Ingesting open source threat feeds should be a trivial effort, especially considering the value they typically contain. Based on my experience getting feeds populating and ingesting into a log management platform, it was anything but simple. I recently found the OTX add-on for Splunk, which seems to satisfy all my needs.
The OTX Add-on requires a splunk account to download: (INSERT SPLUNK LINK) and an API from otx.alienault.com. OTX or Open Threat Exchange is an open-source threat platform maintained by AlienVault (now AT&T).
Once you create an account and login, you’ll see some profile details and some feeds that you’re subscribed to
I good place to start subscribing to feeds is at the bottom of your profile, under top community contributors:
If you click on one of their profile images, it will load their page. Click subscribe OR unsubscribe based on the IOCs you want to ingest:
Highlight the “Browse” button for quick links to filter your list of OTX pulses (IOC lists)
Maybe you want to receive feeds based on APT groups
Goto Browse -> Adversaries
There’s 302 adversaries we can search on
In the top right corner, we can use the search function to pull up a specific adversary. Say we want to investigate APT41. We can issue the following search:
If we highlight “Browse” we can see the filter being applied
And OTX lists APT41 pulses we can subscribe to
Another example would be searching pulses via industry. I work in the education industry, and OTX has an education section with 68 pulses These IOC feeds are targeted to my industry, so they provide a slight bit more value than other IOC feeds.
Identify some IOC feeds of interested and subscribe to them at your hearts content. Once you’ve done this, we’re ready to start addressing ingesting the data into Splunk!
First thing we’ll do is download the Splunk add-on for OTX:
We can log into Splunk
And click the cog to manage applications
Install App from file
Browse to and “Open” the add-on
There is no GUI for this app, so we have to go back to manage apps to verify that it’s installed
Before we start ingesting data, we need to create a new index the add-on is expecting. Goto Settings -> Indexes
Click “New Index”
Create an index called “otx” and click “Save”
Then we’ll goto Settings -> Data Inputs
Then click on “Open Treat Exchange”
Click on the name “default” to insert your OTX API key
Now you have to get your OTX API key. Log back into your OTX account at otx.alienvault.com
Click on the settings icon next to your profile name, then click “Settings”
This is where you’ll find your OTX API key
Take that and paste it into your input, set your backfill days and “Save”
Then make sure you set the status to “Enabled”
Wait a few seconds and run the following search to see IOCs that have been ingested in the last 24hr
From this data, I created a dashboard to summarize the data. You can also created alerts to email you if these IOCs match anything observed in your environment.