Working with AlienVault OTX
This section describes how to configure FortiSIEM to pull AlienVault OTX malware domains, IPs, URLs, and hashes through its TAXII 2.1 integration.
- Working with AlienVault OTX Malware Domains
- Working with AlienVault OTX Malware IPs
- Working with AlienVault OTX Malware URLs
- Working with AlienVault OTX Malware Hash
Working with AlienVault OTX Malware Domains
- Enabling the AlienVault OTX Service
- Disabling the AlienVault OTX Service
- AlienVault OTX Malware Domain Values
Enabling the AlienVault OTX Service
To start the AlienVault OTX service, follow these steps once you have defined the feeds:
- Go to RESOURCES > Malware Domains and select the OTX service you defined.
- Click More > Update. In the Update Malware Domain dialog box, click + to schedule when the service starts. See Specifying a schedule.
- Click Save.
Disabling the AlienVault OTX Service
To stop the AlienVault OTX service, follow these steps:
- Go to RESOURCES > Malware Domains and select the Malware Domain folder with your AlienVault OTX service.
- Click More > Update.
- Select an existing schedule.
- Delete the existing schedule.
- Repeat steps 3 and 4 until all schedules have been removed.
- Click Save.
AlienVault OTX Malware Domain Values
After creating a group/folder for AlienVault, select it and click More > Update. Select Update via API, click the edit icon next to URL, and enter the following values to configure AlienVault OTX Malware Domains for FortiSIEM, then click Save. The OTX API key authenticates FortiSIEM to OTX, so treat it as a secret even though it is entered in the User Name field.
Parameter | Value |
---|---|
URL | https://otx.alienvault.com/taxii/root |
User Name | <user> (your OTX API key) |
Password | Not required; leave blank (the value is ignored) |
Plugin Class | com.accelops.service.threatfeed.impl.Stix2MalwareDomainUpdateService |
Data Format | Select STIX/TAXII Format |
Collection | user_AlienVault |
Data Update | Select Full |
Working with AlienVault OTX Malware IPs
For AlienVault OTX Malware IPs, go to RESOURCES > Malware IPs, and repeat the same steps as for AlienVault OTX Malware Domains.
Use the following values to configure AlienVault OTX Malware IPs for FortiSIEM.
Parameter | Value |
---|---|
URL | https://otx.alienvault.com/taxii/root |
User Name | <user> (your OTX API key) |
Password | Not required; leave blank (the value is ignored) |
Plugin Class | com.accelops.service.threatfeed.impl.Stix2MalwareIPUpdateService |
Data Format | Select STIX/TAXII Format |
Collection | user_AlienVault |
Data Update | Select Full |
Working with AlienVault OTX Malware URLs
For AlienVault OTX Malware URLs, go to RESOURCES > Malware URLs, and repeat the same steps as for AlienVault OTX Malware Domains.
Use the following values to configure AlienVault OTX Malware URLs for FortiSIEM.
Parameter | Value |
---|---|
URL | https://otx.alienvault.com/taxii/root |
User Name | <user> (your OTX API key) |
Password | Not required; leave blank (the value is ignored) |
Plugin Class | com.accelops.service.threatfeed.impl.Stix2MalwareUrlUpdateService |
Data Format | Select STIX/TAXII Format |
Collection | user_AlienVault |
Data Update | Select Full |
Working with AlienVault OTX Malware Hash
For AlienVault OTX Malware Hash, go to RESOURCES > Malware Hash, and repeat the same steps as for AlienVault OTX Malware Domains.
Use the following values to configure AlienVault OTX Malware Hash for FortiSIEM.
Parameter | Value |
---|---|
URL | https://otx.alienvault.com/taxii/root |
User Name | <user> (your OTX API key) |
Password | Not required; leave blank (the value is ignored) |
Plugin Class | com.accelops.service.threatfeed.impl.Stix2MalwareHashUpdateService |
Data Format | Select STIX/TAXII Format |
Collection | user_AlienVault |
Data Update | Select Full |
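The four tables above configure the same TAXII 2.1 server and collection and differ only in which indicator type each plugin class imports. The script below is an added example, not FortiSIEM or AlienVault code, for checking the feed before scheduling the FortiSIEM services: it builds the TAXII 2.1 requests implied by the table values (root URL, API key as the user name, empty password, collection user_AlienVault), resolves the collection alias to the collection record FortiSIEM will poll, and sorts the STIX 2.1 indicator patterns from one response into the four RESOURCES folders. It assumes OTX accepts the API key as the HTTP Basic user name with an empty password (the page's User Name/Password description read in HTTP terms); the JSON payloads are constructed samples shaped like TAXII 2.1 responses, not captured OTX output. Live discovery runs only if an OTX_API_KEY environment variable (a name chosen for this example) is set.

```python
"""Pre-flight check for the FortiSIEM / AlienVault OTX TAXII 2.1 feeds.

Added example, not FortiSIEM or AlienVault code. Builds the TAXII 2.1 requests
FortiSIEM issues with the values from the tables above and sorts STIX 2.1
indicator patterns into the four FortiSIEM resource types. All JSON below is a
constructed sample, not captured OTX output.
"""
import base64
import json
import os
import re
import urllib.request
from typing import Dict, List, Optional

TAXII_ROOT = "https://otx.alienvault.com/taxii/root"
COLLECTION_ALIAS = "user_AlienVault"
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"

# STIX Cyber-observable type -> FortiSIEM RESOURCES folder (plugin class in comment).
FEED_FOR_TYPE = {
    "domain-name": "Malware Domains",  # Stix2MalwareDomainUpdateService
    "ipv4-addr": "Malware IPs",        # Stix2MalwareIPUpdateService
    "ipv6-addr": "Malware IPs",
    "url": "Malware URLs",             # Stix2MalwareUrlUpdateService
    "file": "Malware Hash",            # Stix2MalwareHashUpdateService
}
# Single-comparison STIX pattern, e.g. [file:hashes.'SHA-256' = 'ab...'].
PATTERN_RE = re.compile(r"\[(?P<otype>[a-z0-9-]+):(?P<prop>[^=\s]+)\s*=\s*'(?P<val>[^']*)'\]")


def taxii_request(url: str, api_key: str) -> urllib.request.Request:
    """Build a TAXII 2.1 GET. The tables put the API key in User Name and ignore
    Password; in HTTP terms that is Basic auth with user=<key> and an empty
    password (assumption about OTX's scheme, see lead-in)."""
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    return urllib.request.Request(url, headers={
        "Accept": TAXII_MEDIA_TYPE,
        "Authorization": f"Basic {token}",
    })


def find_collection(collections_doc: dict, alias: str) -> Optional[dict]:
    """Resolve the alias FortiSIEM is configured with to the readable TAXII
    collection record; object polling is by collection id, not alias."""
    for c in collections_doc.get("collections", []):
        if alias in (c.get("alias"), c.get("title")) and c.get("can_read"):
            return c
    return None


def sort_indicators(envelope: dict) -> Dict[str, List[str]]:
    """Bucket one TAXII envelope's STIX indicators by FortiSIEM resource type.
    Revoked objects, non-indicators and compound patterns land in 'unmapped'
    so the operator sees what none of the four plugins would import."""
    buckets: Dict[str, List[str]] = {f: [] for f in sorted(set(FEED_FOR_TYPE.values()))}
    buckets["unmapped"] = []
    for obj in envelope.get("objects", []):
        is_stix_indicator = (obj.get("type") == "indicator"
                             and obj.get("pattern_type", "stix") == "stix"
                             and not obj.get("revoked", False))
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip()) if is_stix_indicator else None
        feed = FEED_FOR_TYPE.get(m.group("otype")) if m else None
        if feed is None:
            buckets["unmapped"].append(obj.get("id", "<no id>"))
        else:
            buckets[feed].append(m.group("val"))
    return buckets


# Constructed samples shaped like TAXII 2.1 /collections/ and /objects/ responses.
SAMPLE_COLLECTIONS = {"collections": [
    {"id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116", "title": "user_AlienVault",
     "alias": "user_AlienVault", "can_read": True, "can_write": False,
     "media_types": ["application/stix+json;version=2.1"]},
]}
SAMPLE_ENVELOPE = {"more": False, "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0001",
     "pattern_type": "stix", "pattern": "[domain-name:value = 'malware.example']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0002",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0003",
     "pattern_type": "stix", "pattern": "[url:value = 'http://malware.example/dl/a.exe']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0004",
     "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0005", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.9' OR ipv4-addr:value = '198.51.100.10']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--0006", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'old.example']", "revoked": True},
    {"type": "malware", "spec_version": "2.1", "id": "malware--0007", "name": "Dropper"},
]}

if __name__ == "__main__":
    key = os.environ.get("OTX_API_KEY")  # live discovery only when a key is supplied
    if key:
        with urllib.request.urlopen(taxii_request(TAXII_ROOT + "/collections/", key), timeout=30) as r:
            print(find_collection(json.load(r), COLLECTION_ALIAS))
    print(sort_indicators(SAMPLE_ENVELOPE))
```

Run it with OTX_API_KEY exported to confirm that the key is accepted and that a readable collection named user_AlienVault exists before scheduling the FortiSIEM services; an HTTP 401 here means the same key will fail in FortiSIEM regardless of what is entered in Password. The sample output also shows why "Data Update: Full" matters: a revoked indicator or a compound pattern is not imported, so a full refresh is what removes stale entries that an earlier pull added.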