AlienVault OTX v2
AlienVault OTX integration
Query Indicators of Compromise in AlienVault OTX. This integration was integrated and tested with version 1.0 of AlienVault OTX v2
Use Cases
- IPv4/v6, domain, hostname, file hashes, dns enrichment
- Pulses searches
Configure AlienVault OTX v2 on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for AlienVault OTX v2.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server address
- API Token
- Indicator Threshold. The minimum number of pulses to consider the indicator as malicious.
- Source Reliability. Reliability of the source providing the intelligence data. (The default value is C - Fairly reliable)
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the new instance.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- ip
- domain
- alienvault-search-ipv6
- alienvault-search-hostname
- file
- alienvault-search-cve
- alienvault-get-related-urls-by-indicator
- alienvault-get-related-hashes-by-indicator
- alienvault-get-passive-dns-data-by-indicator
- alienvault-search-pulses
- alienvault-get-pulse-details
- url: url
1. ip
Queries an IP address in AlienVault OTX.
Base Command
ip
Input
| Argument Name | Description | Required |
|---|---|---|
| ip | The IP address to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the IP address is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| IP.Address | String | The address of the IP. |
| IP.ASN | String | The autonomous system name for the IP address. For example, "AS8948". |
| IP.Geo.Country | String | The country where the IP address is located. |
| IP.Geo.Location | String | The geolocation where the IP address is located, in the format: latitude:longitude. |
| AlienVaultOTX.IP.Reputation | String | The reputation of the IP address. |
| AlienVaultOTX.IP.IP | String | IP address |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |
| DBotScore.Indicator | String | The indicator that was tested. |
Command Example
!ip ip=8.8.8.8"
Context Example
{
"AlienVaultOTX": {
"IP": {
"IP": "8.8.8.8",
"Reputation": 0
}
},
"DBotScore": {
"Indicator": "8.8.8.8",
"Score": 3,
"Type": "IPv4",
"Vendor": "AlienVault OTX v2"
},
"IP": {
"ASN": "AS15169 Google LLC",
"Address": "8.8.8.8",
"Geo": {
"Country": "US",
"Location": "37.751,-97.822"
}
}
}
Human Readable Output
AlienVault OTX v2 - Results for IPv4 query
| ASN | Address | Geo |
|---|---|---|
| AS15169 Google LLC | 8.8.8.8 |
Country: US
Location: 37.751,-97.822 |
2. domain
Queries a domain in AlienVault OTX.
Base Command
domain
Input
| Argument Name | Description | Required |
|---|---|---|
| domain | The domain to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the domain is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Domain.Name | String | The domain name. For example, "google.com". |
| AlienVaultOTX.Domain.Alexa | String | Alexa URL for the domain data. |
| AlienVaultOTX.Domain.Whois | String | Whois URL for the domain data. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |
Command Example
!domain domain=google.com"
Context Example
{
"AlienVaultOTX": {
"Domain": {
"Alexa": "http://www.alexa.com/siteinfo/google.com",
"Name": "google.com",
"Whois": "http://whois.domaintools.com/google.com"
}
},
"DBotScore": {
"Indicator": "google.com",
"Score": 3,
"Type": "domain",
"Vendor": "AlienVault OTX v2"
},
"Domain": {
"Name": "google.com"
}
}
Human Readable Output
AlienVault OTX v2 - Results for Domain query
| Alexa | Name | Whois |
|---|---|---|
| http://www.alexa.com/siteinfo/google.com | google.com | http://whois.domaintools.com/google.com |
3. alienvault-search-ipv6
Queries IPv6 in AlienVault OTX.
Base Command
alienvault-search-ipv6
Input
| Argument Name | Description | Required |
|---|---|---|
| ip | The IP address to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the IP address is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| IP.Address | String | The IP address. |
| IP.ASN | String | The autonomous system name for the IP address. For example, "AS8948". |
| IP.AlienVaultOTX.Reputation | String | The IP reputation in AlienVault OTX. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of the indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |
Command Example
!alienvault-search-ipv6 ip=2001:4860:4860::8888
Context Example
{
"AlienVaultOTX": {
"IP": {
"IP": "2001:4860:4860::8888",
"Reputation": 0
}
},
"DBotScore": {
"Indicator": "2001:4860:4860::8888",
"Score": 0,
"Type": "IPv6",
"Vendor": "AlienVault OTX v2"
},
"IP": {
"ASN": "AS15169 Google LLC",
"Address": "2001:4860:4860::8888",
"Geo": {
"Country": "US",
"Location": "37.751,-97.822"
}
}
}
Human Readable Output
AlienVault OTX v2 - Results for IPv6 query
| ASN | Address | Geo |
|---|---|---|
| AS15169 Google LLC | 2001:4860:4860::8888 |
Country: US
Location: 37.751,-97.822 |
4. alienvault-search-hostname
Searches for a host name in AlienVault OTX.
