New Features in Open Threat Exchange (OTX)

March 31, 2017 | Chris Doman

It's been a busy couple of months for the OTX team, making lots of improvements to make OTX more useful for security researchers and InfoSec professionals. We thought it was time to give you an update. Here's what's new in OTX:

Easier Way to Create Pulses

We've rebuilt the way you create pulses from scratch. So you can now bulk-edit pulses and get feedback on why indicators were whitelisted.

We've also added a suggested indicators tab - OTX looks for everything that is one-hop away from the pulse to find indicators that you might want to include:


New! Adversary Pages


OTX has long supported the concept of adversaries, but we've recently revamped how we display that data. We've promoted adversaries to have dedicated pages, pulling together all the information we have from various sources.

The descriptions are kindly made available by the MISP project. There is a lot of discussion in the industry about whether one group of attackers should be classed as Group X or Group Y. If you think the data is incorrect, and you're happy to share that, you can dive in and improve the information for everyone.

OTX also uses this data to suggest adversaries when you are creating pulses.

Whois Data Now Included in OTX

We've added Whois data to OTX to provide some quick context when you are triaging alerts. We're also looking at improving how you can pivot and monitor this data.

Network Signature Hits Against Servers Data Now in OTX

AlienVault has a wealth of information about which servers on the internet are being used for malware command and control. We get this data from both our malware sandboxes and users who choose to opt-in to share anonymised information from their networks. We've just started to present this data in OTX - and AlienVault USM customers will additionally see the contents of our rules and private threat intelligence pulses.

New! OTX Python SDK Function to Maintain Feeds in Pulses

A new function in the OTX Python SDK makes it easy to maintain feeds in pulses. You can periodically check a feed, and update a pulse to keep it up to date with the indicators in the feed.
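The core of such a periodic job is working out which feed entries are new to the pulse and which pulse indicators have dropped out of the feed. The following is an added illustration of that diff, not the SDK's own function; the feed and the existing pulse contents are constructed, and handing the result to the SDK's pulse-update calls is left to the caller.

```python
import re
from ipaddress import ip_address

# Constructed sample feed (not a real feed): one indicator per line, '#' comments allowed.
SAMPLE_FEED = """# constructed example feed
203.0.113.10
198.51.100.7
evil-example.test
2001:db8::1
not an indicator!!
"""

# RFC 1035-style label check; good enough to reject junk lines.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify(value):
    """Return the OTX indicator type for value, or None if it is not recognised."""
    try:
        return "IPv4" if ip_address(value).version == 4 else "IPv6"
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        # Simplified: one dot means a registrable domain, more means a hostname.
        # Public-suffix aware logic (co.uk etc.) would be needed in production.
        return "domain" if value.count(".") == 1 else "hostname"
    return None


def parse_feed(text):
    """Map each usable indicator in the feed to its OTX type; skip comments and junk."""
    indicators = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind = classify(line)
        if kind:
            indicators[line.lower()] = kind
    return indicators


def plan_update(feed_indicators, pulse_indicators):
    """Return (indicators to add to the pulse, pulse indicators no longer in the feed)."""
    current = {i.lower() for i in pulse_indicators}
    to_add = [{"indicator": v, "type": t}
              for v, t in sorted(feed_indicators.items()) if v not in current]
    stale = sorted(current - set(feed_indicators))
    return to_add, stale
```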

It's been great to see some users already experimenting with this feature. And OTX users have built a ton of other functionality using the API. Want to use OTX data in Splunk, Graylog, Maltego or 30 other tools? OTX users have got you covered.

New! Ability to Comment on Indicator Pages

Not everything can be said in a table, and we've added the ability to comment on indicator pages to reflect this. We're working on making OTX a more social experience overall - so you can discuss the threats you see every day with other users.

We're also providing more information on why indicators may not be malicious - to help that person in your SOC who keeps flagging windowsupdate.com as malware:

What's Coming Next?

Stay tuned folks, we've got a lot coming! Some of the things we're looking at include...

  • Full STIX / TAXII support
  • Additional data sources
  • A cleaner user interface

What Have We Missed?

We'd love to hear any feedback or thoughts you might have around how to improve OTX. There's a survey you can fill out, or just drop us an e-mail.

Chris Doman

About the Author: Chris Doman, AlienVault
I've had a long interest in security, but joined the industry after winning the civilian section of the Department of Defense's forensics competition. I run a popular threat intelligence portal (ThreatCrowd.org) in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a degree in Computer Science from the University of Cambridge.

TAGS: otx, usm, otx pulse
