AlienVault OTX Integration Guide🔗
The following instructions are for configuring AlienVault OTX to ingest threat indicators into Secureworks® Taegis™ XDR to generate alerts via the Bring Your Own Threat Intel Detector. Once this integration is setup, XDR imports indicators based on the user‘s subscribed AlienVault OTX pulses and polls for new indicators every hour.
AlienVault OTX Requirements🔗
An AlienVault OTX account with at least one subscribed pulse is required to integrate with XDR.
Note
There is a limit of 15,000 active indicators per tenant. When indicators reach the limit, the oldest indicators are deleted to remain under the limit.
Note
This integration imports indicators based on the user‘s subscribed AlienVault OTX pulses. After initial import, the integration polls every hour for new indicators.
Data Provided from Integration🔗
Threat Indictor Lists contain the following data types:
- IP Address
- Domain
- URL
- Filehash (SHA1, SHA256, MD5)
Locate your OTX API Key🔗
Find your OTX Key at the AlienVault OTX API Integration Page (login required).
Add Integration in XDR🔗
- From the Taegis Menu, select Integrations → Cloud APIs.
-
Select Add an Integration from the top of the page.
Add an Integration -
From the Optimized tab, select AlienVault OTX.
Create a New AlienVault OTX Integration -
Enter the following fields:
- Integration Name — Name that this integration will use in XDR
- Severity — Default severity to use for alerts
- AlienVault OTX API Key — Obtained in the first step
-
Select Done. The Cloud API Integrations page displays with the successfully added AlienVault OTX integration.
Once the preceding steps are completed, AlienVault OTX integration details are available on Cloud APIs. From the Taegis Menu, select Integrations → Cloud APIs.
Example Query Language Searches🔗
To search for Bring Your Own Threat Intel Alerts from the last 24 hours: