AlienVault OTX
App Vendor: AT&T Cybersecurity
Connector Category: Data Enrichment & Threat Intelligence
Connector Version: 1.1.0
API Version: 1.0.0
About App
Alien Vault Open Threat Exchange (OTX) is a threat data platform that allows security researchers and threat data producers to share, research, and investigate new threats. Alien Vault OTX DirectConnect API allows security teams to synchronize the Threat Intelligence that is available in the OTX platform to the tools that security teams use to monitor the environment.
The Alien Vault OTX app allows security teams to connect with the enterprise version of the Alien Vault OTX platform to get details about Network IDs (NIDs), Correlation Rules, and CVE IDs, and to check the reputation of domains, hosts, URLs, IP addresses, and hash values. The Alien Vault OTX app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Check Alien Vault Network IDs Information | This action retrieves details of Network IDs (NID) such as name, category, pulse information, indicators, event activity, and IP list. |
Check Domain Reputation and more Information | This action retrieves the domain reputation and other details such as geographic location details, user details, domain details, host details, URL list, malware details, and passive DNS details. |
Check Host Reputation and more Information | This action retrieves the host reputation and other details such as geographic location details, user details, domain details, host details, URL list, malware details, and passive DNS details. |
Check IPv4 Reputation and more Information | This action retrieves the IPv4 address reputation and other details in sections such as geographic location details, general details, URL list, malware details, and passive DNS details. |
Check IPv6 reputation and more Information | This action retrieves the IPv6 address reputation and other details such as geographic location details, general details, URL list, malware details, and passive DNS details. |
Check URL Reputation and more Information | This action retrieves the URL reputation and other details such as general details, URL list, and HTTP scan details. |
Get Correlation Rule Information | This action retrieves the general details about the correlation rule such as pulse information, type title, and base indicator. |
Get CVE Details | This action retrieves general details about the CVE (Common Vulnerabilities and Exposures) ID such as NVD URL, sections, indicator, MITRE URL, pulse information, type title, and base indicator. |
Get Hash Reputation and more Information | This action retrieves the hash value reputation and other general details such as type, sections, indicator, pulse information, type title, validation, and base indicator. |
Submit URL for Analysis | This action analyzes suspicious URLs to detect malware and malicious activity. |
File for Analysis | This action analyzes suspicious files to detect malware and malicious activity. |
Configuration Parameters
The following configuration parameters are required for the AlienVault OTX app to communicate with the AlienVault OTX enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Key | Enter the Alien Vault OTX API key. | Text | Required | |
Action: Check Alien Vault Network IDs Information
This action retrieves details about Network IDs (NID), such as name, category, pulse info, indicators, event activity, and IP list.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alien Vault Network ID (NID) | Enter the Alien Vault Network ID (NID) to get the details. Example: "2820184" | Text | Required | |
Example Request
[ { "nid": "2820184" } ]
Action: Check Domain Reputation and more Information
This action retrieves the domain reputation and other general details such as geographic location details, user details, domain details, host details, URL list, malware details, and passive DNS details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name | Enter the domain name of the user to check the reputation of the domain. Example: "google.com" | Text | Required | |
Input Comma Separated list of Section Names | Enter the list of section names to get the details of the entered sections only. Example: $LIST[geo, general] | List | Optional | If no section name is provided, then the response contains details of all the sections. Allowed Values: |
Example Request
[ { "domain_name": "google.com", "section_list": [ "geo", "general" ] } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Includes general details of the domain. |
| JSON Object | Returns the details of the domain, such as the ID, description, access type, and other details. |
| JSON Object | Returns a list of pulses associated with the domain. |
| Array | Returns a list of sections available for the domain in the LevelBlue platform. |
| Array | Returns details about the domain from various threat intelligence databases. |
| String | Returns the WHOIS link of the domain. |
| JSON Object | Returns the geographic data of the domain, such as country code, coordinates, and other details. |
| JSON Object | Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this domain. |
| JSON Object | Returns the URLs analyzed by LevelBlue Labs that are associated with the domain. |
| JSON Object | Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this domain. |
| JSON Object | Returns the metadata for HTTP and HTTPS connections to the domain. |
Action: Check Host Reputation and More Information
This action retrieves the host reputation and other details such as geographic location details, user details, domain details, host details, URL list, malware details, and passive DNS details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Name | Enter the host name to check the reputation. Example: "google.com" | Text | Required | |
Input Comma Separated list of Section Names | Enter the list of section names to get the details of the entered sections only. Example: $LIST[geo, general] | List | Optional | If no section name is provided, then the response contains details of all the sections. Allowed Values: |
Example Request
[ { "host_name": "google.com", "section_list": [ "geo", "general" ] } ]
Action: Check IPv4 Reputation and More Information
