Skip to main content

Cyware Orchestrate

AlienVault OTX 1.0.0

App Vendor: AT&T Cybersecurity

Connector Category: Data Enrichment & Threat Intelligence

Connector Version: 1.1.0

API Version: 1.0.0

About App

Alien Vault Open Threat Exchange (OTX) is a threat data platform that allows security researchers and threat data producers to share, research, and investigate new threats. Alien Vault OTX DirectConnect API allows security teams to synchronize the Threat Intelligence that is available in the OTX platform to the tools that security teams use to monitor the environment.

The Alien Vault OTX app allows security teams to connect with the enterprise version of Alien Vault OTX platform to get details about NIDs, Correlation Rules, and CVE IDs and check the reputation of domains, hosts, URLs, IP addresses, and hash values. The Alien Vault OTX app is configured with the Orchestrate application to perform the following actions:

Action Name

Description

Check Alien Vault Network IDs Information

This action retrieves details of Network IDs (NID) such as name, category, pulse information, indicators, event activity, and IP list.

Check Domain Reputation and more Information

This action retrieves the domain reputation and other details such as geographic location details, user details, domain details, host details, URL list, malware details, and passive DNS details.

Check Host Reputation and more Information

This action retrieves the host reputation and other details such as geographic location details, user details, domain details, host details, URL list, malware details, and passive DNS details.

Check IPv4 Reputation and more Information

This action retrieves the IPv4 address reputation and other details in sections such as geographic location details, general details, URL list, malware details, and passive DNS details.

Check IPv6 reputation and more Information

This action retrieves the IPv6 address reputation and other details such as geographic location details, general details, URL list, malware details, and passive DNS details.

Check URL Reputation and more Information

This action retrieves the URL reputation and other details such as general details, URL list, HTTP scan details.

Get Correlation Rule Information

This action retrieves the general details about the correlation rule such as pulse information, type title, and base indicator.

Get CVE Details

This action retrieves general details about the CVE (Common Vulnerabilities and Exposures) ID such as NVD URL, sections, indicator, MITRE URL, pulse information, type title, and base indicator.

Get Hash Reputation and more Information

This action retrieves the hash value reputation and other general details such as type, sections, indicator, pulse information, type title, validation, and base indicator.

Submit URL for Analysis

This action to analyzes suspicious URLs to detect malware and malicious activity.

File for Analysis

This action to analyzes suspicious files to detect malware and malicious activity.

Configuration Parameters

The following configuration parameters are required for the AlienVault OTX app to communicate with the AlienVault OTX enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

API Key

Enter the Alien Vault OTX API key.

Text

Required

Action: Check Alien Vault Network IDs Information

This action retrieves details about Network IDs (NID), such as name, category, pulse info, indicators, event activity, and IP list.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alien Vault Network ID (NID)

Enter the Alien Vault Network ID (NID) to get the details.

Example:

"2820184"

Text

Required

Example Request

[
    {
        "nid": "2820184"
    }
]
Action: Check Domain Reputation and more Information

This action retrieves the domain reputation and other general details such as geographic location details, user details, domain details, host details, URL list, malware details, and passive DNS details.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Domain Name

Enter the domain name of the user to check the reputation of the domain.

Example:

"google.com"

Text

Required

Input Comma Separated list of Section Names

Enter the list of section names to get the details of the entered sections only.

Example:

$LIST[ geo, general]

List

Optional

If no section name is provided, then the response contains details of all the sections.

Allowed Values:

  • geo

  • general

  • whois

  • malware

  • url_list

  • http_scans

  • passive_dns

Example Request 

[
  {
    "domain_name": "google.com",
    "section_list": [
      "geo",
      "general"
    ]
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Includes the response received from the app action.

app_instance.response.general

JSON Object

Includes general details of the domain.

app_instance.response.general.base_indicator

JSON Object

Returns the details of the domain, such as the ID, description, access type, and other details.

app_instance.response.general.pulse_info

JSON Object

Returns a list of pulses associated with the domain.

app_instance.response.general.sections

Array

Returns a list of sections available for the domain in the LevelBlue platform.

app_instance.response.general.validation

Array

Returns details about the domain from various threat intelligence databases.

app_instance.response.general.whois

String

Returns the WHOIS link of the domain.

app_instance.response.geo

JSON Object

Returns the geographic data of the domain, such as country code, coordinates, and other details.

app_instance.response.malware

JSON Object

Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this domain.

app_instance.response.url_list

JSON Object

Returns the URLs analyzed by LevelBlue Labs that are associated with the domain.

app_instance.response.passive_dns

JSON Object

Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this domain.

app_instance.response.http_scans

JSON Object

Returns the metadata for HTTP and HTTPS connections to the domain.