Base Command
alienvault-search-hostname
Input
| Argument Name | Description | Required |
|---|---|---|
| hostname | The host name to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the host name is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Endpoint.Hostname | String | The hostname that is mapped to the endpoint. |
| AlienVaultOTX.Endpoint.Hostname | String | The hostname that is mapped to the endpoint. |
| AlienVaultOTX.Endpoint.Alexa | String | The Alexa URL endpoint. |
| AlienVaultOTX.Endpoint.Whois | String | The Whois URL endpoint. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of the indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |
| DBotScore.Indicator | String | The indicator that was tested. |
Command Example
!alienvault-search-hostname hostname=demisto.com
Context Example
{
"AlienVaultOTX": {
"Endpoint": {
"Alexa": "http://www.alexa.com/siteinfo/demisto.com",
"Hostname": "demisto.com",
"Whois": "http://whois.domaintools.com/demisto.com"
}
},
"DBotScore": {
"Indicator": "demisto.com",
"Score": 0,
"Type": "hostname",
"Vendor": "AlienVault OTX v2"
},
"Endpoint": {
"Hostname": "demisto.com"
}
}
Human Readable Output
AlienVault OTX v2 - Results for Hostname query
| Alexa | Hostname | Whois |
|---|---|---|
| http://www.alexa.com/siteinfo/demisto.com | demisto.com | http://whois.domaintools.com/demisto.com |
5. file
Query a file in AlienVault OTX.
Base Command
file
Input
| Argument Name | Description | Required |
|---|---|---|
| file | The file hash to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the file is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Malicious.PulseIDs | String | IDs of pulses which are marked as malicious. |
| File.Type | String | The file type, as determined by libmagic (same as displayed in file entries). |
| File.Size | Number | The size of the file in bytes. |
| File.SSDeep | String | The SSDeep hash of the file (same as displayed in file entries). |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of the indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |
Command Example
!file file=6c5360d41bd2b14b1565f5b18e5c203cf512e493"
Context Example
{
"DBotScore": {
"Indicator": "6c5360d41bd2b14b1565f5b18e5c203cf512e493",
"Score": 0,
"Type": "file",
"Vendor": "AlienVault OTX v2"
},
"File": {
"MD5": "2eb14920c75d5e73264f77cfa273ad2c",
"Malicious": {
"PulseIDs": []
},
"SHA1": "6c5360d41bd2b14b1565f5b18e5c203cf512e493",
"SHA256": "4cf9322c49adebf63311a599dc225bbcbf16a253eca59bbe1a02e4ae1d824412",
"SSDeep": "",
"Size": "437760",
"Type": "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
}
}
Human Readable Output
AlienVault OTX v2 - Results for File hash query
| MD5 | Malicious | SHA1 | SHA256 | SSDeep | Size | Type |
|---|---|---|---|---|---|---|
| 2eb14920c75d5e73264f77cfa273ad2c | PulseIDs: | 6c5360d41bd2b14b1565f5b18e5c203cf512e493 | 4cf9322c49adebf63311a599dc225bbcbf16a253eca59bbe1a02e4ae1d824412 | 437760 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
6. alienvault-search-cve
Query Common Vulnerabilities and Exposures (CVE) in AlienVault OTX.
Base Command
alienvault-search-cve
Input
| Argument Name | Description | Required |
|---|---|---|
| cve_id | The CVE to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the CVE is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| CVE.ID | String | The ID of the CVE. For example, "CVE-2015-1653". |
| CVE.CVSS | String | The CVSS of the CVE. For example, "10.0". |
| CVE.Published | String | The timestamp of when the CVE was published. |
| CVE.Modified | String | The timestamp of when the CVE was last modified. |
| CVE.Description | String | A description of the CVE. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |
| DBotScore.Indicator | String | The indicator that was tested. |
Command Example
!alienvault-search-cve cve_id=CVE-2014-0160
Context Example
{
"CVE": {
"CVSS": "5.0",
"Description": "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.",
"ID": "CVE-2014-0160",
"Modified": "2019-10-09T19:09:21",
"Published": "2014-04-07T18:55:03"
},
"DBotScore": {
"Indicator": "CVE-2014-0160",
"Score": 3,
"Type": "cve",
"Vendor": "AlienVault OTX v2"
}
}
Human Readable Output
AlienVault OTX v2 - Results for Hostname query
| CVSS | Description | ID | Modified | Published |
|---|---|---|---|---|
| 5.0 | The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. | CVE-2014-0160 | 2019-10-09T19:09:21 | 2014-04-07T18:55:03 |
7. alienvault-get-related-urls-by-indicator
Returns related URLs by indicator.
