Threat Intelligence

Threat intelligence integrations automatically enrich your logs with threat data from external providers during ingestion, enabling you to detect and alert on known malicious activity in real-time. By matching log fields (IPs, domains, URLs, file hashes) against threat intelligence feeds as logs are indexed, you can:

• Create detection rules that trigger alerts when known malicious indicators appear in your logs

• Investigate incidents faster with threat context already embedded in your log data

• Identify compromised systems communicating with known bad actors

• Reduce manual lookups — threat intelligence is searchable and filterable just like any other log field

Scanner syncs indicators from external threat intelligence providers into lookup tables, then uses those tables to enrich your logs as they're ingested. Once enriched, the threat data becomes part of your searchable log data and can be used in queries and detection rules.

Supported Providers

Scanner currently supports:

• AlienVault OTX (LevelBlue): A community-driven threat intelligence platform with millions of indicators

Setting Up AlienVault OTX Integration

Prerequisites

You will need:

• An API key from https://otx.alienvault.com/api

• At least one pulse subscription in your AlienVault OTX account

Creating the Integration

Auto-Syncing

Threat intelligence lookup tables are automatically synced daily. When you create a new integration, Scanner queues up an initial background sync that typically completes within a few hours (depending on the number of pulses and indicators).

During each sync:

• Scanner fetches the latest indicators from the provider

• New indicators are added to the lookup table

• Stale indicators (ones no longer in pulses you subscribe to) are removed

• Metadata (descriptions, references, timestamps) is updated

Using AlienVault OTX Enrichment

Once you've set up your AlienVault OTX integration and created a synced lookup table, you can add the Enrich with AlienVault OTX transformation to your import rules to automatically enrich logs during ingestion.

This transformation matches log fields against threat indicators in your lookup table. When a match is found, it appends threat indicator metadata to the log event following the Elastic Common Schema (ECS) threat enrichment format.

Parameters

When configuring the transformation in your import rule, you'll need to specify:

• IOC Type: The type of threat indicator to match against (IPv4, IPv6, domain, URL, email, or file hash).

• Lookup Table: Select a lookup table that contains threat intelligence data synchronized from your AlienVault OTX integration with a matching indicator type.

• Source Path: The field path in your log event to check for indicators (e.g., source.ip, dns.question.name, file.hash.md5). If the field doesn't exist or no threat indicator is found in the lookup table, the log is unchanged.

• Target Path: Where to store enrichment results (e.g., @ecs.threat.enrichments). The transformation preserves any existing enrichments at the result path by appending to the array if it already exists.

Output Structure

When a match is found, the transformation appends an enrichment object to the array at the target path (e.g., @ecs.threat.enrichments). The appended results use fields from the Elastic Common Schema threat enrichments. Each enrichment contains:

• indicator: Metadata about the threat indicator

  • type: Array containing the indicator type (e.g., ["ipv4-addr"], ["file"])

  • name: The matched indicator value

  • description: Description of the threat

  • first_seen: Timestamp when the indicator was first observed

  • last_seen: Timestamp when the indicator was last observed

  • provider: Threat intelligence provider (e.g., "AlienVault OTX")

  • reference: URL with more information about the threat

  • Type-specific fields: ip, domain, url, email, or file.hash depending on indicator type

• matched: Information about what was matched

  • atomic: The actual value that matched

  • field: The field path where the match occurred

Example

For an IPv4 enrichment matching on source.ip:

// Input log event
{
  "source": {
    "ip": "192.168.1.100"
  }
}

// Output log event (assuming match)
{
  "source": {
    "ip": "192.168.1.100"
  },
  "@ecs": {
    "threat": {
      "enrichments": [{
        "indicator": {
          "type": ["ipv4-addr"],
          "ip": "192.168.1.100",
          "name": "192.168.1.100",
          "description": "Known malicious scanning IP",
          "first_seen": "2024-01-01T00:00:00Z",
          "last_seen": "2024-01-15T12:30:00Z",
          "provider": "AlienVault OTX",
          "reference": "https://otx.alienvault.com/pulse/..."
        },
        "matched": {
          "atomic": "192.168.1.100",
          "field": "source.ip"
        }
      }]
    }
  }
}

Troubleshooting

No indicators appearing in my lookup table

• Ensure you've subscribed to at least one pulse in AlienVault OTX

• Check that the pulse contains indicators matching your selected indicator type

• Wait for the initial sync to complete (up to a few hours)

Enrichment not appearing in logs

• Confirm the enrichment transformation is added to your import rule

• Verify the source field path matches your actual log structure (e.g., your logs actually contain source.ip)

• Check that the lookup table has synced successfully and contains indicators

• Remember that enrichment only occurs when log data matches a known threat indicator—if your traffic doesn't contain any malicious IPs, domains, etc., no enrichment will be added

Integration created but no lookup table

• Make sure you clicked "New Table" and completed the table creation process during integration setup

• You can create additional lookup tables from an existing integration in Settings → Integrations

Managing Integrations