Action: Check Host Reputation and More Information

This action retrieves the host reputation and other details such as geographic location details, user details, domain details, host details, URL list, malware details, and passive DNS details.

Action Input Parameters

Parameter

Description

Field Type

Required /Optional

Comments

Host Name

Enter the host name to check the reputation.

Example:

"google.com"

Text

Required

Input Comma Separated list of Section Names

Enter the list of section names to get the details of the entered sections only.

Example:

$LIST[geo, general]

List

Optional

If no section name is provided, then the response contains details of all the sections.

Allowed Values:

  • geo

  • general

  • whois

  • malware

  • url_list

  • http_scans

  • passive_dns

Example Request

[
  {
    "host_name": "google.com",
    "section_list": [
      "geo",
      "general"
    ]
  }
]
Action: Check IPv4 Reputation and More Information

This action retrieves the IPv4 address reputation and other details such as geographic location details, general details, URL list, malware details, and passive DNS details.

Action Input Parameters 

Parameter

Description

Field Type

Required /Optional

Comments

IPv4 Address 

Enter the IP address in IPv4 format to check the reputation.

Example:

"8.8.8.8"

Text

Required

Input Comma Separated list of Section Names 

Enter the list of section names to get the details of the entered sections only.

Example:

$LIST[geo,general]

List

Optional

If no section name is provided, then the response contains details of all the sections.

Allowed Values:

  • geo

  • general

  • malware

  • url_list

  • nids_list

  • http_scans

  • reputation

  • passive_dns

Example Request 

[
  {
    "ipv4_address": "8.8.8.8",
    "section_list": [
      "geo",
      "general"
    ]
  }
]

Action Response Parameters 

Parameter 

Type 

Description 

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Includes the response received from the app action.

app_instance.response.general

JSON Object

Includes general details of the IP address.

app_instance.response.general.base_indicator

JSON Object

Returns the details of the IP address, such as the ID, description, access type, and other details.

app_instance.response.general.domain

String

Returns the domain name associated with the IP address.

app_instance.response.general.hostname

String

Returns the hostname associated with the IP address.

app_instance.response.general.pulse_info

JSON Object

Returns a list of pulses associated with the IP address.

app_instance.response.general.sections

Array

Returns a list of sections available for the IP address in the LevelBlue platform.

app_instance.response.general.validation

Array

Returns details about the IP address from various threat intelligence databases.

app_instance.response.general.whois

String

Returns the WHOIS link of the IP address.

app_instance.response.general.reputation

JSON Object

Returns the Open Threat Intelligence (OTX) data on malicious activity observed by LevelBlue Labs (IP Reputation).

app_instance.response.geo

JSON Object

Returns the geographic data of the IP address, such as country code, coordinates, and other details.

app_instance.response.malware

JSON Object

Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this IP address.

app_instance.response.url_list

JSON Object

Returns the URLs analyzed by LevelBlue Labs that are associated with the IP address.

app_instance.response.passive_dns

JSON Object

Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this IP address.

app_instance.response.http_scans

JSON Object

Returns the metadata for HTTP and HTTPS connections to the IP address.

Action: Check IPv6 Reputation and More Information

This action retrieves the IPv6 address reputation and other details such as geographic location details, general details, URL list, malware details, and passive DNS details.

Action Input Parameters

Parameter

Description

Field Type

Required /Optional

Comments

IPv6 Address

Enter the IP address in IPv6 format to get the reputation details.

Example:

"2001:4860:4860::8888"

Text

Required

Input Comma Separated list of Section Names

Enter the list of section names to get the details of the entered sections only.

Example:

$LIST[ "geo","general" ]

List

Optional

If no section name is provided, then the response contains details of all the sections.

Allowed Values:

  • geo

  • general

  • malware

  • url_list

  • nids_list

  • http_scans

  • reputation

  • passive_dns

Example Request

[
  {
    "ipv6_address": "2001:4860:4860::8888",
    "section_list": [
      "geo",
      "general"
    ]
  }
]
Action: Check URL Reputation and More Information

This action retrieves the URL reputation and other details such as general details, URL list, and HTTP scan details.

