Open Threat Exchange (OTX)

Integration Overview

Open Threat Exchange (OTX) is AlienVault's community-driven threat intelligence platform, where security researchers and practitioners collaborate to identify and share emerging threats in the form of pulses — collections of indicators of compromise including IP addresses, domains, and file hashes. Panther integrates with OTX to automatically enrich incoming log events against OTX indicators before they reach the detection engine. OTX data is stored as a Panther-managed Lookup Table, so there are no API calls at detection time — enrichment is applied automatically and surfaced under the p_enrichment field in matching events.

OTX enrichment requires an OTX API key and is available to all Panther customers.

Use Cases

Panther's OTX enrichment integration helps security teams:

• Automatically flag log events containing known malicious IPs, domains, or file hashes from OTX pulses

• Reduce investigation time by surfacing threat context directly within alerts and detection logic

• Leverage community intelligence from thousands of OTX contributors to broaden indicator coverage

How it Works

OTX enrichment runs against every log source in your Panther environment by default. When an incoming event contains an indicator that matches an OTX pulse entry, OTX data is automatically appended under the p_enrichment field and is immediately available in detections and searches. Enrichment data refreshes on a configurable interval, with a default of every 360 minutes, and a configurable max age for pulses to control data freshness.

You can check out our product documentation for more information.