# Threat Intelligence Threat intelligence integrations automatically enrich your logs with threat data from external providers during ingestion, enabling you to detect and alert on known malicious activity in real-time. By matching log fields (IPs, domains, URLs, file hashes) against threat intelligence feeds as logs are indexed, you can: * Create detection rules that trigger alerts when known malicious indicators appear in your logs * Investigate incidents faster with threat context already embedded in your log data * Identify compromised systems communicating with known bad actors * Reduce manual lookups — threat intelligence is searchable and filterable just like any other log field Scanner syncs indicators from external threat intelligence providers into lookup tables, then uses those tables to enrich your logs as they're ingested. Once enriched, the threat data becomes part of your searchable log data and can be used in queries and detection rules. ## Supported Providers Scanner currently supports: * **AlienVault OTX (LevelBlue)**: A community-driven threat intelligence platform with millions of indicators ## Setting Up AlienVault OTX Integration ### Prerequisites You will need: * An API key from * At least one pulse subscription in your AlienVault OTX account {% hint style="warning" %} **Important**: Scanner will only fetch indicators from pulses you've subscribed to in AlienVault OTX. Before creating the integration in Scanner, make sure you have pulse subscriptions set up: 1. Log into 2. Subscribe to pulses directly, or subscribe to users or join groups to access their pulses * Consider starting with the [official AlienVault user](https://otx.alienvault.com/user/AlienVault/pulses) as a baseline 3. Verify you have pulses at {% endhint %} ### Creating the Integration {% stepper %} {% step %} **Add the integration** In Scanner, navigate to **Settings** → **Integrations**, click **Add Integration**, and select **AlienVault OTX (LevelBlue)**. {% endstep %} {% step %} **Provide credentials** Enter your AlienVault OTX API key. {% endstep %} {% step %} **Create a synced lookup table** Click **New Table** to create a synced lookup table. Choose the IOC type (IPv4, IPv6, domains, URLs, email addresses, or file hashes). {% endstep %} {% step %} **Name and describe** Provide a name and optional description for the synced lookup table. {% endstep %} {% step %} **Finalize** Scanner will automatically create the synced lookup table which will update regularly based on indicators from pulses you subscribe to. Note: These lookup tables cannot be manually modified. {% endstep %} {% endstepper %} ## Auto-Syncing Threat intelligence lookup tables are automatically synced daily. When you create a new integration, Scanner queues up an initial background sync that typically completes within a few hours (depending on the number of pulses and indicators). During each sync: * Scanner fetches the latest indicators from the provider * New indicators are added to the lookup table * Stale indicators (ones no longer in pulses you subscribe to) are removed * Metadata (descriptions, references, timestamps) is updated ## Using AlienVault OTX Enrichment Once you've set up your AlienVault OTX integration and created a synced lookup table, you can add the **Enrich with AlienVault OTX** [transformation](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment/data-transformations) to your Index Rules to automatically enrich logs during ingestion. This transformation matches log fields against threat indicators in your lookup table. When a match is found, it appends threat indicator metadata to the log event following the Elastic Common Schema (ECS) threat enrichment format. ### Parameters When configuring the transformation in your Index Rule, you'll need to specify: * **IOC Type**: The type of threat indicator to match against (IPv4, IPv6, domain, URL, email, or file hash). * **Lookup Table**: Select a lookup table that contains threat intelligence data synchronized from your AlienVault OTX integration with a matching indicator type. * **Source Path**: The field path in your log event to check for indicators (e.g., `source.ip`, `dns.question.name`, `file.hash.md5`). If the field doesn't exist or no threat indicator is found in the lookup table, the log is unchanged. * **Target Path**: Where to store enrichment results (e.g., `@ecs.threat.enrichments`). The transformation preserves any existing enrichments at the result path by appending to the array if it already exists. ### Output Structure When a match is found, the transformation appends an enrichment object to the array at the target path (e.g., `@ecs.threat.enrichments`). The appended results use fields from the [Elastic Common Schema threat enrichments](https://www.elastic.co/guide/en/ecs/current/ecs-threat.html#field-threat-enrichments). Each enrichment contains: * `indicator`: Metadata about the threat indicator * `type`: Array containing the indicator type (e.g., `["ipv4-addr"]`, `["file"]`) * `name`: The matched indicator value * `description`: Description of the threat * `first_seen`: Timestamp when the indicator was first observed * `last_seen`: Timestamp when the indicator was last observed * `provider`: Threat intelligence provider (e.g., "AlienVault OTX") * `reference`: URL with more information about the threat * Type-specific fields: `ip`, `domain`, `url`, `email`, or `file.hash` depending on indicator type * `matched`: Information about what was matched * `atomic`: The actual value that matched * `field`: The field path where the match occurred ### Example For an IPv4 enrichment matching on `source.ip`: ```json // Input log event { "source": { "ip": "192.168.1.100" } } // Output log event (assuming match) { "source": { "ip": "192.168.1.100" }, "@ecs": { "threat": { "enrichments": [{ "indicator": { "type": ["ipv4-addr"], "ip": "192.168.1.100", "name": "192.168.1.100", "description": "Known malicious scanning IP", "first_seen": "2024-01-01T00:00:00Z", "last_seen": "2024-01-15T12:30:00Z", "provider": "AlienVault OTX", "reference": "https://otx.alienvault.com/pulse/..." }, "matched": { "atomic": "192.168.1.100", "field": "source.ip" } }] } } } ``` ## Troubleshooting ### No indicators appearing in my lookup table * Ensure you've subscribed to at least one pulse in AlienVault OTX * Check that the pulse contains indicators matching your selected indicator type * Wait for the initial sync to complete (up to a few hours) ### Enrichment not appearing in logs * Confirm the enrichment transformation is added to your Index Rule * Verify the source field path matches your actual log structure (e.g., your logs actually contain `source.ip`) * Check that the lookup table has synced successfully and contains indicators * Remember that enrichment only occurs when log data matches a known threat indicator—if your traffic doesn't contain any malicious IPs, domains, etc., no enrichment will be added ### Integration created but no lookup table * Make sure you clicked "New Table" and completed the table creation process during integration setup * You can create additional lookup tables from an existing integration in **Settings** → **Integrations** ## Managing Integrations {% hint style="warning" %} **Note**: Deleting an integration will not delete the lookup table. The table will remain available for transformations but will no longer sync with new threat intelligence data. This means your threat indicators will become stale over time, which is not recommended for production use. {% endhint %}