AlienVault OTX Intel Checker

This page provides guidelines for installing the AlienVault OTX Intel-Checker app in Trisul Network Analytics.

The app checks all artifacts seen in your network traffic against the threat IOCs published in AlienVault OTX and raises an alert in the UI on a match.

Intel Framework for Trisul

The check_intel.lua script checks each artifact extracted from traffic against a LevelDB database of IOCs.

Getting the AlienVault OTX into a LevelDB database

Prerequisites: Ruby and LevelDB

The feed installation process needs Ruby and LevelDB installed on the Probe.

Ubuntu

#apt install build-essential ruby libleveldb1v5 
#gem install rake faraday leveldb

CentOS/RHEL7

#yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
#yum install leveldb
#yum install gcc-c++
#gem install rake faraday leveldb

Please ensure you run these commands as root.

Installing Feeds

Compile the IOCs from OTX into a LevelDB database using the 'installfeed.sh' script as shown below.

curl -O https://raw.githubusercontent.com/trisulnsm/apps/master/analyzers/alienvault-otx/installfeed.sh
bash ./installfeed.sh  ALIENVAULT_API_KEY

Viewing Alerts

When Trisul gets an IOC hit on any of the 14 indicator types, such as hosts, file hashes, SSL certificates, domains and URLs, you will get an alert in the 'User-Alerts' group.
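As an added illustration of the two steps described above (compiling OTX indicators into a keyed store, then checking traffic artifacts against it), here is a small Ruby sketch; it is example code, not the app's installfeed.sh or check_intel.lua. The pulse JSON, pulse names and the type-to-artifact mapping are constructed, and an in-memory Hash stands in for the LevelDB database.

```ruby
require 'json'

# Constructed sample in the shape of an OTX pulse export (not real intel):
# each pulse carries a list of indicators with a "type" and an "indicator" value.
SAMPLE_PULSES = JSON.parse(<<~'JSON')
  [
    {"name": "Example pulse A", "indicators": [
      {"type": "IPv4", "indicator": "198.51.100.23"},
      {"type": "domain", "indicator": "Bad-Example.test"},
      {"type": "FileHash-SHA256",
       "indicator": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
      {"type": "CVE", "indicator": "CVE-0000-0000"}
    ]},
    {"name": "Example pulse B", "indicators": [
      {"type": "URL", "indicator": "http://bad-example.test/payload.php"},
      {"type": "hostname", "indicator": "c2.bad-example.test"}
    ]}
  ]
JSON

# Assumed mapping from OTX indicator types to the artifact kinds the checker
# sees in traffic; types with no mapping (e.g. CVE) are not looked up.
KIND_FOR_TYPE = {
  'IPv4' => 'host', 'hostname' => 'domain', 'domain' => 'domain',
  'URL' => 'url', 'FileHash-MD5' => 'hash', 'FileHash-SHA1' => 'hash',
  'FileHash-SHA256' => 'hash'
}.freeze

# Canonical key: hosts, domains and hashes are case-insensitive and a domain
# may carry a trailing dot, so normalise before storing or looking up.
def ioc_key(kind, value)
  v = value.to_s.strip
  v = v.downcase.chomp('.') if %w[host domain hash].include?(kind)
  "#{kind}:#{v}"
end

# Feed step: index every mapped indicator under its key -> pulse name.
def build_ioc_store(pulses)
  store = {} # stand-in for the LevelDB database the feed installer writes
  pulses.each do |pulse|
    pulse['indicators'].each do |ind|
      kind = KIND_FOR_TYPE[ind['type']]
      next unless kind
      store[ioc_key(kind, ind['indicator'])] = pulse['name']
    end
  end
  store
end

# Check step: one lookup per observed artifact; returns the pulse name or nil.
def check_artifact(store, kind, value)
  store[ioc_key(kind, value)]
end
```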