First Steps with AlienVault OTX 2.0

Sign Up (It’s free)

Bill Smartt
Apr 7, 2016 · 3 min read

Here at AlienVault, we’ve recently made some exciting updates to the Open Threat Exchange. Want to get free threat intelligence for your security controls? You’ve come to the right place!

First, sign up for an account. Use your existing Twitter or Google account, or fill out the form. Your username will be displayed throughout the site, but your email address will remain private.

Open Threat Exchange Signup Form. Are you a robot? ಠ_ಠ

Fundamentals

Every new account gets subscribed to the AlienVault account. The AlienVault account is how we are posting Indicators Of Compromise (IOCs) to all AlienVault USM and OSSIM appliances, as well as to whoever makes use of the API. If you’d prefer a fresh start*, you can unsubscribe from AlienVault. The easiest way to do this as of now is to visit AlienVault’s profile page and click unsubscribe.

*Given that the AlienVault account is managed by the AV Labs threat intelligence team, we’d highly encourage you to remain subscribed to AlienVault. If you’re planning to use OTX to supply yourself with your own exclusive IOCs and nothing else, you should unsubscribe from AlienVault. In most cases AlienVault IOCs will be of the highest integrity.

We use the term ‘pulse’ to mean a single threat, which may contain many IOCs. Each pulse (or threat) on OTX contains its own IOCs, description, tags, comments, etc.

Follow User vs. Subscribe User

You’ll notice there are two actions on user profile pages:

User Profile Page — this is how you subscribe / follow users.

Subscribe to the users whom you trust the most. Pulses by users you subscribe to will be automatically included in your threat intelligence. For example, if AlienVault posts a pulse in the middle of the night, you’ll receive these indicators without having to take action on the website.

Follow users you’re interested in, but not yet ready to blindly accept IOCs from. You’ll be notified about new pulses by users you follow, and you’ll see these pulses in your activity feed (discussed below), but you’ll need to click the subscribe button on each of their pulses for them to be included in your threat intelligence.

Though it is currently possible to subscribe and follow a user, there is no reason to do both! Everything that happens when following a user also happens when subscribing.

Subscribe to a single pulse from the list view:

In Pulse Lists, you can quickly subscribe directly to pulses. Don’t forget to upvote!

Or, to examine the IOCs in detail before subscribing, you can click the list item title, and use the subscribe button in the detailed pulse view:

Subscribing from the detailed Pulse view.

Wrapping up

Pulse: a collection of IOCs. Contains a name, tags, references, a breakdown of threat infrastructure, and community comments.

We now know about two sources for threat intelligence: pulses we subscribe to directly, and pulses by users we subscribe to. With this knowledge, you’re ready to start building your threat intelligence on OTX!

The third and final source of threat intelligence is from the pulses you create yourself! We’ll take a look at this in a future post.
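Both sources described above (pulses you subscribed to one by one, and pulses from authors you subscribe to) reach your security controls through the same subscribed-pulse feed. The script below is an added example, not code from this post or from AlienVault: it pulls that feed, then flattens the pulses into de-duplicated, per-type indicator lists that a blocklist or SIEM watchlist can consume. The endpoint path `/api/v1/pulses/subscribed`, the `X-OTX-API-KEY` header, the `results`/`next` paging fields and the pulse fields `name`, `author_name`, `tags`, `indicators[].type` and `indicators[].indicator` are assumptions about the OTX v1 API shape; the sample pulses at the bottom are constructed, not real OTX data.

```python
"""Pull the pulses an OTX account is subscribed to and flatten them into
per-type indicator lists for a security control.

Added example; not code from the original post or from AlienVault.
Assumed (not taken from the post): the endpoint /api/v1/pulses/subscribed,
the X-OTX-API-KEY header, the results/next paging fields and the pulse JSON
field names used below. SAMPLE_PULSES is constructed data.
"""
import json
import urllib.parse
import urllib.request
from collections import defaultdict

OTX_BASE = "https://otx.alienvault.com/api/v1"  # assumed base URL


def fetch_subscribed_pulses(api_key, modified_since=None, page_size=50):
    """Page through the subscribed-pulse feed and return a list of pulse dicts.

    Pulses you subscribed to directly and pulses from users you subscribe to
    both arrive through this one feed (assumed API shape). Pass an ISO-8601
    timestamp as modified_since to fetch only what changed since last run.
    """
    params = {"limit": page_size}
    if modified_since:
        params["modified_since"] = modified_since
    url = f"{OTX_BASE}/pulses/subscribed?{urllib.parse.urlencode(params)}"
    pulses = []
    while url:
        req = urllib.request.Request(url, headers={"X-OTX-API-KEY": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        pulses.extend(page.get("results", []))
        url = page.get("next")  # assumed: None/absent on the last page
    return pulses


def extract_indicators(pulses, wanted_types=None):
    """Flatten pulses into {indicator_type: sorted unique values}.

    The same IOC often appears in several pulses (AlienVault's and a user's,
    say), so values are de-duplicated per type. Entries with a missing type
    or a blank value are skipped rather than pushed to a control.
    """
    by_type = defaultdict(set)
    for pulse in pulses:
        for ioc in pulse.get("indicators", []):
            ioc_type = ioc.get("type")
            value = (ioc.get("indicator") or "").strip()
            if not ioc_type or not value:
                continue
            if wanted_types and ioc_type not in wanted_types:
                continue
            by_type[ioc_type].add(value)
    return {t: sorted(v) for t, v in by_type.items()}


def pulse_summary(pulses):
    """One (name, author, tags, indicator_count) tuple per pulse, so the feed
    can be eyeballed before its IOCs are fed to anything automated."""
    return [
        (p.get("name", ""), p.get("author_name", ""),
         tuple(p.get("tags", [])), len(p.get("indicators", [])))
        for p in pulses
    ]


# Constructed sample pulses in the assumed API shape (not real OTX data).
SAMPLE_PULSES = [
    {"name": "Example phishing campaign", "author_name": "AlienVault",
     "tags": ["phishing"],
     "indicators": [
         {"type": "domain", "indicator": "phish.example"},
         {"type": "IPv4", "indicator": "198.51.100.7"},
         {"type": "FileHash-SHA256", "indicator": "a" * 64},
     ]},
    {"name": "Example C2 list", "author_name": "trusted_user",
     "tags": ["c2"],
     "indicators": [
         {"type": "IPv4", "indicator": "198.51.100.7"},  # overlaps pulse 1
         {"type": "IPv4", "indicator": "203.0.113.9"},
         {"type": "domain", "indicator": "  "},          # blank, skipped
         {"indicator": "no-type.example"},               # no type, skipped
     ]},
]

if __name__ == "__main__":
    # Offline demo on the constructed data; swap in fetch_subscribed_pulses(key)
    # to run against a real account.
    for row in pulse_summary(SAMPLE_PULSES):
        print(row)
    print(json.dumps(extract_indicators(SAMPLE_PULSES), indent=2))
```

Run it as-is to see the flattening on the constructed pulses; for a real account replace `SAMPLE_PULSES` with `fetch_subscribed_pulses(api_key, modified_since=...)` and persist the last run time so each run pulls only new or changed pulses. Filtering with `wanted_types` lets you hand a firewall only `IPv4`/`domain` values while routing hashes to an endpoint tool.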

Bill Smartt

Written by

Detection Engineering @CrowdStrike Security, Engineering, Malware, Exploits
