Strengthening Your Organization’s Security with Alienvault OTX and Splunk Integration

Berkan Türel
2 min read · Oct 2, 2023


Hello everyone, in this blog I will show you how to improve your organization’s security with a threat intelligence platform. As the title suggests, we will be using Alienvault OTX (Open Threat Exchange), a community threat intelligence platform where researchers publish “pulses”: collections of indicators of compromise (IOCs) tied to a particular threat, campaign or malware family, which other members can subscribe to and pull into their own tooling.

To integrate Alienvault OTX with Splunk we need a Splunk app. There is an app created by Luke Monahan for exactly this purpose, available on Splunkbase. The official app page covers installation (including where to enter your OTX API key) and usage, so I will not repeat that here. Instead, I will demonstrate how to automatically gather the IOCs and turn them into something you can block on.

Once you have followed the instructions on the app page, you can confirm that data is arriving with a simple search in Splunk, such as index=otx over the last 24 hours.

If that search returns results, congratulations, your app is working correctly. Now let me explain the two sourcetypes the app creates: ‘otx:pulse’ and ‘otx:indicator’. The ‘otx:pulse’ sourcetype holds the pulses themselves, one event per pulse, with the pulse id, title, author name, malware families and so on. The ‘otx:indicator’ sourcetype holds the IOCs extracted from those pulses, one event per indicator, with the indicator value, its type (IPv4, domain, URL, file hash, …) and the pulse_id it came from.

We will combine both sourcetypes in one search, because the table we want has both the IOC and the pulse title: an indicator on its own tells you very little about why it is malicious. The pulse id is the key that links the two, so we will use a join with a Splunk subsearch to attach each pulse’s title to its indicators.

index=otx sourcetype="otx:indicator"
| fields indicator, pulse_id
| rename pulse_id as id
| join type=inner id
[ search index=otx sourcetype="otx:pulse"
| fields id, name ]
| table indicator, name | outputlookup OTX_IOC.csv

As you can see in the search above, I retrieve the indicator and name (the pulse title) via a subsearch and then save the result to a CSV lookup. Two practical notes. First, join runs its subsearch under the default limits in limits.conf (50,000 results and 60 seconds), so the pulse side of the join is capped; over a long time range, a stats-based search that groups both sourcetypes by the pulse id scales better than join. Second, add the type field to the fields and table clauses: a CSV of bare indicators cannot be split into IP, domain, URL and hash lists, and each of those goes to a different control. If you schedule the search as a saved report, the lookup is refreshed automatically and IOC collection runs on its own.

With that in place, the workflow is simple: on Alienvault OTX, select the pulses whose titles describe a threat relevant to your environment and click subscribe. The app collects the indicators from those pulses (including new indicators added later) on its next run, the scheduled search refreshes the CSV, and you can feed the CSV to your firewall, proxy or EDR as a blocklist. Two cautions before you automate that last step: community pulses are not curated for blocking, so they can contain benign infrastructure (shared hosting, CDN or vendor domains, private addresses, malformed values). Validate each indicator for its type, exclude your own allowlist, and consider alerting on matches for a while before blocking outright.
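The following is an added example, not code from the original post or from the OTX Splunk app. It reproduces the join from the search above on constructed otx:pulse and otx:indicator events, writes the same CSV that outputlookup would produce (with the type column added), and then turns the rows into per-control blocklists with the checks described in the previous paragraph: invalid values, non-routable addresses and allowlisted domains are dropped, and the pulse titles are kept next to each indicator so an analyst can see why it is there. The field names id, name, indicator, type and pulse_id follow the sourcetypes described in the post; the exact name of the type field, the OTX type values and the sample events are assumptions.

```python
"""
Added worked example (not from the original post or the OTX Splunk app):
joins constructed otx:indicator events to otx:pulse events the way the SPL
search in the post does, then builds type-specific blocklists with sanity
checks. Field names follow the post; the sample events are constructed.
"""
import csv
import io
import ipaddress
import re

# Constructed otx:pulse events (subset of fields).
PULSES = [
    {"id": "p1", "name": "Example loader campaign", "author_name": "researcher"},
    {"id": "p2", "name": "Phishing kit infra", "author_name": "researcher"},
]

# Constructed otx:indicator events. The "type" values mirror OTX indicator
# type names; that the app exposes them in a field called "type" is assumed.
INDICATORS = [
    {"indicator": "203.0.113.10", "type": "IPv4", "pulse_id": "p1"},
    {"indicator": "203.0.113.10", "type": "IPv4", "pulse_id": "p2"},   # seen in two pulses
    {"indicator": "10.0.0.5", "type": "IPv4", "pulse_id": "p1"},       # private, must not be blocked
    {"indicator": "bad.example.net", "type": "domain", "pulse_id": "p1"},
    {"indicator": "microsoft.com", "type": "domain", "pulse_id": "p2"}, # benign, allowlisted
    {"indicator": "0123456789abcdef0123456789abcdef", "type": "FileHash-MD5", "pulse_id": "p1"},
    {"indicator": "http://bad.example.net/x.php", "type": "URL", "pulse_id": "p2"},
    {"indicator": "not an ioc", "type": "IPv4", "pulse_id": "p2"},     # malformed
    {"indicator": "198.51.100.7", "type": "IPv4", "pulse_id": "p9"},   # pulse not collected
]

# Assumed per-environment allowlist; the apex and every subdomain are skipped.
ALLOWLIST_DOMAINS = {"microsoft.com", "google.com"}

# Ranges that must never reach a perimeter blocklist. ipaddress's is_global is
# stricter (it also rejects the documentation ranges used in this sample data).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def join_indicators(indicators, pulses):
    """Inner join on pulse id, like `join type=inner id` in the SPL search."""
    names = {p["id"]: p["name"] for p in pulses}
    rows = []
    for ind in indicators:
        name = names.get(ind["pulse_id"])
        if name is None:
            continue  # inner join: indicators whose pulse we never collected are dropped
        rows.append({"indicator": ind["indicator"], "type": ind["type"], "name": name})
    return rows


def to_csv(rows):
    """What outputlookup would write, with the type column included."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["indicator", "type", "name"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def is_blockable_ip(value):
    """True only for a syntactically valid address outside the non-routable ranges."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE if ip.version == net.version)


def is_blockable_domain(value):
    """True for a well-formed domain that is not the allowlisted apex or under it."""
    v = value.lower().rstrip(".")
    if not _DOMAIN_RE.match(v):
        return False
    return not any(v == a or v.endswith("." + a) for a in ALLOWLIST_DOMAINS)


def build_blocklists(rows):
    """Split joined rows into per-control dicts of indicator -> set of pulse titles."""
    lists = {"ipv4": {}, "domain": {}, "url": {}, "md5": {}}
    for r in rows:
        t, v = r["type"], r["indicator"].strip()
        if t == "IPv4" and is_blockable_ip(v):
            key = "ipv4"
        elif t == "domain" and is_blockable_domain(v):
            key = "domain"
        elif t == "URL" and v.startswith(("http://", "https://")):
            key = "url"
        elif t == "FileHash-MD5" and re.fullmatch(r"[0-9a-f]{32}", v.lower()):
            key = "md5"
        else:
            continue  # wrong shape, non-routable, or allowlisted: never auto-block
        lists[key].setdefault(v, set()).add(r["name"])
    return lists


def render_blocklist(entries):
    """One line per indicator, pulse titles kept as a trailing comment for context."""
    return [f"{v} # {'; '.join(sorted(names))}" for v, names in sorted(entries.items())]


if __name__ == "__main__":
    joined = join_indicators(INDICATORS, PULSES)
    print(to_csv(joined))
    for kind, entries in build_blocklists(joined).items():
        print(f"[{kind}]")
        print("\n".join(render_blocklist(entries)))
```

Run as-is, the join keeps eight of the nine constructed indicators (the one whose pulse was never collected falls out, exactly as with an inner join in Splunk), and the blocklists contain one IPv4 address, one domain, one URL and one hash: the private address, the malformed value and the allowlisted vendor domain are all rejected before they could reach a firewall.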
