Duplicates in AlienVault OTX integration

[Lesterol]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

64

RAM

64

Storage for /

500G

Storage for /nsm

20T

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi all. I have set up SO integration with AlienVault OTX. Integration has been added to the so-grid-nodes_general policy. Now when viewing indicators in Kibana I see quite a lot of duplicates when viewing one indicator. What solutions to the problem are possible in this case? I believe that due to the addition of integration to the so-grid-nodes_general policy, indicators are loaded from all 4 agents that are under this policy. For now, the solution seems to be to remove the node manager from this policy and assign it a separate policy. We have a distributed deployment.
What other options are possible? Help, please.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

You should add the alienVault integration to the fleet server policy

When setting up a new integration, it is important that you add it to an appropriate Policy.
If an integration pulls the data, you should add it to the Fleet Server policy. Depending on complexity and log volume, it might make sense to stand up a Fleet Node and add your integrations to it.

https://docs.securityonion.net/en/2.4/elastic-fleet.html#adding-an-integration

[Lesterol]

Thanks, it worked!