diff --git a/Domain Stats/otx.ps1 b/Domain Stats/otx.ps1
new file mode 100644
index 0000000..1a0dad3
--- /dev/null
+++ b/Domain Stats/otx.ps1
@@ -0,0 +1,62 @@
+################################
+### Script to check event data on AlienVault OTX IoCs
+### SOCFortress
+### https://www.socfortress.co
+### info@socfortress.co
+################################
+##########
+# The API Call to OTX will run the parameter passed in the call against existing IoCs
+# The API response is filtered out to only get IoCs part of pulses created by the user "AlienVault"
+# API Response (relevant fields) in the response converted to JSON and appended to active-responses.log
+# An API key to access AlienVault OTX is required (otx.alienvault.com)
+##########
+
+# Your OTX API KEY
+$otxkey = "Your_API_KEY"
+# Read the Alert that triggered the Active Response in manager and convert to Array
+$INPUT_JSON = Read-Host
+$INPUT_ARRAY = $INPUT_JSON | ConvertFrom-Json
+$INPUT_ARRAY = $INPUT_ARRAY | ConvertFrom-Json
+
+#Function to Call OTX API with Params and Return Response
+function ApiCall($indicator_type, $param) {
+ $url = "https://otx.alienvault.com/api/v1/indicators/$indicator_type/$param/general"
+ $otx_response = invoke-webrequest -URI $url -UseBasicParsing -Headers @{"X-OTX-API-KEY"="$otxkey"} -UseDefaultCredentials
+ if (($otx_response.StatusCode -eq '200') -And (select-string -pattern '\"username\":\ \"AlienVault\"' -InputObject $otx_response.content))
+ {
+#Convert Response (JSON) to Array and remove objects
+ $otx_response_array = $otx_response | ConvertFrom-Json
+ $otx_response_array_trim = $otx_response_array | Select-Object sections,type,base_indicator
+#Append Alert to Active Response Log
+ echo $otx_response_array_trim | ConvertTo-Json -Compress | Out-File -width 2000 C:\"Program Files (x86)"\ossec-agent\active-response\active-responses.log -Append -Encoding ascii
+ }
+}
+#Switch For Rule Group From Alert
+$switch_condition = ($INPUT_ARRAY."parameters"."alert"."rule"."groups"[1]).ToString()
+switch -Exact ($switch_condition){
+#If Rule Group = "new_domain", Extract quieried hostname and call the API
+#Alert example: {"timestamp":"2021-10-20T05:12:39.783+1100","rule":{"level":5,"description":"DNS Stats - New or Low Frequency Domain Detetcted in Query","id":"100010","firedtimes":2,"mail":false,"groups":["dnsstat","dnsstat_alert"]},"agent":{"id":"034","name":"WIN-7FK8M79Q5R6","ip":"192.168.252.105"},"manager":{"name":"tactical"},"id":"1634667159.125787496","decoder":{"name":"json"},"data":{"dnsstat":{"query":"yt3.ggpht.com","alerts":["LOW-FREQ-SCORES"],"category":"ESTABLISHED","freq_score":[4.0377,3.871],"seen_by_isc":"top1m","seen_by_web":"Wed, 16 Jan 2008 18:55:33 GMT","seen_by_you":"Mon, 18 Oct 2021 22:17:34 GMT"},"integration":"dnsstat"},"location":"dns_stats"}
+"dnsstat_alert"
+ {
+ $indicator_type = 'hostname'
+ $hostname = $INPUT_ARRAY."parameters"."alert"."data"."dnsstat"."query"
+ ApiCall $indicator_type $hostname
+ break;
+ }
+
+}
+######################
+## Wazuh Manager: Command and AR.
+#
+# alienvault_otx
+# otx.cmd
+# no
+#
+####################
+#
+# no
+# 3
+# alienvault_otx
+# local
+# dnsstat_alert
+#