AlienVault Open Threat Exchange Integration
Threat sharing in the security industry remains mainly ad-hoc and informal, filled with blind spots, frustration, and pitfalls. Our vision is for companies and government agencies to gather and share relevant, timely, and accurate information about new or ongoing cyberattacks and threats as quickly as possible to avoid major breaches (or minimize the damage from an attack). The Alien Labs Open Threat Exchange (OTX) delivers the first truly open threat intelligence community that makes this vision a reality.
OTX provides access to a global community of threat researchers and security professionals, with more than 100,000 participants in 140 countries, who contribute over 19 million threat indicators daily. OTX allows anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques.
The OTX community reports on and receives threat data in the form of pulses. An OTX pulse consists of one or more indicators of compromise (IOCs) that constitute a threat or define a sequence of actions that could be used to carry out attacks on network devices and computers. OTX pulses also provide information on the reliability of threat information, who reported a threat, and other details of threat investigations.
All OTX members receive pulse information through their OTX Activity feed, as well as updates about pulses through email. This information appears as soon as you open an OTX account. OTX data can be used to enhance the threat detection capabilities not only of security monitoring systems such as AlienVault USM Appliance™ and the open source AlienVault OSSIM platform, but also of other third-party security monitoring and management systems.
To add the AlienVault Open Threat Exchange integration in Cisco XDR:
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the AlienVault Open Threat Exchange integration.
- Click the plus sign (+) in the lower-right corner of the card. The AlienVault Open Threat Exchange integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the AlienVault Open Threat Exchange integration in Cisco XDR.

You can perform the following tasks after you integrate AlienVault Open Threat Exchange with Cisco XDR:
- Investigations - Start a new investigation into any combination of domains, email addresses, MD5 hashes, SHA-1 hashes, SHA-256 hashes, IP addresses, and URLs; the results will include any records of them found in your AlienVault Open Threat Exchange. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know AlienVault Open Threat Exchange has recent information. For details, see Investigate.