Using OTX in USM Appliance

Applies to Product: USM Appliance™ AlienVault OSSIM®

When you sign up for and connect your Open Threat Exchange® (OTX™) account to your USM Appliance instance, it configures USM Appliance to receive raw pulse data and other IP reputation information.

Note: Reputation data is updated separately from OTX pulse information.

USM Appliance then correlates that data with incoming events, alerting you to OTX pulse and IP Reputation-related security events/alarms when it detects IoCs interacting with assets in your environment. Such interactions might consist of malicious IPs communicating with systems, malware detected in your network, or outbound communication with command-and-control (C&C) servers.

Connecting OTX to USM Appliance helps manage risks and threats in the following ways:

  • USM Appliance detects threat updates every 30 minutes for all pulses to which you subscribe, either directly or through subscriptions to other OTX users.
  • You receive updates on your subscribed pulses by email, either individually as they occur or in digest mode.
  • You can review OTX pulses about related threat vectors in USM Appliance.
  • As soon as you log into USM Appliance, you can see which pulses are most active in your environment by looking at the USM Appliance Dashboards Overview.
  • USM Appliance checks OTX pulses against all NIDS events. It generates an alarm when a malicious IP address communicates with any of your assets, or when some of the other IoCs, including CIDR (IPv4 only), domain, and hostname, are detected in your network.
  • In a distributed environment, the USM Appliance Server replicates the OTX pulses to the connected USM Appliance Sensors through TCP port 6380. This replication is read-only so that the copy on the USM Appliance Server remains intact.

    Note: When a USM Appliance Sensor is added to the USM Appliance Server, a firewall rule is created to allow OTX traffic going through TCP port 6380. When the Sensor is removed, the firewall rule is deleted. The same mechanism is used in a high availability (HA) deployment to replicate OTX pulses between nodes.

Following sections describe collection of IP Reputation information used in calculating risk for specific events. In addition, information is provided on filtering events based on related pulse information and risk based on specific IP Reputation levels.

OTX IP Reputation Data Correlated with Events

USM Appliance maintains an IP reputation list that stores data it receives from OTX about public IP addresses involved in malicious or other suspect activities. Whenever an event has its source or destination IP addresses listed in the IP Reputation list, reputation data will be added to the data stored for the event. This allows USM Appliance to support some additional features like reprioritization of events and alarms depending on the IP of the hosts involved.

The IP reputation list maintained by USM Appliance is stored on the USM Appliance Server in the /etc/ossim/server/reputation.data file. Activity, Reliability, and Priority values provided by OTX are saved with event information for those events having reputation data for either source or destination IP addresses.

The main purpose of the IP reputation list is to provide a list of known or potentially dangerous IP addresses. If any alarm or event is generated by the action of a listed dangerous IP address, then this event will have a smaller probability of being a false positive. This also allows for the recalculation of event/alarm risk depending on its' "IP Reliability" and "IP Priority" values.

Note: Reputation events are anonymized and submitted to the AlienVault OTX service for those customers who enable that capability in USM Appliance. With the feedback received from customer systems and all the other sources AlienVault uses, the IP Reputation values are updated before being redistributed to customers.

Displaying Alarms and Events Based on OTX Pulse and IP Reputation

The USM Appliance Alarm and Security Events (SIEM) web UI each provide methods of searching for and filtering alarm and security events based on OTX pulse and IP Reputation information. For each event, the database stores associated information on the source and destination IP address provided by OTX, in addition to the activity reported in the event, for example, spamming, phishing, scanning, malware distribution, and so on.

Viewing OTX Alarms

Different from the way other alarms are processed, USM Appliance generates an alarm whenever it detects even one event associated with an OTX pulse. Alarm correlation begins at that point and proceeds for a period of 24 hours. During this time, USM Appliance adds any new events related to that pulse to the same alarm.

If any new events related to the pulse occur after that 24-hour period, USM Appliance generates a second alarm and a new correlation period begins. As an exception to this rule, should an event contain data on record with OTX IP Reputation information, USM Appliance correlates the alarm, using its standard directive taxonomy.

Note: If an OTX pulse is creating too much noise and generating too many false positive alarms, you can always just unsubscribe from the pulse.

USM Appliance does not offer a filter for IP Reputation-based alarms. However, you can view these within the Alarms list, where they occur.

Searching, Filtering, and Viewing Events

From the USM Appliance Security Events (SIEM) page, you can search for and filter events based on whether OTX pulses exist for source or destination IP addresses, as well as the severity of different IP Reputation scores. The following screen shot highlights fields in which you can select OTX pulse and IP Reputation search/filter options.

Selecting the OTX IP Reputation field opens a menu list in which you can choose to display only events that meet or exceed a specific IP Reputation severity level.

The Low, Medium, and High severity levels take in account the OTX IP priority values of both the source and destination IP addresses included in events, based on the following rules:

  • Low Severity — returns events that have a source or destination IP priority of 0, 1, or 2.
  • Medium Severity — returns events that have a source or destination IP priority of 3, 4, 5, or 6.
  • High Severity — returns events that have a source or destination IP priority greater than 6.

Once you've made your selection, the Event list display will be updated to show only those events matching the IP Reputation criteria you specified, plus OTX pulse information, if you selected that option.

In this example, the event list display shows events in which the Any OTX IP Reputation filter option was selected. The OTX field displays the blue icon, indicating the event has OTX IP Reputation information. (An orange icon is displayed when OTX has pulse information for the event.)

Displaying OTX Pulse and IP Reputation Information in Event and Alarm Displays

In the SIEM Events list, you can click the orange or blue OTX icon to display the OTX IP Reputation information available for an event, as shown below.

OTX Details page - IP Reputation details.

OTX Details — IP Reputation
Field Description
Type Tells you whether the indicator is the source or the destination of the event.
Indicator IP address or hostname of the event source.
Activity Type of malicious activity identified, for example, a scanning host.
Reliability

OTX IP reliability score, with values ranging from 1 to 10; 10 being the highest reliability.

Priority

OTX IP priority score, with values ranging from 1 to 10; 10 being the highest priority.

Magnifying glass icon

Clicking on the magnifying glass icon takes you to OTX to learn more about the indicator.

From the SIEM Events list display, you can also click the magnifying glass icon to display additional event details, plus OTX and risk information.

From this display, you can click the number in blue under OTX Indicators to get more OTX details about an indicator.

In addition to other navigation options, in both Alarm and SIEM Event list views, you can right-click on Source and Destination IP addresses or host names, which will display a popup menu of available actions you can take corresponding to a specific IP address or host name.

Right-click context menu providing options for event and alarm source and destination IP addresses

For example, the Look up in OTX option opens the OTX site to display potential and reported threats related to the selected location. If no threat information is found about the location, the Look Up in OTX option opens the Create New Pulse web page in OTX, which lets you create a new Pulse to report a possible new threat.

AlienVault OSSIM Limitations: Although AlienVault OSSIM has a complete integration of OTX in its environment, the additional alarm context compiled by the AT&T Alien Labs™ Security Research Team to analyze and validate OTX threat data is only available in USM Appliance.