
No OTX Pulse Activity


We are receiving no alarms from OTX pulses in USM. We are updated to the latest 5.3.7 version and OTX is connected with 794 pulses downloaded, but there are no events or alarms from pulses in the past week. We previously used OSSIM with OTX connected and consistently received alarms from pulses. Is this a known issue?



  • @kspaeth - hm, that doesn't sound right... Unless your network has been miraculously IoC-free recently. Have you opened a support case? It's hard to say without looking at your appliance and checking the connections. But we don't have any known issues that match your description.
  • @LBarraco Ok so this is still a problem. I contacted support and they were no help. To make the issue even more bizarre, we have 4 servers running AV as we are starting as an MSSP. Also, now some pulses work but the vast majority don't.

    Server #1: An OSSIM server that we were using before purchasing. No changes have been made to this for over a month. It worked perfectly fine with OTX for over a year. This is using a different OTX account than the next 3. I looked and it's had no OTX pulse activity.
    Server #2: Federated server, updated and different OTX account
    Servers #3 and 4: USM all-in-ones, also updated using same OTX account as above.

    Seeing how spread out this issue is across time and configurations, this has to be a problem with AlienVault's pulses and not our stuff. This makes no sense.

    Are you sure that this problem has never been reported before?
  • I should add that I tested the same pulses on all 4 servers and received consistent results of them working or not working. 
  • And that one of the servers is on a completely separate network that shares no similarities with our network.
  • I recently signed on with AlienVault and have noticed I am seeing the same thing on my box now. I have an OTX account, I grabbed the API key, I input it into my USM Anywhere box, but I get nothing for results.

    Are there any recommended troubleshooting steps for me to try running on my side?  
  • @hatface Testing should be as simple as looking at a pulse and running dig against a domain in it. That's what support had me do with a test pulse.

    If I run it against one in the newest pulse from AlienVault (https://otx.alienvault.com/pulse/59319e5e61595509bc721739/) it creates an alarm, but if I run it against a domain in the pulse 2 below it (https://otx.alienvault.com/pulse/592ecf6d75454c25bfcd8081/) there is no record in alarm or SIEM.

    Also notable for my issue is that if I were to clone a pulse by AlienVault with my OTX account, that pulse would trigger an alarm.
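The test described in this post (pick a pulse, resolve one of its domains from a monitored host, see whether USM raises an alarm named after the pulse) is easy to do by hand for one pulse and tedious for many. The script below is an added example, not code from the thread or from AlienVault: it takes a pulse in the JSON shape the OTX API and pulse export use (`name`, plus `indicators[]` entries with `type` and `indicator` fields, which is how OTX publishes pulses), keeps only the domain/hostname indicators, and builds the `dig` commands to run. It runs as a dry run unless `execute=True` is passed. The pulse content, the `.example` names and the resolver address are constructed for the example.

```python
"""Added example, not part of the original thread or of AlienVault's code.
Builds the per-indicator `dig` checks a defender runs from a host on the
monitored segment to confirm that the sensor raises an OTX alarm for a pulse.
Assumed input shape: an OTX pulse JSON object with `name` and `indicators`
(each indicator has `type` and `indicator`, as in OTX pulse exports)."""

import json
import shlex
import subprocess
from typing import Dict, List, Optional

# Constructed sample pulse in the OTX export shape; every value here is fake.
SAMPLE_PULSE_JSON = """
{
  "name": "Example pulse for detection testing",
  "indicators": [
    {"type": "domain",   "indicator": "indicator-one.example"},
    {"type": "hostname", "indicator": "Beacon.indicator-two.example."},
    {"type": "URL",      "indicator": "http://indicator-three.example/path"},
    {"type": "IPv4",     "indicator": "192.0.2.10"},
    {"type": "FileHash-SHA256",
     "indicator": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"type": "domain",   "indicator": "indicator-one.example"}
  ]
}
"""

# Only these indicator types are something `dig` can resolve.
DNS_TYPES = {"domain", "hostname"}


def load_pulse(text: str) -> dict:
    """Parse a pulse export (one JSON object) into a dict."""
    return json.loads(text)


def dns_indicators(pulse: dict) -> List[str]:
    """Unique domain/hostname indicators of a pulse, normalised and in pulse order.
    URLs, IPs and hashes are skipped: resolving them says nothing about whether
    the sensor matches the pulse's DNS indicators."""
    seen = set()
    out: List[str] = []
    for ind in pulse.get("indicators", []):
        if ind.get("type") not in DNS_TYPES:
            continue
        value = ind.get("indicator", "").strip().lower().rstrip(".")
        if value and value not in seen:
            seen.add(value)
            out.append(value)
    return out


def dig_commands(pulse: dict, resolver: Optional[str] = None) -> List[List[str]]:
    """One `dig +short` argv per DNS indicator. Pointing dig at the site's
    normal resolver (`@ip`) matters: the query must cross the mirrored segment
    the sensor listens on, or no alarm can fire regardless of the pulse."""
    cmds = []
    for name in dns_indicators(pulse):
        cmd = ["dig", "+short"]
        if resolver:
            cmd.append("@" + resolver)
        cmd.append(name)
        cmds.append(cmd)
    return cmds


def run_detection_test(pulse: dict, resolver: Optional[str] = None,
                       execute: bool = False) -> Dict[str, Optional[int]]:
    """Print (dry run) or run the dig commands. Returns indicator -> dig exit
    status, or None when not executed. The exit status is not the result of the
    test: the result is whether an alarm carrying the pulse name (orange OTX
    icon) shows up in USM afterwards."""
    results: Dict[str, Optional[int]] = {}
    for cmd in dig_commands(pulse, resolver):
        name = cmd[-1]
        if execute:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
            results[name] = proc.returncode
        else:
            print("DRY RUN:", shlex.join(cmd))
            results[name] = None
    return results


if __name__ == "__main__":
    pulse = load_pulse(SAMPLE_PULSE_JSON)
    print("Pulse:", pulse["name"])
    run_detection_test(pulse, resolver="192.0.2.53")  # constructed resolver address
    print("After running these, look in USM for an alarm named after the pulse.")
```

Run it with `execute=True` only from a host whose DNS traffic is actually visible to the sensor; if the dry-run list is non-empty but no alarm appears for a pulse that other users confirm works, that points at the monitoring path (as the later reply about mirrored traffic in this thread shows) rather than at the pulse.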
  • Thanks for that @kspaeth,

    Running a dig against a domain/URL from each of the top 5 OTX results I have gave me 4 out of 5 returns as alarms.

    That appears to have kicked off things in the OTX dashboard as well as before running this test nothing showed up in there, now even the topmost section that shows the number of pulses subscribed, threat indicators, last update etc.  

    I appreciate the assist and wish there was something I could do to help you out with your issues.
  • @hatface Interesting. I just tested the top 5 and got 3/5 alarms. Still doesn't explain why we aren't seeing any other OTX activity. There's one WannaCry pulse that gets triggered and that's it. No way our network is that free of malicious activity. 

    I take it something similar is happening to you though, right?
  • I agree that although I do run a rather small network, it is hard to believe that we are that "clean" of malicious behavior.  I see regular alarms that seem like they should have an OTX Pulse that correlates with them as well that seem like they should be popping off OTX alarms but are not.  
  • @hatface We do get normal pulses, but those are just based on internal AlienVault directives in their suricata ruleset. In alarms, under the OTX column, those just show "N/A". However, if it finds something that has an IP in their reputation database, it will show a blue symbol, those work for us. If it is from an OTX pulse the symbol will be orange and the alarm name will be a pulse name, so very descriptive unlike the more generic standard ones I mentioned earlier.

    From what I can gather from you, it seems like we are having a similar problem. That @LBarraco guy from AlienVault that replied earlier said no one else had reported it; from the sounds of it this isn't just a problem with my installations.
  • I get the normal alarms internally from NIDS/HIDS etc but the only time I've seen OTX related alarms is when I caused them to go off with the tests earlier.  These alerts have the orange icon on them under the OTX column.  
  • Ok great, well not great, but maybe support will take this seriously now that it's not just me. Thanks!
  • @kspaeth - Someone from our Solutions team will be in contact with you shortly. Apologize again for all the hassle on this. 
  • @LBarraco Great, thank you!
  • I just started experiencing this very issue. Was there a quick solution or configuration to check?


  • Hi All,

    In my case there was a network change that stopped the traffic from being mirrored to our listening interface. Once that was determined and fixed my alarms did start again.



  • Kspaeth, by running a dig do you mean running a cat command?