Splunk IOC Threat Feed - Open Threat Exchange

Published: May 5, 2020

Ingesting open source threat feeds should be a trivial effort, especially considering the value they typically contain. Based on my experience getting feeds populated and ingested into a log management platform, it was anything but simple. I recently found the OTX add-on for Splunk, which seems to satisfy all my needs.

The OTX add-on requires a Splunk account to download: (INSERT SPLUNK LINK) and an API key from otx.alienvault.com. OTX, or Open Threat Exchange, is an open-source threat intelligence platform maintained by AlienVault (now AT&T).

Once you create an account and log in, you’ll see some profile details and the feeds you’re subscribed to.

A good place to start subscribing to feeds is at the bottom of your profile, under “Top Community Contributors”:

If you click on one of their profile images, it will load their page. Click subscribe OR unsubscribe based on the IOCs you want to ingest:

Hover over the “Browse” button for quick links that filter your list of OTX pulses (IOC lists).

Maybe you want to receive feeds based on APT groups.

Go to Browse -> Adversaries

There are 302 adversaries we can search on.

In the top right corner, we can use the search function to pull up a specific adversary. Say we want to investigate APT41. We can issue the following search:

If we hover over “Browse”, we can see the filter being applied.

And OTX lists the APT41 pulses we can subscribe to.

Another example would be searching pulses by industry. I work in the education industry, and OTX has an education section with 68 pulses. These IOC feeds are targeted at my industry, so they provide a bit more value than other IOC feeds.

Identify some IOC feeds of interest and subscribe to them to your heart’s content. Once you’ve done this, we’re ready to start ingesting the data into Splunk!

First thing we’ll do is download the Splunk add-on for OTX:

https://splunkbase.splunk.com/app/4336/

We can log into Splunk.

And click the cog to manage applications.

Install App from file

Browse to the downloaded add-on and click “Open”.

There is no GUI for this app, so we have to go back to Manage Apps to verify that it’s installed.

Before we start ingesting data, we need to create the index the add-on expects. Go to Settings -> Indexes

Click “New Index”

Create an index called “otx” and click “Save”

Then we’ll go to Settings -> Data Inputs

Then click on “Open Threat Exchange”

Click on the name “default” to insert your OTX API key.

Now you have to get your OTX API key. Log back into your OTX account at otx.alienvault.com.

Click on the settings icon next to your profile name, then click “Settings”.

This is where you’ll find your OTX API key.

Take that key and paste it into your input, set your backfill days and click “Save”.

Then make sure you set the status to “Enabled”.

Wait a few seconds and run the following search to see the IOCs that have been ingested in the last 24 hours:

From this data, I created a dashboard to summarize it. You can also create alerts that email you if these IOCs match anything observed in your environment.
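To show what such an IOC match looks like outside of Splunk, here is an added Python example (not code from the post or from the OTX add-on). It assumes the pulse JSON shape used by the OTX API (a list of pulses, each with an `indicators` list of `indicator`/`type` pairs); the pulse data and log lines are constructed for the example, whereas the add-on fetches live subscribed pulses with your API key.

```python
import json
import re

# Constructed sample in the shape of OTX pulse objects (assumed from the public
# API; all values here are made up for this example).
SAMPLE_PULSES_JSON = """
[
  {"name": "Example pulse A", "indicators": [
      {"indicator": "malicious.example", "type": "domain"},
      {"indicator": "203.0.113.45", "type": "IPv4"}]},
  {"name": "Example pulse B", "indicators": [
      {"indicator": "cdn.bad.example", "type": "hostname"},
      {"indicator": "44d88612fea8a8f36de82e1278abb02f", "type": "FileHash-MD5"}]}
]
"""

# Constructed DNS and proxy log lines standing in for data already in Splunk.
SAMPLE_LOGS = [
    "2020-05-05T10:01:02Z dns client=10.0.0.5 query=malicious.example type=A",
    "2020-05-05T10:01:09Z dns client=10.0.0.7 query=www.example.org type=A",
    "2020-05-05T10:02:15Z proxy src=10.0.0.9 dst=203.0.113.45 url=http://203.0.113.45/x",
    "2020-05-05T10:03:44Z proxy src=10.0.0.9 dst=198.51.100.2 url=http://ok.example/",
]

def build_indicator_table(pulses_json):
    """Map each indicator value (lower-cased) to (type, pulse name) for O(1) lookups."""
    table = {}
    for pulse in json.loads(pulses_json):
        for ind in pulse.get("indicators", []):
            table[ind["indicator"].lower()] = (ind["type"], pulse["name"])
    return table

# Tokens are runs of letters, digits, dots and dashes: domains, IPs and hashes.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")

def match_logs(log_lines, table):
    """Return (line, indicator, type, pulse) for each indicator seen in each line."""
    hits = []
    for line in log_lines:
        seen = set()  # report an indicator once per line even if it repeats
        for token in TOKEN_RE.findall(line):
            token = token.lower().rstrip(".")
            if token in table and token not in seen:
                seen.add(token)
                itype, pulse = table[token]
                hits.append((line, token, itype, pulse))
    return hits
```

Each tuple returned by `match_logs` is the kind of event an alert would fire on.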