tips:alienvault_otx
AlienVault OTX Intel Checker
This page gives guidelines for installing the AlienVault OTX Intel Checker app in Trisul Network Analytics.
The app checks the artifacts seen in your network traffic against the threat IOCs found in AlienVault OTX and raises an alert in the UI when one matches.
Intel Framework for Trisul
- This app requires you to first install the IOC Harvestor app.
- Then install this app by logging in as admin and selecting Web Admin > Manage > Apps > AlienVault OTX Intel Checker.
The IOC Harvestor extracts the artifacts from traffic; the check_intel.lua script then looks each one up in a LevelDB database that holds the OTX IOCs.
Getting the AlienVault OTX into a LevelDB database
- Go to OTX and get an AlienVault OTX API key.
- On OTX, subscribe to any number of Pulses. Pulses are collections of IOCs from various sources; the feed installer below pulls the IOCs from the pulses you are subscribed to.
Pre-requisites Ruby and LevelDB
The feed installation process needs Ruby and LevelDB installed on the Probe.
Ubuntu
apt install build-essential ruby libleveldb1v5
gem install rake faraday leveldb
The LevelDB runtime package name depends on the Ubuntu release; libleveldb1v5 is the name on 16.04 and 18.04, so check with apt search leveldb if the install fails.
CentOS/RHEL7
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install leveldb
yum install gcc-c++
gem install rake faraday leveldb
LevelDB comes from EPEL, which is why the repository is added first. These commands assume Ruby is already present on the CentOS host; if gem is not found, install Ruby before running them.
Run all of these commands as root.
Installing Feeds
Compile the IOCs from OTX into a LevelDB database using the installfeed.sh script as shown below, passing your OTX API key as the only argument.
curl -O https://raw.githubusercontent.com/trisulnsm/apps/master/analyzers/alienvault-otx/installfeed.sh
bash ./installfeed.sh ALIENVAULT_API_KEY
Read the downloaded script before running it: it executes as root and is handed your API key. Re-run it whenever you want to pick up newly added pulse indicators.
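The flow described above, from subscribed OTX pulses to a key/value lookup of traffic artifacts, in an added Ruby example. This is not Trisul's installfeed.sh or check_intel.lua. It assumes the OTX v1 subscribed-pulses endpoint and the X-OTX-API-KEY request header, a key scheme of its own (ip:, dom:, hash:, url: prefixes), and a plain Hash standing in for the LevelDB database, since LevelDB::DB from the leveldb gem answers to the same []= and [] calls. The pulse JSON and the artifacts are constructed, and the network fetch is defined but not called, so the script runs offline.

```ruby
require 'json'
require 'net/http'
require 'ipaddr'

# Assumed OTX v1 endpoint listing the pulses the API key's account subscribes to.
OTX_SUBSCRIBED = 'https://otx.alienvault.com/api/v1/pulses/subscribed'

# OTX indicator type -> key prefix (assumed scheme, not Trisul's). Types that
# cannot be matched against traffic artifacts here (email, CVE, ...) are left out.
TYPE_PREFIX = {
  'IPv4' => 'ip', 'IPv6' => 'ip', 'domain' => 'dom', 'hostname' => 'dom', 'URL' => 'url',
  'FileHash-MD5' => 'hash', 'FileHash-SHA1' => 'hash', 'FileHash-SHA256' => 'hash'
}.freeze

# Fetch one page of subscribed pulses. Not called below, so the script runs offline.
def fetch_subscribed_pulses(api_key, modified_since = nil)
  uri = URI(OTX_SUBSCRIBED)
  uri.query = URI.encode_www_form(modified_since: modified_since) if modified_since
  req = Net::HTTP::Get.new(uri)
  req['X-OTX-API-KEY'] = api_key
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  raise "OTX request failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)['results']
end

# Canonicalise a value so a lookup from live traffic lands on the same key:
# IPs in canonical text form (IPv6 compressed), DNS names lower-cased without a
# trailing dot, hashes lower-cased. nil for unsupported types or unparsable IPs.
def normalize(type, value)
  v = value.to_s.strip
  case TYPE_PREFIX[type]
  when 'ip'   then IPAddr.new(v).to_s
  when 'dom'  then v.downcase.chomp('.')
  when 'hash' then v.downcase
  when 'url'  then v
  end
rescue IPAddr::InvalidAddressError
  nil
end

def ioc_key(type, value)
  prefix = TYPE_PREFIX[type] or return nil
  v = normalize(type, value) or return nil
  "#{prefix}:#{v}"
end

# Write every usable indicator of every pulse into db, storing the pulse it came
# from as the value so an alert can say why. Returns the number of keys written.
def load_pulses(db, pulses)
  written = 0
  pulses.each do |pulse|
    meta = { 'pulse_id' => pulse['id'], 'pulse' => pulse['name'] }.to_json
    pulse.fetch('indicators', []).each do |ind|
      key = ioc_key(ind['type'], ind['indicator']) or next
      db[key] = meta
      written += 1
    end
  end
  written
end

# artifacts: { 'IPv4' => [...], 'domain' => [...], ... } as seen in traffic.
# Returns one hit per artifact present in the database, tagged with its pulse.
def check_artifacts(db, artifacts)
  artifacts.each_with_object([]) do |(type, values), hits|
    values.each do |v|
      key = ioc_key(type, v) or next
      meta = db[key] or next
      hits << { 'type' => type, 'value' => v }.merge(JSON.parse(meta))
    end
  end
end

# Constructed pulse in the shape of an OTX API response (not real OTX data).
SAMPLE_PULSES = JSON.parse(<<~JSON)['results']
  {"results": [{"id": "pulse-0001", "name": "Constructed example pulse", "indicators": [
    {"type": "IPv4", "indicator": "203.0.113.10"},
    {"type": "IPv6", "indicator": "2001:0db8:0000:0000:0000:0000:0000:0001"},
    {"type": "domain", "indicator": "Malicious.Example."},
    {"type": "FileHash-SHA256", "indicator": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"type": "email", "indicator": "someone@example.invalid"}]}]}
JSON

# Constructed artifacts, as a traffic analyser might hand them over.
SAMPLE_ARTIFACTS = {
  'IPv4' => ['203.0.113.10', '198.51.100.7'], 'IPv6' => ['2001:db8::1'],
  'domain' => ['MALICIOUS.EXAMPLE', 'benign.example'],
  'FileHash-SHA256' => ['e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']
}.freeze

if $PROGRAM_NAME == __FILE__
  db = {}
  puts "loaded #{load_pulses(db, SAMPLE_PULSES)} IOCs"
  check_artifacts(db, SAMPLE_ARTIFACTS).each { |h| puts "ALERT #{h['type']} #{h['value']} (#{h['pulse']})" }
end
```

The normalisation step is the part worth copying: an IOC stored as Malicious.Example. or as an uncompressed IPv6 address will never match a lookup of what the probe actually saw unless both sides are reduced to the same canonical key before the database is consulted.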
Viewing Alerts
tips/alienvault_otx.txt · Last modified: 2020/03/31 19:06 by navaneeth