AlienApps for other security products.
To enter your OTX key in USM Anywhere
- Go to Settings > OTX.
- Enter the OTX key you obtained from the OTX API page.
- Select the look-back period. See The Look-Back Period for more information.
- Click Validate OTX Subscription Key.
  A message displays at the top of the page to inform you that the subscription succeeded, and Valid OTX Key displays in green.
Note: USM Anywhere displays whether the subscription is enabled and whether the OTX pulses are up-to-date. If the OTX pulses are not up-to-date, USM Anywhere displays when they were updated.
To delete the OTX Subscription
- Go to Settings > OTX.
- Click Delete OTX Subscription.
  A message displays at the top of the page to inform you that the subscription has been deleted.
The Look-Back Period
USM Anywhere enables you to configure a period of time, called a look-back period, for receiving raw pulse data from OTX. The look-back period helps your environment to be more effective and agile. Threats are continuously changing, and it is important to have this data updated. In addition, Indicators of Compromise (IOCs) get old quickly and an IP address that was a threat three months ago may not be now.
Note: Configuring a look-back period helps you avoid alarms generated by old pulses that no longer have current value.
You can define a look-back period, which uses pulses from the current date back for a certain range of time that you choose. These are the look-back period options from which you can choose:
- 1 month: Select this option to use pulses from the current day to the previous month.
- 3 months: Select this option to use pulses from the current day to the previous 3 months.
- 6 months: Select this option to use pulses from the current day to the previous 6 months.
- 1 year: Select this option to use pulses from the current day to the previous year.
- Unlimited: Select this option to use pulses without a restriction of time.
Important: The longer the selected period, the higher the chance of false positives caused by obsolete information.
Note: The range of the look-back period that you choose adjusts according to the current day of the month. For example, if you have chosen the 1 month option and it is the first day of the month, you will receive pulses from the previous month, and when it is the fifth day of the month, you will receive pulses from that fifth day of the month to the fifth day of the previous month.
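The rolling window described above can be reproduced when triaging pulse data outside the product. The following is an added example, not USM Anywhere code. It assumes each pulse carries a `modified` date, that the window is inclusive at both ends, and that a day missing from a shorter month is clamped to that month's last day; the helper names and sample pulses are constructed.

```python
import calendar
from datetime import date

# Look-back options from the page, in calendar months (None = Unlimited).
LOOK_BACK_MONTHS = {"1 month": 1, "3 months": 3, "6 months": 6,
                    "1 year": 12, "Unlimited": None}

def cutoff_date(today, option):
    """Return the earliest pulse date inside the window, or None for Unlimited."""
    months = LOOK_BACK_MONTHS[option]
    if months is None:
        return None
    # Step back whole calendar months, keeping the same day of the month.
    index = today.year * 12 + (today.month - 1) - months
    year, month = divmod(index, 12)
    month += 1
    # Assumption: clamp to the end of a shorter month (31 March -> 28/29 February).
    day = min(today.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def pulses_in_window(pulses, today, option):
    """Keep pulses dated between the cutoff and today, inclusive."""
    cutoff = cutoff_date(today, option)
    return [p for p in pulses
            if p["modified"] <= today and (cutoff is None or p["modified"] >= cutoff)]

# Constructed sample pulses; names and dates are made up for illustration.
SAMPLE_PULSES = [
    {"name": "constructed-pulse-a", "modified": date(2024, 6, 1)},
    {"name": "constructed-pulse-b", "modified": date(2024, 5, 5)},
    {"name": "constructed-pulse-c", "modified": date(2024, 3, 20)},
    {"name": "constructed-pulse-d", "modified": date(2023, 1, 10)},
]

if __name__ == "__main__":
    today = date(2024, 6, 5)
    for option in LOOK_BACK_MONTHS:
        kept = pulses_in_window(SAMPLE_PULSES, today, option)
        print(option, cutoff_date(today, option), [p["name"] for p in kept])
```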
To update the look-back period