Documentation Center
AlienVault® USM Appliance™

What is Open Threat Exchange?

Open Threat Exchange® (OTX™)The world’s first truly open threat intelligence community that enables collaborative defense with actionable, community-powered threat data. This repository provides a continuous view of real time malicious activity. is a threat data platform that provides open access for all, allowing you to collaborate with a worldwide community of threat researchers and security professionals.

On the Threat IntelligenceEvidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging hazard to assets that can be used to inform decisions regarding the subject's response to that hazard. page, you can connect the deployed USM Anywhere SensorSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect log and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. to your AlienVault OTX account. Once connected, the sensor starts to receive raw pulse data from OTX and USM Anywhere correlates that data.

When it detects IOCsIndicator of Compromise interacting with assetsAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. in your environment, USM Anywhere generates related OTX pulseOTX pulses provide information on the reliability of threat data, who reported a threat, and other details of threat investigations. and IP ReputationThreat ranking of IP addresses that have been submitted by the OTX community as being malicious or at least suspicious.-related security eventsInformation collected and displayed that describes a single system or user level activity that took place. and alarmsAlarms provide notification of an event or sequence of events that require attention or investigation.. The platform consists of these two chief components

About OTX Pulses and Indicators of Compromise

The OTX community reports on and receives threat data in the form of pulses. A pulse consists of at least one, but more often multiple, Indicators of Compromise (IOCs).

An IOC is an artifact observed on a network or in an end point, judged with a high degree of confidence to be a threat vector. Examples of threat vectors include campaigns or infrastructures used by an attackerOne who maliciously attempts to bypass security restrictions or negatively impact a system or resource.. The following table provides a list of IOC types.

Indicator of compromise (IOC) types
IOC Type Description
CIDRClassless Inter-Domain Routing, which provides a method for allocating IP addresses, routing Internet protocol packets, and subdividing networks. CIDR notation provides a syntax for specifying a range of IP addresses. Rules Classless inter-domain routing. Specifies a range of IP addresses on a network that is suspected of malicious activity or attack.
CVEThe CVE system provides a method, using CVE IDs, to reference publicly known information security vulnerability and exposures in publicly released software packages and environments. number Standards group identification of Common Vulnerabilities and Exposures (CVEs).
Domains A domain name for a website or server suspected of hosting or engaging in malicious activityActivity in a system that exceeds or misuses that access in a manner that negatively affects the confidentiality, integrity, or availability of the organization's information systems.. Domains may also encompass a series of hostnamesA hostname is a label that is assigned to a device connected to a computer network and is used to identify the device on the network..
Email An email address associated with malicious activity.
File Hashes (MD5, SHA1, SHA256, PEHASH, IMPHASH) A hash computation for a file that can be used to determine whether contents of a file may have been altered or corrupted.
File Paths Unique location in a file system of a resource suspected of malicious activity.
Hostnames (subdomains) The hostname for a server located within a domain, suspected of malicious activity.
IP Addresses An IP address used as the source/destination for an online server or other device suspected of malicious activity.
MUTEX Name Mutual exclusion object allowing multiple program threads to share the same resource. Mutexes are often used by malwareGeneric term for a number of different types of malicious code including viruses, worms, and Trojans. as a mechanism to detect whether a system has already been infected.
URI A uniform resource identifier (URI) that describes the explicit path to a file hosted online, which is suspected of malicious activity.
URL Uniform resource locations (URLs) that summarizes the online location of a file or resource associated with suspected malicious activity.

About OTX IP Reputation

OTX IP Reputation identifies IP addresses and domains worldwide that are submitted by the OTX community. IP Reputation verifies them as either malicious or, at least, suspicious until more data comes in to increase their threat ranking. Through its incoming IP data from all of these sources, IP Reputation supplements OTX data with valuable data about actively or potentially malicious activity appearing worldwide that can affect your systems.

IP Reputation Data Sources

IP Reputation receives data from a variety of sources

Note: AlienVault ensures that none of the data shared with OTX can be traced to the contributor or their USM Anywhere deployment.

Who Has Access to IP Reputation?

All USM Anywhere users receive the benefit of IP Reputation data whether or not they sign up for an OTX account.

When you open an OTX account, you may elect to share IP Reputation data with other OTX users. Any data you contribute are anonymous and secure.

Note: You can configure USM Anywhere to stop sharing IP Reputation data with OTX at any time by visiting the Open Threat Exchange Configuration page.

IP Reputation Ranking Criteria

IP Reputation uses ranking criteria based on IP Reliability and IP Priority that OTX updates on an ongoing basis to calculate changing assessments to risk level. This helps prevent false positivesA condition that is flagged as a vulnerability or weakness that is not actually a concern. This may be caused by other mitigating conditions (such as additional security technology) or inefficient tuning on detection technology..

IP Reliability

IP Reputation data derives from many data sources of differing reliability. Ranking in this case is based on the relative number of reports regarding a malicious IP in relation to others reported. If, for example, OTX receives 10 reports on a given IP address versus 20 on another, it gives the IP with 10 reports a lower reliability ranking than the IP with 20 reports.

IP Priority

OTX ranks IP address priority, based on the behavior associated with each IP address listed. For example, an IP address used as a scanning host receives a lower priority than an IP address known to have been used as a Botnet server.

Ongoing Ranking Reassessment

OTX constantly updates its IP Reputation data as new information emerges, affecting IP reliability or priority criteria. Each update re-prioritizes IP reliability and priority values and the threat level of an IP accordingly.