AlienVault Open Threat Exchange (OTX) is among the most useful threat intelligence tools available. It is a community-supported repository of Indicators of Compromise (IOCs). Community members contribute pulses, and each pulse contains a collection of IOCs targeted at a particular threat, campaign, or area.
This document provides information about the AlienVault-OTX connector, which facilitates automated interactions with an AlienVault-OTX server using FortiSOAR™ playbooks. Add the AlienVault-OTX connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving details for an indicator, creating a pulse and retrieving its details, and running queries on the AlienVault-OTX server.
Connector Version: 1.0.2
FortiSOAR™ Version Tested on: 7.2.2-1098 and later
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the AlienVault-OTX Connector in version 1.0.2:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, see the connector installation procedure in the FortiSOAR™ documentation.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-alienvault-otx
For the procedure to configure a connector, see Configuring a Connector.
In FortiSOAR™, on the Connectors page, select the AlienVault-OTX connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server Address | Address of the AlienVault-OTX server to which you will connect and perform the automated operations. |
API Key | API key configured for your account to access the AlienVault-OTX server. Treat it as a credential: the operations below use it to write to your OTX account as well as read from it (for example, Create Pulse, Subscribe to Pulse, and User Actions). |
Verify SSL | Specifies whether the SSL certificate of the server is verified. By default, this option is set to True. Leave it enabled: with verification off, an on-path attacker can intercept the API key that authenticates every request and tamper with the returned intelligence. |
The following automated operations can be included in playbooks; from FortiSOAR™ release 5.0.0 onwards, you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Create Pulse | Creates a new pulse that contains a collection of IOCs targeted at a particular area. | create_pulse Investigation |
Get IP Reputation | Retrieves the reputation of the IPv4 or IPv6 address that you have specified. | get_ip_reputation Investigation |
Get Domain Reputation | Retrieves the reputation of the domain name that you have specified, optionally limited to one section (general, geo, malware, URL list, passive DNS, or whois). | get_domain_reputation Investigation |
Get URL Reputation | Retrieves the reputation of the URL that you have specified. | get_url_reputation Investigation |
Get File Reputation | Retrieves the reputation of a file based on the filehash (MD5, SHA1, or SHA256) that you have specified. | get_file_reputation Investigation |
Get Hostname Reputation | Retrieves the reputation of the hostname that you have specified, optionally limited to one section. | get_hostname_reputation Investigation |
Get All Indicators | Retrieves a list of indicators filtered by parameters such as the indicator type and the datetime from which indicators were created or modified. | get_indicators Investigation |
Get Pulse Indicators | Retrieves the indicators that belong to the pulse whose ID you have specified. | get_indicators Investigation |
Get Pulse Details | Retrieves details about the pulse whose ID you have specified. | get_pulse Investigation |
Get Related Pulses | Retrieves a list of pulses that share an indicator with the pulse whose ID you have specified. | get_pulses Investigation |
Get Subscribed Pulses | Retrieves a list of the pulses you have subscribed to, optionally filtered by the datetime that you have specified. | get_pulses Investigation |
Run Query | Runs the query URL that you have specified against your AlienVault-OTX instance and returns the data. | run_query Investigation |
Search Pulses | Searches for pulses that match the text that you have specified. | search_pulse Investigation |
Subscribe to Pulse | Subscribes to the pulse whose ID you have specified. | subscribe_pulse Investigation |
Unsubscribe from Pulse | Unsubscribes from the pulse whose ID you have specified. | unsubscribe_pulse Investigation |
User Actions | Performs an action (subscribe, unsubscribe, follow, or unfollow) on the user whose username you have specified. |
The Create Pulse operation takes the following input parameters:
Parameter | Description |
---|---|
Name | Name of the pulse that you want to create. |
Description | (Optional) Brief description of the pulse that you want to create and the threat it addresses. |
Indicators | (Optional) List of indicators. Each indicator is a JSON object, and every object in the list must have at least the following three fields: {"type": "", "indicator": "", "description": ""}. The type value is one of the indicator types listed under Get All Indicators (for example, IPv4, domain, or FileHash-SHA256). |
Tags | (Optional) List of tags that categorize the pulse that you want to create. For example, malware, phishing, hacking, etc. |
References | (Optional) List of external references to associate with the pulse that you want to create. |
Public | Select this field to allow other users to see or subscribe to the pulse that you want to create. By default, this option is set to True. Clear it when the pulse carries indicators from an internal incident that must not be shared with the community. |
The JSON output contains all the details for the newly created pulse on the AlienVault-OTX server.
{
"subscribers_count": "",
"indicators": [
{
"access_type": "",
"content": "",
"access_groups": [],
"access_reason": "",
"is_active": "",
"title": "",
"type": "",
"description": "",
"expiration": "",
"indicator": "",
"role": ""
}
],
"name": "",
"group_ids": [],
"description": "",
"author_id": "",
"votes_count": "",
"subscribers": [],
"cloned_from": "",
"locked": "",
"references_count": "",
"validators_count": "",
"upvotes": [],
"downvotes": [],
"pulse_name": "",
"TLP": "",
"upvotes_count": "",
"validators": [],
"author_name": "",
"tags_count": "",
"active": "",
"followers_count": "",
"pulse_source": "",
"public": "",
"downvotes_count": "",
"comments_count": "",
"exported_by": [],
"extract_source": [],
"indicators_count": "",
"followers": [],
"references": [],
"export_count": "",
"industries": [],
"created": "",
"targeted_countries": [],
"revision": "",
"tags": [],
"modified": "",
"unsubscribed_users": [],
"adversary": "",
"id": ""
}
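The indicators list is the part of Create Pulse that most often fails in a playbook, because every object needs the three fields above and a type that OTX recognises. The following is an added example, not the FortiSOAR connector's own code: it validates and de-duplicates playbook input into a Create Pulse payload and posts it straight to the OTX DirectConnect API (POST /api/v1/pulses/create, authenticated with the X-OTX-API-KEY header). The server URL, the TLP default and the sample indicators are assumptions and constructed data, not values from this page.

```python
"""Build and validate a pulse before calling Create Pulse (added example)."""
import json
import os
import urllib.request

OTX_SERVER = "https://otx.alienvault.com"      # assumption: the public OTX instance
CREATE_PULSE_PATH = "/api/v1/pulses/create"
REQUIRED_FIELDS = {"type", "indicator", "description"}

# Indicator types OTX accepts (the list the Get All Indicators operation uses),
# keyed by lower-case name so playbook input is matched case-insensitively.
_CANONICAL_TYPES = {t.lower(): t for t in (
    "IPv4", "IPv6", "CIDR", "domain", "hostname", "URL", "URI", "email", "CVE",
    "FileHash-MD5", "FileHash-SHA1", "FileHash-SHA256", "FileHash-IMPHASH",
    "FileHash-PEHASH", "FilePath", "Mutex",
)}


def validate_indicators(indicators):
    """Return a list of problems; an empty list means every object is usable."""
    problems = []
    for i, ioc in enumerate(indicators):
        if not isinstance(ioc, dict):
            problems.append(f"indicator {i}: not an object")
            continue
        missing = REQUIRED_FIELDS - set(ioc)
        if missing:
            problems.append(f"indicator {i}: missing {sorted(missing)}")
            continue
        if str(ioc["type"]).lower() not in _CANONICAL_TYPES:
            problems.append(f"indicator {i}: unknown type {ioc['type']!r}")
        if not str(ioc["indicator"]).strip():
            problems.append(f"indicator {i}: empty value")
    return problems


def build_pulse(name, indicators, description="", tags=(), references=(),
                public=True, tlp="green"):
    """Validate, normalise and de-duplicate the input into a Create Pulse payload."""
    if not str(name).strip():
        raise ValueError("pulse name is required")
    problems = validate_indicators(indicators)
    if problems:
        raise ValueError("; ".join(problems))
    seen, clean = set(), []
    for ioc in indicators:
        ioc_type = _CANONICAL_TYPES[str(ioc["type"]).lower()]
        value = str(ioc["indicator"]).strip()
        key = (ioc_type, value.lower())
        if key in seen:            # same IOC listed twice: keep the first copy
            continue
        seen.add(key)
        clean.append({"type": ioc_type, "indicator": value,
                      "description": str(ioc["description"])})
    if not clean:
        raise ValueError("a pulse needs at least one indicator")
    return {
        "name": str(name).strip(),
        "description": description,
        "public": bool(public),      # True publishes the IOCs to the whole community
        "TLP": tlp,                  # assumption: OTX accepts white/green/amber/red
        "tags": sorted(set(tags)),
        "references": list(references),
        "indicators": clean,
    }


def create_pulse(api_key, payload, server=OTX_SERVER):
    """POST the payload and return the JSON the server answers with."""
    req = urllib.request.Request(
        server.rstrip("/") + CREATE_PULSE_PATH,
        data=json.dumps(payload).encode(),
        headers={"X-OTX-API-KEY": api_key, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample input; the third entry duplicates the first after whitespace
# and case normalisation and is dropped.
SAMPLE_INDICATORS = [
    {"type": "ipv4", "indicator": "192.0.2.10", "description": "C2 beacon destination"},
    {"type": "domain", "indicator": "malware.example", "description": "payload host"},
    {"type": "IPv4", "indicator": " 192.0.2.10 ", "description": "duplicate"},
]

if __name__ == "__main__":
    pulse = build_pulse("Constructed test pulse", SAMPLE_INDICATORS,
                        description="Example only", tags=["phishing", "phishing"],
                        public=False)
    print(json.dumps(pulse, indent=2))
    if os.environ.get("OTX_API_KEY"):      # only send when a key is supplied
        print(create_pulse(os.environ["OTX_API_KEY"], pulse)["id"])
```

Run it without OTX_API_KEY set to see the normalised payload; the response returned by create_pulse has the schema shown above. Returning a problem list from validate_indicators, rather than raising on the first bad object, lets a playbook report every malformed indicator in one pass.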
The Get IP Reputation operation takes the following input parameters:
Parameter | Description |
---|---|
Type | Type of IP for which you want to retrieve reputation from AlienVault-OTX. Choose between IPv4 or IPv6. |
IP Address | IP address for which you want to retrieve reputation from AlienVault-OTX. |
The JSON output retrieves the reputation of the IP address you have specified from the AlienVault-OTX server.
{
"reputation": {
"reputation_val": "",
"country": "",
"city": "",
"reputation_rel_checked": "",
"reputation_rel": "",
"status": "",
"matched_wl": [],
"domains": [],
"_id": {
"$id": ""
},
"threat_score": "",
"last_seen": "",
"counts": {
"Malware Domain": "",
"Malware IP": ""
},
"address": "",
"server_type": "",
"activities": [
{
"data": {
"md5": "",
"file": "",
"url": "",
"domain": "",
"vt": {
"Signature": ""
}
},
"first_date": "",
"name": "",
"md5": "",
"visible": "",
"domain": "",
"vt": "",
"last_date": "",
"status": "",
"url": "",
"source": "",
"file": "",
"data_key": ""
}
],
"first_seen": "",
"lat": "",
"up": "",
"matched_bl": [],
"date_added": {
"sec": "",
"usec": ""
},
"as": "",
"allow_ping": "",
"state": "",
"lon": "",
"reputation_val_checked": ""
}
}
The Get Domain Reputation operation takes the following input parameters:
Parameter | Description |
---|---|
Domain | Name of the domain for which you want to retrieve reputation from AlienVault-OTX. |
Section | (Optional) Section of the indicator, domain in this case, whose details you want to retrieve from AlienVault-OTX. Choose from the following sections: General, Geo, Malware, URL List, Passive DNS, or Whois. For more information on the sections option, see OTX DirectConnect API. |
The JSON output retrieves the reputation of the domain name you have specified from the AlienVault-OTX server.
{
"malware": {
"count": "",
"previous": "",
"data": [
{
"datetime_int": "",
"_id": "",
"hash": ""
}
],
"size": "",
"next": ""
},
"general": {
"indicator": "",
"alexa": "",
"whois": "",
"type": "",
"pulse_info": {
"count": "",
"references": [],
"pulses": []
},
"base_indicator": {},
"validation": [
{
"source": "",
"message": "",
"name": ""
}
],
"sections": []
},
"geo": {
"flag_url": "",
"city_data": "",
"city": "",
"region": "",
"charset": "",
"area_code": "",
"continent_code": "",
"country_code3": "",
"latitude": "",
"postal_code": "",
"longitude": "",
"country_code": "",
"country_name": "",
"asn": "",
"dma_code": "",
"flag_title": ""
},
"url_list": {
"has_next": "",
"actual_size": "",
"url_list": [
{
"date": "",
"url": "",
"domain": "",
"hostname": "",
"encoded": ""
}
],
"page_num": "",
"limit": "",
"full_size": "",
"paged": ""
},
"passive_dns": {
"passive_dns": [
{
"last": "",
"indicator_link": "",
"hostname": "",
"address": "",
"flag_url": "",
"flag_title": "",
"asset_type": "",
"first": ""
}
],
"count": ""
},
"whois": {
"count": "",
"data": [
{
"value": "",
"name": "",
"key": ""
}
],
"related": [
{
"related_type": "",
"domain": "",
"related": ""
}
]
}
}
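The Section parameter maps to the per-section indicator endpoints of the OTX DirectConnect API, and the general section's pulse_info and validation fields are what most playbooks branch on. The following is an added example, not the FortiSOAR connector's own code: it calls /api/v1/indicators/<type>/<value>/<section> for the sections listed above and condenses the answers into a verdict, generalising from domains to the other indicator types the reputation operations cover. The section lists for IPv4, url and file are taken from the DirectConnect API documentation rather than from this page, the reading of validation as a known-benign signal is the author's, and the HTTP layer is injectable so the sample below runs offline on constructed data shaped like the domain schema above.

```python
"""Query one indicator section at a time and condense the answer (added example)."""
import json
import urllib.parse
import urllib.request

OTX_SERVER = "https://otx.alienvault.com"       # assumption: the public OTX instance

# Sections each indicator type supports. domain and hostname are the lists on this
# page; IPv4, url and file come from the DirectConnect API documentation.
SECTIONS = {
    "domain":   ("general", "geo", "malware", "url_list", "passive_dns", "whois"),
    "hostname": ("general", "geo", "malware", "url_list", "passive_dns"),
    "IPv4":     ("general", "reputation", "geo", "malware", "url_list", "passive_dns"),
    "url":      ("general", "url_list"),
    "file":     ("general", "analysis"),
}


def section_url(ind_type, value, section, server=OTX_SERVER):
    """URL of one section; the value is percent-encoded so URLs and paths survive."""
    if section not in SECTIONS.get(ind_type, ()):
        raise ValueError(f"{section!r} is not a section of {ind_type!r}")
    return "{}/api/v1/indicators/{}/{}/{}".format(
        server.rstrip("/"), ind_type, urllib.parse.quote(str(value), safe=""), section)


def http_get_json(url, api_key):
    req = urllib.request.Request(url, headers={"X-OTX-API-KEY": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_sections(api_key, ind_type, value, sections=None, fetch=http_get_json,
                   server=OTX_SERVER):
    """Return {section: response} for the requested (default: all) sections."""
    wanted = tuple(sections) if sections else SECTIONS[ind_type]
    return {s: fetch(section_url(ind_type, value, s, server), api_key) for s in wanted}


def triage(sections):
    """Reduce the per-section responses to the fields an analyst acts on."""
    general = sections.get("general") or {}
    pulse_info = general.get("pulse_info") or {}
    validation = [v.get("message", "") for v in general.get("validation") or []]
    pdns = (sections.get("passive_dns") or {}).get("passive_dns") or []
    summary = {
        "pulse_count": int(pulse_info.get("count") or 0),
        "pulse_names": [p.get("name", "") for p in pulse_info.get("pulses") or []][:5],
        "malware_samples": int((sections.get("malware") or {}).get("count") or 0),
        "resolved_to": sorted({r["address"] for r in pdns if r.get("address")}),
        "validation": validation,
    }
    # OTX fills validation when its own checks consider the indicator benign
    # (assumption: e.g. a top-ranked domain); treat that as a false-positive
    # signal before counting community pulses or malware samples.
    if validation:
        summary["verdict"] = "whitelisted"
    elif summary["pulse_count"] or summary["malware_samples"]:
        summary["verdict"] = "suspicious"
    else:
        summary["verdict"] = "clean"
    return summary


# Constructed sample responses for malware.example, keyed by section.
SAMPLE_SECTIONS = {
    "general": {
        "indicator": "malware.example", "type": "domain", "sections": [],
        "pulse_info": {"count": 2, "references": [],
                       "pulses": [{"name": "Constructed phishing kit"},
                                  {"name": "Constructed loader C2"}]},
        "validation": [],
    },
    "malware": {"count": 1, "size": 1, "next": None, "previous": None,
                "data": [{"hash": "d41d8cd98f00b204e9800998ecf8427e",
                          "datetime_int": 0, "_id": ""}]},
    "passive_dns": {"count": 2, "passive_dns": [
        {"hostname": "malware.example", "address": "192.0.2.11", "first": "", "last": ""},
        {"hostname": "malware.example", "address": "192.0.2.10", "first": "", "last": ""}]},
}


def sample_fetch(url, api_key):
    """Offline stand-in for http_get_json: answers from the section named in the URL."""
    return SAMPLE_SECTIONS.get(url.rsplit("/", 1)[-1], {})


if __name__ == "__main__":
    result = triage(fetch_sections("dummy-key", "domain", "malware.example",
                                   fetch=sample_fetch))
    print(json.dumps(result, indent=2))
```

Pass fetch=http_get_json (the default) with a real key to query OTX; pass sections=("general",) when a playbook only needs the pulse count, which avoids five extra calls per indicator.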
The Get URL Reputation operation takes the following input parameter:
Parameter | Description |
---|---|
URL | URL for which you want to retrieve reputation from AlienVault-OTX. |
The JSON output retrieves the reputation of the URL you have specified from the AlienVault-OTX server.
{
"url_list": {
"flag_url": "",
"city_data": "",
"city": "",
"url_list": [
{
"url": "",
"httpcode": "",
"secs": "",
"params": {},
"result": {
"urlworker": {
"has_file_analysis": "",
"url": "",
"ip": "",
"filemagic": "",
"http_response": {
"CONTENT-LENGTH": "",
"ACCEPT-RANGES": "",
"VARY": "",
"SERVER": "",
"LAST-MODIFIED": "",
"CONNECTION": "",
"ETAG": "",
"DATE": "",
"CONTENT-TYPE": ""
},
"md5": ""
}
},
"date": "",
"deep_analysis": ""
}
],
"charset": "",
"area_code": "",
"continent_code": "",
"country_code3": "",
"latitude": "",
"postal_code": "",
"longitude": "",
"country_code": "",
"country_name": "",
"net_loc": "",
"region": "",
"dma_code": "",
"flag_title": ""
},
"general": {
"indicator": "",
"alexa": "",
"whois": "",
"sections": [],
"hostname": "",
"pulse_info": {
"count": "",
"references": [],
"pulses": []
},
"domain": "",
"base_indicator": {
"indicator": "",
"description": "",
"title": "",
"access_reason": "",
"access_type": "",
"content": "",
"type": "",
"id": ""
},
"type": "",
"type_title": ""
}
}
The Get File Reputation operation takes the following input parameter:
Parameter | Description |
---|---|
Filehash | Hash of the file for which you want to retrieve reputation from AlienVault-OTX. MD5, SHA1, and SHA256 hashes are accepted. |
The JSON output retrieves the reputation of the filehash you have specified from the AlienVault-OTX server.
{
"analysis": {
"malware": {},
"page_type": "",
"analysis": {
"info": {
"results": {
"sha1": "",
"file_class": "",
"file_type": "",
"filesize": "",
"ssdeep": "",
"sha256": "",
"md5": ""
}
},
"hash": "",
"plugins": {
"cuckoo": {
"result": {
"signatures": [
{
"new_data": [],
"confidence": "",
"families": [],
"severity": "",
"weight": "",
"name": "",
"alert": "",
"references": [],
"data": [],
"description": ""
}
],
"network": {
"udp": [],
"icmp": [],
"http": [],
"smtp": [],
"tcp": [],
"hosts": [],
"pcap_sha256": "",
"dns": [
{
"request": "",
"type": "",
"answers": [
{
"type": "",
"data": ""
}
]
}
],
"domains": [],
"sorted_pcap_sha256": "",
"irc": []
},
"suricata": {},
"hostname": "",
"dropped": [
{
"yara": [],
"sha1": "",
"name": "",
"sha512": "",
"type": "",
"clamav": "",
"guest_paths": [],
"crc32": "",
"path": "",
"ssdeep": "",
"sha256": "",
"data": "",
"md5": "",
"size": ""
},
{
"yara": [],
"sha1": "",
"name": "",
"sha512": "",
"clamav": "",
"guest_paths": [
""
],
"crc32": "",
"path": "",
"ssdeep": "",
"sha256": "",
"type": "",
"md5": "",
"size": ""
}
],
"behavior": {
"files": [],
"write_keys": [],
"keys": [],
"write_files": [],
"read_keys": [],
"delete_keys": [],
"read_files": [],
"mutexes": [],
"resolved_apis": [],
"delete_files": [],
"executed_commands": [],
"started_services": [],
"created_services": []
},
"sha256": "",
"virustotal": {
"scans": {},
"scan_id": "",
"sha1": "",
"resource": "",
"response_code": "",
"scan_date": "",
"results": [
{
"vendor": "",
"sig": ""
}
],
"verbose_msg": "",
"permalink": "",
"total": "",
"positives": "",
"sha256": "",
"md5": ""
}
}
},
"pe32info": {
"process_time": "",
"results": {
"pdbinfo": [],
"exports": [],
"richhash": "",
"imports": [
{
"address": "",
"name": "",
"dll": ""
}
],
"signed": "0",
"resource_strings": [],
"version_information": [
{
"name": "",
"value": ""
}
],
"pehash": "",
"certs": [],
"imphash": "",
"sections": [
{
"SizeOfRawData": "",
"entropy": "",
"Name": "",
"Misc_VirtualSize": "",
"VirtualAddress": ""
}
],
"packers": [
""
]
}
},
"adobemalwareclassifier": {
"process_time": "",
"results": {
"alerts": []
}
},
"exiftool": {
"process_time": "",
"results": {
"Linker_Version": "",
"Product_Version_Number": "",
"Product_Version": "",
"Language_Code": "",
"PE_Type": "",
"File_Version": "",
"Legal_Copyright": "",
"File_Subtype": "",
"Company_Name": "",
"Original_Filename": "",
"Object_File_Type": "",
"File_Version_Number": "",
"Code_Size": "",
"Product_Name": "",
"OS_Version": "",
"Entry_Point": "",
"File_Description": "",
"Machine_Type": "",
"Uninitialized_Data_Size": "",
"Character_Set": "",
"MIME_Type": "",
"Subsystem": "",
"Subsystem_Version": "",
"Image_Version": "",
"File_OS": "",
"File_Inode_Change_Date/Time": "",
"Internal_Name": "",
"Time_Stamp": "",
"Initialized_Data_Size": "",
"File_Flags": "",
"File_Flags_Mask": ""
}
},
"clamav": {
"process_time": "",
"results": {}
},
"yarad": {
"process_time": "",
"results": {
"detection": []
}
},
"disa_entrypoint": {
"process_time": "",
"results": {
"error_disa": "",
"instructions": []
}
},
"peanomal": {
"process_time": "",
"results": {
"detection": [
{
"name": "",
"value": ""
}
],
"anomalies": ""
}
},
"avg": {
"process_time": "",
"results": {}
}
},
"datetime_int": "",
"_id": "",
"metadata": {}
}
},
"general": {
"indicator": "",
"sections": [],
"pulse_info": {
"count": "",
"references": [],
"pulses": []
},
"base_indicator": {},
"validation": [],
"type": "",
"type_title": ""
}
}
The Get Hostname Reputation operation takes the following input parameters:
Parameter | Description |
---|---|
Hostname | Name of the host for which you want to retrieve reputation from AlienVault-OTX. |
Section | (Optional) Section of the indicator, the hostname in this case, whose details you want to retrieve from AlienVault-OTX. Choose from the following sections: General, Geo, Malware, URL List, or Passive DNS. For more information on the sections option, see OTX DirectConnect API. |
The JSON output retrieves the reputation of the hostname you have specified from the AlienVault-OTX server.
{
"geo": {
"flag_url": "",
"city_data": "",
"city": "",
"region": "",
"charset": "",
"area_code": "",
"continent_code": "",
"country_code3": "",
"latitude": "",
"postal_code": "",
"longitude": "",
"country_code": "",
"country_name": "",
"asn": "",
"dma_code": "",
"flag_title": ""
},
"malware": {
"count": "",
"previous": "",
"data": [
{
"datetime_int": "",
"_id": "",
"hash": ""
}
],
"size": "",
"next": ""
},
"general": {
"indicator": "",
"alexa": "",
"whois": "",
"type_title": "",
"base_indicator": {
"indicator": "",
"description": "",
"title": "",
"access_reason": "",
"access_type": "",
"content": "",
"type": "",
"id": ""
},
"pulse_info": {
"count": "",
"references": [],
"pulses": []
},
"domain": "",
"type": "",
"validation": [],
"sections": []
},
"url_list": {
"has_next": "",
"actual_size": "",
"url_list": [
{
"date": "",
"url": "",
"domain": "",
"hostname": "",
"encoded": ""
}
],
"page_num": "",
"limit": "",
"full_size": "",
"paged": ""
},
"passive_dns": {
"passive_dns": [
{
"last": "",
"indicator_link": "",
"hostname": "",
"address": "",
"flag_url": "",
"flag_title": "",
"asset_type": "",
"first": ""
}
],
"count": ""
}
}
The Get All Indicators operation takes the following input parameters:
Parameter | Description |
---|---|
Indicator Type | (Optional) Type of indicator whose details you want to retrieve from AlienVault-OTX. Choose from the following indicator types: IPv4, IPv6, CIDR, Domain, Hostname, URL, URI, Email, CVE, FileHash-MD5, FileHash-SHA1, FileHash-SHA256, FileHash-IMPHASH, FileHash-PEHASH, FilePath, or Mutex. |
Number Of Records | (Optional) Number of records that the operation should include per page. |
Page Number | (Optional) Page number from which you want to retrieve records. |
From | (Optional) Datetime from which you want to retrieve indicators, in ISO 8601 format (UTC). If you specify a datetime, only indicators created or modified after it are retrieved. Note: The date range spans from the datetime you select to the current time. If the operation fails with the error 'Exceeded maximum number of retries', choose a later From value so that the range is shorter. |
Export in JSON | Select this option to export the complete result in JSON format and save it in the Attachment module in FortiSOAR™. By default, this option is set to True. |
The JSON output contains the indicators matching the input parameters, retrieved from the AlienVault-OTX server.
Output schema when export_json checkbox is selected.
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"file": [],
"size": "",
"@type": "",
"@context": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"@type": "",
"@context": "",
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": "",
"description": ""
}
Output schema when export_json checkbox is not selected.
{
"next": "",
"count": "",
"results": [
{
"id": "",
"type": "",
"title": "",
"content": "",
"indicator": "",
"description": ""
}
],
"previous": ""
}
The Get Pulse Indicators operation takes the following input parameters:
Parameter | Description |
---|---|
Pulse ID | ID of the pulse based on which you want to retrieve the list of all indicators from AlienVault-OTX. |
Include Inactive | (Optional) Check this box if you want to include inactive indicators as a part of the response. Default is set to unchecked (which means that the value is False). |
Limit | (Optional) Number of items to include in the response. Default limit is 1000. |
Page Number | (Optional) Page number from which you want to retrieve records. |
The JSON output retrieves a list of all the indicators based on the pulse ID that you have specified.
{
"description": "",
"content": "",
"type": "",
"title": "",
"created": "",
"indicator": "",
"id": "",
"slug": "",
"pulse_key": ""
}
The Get Pulse Details operation takes the following input parameter:
Parameter | Description |
---|---|
Pulse ID | ID of pulse whose details you want to retrieve from AlienVault-OTX. |
The JSON output retrieves the details of the pulse based on the pulse ID that you have specified.
{
"public": "",
"modified": "",
"name": "",
"author_name": "",
"created": "",
"tags": [],
"references": [],
"id": "",
"TLP": "",
"description": "",
"targeted_countries": [],
"revision": "",
"adversary": "",
"industries": [],
"indicators": [
{
"description": "",
"access_groups": [],
"created": "",
"expiration": "",
"id": "",
"indicator": "",
"content": "",
"role": "",
"access_type": "",
"observations": "",
"title": "",
"is_active": "",
"type": "",
"access_reason": ""
}
]
}
The Get Related Pulses operation takes the following input parameters:
Parameter | Description |
---|---|
Pulse ID | ID of pulse based on which you want to retrieve related pulses, i.e. pulses that share an indicator, from AlienVault-OTX. |
Page Number | (Optional) Page number from which you want to retrieve records. |
The JSON output retrieves a list of pulses that share an indicator with the pulse that you have specified using its pulse ID.
{
"count": "",
"previous": "",
"next": "",
"results": [
{
"public": "",
"id": "",
"industries": [],
"name": "",
"adversary": "",
"TLP": "",
"description": "",
"created": "",
"indicators": [
{
"id": "",
"description": "",
"created": "",
"content": "",
"indicator": "",
"type": "",
"title": ""
}
],
"author_name": "",
"references": [],
"tags": [],
"revision": "",
"targeted_countries": [],
"modified": ""
}
]
}
The Get Subscribed Pulses operation takes the following input parameters:
Parameter | Description |
---|---|
Number of records | (Optional) Number of records that the operation should include per page. |
Page Number | (Optional) Page number from which you want to retrieve records. |
From | (Optional) Datetime from which you want to retrieve pulses, in ISO 8601 format (UTC). If you specify a datetime, only pulses created or modified after it are retrieved. |
The JSON output contains the list of pulses you have subscribed to that match the input parameters, retrieved from the AlienVault-OTX server.
{
"previous": "",
"count": "",
"next": "",
"results": [
{
"id": "",
"created": "",
"industries": [],
"targeted_countries": [],
"adversary": "",
"indicators": [
{
"id": "",
"type": "",
"created": "",
"description": "",
"content": "",
"title": "",
"indicator": ""
}
],
"public": "",
"author_name": "",
"tlp": "",
"references": [],
"modified": "",
"description": "",
"extract_source": [],
"revision": "",
"tags": [],
"name": ""
}
]
}
The Run Query operation takes the following input parameter:
Parameter | Description |
---|---|
URL | URL of the query to run. For example, https://otx.alienvault.com/api/v1/indicators/export?&types=IPv6&limit=10&page=1. For more information, see OTX DirectConnect API. Because the request is sent with the configured API key, build this URL from trusted values and keep it on the configured AlienVault-OTX server; do not pass through URLs taken from untrusted playbook input. |
The JSON output retrieves the data from your AlienVault-OTX instance, based on the input query you have specified.
The output varies depending on the URL provided as a parameter.
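The export URL in the Run Query example above and the From parameter of Get All Indicators are two views of the same DirectConnect endpoint, /api/v1/indicators/export, which pages its results through next links. The following is an added example, not the FortiSOAR connector's own code: it builds that URL with properly encoded parameters, adds the modified_since filter that the From parameter is assumed to map to, follows next links while refusing to send the API key to any other host, and reports the retry-exhaustion error from the From note as a distinct exception (the error body field it inspects is an assumption). Network access is an injectable function, so the sample run works offline on constructed pages shaped like the export schema above.

```python
"""Page through the OTX indicator export with a 'From' datetime (added example)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

OTX_SERVER = "https://otx.alienvault.com"       # assumption: the public OTX instance
EXPORT_PATH = "/api/v1/indicators/export"
RETRY_MSG = "Exceeded maximum number of retries"


class RangeTooWide(RuntimeError):
    """Raised when the server reports retry exhaustion; use a later 'From'."""


def iso_utc(dt):
    """OTX wants ISO 8601 in UTC with no offset, e.g. 2024-05-01T12:00:00."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def export_url(types=(), limit=100, page=1, modified_since=None, server=OTX_SERVER):
    """Build the export query; parameters are encoded, never string-concatenated."""
    params = {"limit": int(limit), "page": int(page)}
    if types:
        params["types"] = ",".join(types)
    if modified_since is not None:
        params["modified_since"] = iso_utc(modified_since)
    return server.rstrip("/") + EXPORT_PATH + "?" + urllib.parse.urlencode(params)


def same_origin(url, server=OTX_SERVER):
    """True when url is served by the configured server (scheme and host match)."""
    a, b = urllib.parse.urlsplit(url), urllib.parse.urlsplit(server)
    return (a.scheme, a.netloc.lower()) == (b.scheme, b.netloc.lower())


def http_get_json(url, api_key):
    req = urllib.request.Request(url, headers={"X-OTX-API-KEY": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_indicators(api_key, fetch=http_get_json, server=OTX_SERVER,
                    max_pages=10000, **query):
    """Yield indicator objects page by page until 'next' is empty."""
    url = export_url(server=server, **query)
    for _ in range(max_pages):
        if not same_origin(url, server):
            # the API key rides in a header on every request: never follow a
            # 'next' link that points somewhere else
            raise ValueError(f"refusing to send the API key to {url}")
        body = fetch(url, api_key)
        # assumption: an error body carries the message in a 'detail' field
        if RETRY_MSG in str(body.get("detail", "")):
            raise RangeTooWide(f"{RETRY_MSG}: shorten the date range with a later From")
        yield from body.get("results", [])
        url = body.get("next")
        if not url:
            return


# Constructed sample pages (count/next/previous/results, as in the export schema).
_PAGE1 = export_url(types=("IPv4",), limit=2, page=1)
_PAGE2 = OTX_SERVER + EXPORT_PATH + "?limit=2&page=2&types=IPv4"
SAMPLE_PAGES = {
    _PAGE1: {"count": 3, "previous": None, "next": _PAGE2, "results": [
        {"id": 1, "type": "IPv4", "indicator": "192.0.2.10",
         "title": "", "content": "", "description": ""},
        {"id": 2, "type": "IPv4", "indicator": "192.0.2.11",
         "title": "", "content": "", "description": ""}]},
    _PAGE2: {"count": 3, "previous": _PAGE1, "next": None, "results": [
        {"id": 3, "type": "IPv4", "indicator": "192.0.2.12",
         "title": "", "content": "", "description": ""}]},
}
SAMPLE_SINCE = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)   # constructed


def sample_fetch(url, api_key):
    """Offline stand-in for http_get_json."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    print(export_url(types=("IPv6",), limit=10, page=1, modified_since=SAMPLE_SINCE))
    for row in iter_indicators("dummy-key", fetch=sample_fetch,
                               types=("IPv4",), limit=2, page=1):
        print(row["type"], row["indicator"])
```

The same_origin check is the point a reviewer should insist on: a next link is server-supplied data, and following it blindly would hand the configured API key to whatever host it names.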
The Search Pulses operation takes the following input parameters:
Parameter | Description |
---|---|
Text | Text to match when searching pulses on AlienVault-OTX. |
Number of Records | (Optional) Number of records that the operation should include per page. |
Page Number | (Optional) Page number from which you want to retrieve records. |
The JSON output retrieves a list of all the pulses that match the text that you have specified in the input parameters, from the AlienVault-OTX server.
{
"exact_match": "",
"next": "",
"results": [
{
"created": "",
"TLP": "",
"author_name": "",
"industries": [],
"revision": "",
"id": "",
"tags": [],
"indicators": [
{
"created": "",
"indicator": "",
"type": "",
"content": "",
"id": "",
"title": "",
"description": ""
}
],
"description": "",
"name": "",
"modified": "",
"references": [],
"public": "",
"adversary": "",
"targeted_countries": []
}
],
"count": "",
"previous": ""
}
The Subscribe to Pulse operation takes the following input parameter:
Parameter | Description |
---|---|
Pulse ID | ID of pulse to which you want to subscribe. |
The JSON output returns a Success message if you could successfully subscribe to the pulse you have specified using the pulse ID, or an Error message containing the reason for failure.
{
"status": "",
"subscriber_count": ""
}
The Unsubscribe from Pulse operation takes the following input parameter:
Parameter | Description |
---|---|
Pulse ID | ID of pulse from which you want to unsubscribe. |
The JSON output returns a Success message if you could successfully unsubscribe from the pulse you have specified using the pulse ID, or an Error message containing the reason for failure.
{
"status": "",
"subscriber_count": ""
}
The User Actions operation takes the following input parameters:
Parameter | Description |
---|---|
Username | Name of the user on whom you want to perform the selected action. |
Action | Action that you want to perform on the select user. Choose from the following actions: Subscribe, Unsubscribe, Follow, or Unfollow. |
The JSON output returns a Success message if you could successfully perform the selected action on the selected user, or an Error message containing the reason for failure.
{
"status": ""
}
The Sample - AlienVault-OTX - 1.0.2 playbook collection comes bundled with the AlienVault-OTX connector. These playbooks contain steps that demonstrate every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the AlienVault-OTX connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
"net_loc": "",
"region": "",
"dma_code": "",
"flag_title": ""
},
"general": {
"indicator": "",
"alexa": "",
"whois": "",
"sections": [],
"hostname": "",
"pulse_info": {
"count": "",
"references": [],
"pulses": []
},
"domain": "",
"base_indicator": {
"indicator": "",
"description": "",
"title": "",
"access_reason": "",
"access_type": "",
"content": "",
"type": "",
"id": ""
},
"type": "",
"type_title": ""
}
}
Parameter | Description |
---|---|
Filehash | Value of the filehash for which you want to retrieve reputation from AlienVault-OTX. Can be MD5 / SHA1 / SHA256 of the file. |
The JSON output retrieves the reputation of the filehash you have specified from the AlienVault-OTX server.
{
"analysis": {
"malware": {},
"page_type": "",
"analysis": {
"info": {
"results": {
"sha1": "",
"file_class": "",
"file_type": "",
"filesize": "",
"ssdeep": "",
"sha256": "",
"md5": ""
}
},
"hash": "",
"plugins": {
"cuckoo": {
"result": {
"signatures": [
{
"new_data": [],
"confidence": "",
"families": [],
"severity": "",
"weight": "",
"name": "",
"alert": "",
"references": [],
"data": [],
"description": ""
}
],
"network": {
"udp": [],
"icmp": [],
"http": [],
"smtp": [],
"tcp": [],
"hosts": [],
"pcap_sha256": "",
"dns": [
{
"request": "",
"type": "",
"answers": [
{
"type": "",
"data": ""
}
]
}
],
"domains": [],
"sorted_pcap_sha256": "",
"irc": []
},
"suricata": {},
"hostname": "",
"dropped": [
{
"yara": [],
"sha1": "",
"name": "",
"sha512": "",
"type": "",
"clamav": "",
"guest_paths": [],
"crc32": "",
"path": "",
"ssdeep": "",
"sha256": "",
"data": "",
"md5": "",
"size": ""
},
{
"yara": [],
"sha1": "",
"name": "",
"sha512": "",
"clamav": "",
"guest_paths": [
""
],
"crc32": "",
"path": "",
"ssdeep": "",
"sha256": "",
"type": "",
"md5": "",
"size": ""
}
],
"behavior": {
"files": [],
"write_keys": [],
"keys": [],
"write_files": [],
"read_keys": [],
"delete_keys": [],
"read_files": [],
"mutexes": [],
"resolved_apis": [],
"delete_files": [],
"executed_commands": [],
"started_services": [],
"created_services": []
},
"sha256": "",
"virustotal": {
"scans": {},
"scan_id": "",
"sha1": "",
"resource": "",
"response_code": "",
"scan_date": "",
"results": [
{
"vendor": "",
"sig": ""
}
],
"verbose_msg": "",
"permalink": "",
"total": "",
"positives": "",
"sha256": "",
"md5": ""
}
}
},
"pe32info": {
"process_time": "",
"results": {
"pdbinfo": [],
"exports": [],
"richhash": "",
"imports": [
{
"address": "",
"name": "",
"dll": ""
}
],
"signed": "0",
"resource_strings": [],
"version_information": [
{
"name": "",
"value": ""
}
],
"pehash": "",
"certs": [],
"imphash": "",
"sections": [
{
"SizeOfRawData": "",
"entropy": "",
"Name": "",
"Misc_VirtualSize": "",
"VirtualAddress": ""
}
],
"packers": [
""
]
}
},
"adobemalwareclassifier": {
"process_time": "",
"results": {
"alerts": []
}
},
"exiftool": {
"process_time": "",
"results": {
"Linker_Version": "",
"Product_Version_Number": "",
"Product_Version": "",
"Language_Code": "",
"PE_Type": "",
"File_Version": "",
"Legal_Copyright": "",
"File_Subtype": "",
"Company_Name": "",
"Original_Filename": "",
"Object_File_Type": "",
"File_Version_Number": "",
"Code_Size": "",
"Product_Name": "",
"OS_Version": "",
"Entry_Point": "",
"File_Description": "",
"Machine_Type": "",
"Uninitialized_Data_Size": "",
"Character_Set": "",
"MIME_Type": "",
"Subsystem": "",
"Subsystem_Version": "",
"Image_Version": "",
"File_OS": "",
"File_Inode_Change_Date/Time": "",
"Internal_Name": "",
"Time_Stamp": "",
"Initialized_Data_Size": "",
"File_Flags": "",
"File_Flags_Mask": ""
}
},
"clamav": {
"process_time": "",
"results": {}
},
"yarad": {
"process_time": "",
"results": {
"detection": []
}
},
"disa_entrypoint": {
"process_time": "",
"results": {
"error_disa": "",
"instructions": []
}
},
"peanomal": {
"process_time": "",
"results": {
"detection": [
{
"name": "",
"value": ""
}
],
"anomalies": ""
}
},
"avg": {
"process_time": "",
"results": {}
}
},
"datetime_int": "",
"_id": "",
"metadata": {}
}
},
"general": {
"indicator": "",
"sections": [],
"pulse_info": {
"count": "",
"references": [],
"pulses": []
},
"base_indicator": {},
"validation": [],
"type": "",
"type_title": ""
}
}
Parameter | Description |
---|---|
Hostname | Name of the host for which you want to retrieve reputation from AlienVault-OTX. |
Section | (Optional) Section of the indicator, the hostname in this case, whose details you want to retrieve from AlienVault-OTX. Choose from the following sections: General, Geo, Malware, URL List, or Passive DNS. For more information on the sections option, see OTX DirectConnect API. |
The JSON output retrieves the reputation of the hostname you have specified from the AlienVault-OTX server.
{
"geo": {
"flag_url": "",
"city_data": "",
"city": "",
"region": "",
"charset": "",
"area_code": "",
"continent_code": "",
"country_code3": "",
"latitude": "",
"postal_code": "",
"longitude": "",
"country_code": "",
"country_name": "",
"asn": "",
"dma_code": "",
"flag_title": ""
},
"malware": {
"count": "",
"previous": "",
"data": [
{
"datetime_int": "",
"_id": "",
"hash": ""
}
],
"size": "",
"next": ""
},
"general": {
"indicator": "",
"alexa": "",
"whois": "",
"type_title": "",
"base_indicator": {
"indicator": "",
"description": "",
"title": "",
"access_reason": "",
"access_type": "",
"content": "",
"type": "",
"id": ""
},
"pulse_info": {
"count": "",
"references": [],
"pulses": []
},
"domain": "",
"type": "",
"validation": [],
"sections": []
},
"url_list": {
"has_next": "",
"actual_size": "",
"url_list": [
{
"date": "",
"url": "",
"domain": "",
"hostname": "",
"encoded": ""
}
],
"page_num": "",
"limit": "",
"full_size": "",
"paged": ""
},
"passive_dns": {
"passive_dns": [
{
"last": "",
"indicator_link": "",
"hostname": "",
"address": "",
"flag_url": "",
"flag_title": "",
"asset_type": "",
"first": ""
}
],
"count": ""
}
}
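Consuming these outputs in a playbook step: the following Python is an added example, not part of the connector or of the OTX API, that reduces the IP, domain, URL, filehash and hostname reputation responses above to a single verdict a playbook can branch on. The field names are those of the schemas on this page; the verdict labels, the rule order, the threat_score threshold and the sample responses are this example's own assumptions.

```python
"""Verdict helper for AlienVault-OTX reputation output.

Added example, not connector code: it reduces the reputation JSON shapes documented
on this page (IP, domain, URL, filehash and hostname) to one verdict a playbook step
can branch on. Field names come from the page's schemas; the verdict labels, the
threat_score threshold and the ordering of the rules are this example's assumptions.
"""
from __future__ import annotations

from typing import Any


def _as_int(value: Any) -> int:
    """The schemas show "" for numeric fields; live responses carry ints. Anything unparsable counts as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def triage_indicator(response: dict[str, Any], malicious_score: int = 3) -> dict[str, Any]:
    """Map a reputation response to {"verdict", "reasons", "pulse_count", "malware_samples", "threat_score"}.

    Rules, evaluated in order (assumed for this example):
      1. general.validation non-empty or reputation.matched_wl non-empty -> "benign"
         (OTX records whitelist / false-positive evidence there, so the hit is usually noise)
      2. reputation.threat_score >= malicious_score or reputation.matched_bl non-empty -> "malicious"
      3. general.pulse_info.count > 0 or malware.count > 0 -> "suspicious"
      4. otherwise -> "unknown"
    Sections are optional (see the Section parameter), so every lookup tolerates an absent key.
    """
    general = response.get("general") or {}
    reputation = response.get("reputation") or {}
    malware = response.get("malware") or {}

    validation = general.get("validation") or []
    pulse_count = _as_int((general.get("pulse_info") or {}).get("count"))
    malware_samples = _as_int(malware.get("count"))
    threat_score = _as_int(reputation.get("threat_score"))
    matched_bl = reputation.get("matched_bl") or []
    matched_wl = reputation.get("matched_wl") or []

    reasons: list[str] = []
    if validation:
        reasons.append("validation: " + "; ".join(f"{v.get('source', '?')}: {v.get('message', '')}" for v in validation))
    if matched_wl:
        reasons.append(f"matched {len(matched_wl)} whitelist entry(ies)")
    if matched_bl:
        reasons.append(f"matched {len(matched_bl)} blocklist entry(ies)")
    if threat_score:
        reasons.append(f"threat_score={threat_score}")
    if pulse_count:
        reasons.append(f"referenced by {pulse_count} pulse(s)")
    if malware_samples:
        reasons.append(f"{malware_samples} associated malware sample(s)")

    if validation or matched_wl:
        verdict = "benign"
    elif threat_score >= malicious_score or matched_bl:
        verdict = "malicious"
    elif pulse_count or malware_samples:
        verdict = "suspicious"
    else:
        verdict = "unknown"

    return {
        "verdict": verdict,
        "reasons": reasons,
        "pulse_count": pulse_count,
        "malware_samples": malware_samples,
        "threat_score": threat_score,
    }


# Constructed sample responses: shapes follow this page's schemas, values are invented for the demo.
SAMPLE_HOSTNAME = {
    "general": {"indicator": "bad.example.test", "type": "hostname",
                "pulse_info": {"count": 4, "references": [], "pulses": []}, "validation": [], "sections": []},
    "malware": {"count": 2, "previous": "", "size": 2, "next": "",
                "data": [{"datetime_int": 1700000000, "_id": "constructed", "hash": "0" * 32}]},
}
SAMPLE_DOMAIN_WHITELISTED = {
    "general": {"indicator": "example.com", "type": "domain",
                "pulse_info": {"count": 9, "references": [], "pulses": []},
                "validation": [{"source": "alexa", "message": "Alexa rank: 10", "name": "Whitelisted domain"}]},
}
SAMPLE_IP = {
    "reputation": {"threat_score": 5, "matched_bl": ["constructed-blocklist"], "matched_wl": [],
                   "counts": {"Malware Domain": 1, "Malware IP": 3}, "address": "203.0.113.7"},
}

if __name__ == "__main__":
    for name, sample in [("hostname", SAMPLE_HOSTNAME), ("domain", SAMPLE_DOMAIN_WHITELISTED), ("ip", SAMPLE_IP)]:
        result = triage_indicator(sample)
        print(f"{name}: {result['verdict']} ({'; '.join(result['reasons']) or 'no evidence'})")
```

The whitelist rule runs first on purpose: an indicator that appears in many pulses but carries an OTX validation entry is the classic false positive (popular domains, shared hosting IPs), and a playbook that escalates on pulse count alone will page analysts for it.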
Parameter | Description |
---|---|
Indicator Type | (Optional) Type of indicator whose details you want to retrieve from AlienVault-OTX. Choose from the following indicator types: IPv4, IPv6, CIDR, Domain, Hostname, URL, URI, Email, CVE, FileHash-MD5, FileHash-SHA1, FileHash-SHA256, FileHash-IMPHASH, FileHash-PEHASH, FilePath, or Mutex. |
Number Of Records | (Optional) Number of records that the operation should include per page. |
Page Number | (Optional) Page number from which you want to retrieve records. |
From | (Optional) Datetime from which you want to retrieve indicators. The datetime must be in ISO format (UTC). If you specify a datetime, only the indicators that were created or modified from that datetime onward are retrieved. Note: If you receive the error 'Exceeded maximum number of retries', define a shorter date range using the From parameter; the date range spans from the date you select to the current date. |
Export in JSON | Select this option to export the complete result in JSON format and save it in the Attachment module in FortiSOAR™. By default, this option is set as True . |
The JSON output retrieves the list of indicators that match the input parameters you have specified from the AlienVault-OTX server.
Output schema when the Export in JSON (export_json) checkbox is selected:
{
"id": "",
"@id": "",
"file": {
"id": "",
"@id": "",
"file": [],
"size": "",
"@type": "",
"@context": "",
"filename": "",
"metadata": [],
"mimeType": "",
"thumbnail": "",
"uploadDate": ""
},
"name": "",
"type": "",
"@type": "",
"@context": "",
"createDate": "",
"createUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"modifyDate": "",
"modifyUser": {
"id": "",
"@id": "",
"name": "",
"@type": "",
"avatar": "",
"userId": "",
"userType": "",
"@settings": "",
"createDate": "",
"createUser": "",
"modifyDate": "",
"modifyUser": ""
},
"recordTags": "",
"description": ""
}
Output schema when the Export in JSON (export_json) checkbox is not selected:
{
"next": "",
"count": "",
"results": [
{
"id": "",
"type": "",
"title": "",
"content": "",
"indicator": "",
"description": ""
}
],
"previous": ""
}
Parameter | Description |
---|---|
Pulse ID | ID of the pulse based on which you want to retrieve the list of all indicators from AlienVault-OTX. |
Include Inactive | (Optional) Check this box if you want to include inactive indicators as a part of the response. Default is set to unchecked (which means that the value is False). |
Limit | (Optional) Number of items to include in the response. Default limit is 1000. |
Page Number | (Optional) Page number from which you want to retrieve records. |
The JSON output retrieves a list of all the indicators based on the pulse ID that you have specified.
{
"description": "",
"content": "",
"type": "",
"title": "",
"created": "",
"indicator": "",
"id": "",
"slug": "",
"pulse_key": ""
}
Parameter | Description |
---|---|
Pulse ID | ID of pulse whose details you want to retrieve from AlienVault-OTX. |
The JSON output retrieves the details of the pulse based on the pulse ID that you have specified.
{
"public": "",
"modified": "",
"name": "",
"author_name": "",
"created": "",
"tags": [],
"references": [],
"id": "",
"TLP": "",
"description": "",
"targeted_countries": [],
"revision": "",
"adversary": "",
"industries": [],
"indicators": [
{
"description": "",
"access_groups": [],
"created": "",
"expiration": "",
"id": "",
"indicator": "",
"content": "",
"role": "",
"access_type": "",
"observations": "",
"title": "",
"is_active": "",
"type": "",
"access_reason": ""
}
]
}
Parameter | Description |
---|---|
Pulse ID | ID of pulse based on which you want to retrieve related pulses, i.e. pulses that share an indicator, from AlienVault-OTX. |
Page Number | (Optional) Page number from which you want to retrieve records. |
The JSON output retrieves a list of pulses that share an indicator with the pulse that you have specified using its pulse ID.
{
"count": "",
"previous": "",
"next": "",
"results": [
{
"public": "",
"id": "",
"industries": [],
"name": "",
"adversary": "",
"TLP": "",
"description": "",
"created": "",
"indicators": [
{
"id": "",
"description": "",
"created": "",
"content": "",
"indicator": "",
"type": "",
"title": ""
}
],
"author_name": "",
"references": [],
"tags": [],
"revision": "",
"targeted_countries": [],
"modified": ""
}
]
}
Parameter | Description |
---|---|
Number of records | (Optional) Number of records that the operation should include per page. |
Page Number | (Optional) Page number from which you want to retrieve records. |
From | (Optional) Datetime from which you want to retrieve pulses. The datetime must be in ISO format (UTC). If you specify a datetime, only the pulses that were created or modified later than the specified datetime are retrieved. |
The JSON output retrieves the list of pulses you have subscribed to, filtered by the input parameters you have specified, from the AlienVault-OTX server.
{
"previous": "",
"count": "",
"next": "",
"results": [
{
"id": "",
"created": "",
"industries": [],
"targeted_countries": [],
"adversary": "",
"indicators": [
{
"id": "",
"type": "",
"created": "",
"description": "",
"content": "",
"title": "",
"indicator": ""
}
],
"public": "",
"author_name": "",
"tlp": "",
"references": [],
"modified": "",
"description": "",
"extract_source": [],
"revision": "",
"tags": [],
"name": ""
}
]
}
Parameter | Description |
---|---|
URL | URL of the input query. For example, https://otx.alienvault.com/api/v1/indicators/export?&types=IPv6&limit=10&page=1. For more information, see OTX DirectConnect API. |
The JSON output retrieves the data from your AlienVault-OTX instance, based on the input query you have specified.
The output varies depending on the URL provided as a parameter.
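Putting the Get Indicators paging and the Run Query URL together: the following Python is an added example, not connector or OTX code. It builds the export URL from the example above, walks the paginated "next"/"count"/"results"/"previous" output documented for Get Indicators, and applies the page's remedy for the 'Exceeded maximum number of retries' error by retrying with a shorter date range. The HTTP call is a callable, so the block runs offline against a constructed responder; the `modified_since` query key is an assumption about how the From parameter reaches the API, and the records, dates and page size are constructed.

```python
"""Paging and date-range helper for the AlienVault-OTX indicator export.

Added example, not connector code. It builds the export URL shown in the Run Query
example on this page, walks the paginated "next"/"count"/"results"/"previous" shape
documented for the Get Indicators operation, and applies the page's remedy for the
'Exceeded maximum number of retries' error (a shorter date range via From). The HTTP
call is a callable, so the block runs offline against a constructed responder. The
`modified_since` query key is an assumption about how From reaches the API.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Iterator
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint taken from the Run Query example URL on this page.
EXPORT_ENDPOINT = "https://otx.alienvault.com/api/v1/indicators/export"


class RetryBudgetExceeded(RuntimeError):
    """Stand-in for the 'Exceeded maximum number of retries' error the page describes."""


def build_export_url(types: str, limit: int, page: int, since: datetime | None = None) -> str:
    """types/limit/page as in the page's example; From is sent as modified_since in ISO 8601 UTC (assumption)."""
    params: dict[str, Any] = {"types": types, "limit": limit, "page": page}
    if since is not None:
        params["modified_since"] = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return f"{EXPORT_ENDPOINT}?{urlencode(params)}"


def iter_export(fetch_page: Callable[[str], dict], types: str, since: datetime | None, limit: int) -> Iterator[dict]:
    """Yield each result record once, following the `next` URL until it is empty."""
    seen: set[str] = set()
    url = build_export_url(types, limit, 1, since)
    while url:
        body = fetch_page(url)
        for record in body.get("results", []):
            if record["id"] not in seen:  # pages can shift while new indicators arrive
                seen.add(record["id"])
                yield record
        url = body.get("next") or ""


def export_with_shorter_range(fetch_page, types, since, now, limit=1000, max_halvings=4):
    """Return (records, effective_since).

    On the retry error the range is halved (From moves to the midpoint between
    `since` and `now`) and the export is retried, as the page advises. The returned
    `effective_since` tells the caller which older part of the range is still uncovered.
    """
    effective_since = since
    for _ in range(max_halvings + 1):
        try:
            return list(iter_export(fetch_page, types, effective_since, limit)), effective_since
        except RetryBudgetExceeded:
            effective_since = effective_since + (now - effective_since) / 2
    raise RetryBudgetExceeded(f"export still failing with From={effective_since.isoformat()}")


# --- constructed offline responder standing in for the OTX server ---------------------
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed "current time"
_FAKE_RECORDS = [  # constructed records in the documented results shape
    {"id": str(n), "type": "IPv6", "title": "", "content": "", "indicator": f"2001:db8::{n:x}", "description": ""}
    for n in range(1, 8)
]


def fake_fetch_page(url: str) -> dict:
    """Rejects ranges longer than two days (simulating the retry error); otherwise serves pages of `limit` records."""
    q = parse_qs(urlparse(url).query)
    raw_since = q.get("modified_since", [None])[0]
    since = datetime.strptime(raw_since, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc) if raw_since else NOW
    if NOW - since > timedelta(days=2):
        raise RetryBudgetExceeded("Exceeded maximum number of retries")
    limit, page = int(q["limit"][0]), int(q["page"][0])
    chunk = _FAKE_RECORDS[(page - 1) * limit : page * limit]
    has_more = page * limit < len(_FAKE_RECORDS)
    return {
        "next": build_export_url(q["types"][0], limit, page + 1, since) if has_more else "",
        "count": len(_FAKE_RECORDS),
        "results": chunk,
        "previous": build_export_url(q["types"][0], limit, page - 1, since) if page > 1 else "",
    }


def demo_run() -> tuple[list[dict], datetime]:
    """Ask for ten days of IPv6 indicators, three per page; the responder forces the range down to 1.25 days."""
    return export_with_shorter_range(fake_fetch_page, "IPv6", NOW - timedelta(days=10), NOW, limit=3)


if __name__ == "__main__":
    records, effective = demo_run()
    print(f"{len(records)} records, effective From = {effective.isoformat()}")
```

Halving the range keeps the playbook moving, but it silently drops the older part of the window, which is why the helper returns `effective_since`: a scheduled playbook should persist it and run a follow-up for the gap rather than assume the full range was exported.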
Parameter | Description |
---|---|
Text | Pulses that you want to search for on AlienVault-OTX. |
Number of Records | (Optional) Number of records that the operation should include per page. |
Page Number | (Optional) Page number from which you want to retrieve records. |
The JSON output retrieves a list of all the pulses that match the text that you have specified in the input parameters, from the AlienVault-OTX server.
{
"exact_match": "",
"next": "",
"results": [
{
"created": "",
"TLP": "",
"author_name": "",
"industries": [],
"revision": "",
"id": "",
"tags": [],
"indicators": [
{
"created": "",
"indicator": "",
"type": "",
"content": "",
"id": "",
"title": "",
"description": ""
}
],
"description": "",
"name": "",
"modified": "",
"references": [],
"public": "",
"adversary": "",
"targeted_countries": []
}
],
"count": "",
"previous": ""
}
Parameter | Description |
---|---|
Pulse ID | ID of pulse to which you want to subscribe. |
The JSON output returns a Success message if subscribing to the pulse you specified using its pulse ID succeeds, or an Error message containing the reason for failure.
{
"status": "",
"subscriber_count": ""
}
Parameter | Description |
---|---|
Pulse ID | ID of pulse from which you want to unsubscribe. |
The JSON output returns a Success message if unsubscribing from the pulse you specified using its pulse ID succeeds, or an Error message containing the reason for failure.
{
"status": "",
"subscriber_count": ""
}
Parameter | Description |
---|---|
Username | Name of the user on whom you want to perform the selected action. |
Action | Action that you want to perform on the selected user. Choose from the following actions: Subscribe, Unsubscribe, Follow, or Unfollow. |
The JSON output returns a Success message if the selected action on the specified user succeeds, or an Error message containing the reason for failure.
{
"status": ""
}
The Sample - AlienVault-OTX - 1.0.2 playbook collection comes bundled with the AlienVault-OTX connector. This playbook collection contains steps that perform every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the AlienVault-OTX connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.