====== AlienVault OTX Intel Checker ======

This page gives guidelines for installing the AlienVault OTX Intel Checker app in Trisul Network Analytics.

** The app checks every artifact seen in your network traffic (hosts, domains, URLs, file hashes, SSL certificates and so on) against the threat IOCs published in AlienVault OTX and raises an alert in the UI when one matches. **

{{:tips:alienvault-app.png?200|}}

===== Intel Framework for Trisul =====

  * This app requires you to first install the [[tips:ioc_harvestor|IOC Harvestor]] app, which extracts the artifacts from traffic.
  * Then install this app by logging in as admin and selecting //Web Admin > Manage > Apps > AlienVault OTX Intel Checker.//

{{:tips:alienvault-admin.png?600|}}

The //check_intel.lua// script looks each extracted artifact up in a local LevelDB database of OTX indicators; it makes no network calls of its own, so the database has to be built and refreshed on the Probe as described below.

===== Getting the AlienVault OTX into a LevelDB database =====

  * Go to OTX and get an [[https://otx.alienvault.com/api|AlienVault OTX API Key]].
  * On OTX, subscribe to any number of Pulses. Pulses are collections of IOCs from various sources; only the pulses your account is subscribed to are downloaded into the database.

{{:tips:alienvaultapi.png?400|}}

==== Pre-requisites: Ruby and LevelDB ====

The feed installation process needs Ruby and LevelDB installed on the Probe. Run these commands as root.

**Ubuntu**

<code bash>
# apt install build-essential ruby libleveldb1v5
# gem install rake faraday leveldb
</code>

**CentOS/RHEL 7**

<code bash>
# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# yum install leveldb
# yum install gcc-c++
# gem install rake faraday leveldb
</code>

===== Installing Feeds =====

Compile the IOCs from your subscribed OTX pulses into the LevelDB database using the //installfeed.sh// script as shown below, replacing ''ALIENVAULT_API_KEY'' with your own key.

<code bash>
curl -O https://raw.githubusercontent.com/trisulnsm/apps/master/analyzers/alienvault-otx/installfeed.sh
bash ./installfeed.sh ALIENVAULT_API_KEY
</code>

The API key is passed on the command line, so it will appear in the shell history and in the process list while the script runs; treat the key like any other credential and re-run the script periodically so the database keeps up with new indicators in your pulses.

===== Viewing Alerts =====

When Trisul gets an IOC hit on any of the 14 indicator types, such as hosts, file hashes, SSL certs, domains and URLs, you will get an alert in the //User-Alerts// group.

{{:tips:aleinvault-alert.png?600|}}
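The two halves of the workflow above, feed installation (OTX pulse JSON into a key/value store) and the per-artifact lookup that the checker performs, are shown together in the added Ruby example below. This is illustration code written for this page, not Trisul's //installfeed.sh// or //check_intel.lua//, and it makes two assumptions: that the pulse JSON has the shape of the OTX v1 "subscribed pulses" response (a ''results'' array of pulses, each with ''name'' and an ''indicators'' array of ''{indicator, type}'' objects), and that keys are stored as ''namespace:normalized-value''; the key layout the real app uses is not documented on this page. A plain Hash stands in for the LevelDB handle so the script runs offline, and the sample pulse is constructed.

```ruby
# Added example: build an IOC lookup store from OTX-style pulse JSON and
# check traffic artifacts against it. Not the Trisul app's own code.
require 'json'

# Constructed sample mirroring the OTX v1 "subscribed pulses" response shape
# (assumption: real responses carry the same "results"/"indicators" fields).
SAMPLE_PULSES_JSON = <<~JSON
{
  "results": [
    {
      "id": "0000000000000000deadbeef",
      "name": "Example pulse: commodity downloader",
      "indicators": [
        {"indicator": "203.0.113.77", "type": "IPv4"},
        {"indicator": "Bad-Domain.example", "type": "domain"},
        {"indicator": "http://bad-domain.example/dl.php?id=1", "type": "URL"},
        {"indicator": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
         "type": "FileHash-SHA256"}
      ]
    }
  ]
}
JSON

# OTX indicator types mapped onto the lookup namespaces used as key prefixes.
# Types not listed here (CVE, email, ...) are skipped rather than stored under
# a namespace the checker would never query.
TYPE_NS = {
  'IPv4' => 'ip', 'IPv6' => 'ip',
  'domain' => 'domain', 'hostname' => 'domain',
  'URL' => 'url', 'URI' => 'url',
  'FileHash-MD5' => 'hash', 'FileHash-SHA1' => 'hash', 'FileHash-SHA256' => 'hash'
}.freeze

# Normalize so that a pulse author's casing and the casing seen on the wire
# produce the same key; otherwise a feed entry "Bad-Domain.example" silently
# never matches traffic to "bad-domain.example".
def normalize(ns, value)
  v = value.strip
  case ns
  when 'domain', 'hash' then v.downcase
  when 'url'
    # scheme and host are case-insensitive, path and query are not
    v.sub(%r{\A([a-z]+://[^/]+)}i) { Regexp.last_match(1).downcase }
  else v
  end
end

def ioc_key(ns, value)
  "#{ns}:#{normalize(ns, value)}"
end

# key -> JSON array of pulse names (one IOC can appear in several pulses).
# The store is a Hash here; a LevelDB::DB from the leveldb gem responds to the
# same []/[]= calls, so the same code can write the real database.
def build_ioc_store(pulses_json, store = {})
  JSON.parse(pulses_json).fetch('results', []).each do |pulse|
    pulse.fetch('indicators', []).each do |ind|
      ns = TYPE_NS[ind['type']] or next
      key = ioc_key(ns, ind['indicator'])
      names = store[key] ? JSON.parse(store[key]) : []
      store[key] = JSON.generate((names + [pulse['name']]).uniq)
    end
  end
  store
end

# What the checker does per artifact: return the matching pulse names, or nil.
def check_artifact(store, ns, value)
  raw = store[ioc_key(ns, value)]
  raw && JSON.parse(raw)
end

if __FILE__ == $PROGRAM_NAME
  store = build_ioc_store(SAMPLE_PULSES_JSON)
  [['ip', '203.0.113.77'], ['domain', 'BAD-DOMAIN.example'],
   ['ip', '198.51.100.9']].each do |ns, value|
    hit = check_artifact(store, ns, value)
    puts(hit ? "ALERT #{ns} #{value} -> #{hit.join(', ')}" : "clean #{ns} #{value}")
  end
end
```

The normalization step is the part worth carrying over to any feed loader: without it the database is only as good as the casing each pulse author happened to use, and a miss there produces no error, just a missing alert.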