Skip to main content

Cyware Threat Intelligence eXchange

AlienVault

AlienVault integration with CTIX provides the latest vulnerability feeds and threat indicator feeds. You also gain insights as to who is attacking you, their tools and systems, and the indicators of compromise.

About AlienVault

AlienVault enables organizations to detect and respond to today's threats in the cloud, on-premises, and hybrid cloud environments. It develops commercial and open source solutions to manage cyber attacks.

Configure AlienVault App in CTIX

AlienVault is available as an out-of-the-box integration in the CTIX application.

Before you Start

  • You must have the base URL and API key of your AlienVault account.

  • Your user group must have permissions to create, update and view feed sources.

Steps

Use the following steps to configure the AlienVault in CTIX:

  1. Sign in to the CTIX application.

  2. From Administration, open Integration Management, and select APIs under FEED SOURCES.

  3. Click Add API Source.

  4. Use the search bar to locate AlienVault and click on the app.

  5. Click Add Instance to add an AlienVault instance.

  6. Enter the instance name, base URL, and the API key. You can obtain these values from AlienVault.

  7. To secure the connection between CTIX and AlienVault server, select Verify SSL.

  8. Click Save.

Configure Feed Channels for the AlienVault Integration

The data received from the feed channels are stored in separate collections. Mostly, indicators are fetched from this integration.

Steps

Use the following procedure to configure the feed channels:

  1. From Administration, open Integration Management and select APIs under FEED SOURCES.

  2. Use the search bar to locate AlienVault and click on the app.

  3. Click the ellipsis on the top right corner and select Manage.

  4. On the Manage Instance page, click Manage Feed Channel(s).

  5. Select a feed channel.

  6. Enable the feed channel and enter the last polled date for intel.

  7. Enter the collection name to collect the feed data. The system creates a collection and put all the feeds into the collection.

  8. Select from the following Polling Cron Schedule to specify the poll type of your AlienVault account.

    • Select Manual to manually poll for the feeds.

    • Select Auto to automatically poll for the feeds. In Polling Time, enter a frequency in minutes for the automatic polling.

  9. Select a default TLP to assign for the feeds.

  10. Set a default confidence score for the feeds.

  11. Select any tags to identify and categorize the feeds.

  12. Enable Broken Connection Retry Policy to allow CTIX to re-attempt any failed connection attempts to your AlienVault account.

    • You can enter the retry interval units in days, minutes, or weeks and also specify the retry interval and the retry count.

    • Enable Exponential Backoff Entry to progressively extend the wait time between retries for consecutive error responses.

      For example, for a 10-minute exponential retry interval, the system re-attempts to connect in 10, 100, 1000, 10000, and so on till the retry count is met. Use this option to give your system resources some breathing time and resolve any service overload issues.

  13. Click Save.

You can configure multiple instances of this integration by clicking Manage and Add More on the Manage Instance screen.

Poll for Feeds Manually

If you enable Auto Polling while configuring feed channels, the polling is done automatically. However, if you want to poll for information manually, use the following process:

  1. From Administration, open Integration Management and select APIs under FEED SOURCES.

  2. Select AlienVault, and select the feed channel.

  3. Click the vertical ellipsis and choose Poll Now.

View AlienVault Feeds in CTIX

After configuring the AlienVault integration, you can view the intel received on the CTIX application.

  1. From Administration, open Integration Management, and select APIs under FEED SOURCES.

  2. Select AlienVault, and select the feed channel.

  3. Click the vertical ellipsis, and select View Intel. You can view the IOCs received in the feeds from this source in Threat Data. Some IOCs received in the feeds can not be mapped to the STIX domain objects and are mapped to the STIX custom objects.