Open Threat Exchange (OTX) (Beta)
Enrich incoming events with OTX context
Overview
Open Threat Exchange (OTX) is AlienVault's community-driven threat intelligence platform, where contributors collaborate to identify emerging threats.
Learn how to view stored Enrichment Provider data here, and how to view log events with enrichment data here.
OTX enrichment in Panther requires an OTX API key.
How OTX enrichment works in Panther
By default, OTX is configured to run against every log source in your Panther environment (though it can be disabled for a log type, if desired). Panther will attempt to match each incoming log event, across all log types, against the OTX Panther-managed Lookup Table before it passes through the detection engine.
If Panther identifies a match between an incoming event and an OTX entry, OTX data is appended to the matching log event under a top-level p_enrichment key. It can then be referenced in detection logic and searches.
For more information on detection writing using an enrichment source, see Writing a detection using custom enrichment data.
How a match between a log event and OTX is made
A log event is enriched with OTX Panther-managed Lookup Table data (under p_enrichment) if a match is found between:
Any of the values of the Selector field(s) configured for each associated log type. For each log type, the default Selectors are the Indicator Fields (represented by p_any_*) associated with the enrichment table's primary key's indicator field designations (though the Selectors are configurable). Learn more about this auto-mapping here.
The value of the match key in an OTX table entry in Panther. match is the primary key of the OTX table and is preset by Panther. See an example of match in the Example OTX table entry below.
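The matching rule described above (selector values on the event compared against the match key of each table entry, with the hit appended under p_enrichment) and the later use of that enrichment in a detection can be modelled end to end. The following is an added example, not Panther's own code: the table name "OTX.Pulses", the p_enrichment layout {table name: {selector: [matched rows]}}, the selector mapping, the sample table and event, and the assumption that a rule sees the event as a plain dict are all constructed for illustration and are not taken from this page.

```python
"""Added example, not Panther's own code: a minimal model of how an OTX
lookup table enriches an incoming event under p_enrichment and how a
detection then reads that enrichment.

Labelled assumptions (not from the page): the table name "OTX.Pulses",
the layout p_enrichment -> {table name: {selector: [matched rows]}},
the selector mapping below, and that a rule sees the event as a dict.
"""
from typing import Any, Dict, List

TABLE_NAME = "OTX.Pulses"  # assumed lookup-table name

# Constructed sample table; the first row follows the page's example entry.
OTX_TABLE: List[Dict[str, Any]] = [
    {
        "id": "507f1f77bcf86cd799439011",
        "name": "Malicious Domain Activity",
        "tlp": "white",
        "attack_ids": ["T1071", "T1105"],
        "match": ["malicious-domain.com", "192.168.1.100"],
    },
    {
        "id": "constructed-pulse-0002",
        "name": "Constructed Phishing Pulse",
        "tlp": "green",
        "attack_ids": ["T1566"],
        "match": ["phish.example"],
    },
]

# Selectors per log type: the p_any_* indicator fields consulted for the lookup (assumed mapping).
SELECTORS: Dict[str, List[str]] = {
    "AWS.VPCFlow": ["p_any_ip_addresses"],
    "Zeek.DNS": ["p_any_domain_names", "p_any_ip_addresses"],
}


def build_index(table: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Map every value of each row's `match` array (the primary key) to its row."""
    index: Dict[str, Dict[str, Any]] = {}
    for row in table:
        for key in row.get("match", []):
            index[key.lower()] = row
    return index


def enrich(event: Dict[str, Any], index: Dict[str, Dict[str, Any]],
           selectors: Dict[str, List[str]] = SELECTORS) -> Dict[str, Any]:
    """Return a copy of `event`; add p_enrichment only when a selector value is in the index."""
    hits: Dict[str, List[Dict[str, Any]]] = {}
    for selector in selectors.get(event.get("p_log_type", ""), []):
        values = event.get(selector, [])
        if isinstance(values, str):  # a scalar selector is treated like a one-element list
            values = [values]
        for value in values:
            row = index.get(str(value).lower())
            if row is not None and row not in hits.setdefault(selector, []):
                hits[selector].append(row)
    hits = {sel: rows for sel, rows in hits.items() if rows}
    enriched = dict(event)  # never mutate the incoming event
    if hits:
        enriched["p_enrichment"] = {TABLE_NAME: hits}
    return enriched


def otx_rows(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten every OTX row attached to the event, across all selectors."""
    per_selector = event.get("p_enrichment", {}).get(TABLE_NAME, {})
    return [row for rows in per_selector.values() for row in rows]


def rule(event: Dict[str, Any]) -> bool:
    """Detection logic: alert when the event carries any OTX match."""
    return bool(otx_rows(event))


def title(event: Dict[str, Any]) -> str:
    """Alert title listing the pulse names that matched."""
    names = sorted({row["name"] for row in otx_rows(event)})
    return "OTX indicator match: " + ", ".join(names)


# Constructed sample event: a DNS log whose normalized indicator fields hit the first row twice.
SAMPLE_EVENT: Dict[str, Any] = {
    "p_log_type": "Zeek.DNS",
    "query": "malicious-domain.com",
    "p_any_domain_names": ["malicious-domain.com"],
    "p_any_ip_addresses": ["10.0.0.5", "192.168.1.100"],
}

if __name__ == "__main__":
    enriched_event = enrich(SAMPLE_EVENT, build_index(OTX_TABLE))
    print(rule(enriched_event), title(enriched_event))
```

The index is keyed by every value in each entry's match array, so one pulse can be reached through several indicators of different types, and an event whose log type has no selectors configured is passed through untouched, which is the behaviour to expect after disabling the enrichment for that log type.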
Setting up OTX enrichment
Step 1: Retrieve an OTX API key
Log in to your OTX account.
In the upper-right corner, click your username, then Settings.

From the OTX Key section, copy the API key you'd like to use to fetch data in Panther.
If you rotate or regenerate the API key in the future, you must update the configuration in Panther.
Step 2: Create the OTX enrichment in Panther
To configure OTX enrichment in Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Enrichments.
In the upper-right corner, click Create New.
Click Open Threat Exchange.

In the OTX Enrichment Settings form, provide values for the following fields:
Name: enter a descriptive name for your integration.
API Token: enter the API token you retrieved in Step 1.
Refresh period (minutes): configure how often Panther will refresh OTX data. The default refresh period is 360 minutes.
Max age (days): configure the maximum age in days for pulses to include in the lookup table. Default is 365 days.
Click Setup.
Your new OTX configuration will be visible in the Configure > Enrichments page.
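The Max age setting above, together with the is_active and expiration fields on each indicator in the example table entry further down, decides which pulses and indicators end up in the lookup table. The following is an added example, not Panther's own ingestion code, of how such a filter can be reproduced offline: it assumes (the page does not say) that a pulse's age is measured from its modified timestamp, falling back to created, and that an indicator contributes to match only when is_active is 1 and its expiration is absent or still in the future. The sample pulses and the fixed reference clock are constructed; the first pulse mirrors the page's example entry.

```python
"""Added example, not Panther's own code: turning raw OTX pulses into
lookup-table rows with the `match` key filled in, honouring a Max age
window like the setting described above.

Labelled assumptions (not stated on the page): pulse age is measured from
`modified` (falling back to `created`); an indicator is kept only when
is_active == 1 and its `expiration` is absent or still in the future.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

# Fixed reference clock so the example is deterministic (constructed).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse the ISO-8601 'Z' timestamps used in the page's example entry; None passes through."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_pulse(pulse: Dict[str, Any], now: datetime = NOW,
                    max_age_days: int = 365) -> Optional[Dict[str, Any]]:
    """Return a table row for the pulse, or None when it is older than max_age_days."""
    stamp = parse_ts(pulse.get("modified") or pulse["created"])
    if now - stamp > timedelta(days=max_age_days):
        return None
    match: List[str] = []
    for ind in pulse.get("indicators", []):
        if ind.get("is_active") != 1:  # assumption: inactive indicators never become match keys
            continue
        expiration = parse_ts(ind.get("expiration"))
        if expiration is not None and expiration <= now:  # assumption: expired ones are dropped
            continue
        match.append(ind["indicator"])
    keep = ("id", "name", "description", "created", "modified", "tags",
            "malware_families", "attack_ids", "tlp", "adversary")
    row = {key: pulse[key] for key in keep if key in pulse}
    row["match"] = match
    return row


def build_table(pulses: List[Dict[str, Any]], now: datetime = NOW,
                max_age_days: int = 365) -> List[Dict[str, Any]]:
    """Keep rows inside the age window that still have at least one usable indicator."""
    rows = []
    for pulse in pulses:
        row = normalize_pulse(pulse, now, max_age_days)
        if row is not None and row["match"]:
            rows.append(row)
    return rows


# Constructed sample pulses. The first mirrors the page's example entry.
SAMPLE_PULSES: List[Dict[str, Any]] = [
    {
        "id": "507f1f77bcf86cd799439011",
        "name": "Malicious Domain Activity",
        "created": "2023-08-15T10:30:00Z",
        "modified": "2023-08-15T10:30:00Z",
        "indicators": [
            {"indicator": "malicious-domain.com", "type": "domain",
             "expiration": "2025-08-15T10:30:00Z", "is_active": 1},
            {"indicator": "192.168.1.100", "type": "IPv4",
             "expiration": None, "is_active": 1},
        ],
        "tlp": "white",
    },
    {   # older than 365 days relative to NOW: dropped entirely
        "id": "constructed-stale",
        "name": "Stale Pulse",
        "created": "2022-06-01T00:00:00Z",
        "modified": "2022-06-01T00:00:00Z",
        "indicators": [{"indicator": "old.example", "type": "domain",
                        "expiration": None, "is_active": 1}],
    },
    {   # recent, but only one of three indicators is still usable
        "id": "constructed-mixed",
        "name": "Mixed Pulse",
        "created": "2023-12-20T00:00:00Z",
        "modified": "2023-12-20T00:00:00Z",
        "indicators": [
            {"indicator": "expired.example", "type": "domain",
             "expiration": "2023-12-31T00:00:00Z", "is_active": 1},
            {"indicator": "inactive.example", "type": "domain",
             "expiration": None, "is_active": 0},
            {"indicator": "203.0.113.7", "type": "IPv4",
             "expiration": None, "is_active": 1},
        ],
    },
]

if __name__ == "__main__":
    for row in build_table(SAMPLE_PULSES):
        print(row["id"], row["match"])
```

Lowering max_age_days shrinks the table and therefore the number of events that can be enriched, so a short window trades coverage of long-lived indicators for fewer stale matches; the refresh period controls how often this rebuild happens, not what it keeps.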
Enabling, disabling, or modifying OTX enrichment for a log type
OTX enrichment is enabled by default for each log type in your Panther instance.
If you'd like to disable (or later enable) OTX enrichment for a certain log type, or alter a log type's selectors:
In the left-hand navigation bar in your Panther Console, click Configure > Enrichments.
In the list of Enrichments, locate the OTX source you'd like to modify, and click its name.
On the provider's details page, to the right of the Enriched Log Types header, click Edit.
If you'd like to enable this enrichment for a new log type, click Add Log Type.
In the new row that populates, select a Log Type and, in the Selectors field, at least one event field.
If you'd like to disable this enrichment for a log type, locate that log type's row, and click the trash icon.
If you'd like to alter the selectors for a log type, click into the Selectors field and add or remove selections for event fields.
In the upper-right corner of the Enriched Log Types tile, click Save.
Example OTX enrichment table entry
Below is an example of an OTX pulse response normalized by Panther:
{
  "id": "507f1f77bcf86cd799439011",
  "name": "Malicious Domain Activity",
  "description": "Indicators related to malicious domain activity",
  "created": "2023-08-15T10:30:00Z",
  "modified": "2023-08-15T10:30:00Z",
  "indicators": [
    {
      "indicator": "malicious-domain.com",
      "type": "domain",
      "created": "2023-08-15T10:30:00Z",
      "expiration": "2025-08-15T10:30:00Z",
      "is_active": 1
    },
    {
      "indicator": "192.168.1.100",
      "type": "IPv4",
      "created": "2023-08-15T10:30:00Z",
      "expiration": null,
      "is_active": 1
    }
  ],
  "tags": ["malware", "domain", "c2"],
  "industries": ["financial"],
  "malware_families": ["trojan", "backdoor"],
  "attack_ids": ["T1071", "T1105"],
  "references": ["https://example.com/threat-report"],
  "match": [
    "malicious-domain.com",
    "192.168.1.100"
  ],
  "tlp": "white",
  "adversary": "APT29",
  "target_countries": ["US", "UK"],
  "p_event_time": "2023-08-15T10:30:00Z",
  "p_log_type": "OTX.Pulses",
  "p_parse_time": "2023-08-15T11:00:00Z",
  "p_row_id": "abc123def456ghi789",
  "p_schema_version": 0
}
OTX data structure
OTX.Pulses schema
The following is the Panther-managed OTX.Pulses schema, representing how Pulses are stored in Panther. See an event that has been parsed with this schema above.
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: OTX.Pulses
description: Open Threat Exchange (OTX) pulses containing threat intelligence indicators and metadata
referenceURL: https://otx.alienvault.com
fields:
  - name: id
    required: true
    description: ID field
    type: string
  - name: name
    required: true
    description: Name field
    type: string
  - name: description
    description: Description field
    type: string
  - name: created
    required: true
    description: Created field
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S.%N'
      - '%Y-%m-%dT%H:%M:%S.%N'
      - '%Y-%m-%dT%H:%M:%S'
      - '%Y-%m-%dT%H:%M:%S.%NZ'
    isEventTime: true
  - name: modified
    description: Modified field
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S.%N'
      - '%Y-%m-%dT%H:%M:%S.%N'
      - '%Y-%m-%dT%H:%M:%S'
      - '%Y-%m-%dT%H:%M:%S.%NZ'
  - name: indicators
    description: Indicators field
    type: array
    element:
      type: object
      fields:
        - name: indicator
          required: true
          description: Indicator field
          type: string
        - name: type
          description: Type field
          type: string
        - name: is_active
          description: IsActive field
          type: bigint
        - name: created
          description: Created field
          type: timestamp
          timeFormats:
            - '%Y-%m-%d %H:%M:%S.%N'
            - '%Y-%m-%dT%H:%M:%S.%N'
            - '%Y-%m-%dT%H:%M:%S'
            - '%Y-%m-%dT%H:%M:%S.%NZ'
        - name: expiration
          description: Expiration field
          type: timestamp
          timeFormats:
            - '%Y-%m-%d %H:%M:%S.%N'
            - '%Y-%m-%dT%H:%M:%S.%N'
            - '%Y-%m-%dT%H:%M:%S'
            - '%Y-%m-%dT%H:%M:%S.%NZ'
  - name: tags
    description: Tags field
    type: array
    element:
      type: string
  - name: industries
    description: Industries field
    type: array
    element:
      type: string
  - name: malware_families
    description: Malware field
    type: array
    element:
      type: string
  - name: attack_ids
    description: Attack field
    type: array
    element:
      type: string
      indicators:
        - mitre_attack_technique
  - name: references
    description: References field
    type: array
    element:
      type: string
  - name: match
    description: Match field
    type: array
    element:
      type: string
  - name: tlp
    description: Tlp field
    type: string
  - name: adversary
    description: Adversary field
    type: string
  - name: target_countries
    description: TargetCountries field
    type: array
    element:
      type: string