Creating a Pulse in OTX™ from any Text Document | AlienVault

Creating a Pulse in OTX™ from any Text Document

The challenge today is that we, as security professionals, are inundated with data from security blogs, PDFs, reports, etc. on the internet. We then have to manually review the content and identify what can be used as indicators of compromise, also known as IOCs. Then we have to pull all of these disparate pieces of data into our threat intelligence platform (if we have one) and figure out a way to feed that into our security tools.

Video Transcript

Hey aliens – Garrett here. In this video, I wanted to take you through, start to finish, the process of creating a pulse in OTX 2.0.

Creating an OTX Pulse from Any Text Document

One of the features in OTX is the ability to create a pulse with indicators found in blogs, PDFs, reports, really any document in text format. All you do is paste the URL of the document into the field shown and the system will then identify any IOCs that can be extracted. You then have the ability to review the IOCs before submitting your pulse.

In this case (a blog on DragonOK from Palo Alto), you can see that we were able to extract several hashes via file names mentioned in the blog post as well as a domain name. If you look under “excerpt from source”, it shows you exactly where in the document we found the indicator. In this blog, it mentions a C&C server hosted at bionews.info, so we created an IOC for that domain. We extracted several other URLs as well related to the C&C activity, hostnames related to pieces of malware, as well as more hashes. Finally, we were able to identify specific IP addresses related to this threat, even one that we already had a record of in our IP reputation database.

If you take a look at the left-hand side of the screen, you’ll notice some checkbox filters that can be used to manually exclude IOCs by type.

Excluding IOCs

We also take measures to exclude potential IOCs that turn out to be false positives. You can see that fireeye.com, for example, has been excluded because it is a known domain that has been whitelisted in the system. We will also pull out any references to whitelisted domains in urls that we find as well as private or internal IPs.

Once we have decided which IOCs to include in the pulse, we click next.

Organizing and Classifying Pulses

In the next screen, we are able to name the pulse, add a description, and assign tags to help organize and classify pulses. The system will suggest tags for you but you have the final say and can remove suggested tags as well as add your own.

Finally, hit ‘submit’ and then your pulse has been created. All of your followers and subscribers are then notified immediately that you have created the pulse and will be able to consume this data.

I hope this video was helpful. Thanks for watching.
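The extraction and review flow the video walks through (pull hashes, URLs, IPs and domains out of free text, keep an "excerpt from source" for each, drop whitelisted domains and private/internal IPs, filter by type, then assemble the kept indicators into a named, tagged pulse) can be sketched in a few dozen lines. The code below is an added illustration written for this page; it is not OTX's extractor or any AlienVault code, and the regexes, the tiny TLD list, the `Indicator` class, the `extract_indicators`/`build_pulse` names and the sample report text are all constructed for the example.

```python
import re
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator types scanned for, in this order. Simplified regexes written for
# this example (assumption: OTX's real extractor is more thorough than this).
PATTERNS = {
    "FileHash-SHA256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "FileHash-SHA1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "FileHash-MD5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "URL": re.compile(r"\bhttps?://[^\s\"'<>]+"),
    "IPv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Tiny TLD list so file names such as payload.exe are not mistaken for domains
# (constructed; a real extractor would consult the public suffix list).
KNOWN_TLDS = {"com", "net", "org", "info", "io"}

# Private / internal ranges that the review screen pulls out of the results.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Known-good domains that should never become IOCs (fireeye.com is the page's
# own example of a whitelisted domain).
ALLOWLIST = {"fireeye.com"}

# Constructed sample report, not a real advisory; every value in it is made up.
SAMPLE_REPORT = """\
The dropper installs payload.exe (MD5 0123456789abcdef0123456789abcdef)
and beacons to a C2 at http://c2.example-bad.info/gate.php on 203.0.113.45.
Analysts at fireeye.com also observed the loader fetch
http://www.fireeye.com/report.pdf. The sample was first seen on
192.168.1.20 in the lab and on 10.0.0.5.
"""


@dataclass
class Indicator:
    type: str
    value: str
    excerpt: str        # the "excerpt from source" around the match
    excluded: str = ""  # empty when kept, otherwise the reason it was dropped


def _excerpt(text, start, end, width=30):
    """Whitespace-collapsed context window around a match."""
    return " ".join(text[max(0, start - width):end + width].split())


def _allowlisted(host, allowlist):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowlist)


def _exclusion_reason(itype, value, allowlist):
    """Why a candidate is dropped on the review screen, or '' to keep it."""
    if itype == "domain" and _allowlisted(value, allowlist):
        return "whitelisted domain"
    if itype == "URL" and _allowlisted(urlsplit(value).hostname or "", allowlist):
        return "URL references whitelisted domain"
    if itype == "IPv4":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return "invalid IPv4 address"
        if any(addr in net for net in INTERNAL_NETS):
            return "private/internal IP"
    return ""


def extract_indicators(text, allowlist=(), exclude_types=()):
    """Return (included, excluded) Indicator lists, mirroring the review step.

    exclude_types plays the role of the unchecked type filters on the left."""
    included, excluded, seen = [], [], set()
    for itype, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0).rstrip(".,;:)")  # trailing punctuation is prose, not IOC
            if itype == "domain" and value.rsplit(".", 1)[-1].lower() not in KNOWN_TLDS:
                continue  # looks like a file name, not a domain
            key = (itype, value.lower())
            if key in seen:
                continue
            seen.add(key)
            ind = Indicator(itype, value, _excerpt(text, m.start(), m.end()))
            if itype in exclude_types:
                ind.excluded = "type unchecked in filter"
            else:
                ind.excluded = _exclusion_reason(itype, value, allowlist)
            (excluded if ind.excluded else included).append(ind)
    return included, excluded


def build_pulse(name, description, tags, indicators):
    """Assemble reviewed indicators into a pulse-like dict (constructed shape)."""
    return {"name": name, "description": description, "tags": sorted(set(tags)),
            "indicators": [{"type": i.type, "indicator": i.value, "excerpt": i.excerpt}
                           for i in indicators]}


if __name__ == "__main__":
    kept, dropped = extract_indicators(SAMPLE_REPORT, allowlist=ALLOWLIST)
    for i in kept:
        print(f"KEEP  {i.type:16} {i.value:40} ... {i.excerpt}")
    for i in dropped:
        print(f"DROP  {i.type:16} {i.value:40} ({i.excluded})")
    print(build_pulse("Constructed sample pulse", "Demo only", ["c2", "malware"], kept))
```

Running it on the constructed report keeps the MD5, the C2 URL, its domain and the 203.0.113.45 address, and drops both fireeye.com references, the URL that points at fireeye.com, and the two RFC 1918 addresses, each with the reason the review screen would show. The suffix match in `_allowlisted` is what makes `www.fireeye.com` fall under the `fireeye.com` whitelist entry; an exact-match allowlist would let subdomains of a known-good domain slip through as IOCs.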
