Alienvault OTX Missing - Threat Intel Plugin - Graylog 2.4.4


(Chris) #1

I was working to deploy the Alienvault OTX Threat Intel feed listed here: https://www.graylog.org/post/integrating-threat-intelligence-with-graylog
However, in my DEV and Prod 2.4.4 Graylog servers I do not see the AlienVault OTX feeds as available.
I read that the plugin can be downloaded from Github here: https://github.com/Graylog2/graylog-plugin-threatintel, but I’m not seeing pre-built JAR files. Do I need to build the JAR files from scratch or was the OTX removed from the plugin purposefully?


(Jochen) #2

How exactly have you installed Graylog 2.4.4 and where did you look for the AlienVault OTX feed?

The Threat Intel plugin has been included as a default plugin since Graylog 2.4.0.


(Chris) #3

I followed the setup procedures in the manual here: http://docs.graylog.org/en/latest/pages/installation/os/ubuntu.html

Both are a clustered setup with separate Elasticsearch cluster and MongoDB cluster off-box.
My primary confusion is that when I configure the Threat Intelligence plugin I do not see AlienVault OTX as an option to configure like in the blog post. All I see are the Tor exit nodes, Spamhaus and abuse.ch options.


Not sure if I’m missing something or if it’s something I haven’t enabled in the config.


(Jochen) #4

There is no configuration setting for AlienVault OTX in the Threat Intelligence plugin configuration (at System / Configurations).

There should be, however, two lookup tables named “Open Thread Exchange (OTX) - IP” and “Open Thread Exchange (OTX) - Domain” on the System / Lookup Tables page.


(Chris) #5

Ok, I see those. Thanks very much for pointing them out.
Looking around at those settings I don’t see an option to enter an AlienVault OTX API key. Does Graylog come with its own API keys built-in?


(Jochen) #6

You can configure your OTX API key in the configuration of the data adapters of the AlienVault OTX lookup tables (see System/Lookup Tables/Data Adapters).
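Once the OTX data adapter holds a valid API key, the lookup tables are usable from a processing pipeline rule. The rule below is an added example written for this thread, not code from the Graylog project or from the blog post linked above; it assumes the plugin's `otx_lookup_ip` function, a source field named `src_addr`, and a result field `otx_threat_indicated`, so check those names against the plugin version you run.

```graylog
// Added example (not from the original post). Assumes the message carries
// the client address in "src_addr" and that the OTX IP lookup table's data
// adapter (System / Lookup Tables / Data Adapters) has an API key configured.
rule "enrich src_addr with AlienVault OTX"
when
  has_field("src_addr")
then
  // Query the OTX IP lookup table shipped by the Threat Intel plugin.
  let intel = otx_lookup_ip(to_string($message.src_addr));

  // Keep a boolean on the message so a stream rule or alert condition
  // can match on it; the field name is the plugin's, assumed here.
  set_field("src_addr_otx_threat_indicated", intel.otx_threat_indicated);
end
```

Attach the rule to a pipeline connected to the stream that receives the relevant messages, then search for `src_addr_otx_threat_indicated:true` to confirm lookups succeed; an empty or missing field usually means the data adapter is not configured or the API key is rejected.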


(Chris) #7

Well thanks very much for this. I guess that should have been obvious but I missed it a solid six or so times.
Much appreciated!


(system) #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.