Integrating AlienVault OSSIM with ELK

In the last couple of blog posts we've been exploring how to use the ELK stack as a forensic logging platform. We also had a couple of posts on deploying some AlienVault features. In this post we explore a quick and easy way to integrate the two systems.

AlienVault's best feature, in my opinion, is OSSIM ( ), an open source SIEM with a very flexible rule and correlation engine that works very well. Less of a joy to use is the AlienVault logger ( ), which, while it does what it's advertised to do, is nowhere near as flexible or as polished as ELK. Apart from the flexible querying that ELK brings, ELK is also extremely easy to scale, replicating data across a distributed cluster of machines. In addition to all this, Kibana allows you to have auto-updating visualizations, such as trend analysis of the events per second from a particular data source (which, by the way, is a much more elegant and simple solution to the problem originally presented in ( )).

Figure: Source trend analysis (with a very limited dataset, unfortunately)

After all, ELK is built from the ground up to deal with searching and scalability. The objective for me was to get the AlienVault OSSIM logs into ELK, one way or another. We came up with two ways of doing this:

1.

AlienVault-OTX connector for FortiSOAR™

AlienVault Open Threat Exchange (OTX) is among our most useful threat intelligence tools. It is a repository of Indicators of Compromise (IOCs) supported by the community. OTX is organised into pulses, and each pulse contains a collection of IOCs targeted at a particular area.

This document provides information about the AlienVault-OTX connector, which facilitates automated interactions with an AlienVault-OTX server using FortiSOAR™ playbooks. Add the AlienVault-OTX connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving details for an indicator, creating and retrieving details for a pulse, and running queries on the AlienVault-OTX server.

Version information

FortiSOAR™ Version Tested on: 7.2.2-1098 and later
Certified: Yes

Release Notes for version 1.0.2

The following enhancements have been made to the AlienVault-OTX Connector in version 1.0.2: the new version now correctly determines the type of file hash for the Get File Reputation action.

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here. You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-alienvault-otx

Prerequisites to configuring the connector

You must have the URL of the AlienVault-OTX server to which you will connect and perform the automated operations; you will also need the API key to access that server. The FortiSOAR™ server should have outbound connectivity to port 443 on the AlienVault-OTX server.

For the procedure to configure a connector, see Configuring a Connector. In FortiSOAR™, on the Connectors page, select the AlienVault-OTX connector and click Configure to configure the following parameters:

Parameter: Address of the AlienVault-OTX server to which you will connect and perform the automated operations.
Parameter: API key configured for your account to access the AlienVault-OTX server.
Parameter: Specifies whether the SSL certificate for the server is to be verified or not.

The following automated operations can be included in playbooks, and from FortiSOAR™ release 5.0.0 onwards you can also use the annotations to access them:

Function: Create a new pulse containing a collection of IOCs targeted at a particular area.