This action retrieves the IPv4 address reputation and other details such as geographic location details, general details, URL list, malware details, and passive DNS details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IPv4 Address | Enter the IP address in IPv4 format to check the reputation. Example: "8.8.8.8" | Text | Required | |
Input Comma Separated list of Section Names | Enter the list of section names to get the details of the entered sections only. Example: $LIST[geo, general] | List | Optional | If no section name is provided, then the response contains details of all the sections. Allowed Values: |
Example Request
[ { "ipv4_address": "8.8.8.8", "section_list": [ "geo", "general" ] } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Includes general details of the IP address. |
| JSON Object | Returns the details of the IP address, such as the ID, description, access type, and other details. |
| String | Returns the domain name associated with the IP address. |
| String | Returns the hostname associated with the IP address. |
| JSON Object | Returns a list of pulses associated with the IP address. |
| Array | Returns a list of sections available for the IP address in the LevelBlue platform. |
| Array | Returns details about the IP address from various threat intelligence databases. |
| String | Returns the WHOIS link of the IP address. |
| JSON Object | Returns the Open Threat Exchange (OTX) data on malicious activity observed by LevelBlue Labs (IP Reputation). |
| JSON Object | Returns the geographic data of the IP address, such as country code, coordinates, and other details. |
| JSON Object | Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this IP address. |
| JSON Object | Returns the URLs analyzed by LevelBlue Labs that are associated with the IP address. |
| JSON Object | Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this IP address. |
| JSON Object | Returns the metadata for HTTP and HTTPS connections to the IP address. |
Action: Check IPv6 Reputation and More Information
This action retrieves the IPv6 address reputation and other details such as geographic location details, general details, URL list, malware details, and passive DNS details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IPv6 Address | Enter the IP address in IPv6 format to get the reputation details. Example: "2001:4860:4860::8888" | Text | Required | |
Input Comma Separated list of Section Names | Enter the list of section names to get the details of the entered sections only. Example: $LIST[geo, general] | List | Optional | If no section name is provided, then the response contains details of all the sections. Allowed Values: |
Example Request
[ { "ipv6_address": "2001:4860:4860::8888", "section_list": [ "geo", "general" ] } ]
Action: Check URL Reputation and More Information
This action retrieves the URL reputation and other details such as general details, URL list, and HTTP scan details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter a URL to retrieve the reputation details. Example: "http://google.com" | Text | Required | |
Example Request
[ { "url": "http://google.com" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Includes general details of the URL. |
| JSON Object | Returns the details of the URL, such as the ID, description, access type, and other details. |
| String | Returns the domain name associated with the URL. |
| String | Returns the hostname associated with the URL. |
| JSON Object | Returns a list of pulses associated with the URL. |
| Array | Returns a list of sections available for the URL in the LevelBlue platform. |
| Array | Returns details about the URL from various threat intelligence databases. |
| String | Returns the WHOIS link of the URL. |
| JSON Object | Returns the URLs analyzed by LevelBlue Labs that are associated with the URL. |
Action: Get Correlation Rule Information
This action retrieves the general details about a correlation rule such as pulse information, type title, and base indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Correlation Rule | Enter a correlation rule entry to get the details. Example: "572f8c3c540c6f0161677877" | Text | Required | |
Example Request
[ { "corr_rule": "572f8c3c540c6f0161677877" } ]
Action: Get CVE Details
This action retrieves general details about the CVE (Common Vulnerabilities and Exposures) ID such as NVD URL, sections, indicator, MITRE URL, pulse information, type title, and base indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
CVE ID | Enter a CVE ID to get the details. Example: "CVE-2016-7654321" | Text | Required | |
Example Request
[ { "cve": "CVE-2016-7654321" } ]
Action: Get Hash Reputation and More Information
This action retrieves the hash value reputation and other general details such as type, sections, indicator, pulse information, type title, validation, and base indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash | Enter a hash value to check the reputation. Example: "02aeb9966cd1f83656d125f4a688b779" | Text | Required | Allowed File Hash types: |
Example Request
[ { "file_hash": "02aeb9966cd1f83656d125f4a688b779" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| JSON Object | Includes general details of the hash. |
| JSON Object | Returns the details of the hash, such as the ID, description, access type, and other details. |
| JSON Object | Returns a list of pulses associated with the hash. |
| Array | Returns a list of sections available for the hash in the LevelBlue platform. |
| Array | Returns details about the hash from various threat intelligence databases. |
| String | Returns the hash type. |
| JSON Object | Returns the dynamic and static analysis of this file (Cuckoo analysis, exiftool, and more). |
Action: Submit URL for Analysis
This action analyzes suspicious URLs to detect malware and malicious activity.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter the URL for analysis. Example: "www.google.com" | Text | Required | |
Example Request
[ { "url": "www.google.com" } ]
Action: File for Analysis
This action analyzes suspicious files to detect malware and malicious activity.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Path | Enter the file path for analysis. Example: "/tmp/path/file.pdf" | Text | Required | The file path must be a local path on your Orchestrate host. |
Example Request
[ { "file_path": "/tmp/path/file.pdf" } ]