Action Input Parameters 

Parameter

Description

Field Type

Required /Optional

Comments

URL 

Enter a URL to retrieve the reputation details.

Example:

"http://google.com"

Text

Required

Example Request 

[
    {
        "url": "http://google.com"
    }
]

Action Response Parameters 

Parameter 

Type 

Description 

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Includes the response received from the app action.

app_instance.response.general

JSON Object

Includes general details of the URL.

app_instance.response.general.base_indicator

JSON Object

Returns the details of the URL, such as the ID, description, access type, and other details.

app_instance.response.general.domain

String

Returns the domain name associated with the URL.

app_instance.response.general.hostname

String

Returns the hostname associated with the URL.

app_instance.response.general.pulse_info

JSON Object

Returns a list of pulses associated with the URL.

app_instance.response.general.sections

Array

Returns a list of sections available for the URL in the LevelBlue platform.

app_instance.response.general.validation

Array

Returns details about the URL from various threat intelligence databases.

app_instance.response.general.whois

String

Returns the WHOIS link of the URL.

app_instance.response.url_list

JSON Object

Returns the URLs analyzed by LevelBlue Labs that are associated with the URL.

Action: Get Correlation Rule Information

This action retrieves the general details about a correlation rule such as pulse information, type title, and base indicator.

Action Input Parameters

Parameter

Description

Field Type

Required /Optional

Comments

Correlation Rule

Enter a correlation rule entry to get the details.

Example:

"572f8c3c540c6f0161677877"

Text

Required

Example Request

[
    {
        "corr_rule": "572f8c3c540c6f0161677877"
    }
]
Action: Get CVE Details

This action retrieves general details about the CVE (Common Vulnerabilities and Exposures) ID such as NVD URL, sections, indicator, MITRE URL, pulse information, type title, and base indicator.

Action Input Parameters

Parameters

Description

Field Type

Required /Optional

Comments

CVE ID

Enter a CVE ID to get the details.

Example:

"CVE-2016-7654321"

Text

Required

Example Request

[
    {
        "cve": "CVE-2016-7654321"
    }
]
Action: Get Hash Reputation and More Information

This action retrieves the hash value reputation and other general details such as type, sections, indicator, pulse information, type title, validation, and base indicator.

Action Input Parameters 

Parameter

Description

Field Type

Required /Optional

Comments

Hash 

Enter a hash value to check the reputation.

Example:

"02aeb9966cd1f83656d125f4a688b779"

Text

Required

Allowed File Hash types:

  • SHA1

  • SHA256

  • MD5

Example Request 

[
    {
        "file_hash": "02aeb9966cd1f83656d125f4a688b779"
    }
]

Action Response Parameters 

Parameter 

Type 

Description 

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Includes the response received from the app action.

app_instance.response.general

JSON Object

Includes general details of the hash.

app_instance.response.general.base_indicator

JSON Object

Returns the details of the hash, such as the ID, description, access type, and other details.

app_instance.response.general.pulse_info

JSON Object

Returns a list of pulses associated with the hash.

app_instance.response.general.sections

Array

Returns a list of sections available for the hash in the LevelBlue platform.

app_instance.response.general.validation

Array

Returns details about the hash from various threat intelligence databases.

app_instance.response.general.type_title

String

Returns the hash type.

app_instance.response.analysis

JSON Object

Returns the dynamic and static analysis of this file (Cuckoo analysis, exiftool, and more.)

Action: Submit URL for Analysis

This action to analyzes suspicious URLs to detect malware and malicious activity.

Action Input Parameters

Parameter

Description

Field Type

Required /Optional

Comments

URL

Enter the URL for Analysis.

Example:

"www.google.com"

Text

Required

Example Request

[
    {
        "url": "www.google.com"
    }
]
Action: File for Analysis

This action to analyzes suspicious files to detect malware and malicious activity.

Action Input Parameters

Parameter

Description

Field Type

Required /Optional

Comments

File Path

Enter the file path for analysis.

Example:

"/tmp/path/file.pdf"

Text

Required

The file path must be a local path on your Orchestrate host.

Example Request

[
    {
        "file_path": "/tmp/path/file.pdf"
    }
]