Bring open threat intelligence from LevelBlue (AlienVault) OTX into Dynatrace to investigate threats and correlate external intelligence with your monitored environment.
Use the LevelBlue (AlienVault) OTX integration for Dynatrace to bring open threat intelligence from LevelBlue (AlienVault) Open Threat Exchange into Dynatrace.
The integration collects OTX pulses and their related indicators of compromise, such as IP addresses, domains, URLs, and file hashes, maps them to the Dynatrace Semantic Dictionary, and ingests them as normalized threat report events. This helps security teams investigate threats, correlate external intelligence with monitored environments, and automate response workflows.
With the ingested data, you can accomplish various use cases, such as
See below for the LevelBlue (AlienVault) OTX and Dynatrace requirements.
ActiveGate version 1.310+ that needs to be able to
Permissions: For a list of required permissions, open Hub, select
Extensions, and display Technical information.
Generate an access token with the openpipeline.events_security scope and save it for later. For details, see Dynatrace API - Tokens and authentication.
In Dynatrace, search for LevelBlue (AlienVault) OTX and select Install.
Follow the on-screen instructions to configure the extension.
Verify the configuration by running the following query in
Notebooks:
For threat report events:
fetch security.events| filter event.provider == "AlienVault OTX"AND event.type == "THREAT_REPORT"
After the extension is installed and working, you can access and manage it in Dynatrace via
Extensions. For details, see About Extensions.

Dynatrace integration with LevelBlue (AlienVault) OTX is an extension running on Dynatrace ActiveGate. After you enable and configure the extension:
default_securityevents bucket (for details, see Built-in Grail buckets).For billing information, see Events powered by Grail.
The integration supports LevelBlue (AlienVault) Open Threat Exchange, also known as LevelBlue (AlienVault) OTX.
Threat report events store the ingested pulses and their related indicators of compromise, such as IP addresses, domains, URLs, and file hashes. For a conceptual overview, see Threat report events.
The integration ingests and maps IOC types that are supported as threat observables in Dynatrace. When these indicators are present in an OTX pulse, they are extracted and added as observables to enrich the threat context.
| IOC type | Mapped to |
|---|---|
Email addresses |
|
IP addresses |
|
Domain names and host names |
|
URLs |
|
MD5 file hashes |
|
SHA-1 file hashes |
|
SHA-256 file hashes |
|
CVEs (Common Vulnerabilities and Exposures) |
|
The integration ingests pulses from LevelBlue (AlienVault) OTX based on the configured ingestion options.
m days, where m is set by the Security events initial fetch time window option in the monitoring configuration.n minutes, where n is set by the Security events ingest frequency option in the monitoring configuration.The alienvault namespace is added for LevelBlue (AlienVault) OTX-specific attributes on top of the core security event schema. The full upstream payload is stored in event.original_content.
alienvault.pulse.public: Indicates whether the pulse is public.alienvault.pulse.tlp: Indicates the Traffic Light Protocol value for the pulse.