OTX pulses provide information on the reliability of threat data, who reported a threat, and other details of threat investigations. When you choose to create and contribute pulses to OTX, you can use a number of different methods to do so:
- Use the OTX extraction wizard to pull IOCs from your favorite sources. These can be blogs, emails, a PDF file, log files, or any other malware sources—any file that has a textual description of a threat. You can also import Open IOC 1.x and STIX files.
- Manually add indicators of compromise to create a pulse.
- Copy and paste indicators into the detail of a new pulse.
- Clone an existing pulse possessing the characteristics of a pulse you want to create, and then edit the cloned pulse to create a new pulse.
- Open an existing pulse you’ve created and add indicators, either manually or using the AlienVault Indicator Extractor.
Creating a Pulse Using the Indicator Extractor
1. From the OTX main menu, select Create Pulse.
2. In the Extract from Source (AlienVault Indicator Extractor) section of the Create New Pulse page, do one of the following, depending on the type of indicator you want to define for the new pulse:
- Type the URL of a website or blog.
- Drag and drop a text file (for example, a PDF, text, plain text log, STIX, or OpenIOC file).
- Paste the text describing an indicator.
3. Click Next.
OTX processes the request and displays the new pulse page with the newly extracted indicators on the Included IOCs tab.
4. If OTX found any excluded IOCs, review the list on the Excluded IOCs tab.
This tab includes items that OTX determined were unlikely to pose threats. However, it is good practice to scan the list anyway, in case you see something you do not agree with.
5. If you see something suspicious on the list, transfer it to the list of Included IOCs.
6. Click Next.
OTX displays a final Create New Pulse page where you add the other details describing the new pulse you want to contribute. The indicators you added on the previous page, and their types (for example, domain), appear in a table on the right side of the page.
7. Identify the pulse and complete the pulse description with the following information:
- TLP — Indicate the Traffic Light Protocol (TLP) for the threat by expanding the TLP list. The TLP consists of designations used to help ensure that sensitive information is shared with the correct audience. Its four colors indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipient(s). For guidance, see https://www.us-cert.gov/tlp.
- Name — Give the pulse a concise name that uniquely characterizes the threat. This could consist of where the threat was found or what type of malware it represents, for example, “New PoSeidon spotted”.
- Description — Describe the pulse in terms of where you found it, the type of threat it poses, and any other facts that may link it to other threat indicators.
- Private — Indicate whether or not you want to share the pulse with others or make it private. (Private means that you do not want to share the pulse with others, because you need to conduct more research.)
- Tags — If your IOC is a URL, OTX creates relevant tags based on its analysis of the URL. You can review any of these tags, and delete them, or you can add a new tag you feel is relevant.
- Groups — Add the groups you want to associate with the pulse.
- Industries — Specify the primary industries targeted by the threat.
- Targeted Countries — Specify the countries that have been targeted by the threat.
8. After reviewing all your entries for the new pulse, click Submit.
OTX returns you to the main pulse activity feed. Here you will see the pulse you just created, along with its associated tags. If you need to make changes to an existing pulse, for example, to add new indicators, you can simply open the existing pulse and add new indicators manually or using the AlienVault Indicator Extractor.
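To make the Included/Excluded split from steps 3 to 5 concrete, here is an added example of a small indicator extractor (example code written for this page, not AlienVault's own extractor): it refangs defanged text, pulls hashes, URLs, IPv4 addresses and domains out of a pasted report, and moves low-confidence candidates (private or reserved addresses, file names that look like domains) to an excluded list with a reason. The sample text, the file-extension list and the exclusion heuristics are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample standing in for a blog post or report pasted into the
# extractor; every indicator in it is made up for this example.
SAMPLE_TEXT = """
The dropper was served from hxxp://malware-example[.]test/payload.exe and
beaconed to 203.0.113.45, then to 10.0.0.5 over the VPN. Sample SHA256:
00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
Analyst notes are in report.pdf; the md5 was 0123456789abcdef0123456789abcdef.
"""

HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://\S+", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_TYPES = {32: "FileHash-MD5", 40: "FileHash-SHA1", 64: "FileHash-SHA256"}
# File extensions a naive domain regex mistakes for TLDs (assumed heuristic list).
FILE_EXTS = {"exe", "dll", "pdf", "doc", "docx", "txt", "zip", "js", "ps1"}


def refang(text):
    """Undo common defanging (hxxp://, [.]) so indicators match their real form."""
    return re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.I)


def extract(text):
    """Return (included, excluded): lists of (type, value, reason) tuples."""
    text = refang(text)
    included, excluded, seen = [], [], set()

    def add(kind, value, reason=None):  # reason is set only for excluded items
        if value not in seen:
            seen.add(value)
            (excluded if reason else included).append((kind, value, reason))

    for m in HASH_RE.finditer(text):
        add(HASH_TYPES[len(m.group(0))], m.group(0).lower())
    for m in URL_RE.finditer(text):
        add("URL", m.group(0).rstrip(".,;)"))
    for m in IPV4_RE.finditer(text):
        try:
            ok = ipaddress.ip_address(m.group(0)).is_global
        except ValueError:  # an octet above 255 slipped through the regex
            ok = False
        add("IPv4", m.group(0), None if ok else "private, reserved or invalid")
    for m in DOMAIN_RE.finditer(text):
        d = m.group(0).lower()
        add("domain", d, "looks like a file name" if d.rsplit(".", 1)[1] in FILE_EXTS else None)
    return included, excluded
```

Running `extract(SAMPLE_TEXT)` keeps the URL, its domain and both hashes as included, while the two addresses (a documentation range and an RFC 1918 range) and the two file names land in the excluded list, which is the list you would then review before submitting.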
Creating a Pulse by Manually Adding Indicators
You can also create a pulse by adding indicators of compromise (IOCs) manually, as opposed to using the AlienVault Indicator Extractor.
To create a pulse by manually adding indicators
1. Access the Create New Pulse page by selecting Create Pulse from the OTX user interface main menu.
2. Click the arrow to the left of the Manually Add Indicators section. A new data entry section appears.
3. From the Choose Type list, select the applicable IOC type.
4. Paste the indicator you want to include for the new pulse into the Indicator field.
5. Specify entries for the remaining fields you want to populate for the new pulse.
6. Click Add.
7. OTX again displays a final Create New Pulse page, allowing you to name and include other details describing the new pulse you want to submit.
8. After completing the remaining description entries for the new pulse, click Submit.
OTX returns you to the main pulse activity feed. Here you will see the pulse you just created, along with its associated tags. If you need to make changes to an existing pulse, for example, to add new indicators, you can open the existing pulse and simply add new indicators manually or using the AlienVault Indicator Extractor.