I was working to deploy the Alienvault OTX Threat Intel feed listed here: https://www.graylog.org/post/integrating-threat-intelligence-with-graylog
However, in my DEV and Prod 2.4.4 Graylog servers I do not see the AlienVault OTX feeds as available.
I read that the plugin can be downloaded from Github here: https://github.com/Graylog2/graylog-plugin-threatintel, but I’m not seeing pre-built JAR files. Do I need to build the JAR files from scratch or was the OTX removed from the plugin purposefully?
How exactly have you installed Graylog 2.4.4 and where did you look for the AlienVault OTX feed?
The Threat Intel plugin has been included as a default plugin since Graylog 2.4.0.
I followed the setup procedures in the manual here: http://docs.graylog.org/en/latest/pages/installation/os/ubuntu.html
Both are a clustered setup with separate Elasticsearch cluster and MongoDB cluster off-box.
My primary confusion is that when I configure the Threat Intelligence plugin I do not see the AlienVault OTX as an option to configure like the blog post. All I see is the Tor exit nodes, Spamhaus and abuse.ch options.
Not sure if I’m missing something or if it’s something I haven’t enabled in the config.
There is no configuration setting for AlienVault OTX in the Threat Intelligence plugin configuration (at System / Configurations).
There should be, however, two lookup tables named “Open Threat Exchange (OTX) - IP” and “Open Threat Exchange (OTX) - Domain” on the System / Lookup Tables page.
Ok, I see those. Thanks very much for pointing them out.
Looking around at those settings I don’t see an option to enter an AlienVault OTX API key. Does Graylog come with its own API keys built-in?
You can configure your OTX API key in the configuration of the data adapters of the AlienVault OTX lookup tables (see System/Lookup Tables/Data Adapters).
Well thanks very much for this. I guess that should have been obvious but I missed it a solid six or so times.
Much appreciated!