Try it free

Ingest LevelBlue (AlienVault) OTX threat reports

  • Latest Dynatrace
  • Extension
  • Published Jul 01, 2026
  • Preview

Bring open threat intelligence from LevelBlue (AlienVault) OTX into Dynatrace to investigate threats and correlate external intelligence with your monitored environment.

Get started

Overview

Use the LevelBlue (AlienVault) OTX integration for Dynatrace to bring open threat intelligence from LevelBlue (AlienVault) Open Threat Exchange into Dynatrace.

The integration collects OTX pulses and their related indicators of compromise, such as IP addresses, domains, URLs, and file hashes, maps them to the Dynatrace Semantic Dictionary, and ingests them as normalized threat report events. This helps security teams investigate threats, correlate external intelligence with monitored environments, and automate response workflows.

Use cases

With the ingested data, you can accomplish various use cases, such as

  • Visualize and analyze security findings
  • Discover coverage gaps in security findings
  • Automate and orchestrate security findings

Requirements

See below for the LevelBlue (AlienVault) OTX and Dynatrace requirements.

LevelBlue (AlienVault) OTX requirements

  • An active LevelBlue (AlienVault) OTX account.
  • A LevelBlue (AlienVault) OTX API key for authentication.

Dynatrace requirements

  • ActiveGate version 1.310+ that needs to be able to

    • Run the Extensions 2.0 framework
    • Recommended: use the Dedicated limits option for the performance profile — see ActiveGate performance profile configuration. This lets the extension process larger pulses without reaching the memory limits.
    • Reach the LevelBlue (AlienVault) OTX API endpoints
  • Permissions: For a list of required permissions, open Hub, select Extensions Extensions, and display Technical information.

  • Generate an access token with the openpipeline.events_security scope and save it for later. For details, see Dynatrace API - Tokens and authentication.

Activation and setup

  1. In Dynatrace, search for LevelBlue (AlienVault) OTX and select Install.

  2. Follow the on-screen instructions to configure the extension.

  3. Verify the configuration by running the following query in Notebooks Notebooks:

    • For threat report events:

      fetch security.events
      | filter event.provider == "AlienVault OTX"
      AND event.type == "THREAT_REPORT"
  4. After the extension is installed and working, you can access and manage it in Dynatrace via Extensions Extensions. For details, see About Extensions.

Details

How it works

Diagram showing the LevelBlue (AlienVault) OTX extension polling OTX DirectConnect APIs from ActiveGate and ingesting threat intelligence into Dynatrace as security events
How ingest of LevelBlue (AlienVault) OTX threat intelligence works

Dynatrace integration with LevelBlue (AlienVault) OTX is an extension running on Dynatrace ActiveGate. After you enable and configure the extension:

  1. It periodically collects threat intelligence from LevelBlue (AlienVault) OTX using the OTX DirectConnect APIs.
  2. The fetched data is ingested into Dynatrace and mapped to the Dynatrace Semantic Dictionary.
  3. Data is stored in the default_securityevents bucket (for details, see Built-in Grail buckets).

Licensing and costs

For billing information, see Events powered by Grail.

FAQ

Which LevelBlue product does this integration support?

The integration supports LevelBlue (AlienVault) Open Threat Exchange, also known as LevelBlue (AlienVault) OTX.

Which data model is used for LevelBlue (AlienVault) OTX events in Dynatrace?

Threat report events store the ingested pulses and their related indicators of compromise, such as IP addresses, domains, URLs, and file hashes. For a conceptual overview, see Threat report events.

Which types of indicators of compromise (IOCs) are supported?

The integration ingests and maps IOC types that are supported as threat observables in Dynatrace. When these indicators are present in an OTX pulse, they are extracted and added as observables to enrich the threat context.

IOC typeMapped to

Email addresses

threat.observables.emails

IP addresses

threat.observables.ips

Domain names and host names

threat.observables.domains

URLs

threat.observables.urls

MD5 file hashes

threat.observables.hashes.md5

SHA-1 file hashes

threat.observables.hashes.sha1

SHA-256 file hashes

threat.observables.hashes.sha256

CVEs (Common Vulnerabilities and Exposures)

threat.observables.cves

Which LevelBlue (AlienVault) OTX threat intelligence events does Dynatrace import?

The integration ingests pulses from LevelBlue (AlienVault) OTX based on the configured ingestion options.

  • On the first ingest, Dynatrace fetches pulses created or modified in the last m days, where m is set by the Security events initial fetch time window option in the monitoring configuration.
  • On subsequent runs, the extension checks for new or updated pulses every n minutes, where n is set by the Security events ingest frequency option in the monitoring configuration.
  • Only new and updated pulses are ingested.

Which extension fields are added to the core fields of events ingested from LevelBlue (AlienVault) OTX?

The alienvault namespace is added for LevelBlue (AlienVault) OTX-specific attributes on top of the core security event schema. The full upstream payload is stored in event.original_content.

  • alienvault.pulse.public: Indicates whether the pulse is public.
  • alienvault.pulse.tlp: Indicates the Traffic Light Protocol value for the pulse.

Related topics

  • OpenPipeline
  • Dynatrace Query Language
  • Security events
Related tags
SecuritySecurityLevelBlue (AlienVault) OTXPythonThreat Observability