Base Command
alienvault-get-related-urls-by-indicator
Input
| Argument Name | Description | Required |
|---|---|---|
| indicator_type | The type of the indicator. Can be: "IPv4", "IPv6", "domain", "hostname", or "url". | Required |
| indicator | The indicator for which to search related URLs. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| AlienVaultOTX.URL.Data | Unknown | The path of the related URLs. |
Command Example
!alienvault-get-related-urls-by-indicator indicator=8.8.8.8 indicator_type=IPv4
Context Example
{
"AlienVaultOTX": {
"URL": [
{
"Data": "http://8.8.8.8/w/cohernece.txt"
},
{
"Data": "https://dns.google.com/resolve?name=apv3.stel.com&type=ANY&random_padding=HUmzJ9Da0EHn5FZ7yfdbqJOhiVBKnWl5DjWYk4Ba4ooy3vVFHsQmu1hM5BYEgFSKmUcfu1mcd0sBv10gOvN09oERfhQG2da2sJBpPVpk6rR2AmIxzO7FQ"
},
{
"Data": "http://8.8.8.8/siteepres/horatrtbdg.asp"
},
{
"Data": "https://dns.google.com/experimental?ct=application%2Fdns-udpwireformat&dns"
},
{
"Data": "https://dns.google/dns"
},
{
"Data": "https://dns.google.com/resolve?name=apv2.stel.com&type=ANY&random_padding=FKWsRuGcTpuYcyBx3LEJVC2dx25ihCICFP303ZhUndPC3DwfcCqp2jpO"
},
{
"Data": "https://tagnet.app/itlikf/login.php?l%3D_JeHFUq_VJOXK0QWHtoGYDw1774256418%26fid.13InboxLight.aspxn.1774256418%26fid.125289964252813InboxLight99642_Product-userid%26userid%3D"
},
{
"Data": "http://8.8.8.8/XmWLPDQ2M"
},
{
"Data": "https://paulvmoreau.github.io/BeltFedNPCs"
}
]
}
}
Human Readable Output
AlienVault OTX v2 - Related url list to queried indicator
| Data |
|---|
| https://8.8.8.8/x8me1s |
| http://8.8.8.8/w/cohernece.txt |
| https://dns.google.com/resolve?name=apv3.stel.com&type=ANY&random_padding=HUmzJ9Da0EHn5FZ7yfdbqJOhiVBKnWl5DjWYk4Ba4ooy3vVFHsQmu1hM5BYEgFSKmUcfu1mcd0sBv10gOvN09oERfhQG2da2sJBpPVpk6rR2AmIxzO7FQ |
| http://8.8.8.8/siteepres/horatrtbdg.asp |
| https://dns.google.com/experimental?ct=application%2Fdns-udpwireformat&dns |
| https://dns.google/dns |
| https://dns.google.com/resolve?name=apv2.stel.com&type=ANY&random_padding=FKWsRuGcTpuYcyBx3LEJVC2dx25ihCICFP303ZhUndPC3DwfcCqp2jpO |
| https://tagnet.app/itlikf/login.php?l%3D_JeHFUq_VJOXK0QWHtoGYDw1774256418%26fid.13InboxLight.aspxn.1774256418%26fid.125289964252813InboxLight99642_Product-userid%26userid%3D |
| http://8.8.8.8/XmWLPDQ2M |
| https://paulvmoreau.github.io/BeltFedNPCs |
8. alienvault-get-related-hashes-by-indicator
Returns related hashes by indicator.
Base Command
alienvault-get-related-hashes-by-indicator
Input
| Argument Name | Description | Required |
|---|---|---|
| indicator | The indicator for which to search for related hashes. | Optional |
| indicator_type | The type of the indicator. Can be: "IPv4", "IPv6", "domain", or "hostname". | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| AlienVaultOTX.File.Hash | Unknown | The path of the url. |
Command Example
!alienvault-get-related-hashes-by-indicator indicator=8.8.8.8 indicator_type=IPv4
Context Example
{
"AlienVaultOTX.File": [
{
"Hash": "ffc2595aefa80b61621023252b5f0ccb22b6e31d7f1640913cd8ff74ddbd8b41"
},
{
"Hash": "0b4d4a7c35a185680bc5102bdd98218297e2cdf0a552bde10e377345f3622c1c"
},
{
"Hash": "d8b8a5c941b6a1c3cb58f7e59489b2554ed14e6c6655d1fbf6852e45404b7516"
},
{
"Hash": "b3d8adc185834ab858ebf55082828cb9fc1170bbe8de222821d225a6056ff5dc"
},
{
"Hash": "e43cf3f5fa5e14972ba3f159dee6e98330bd19dccc1267cfc91b1000aef975d9"
},
{
"Hash": "9e11b1e769da3c8059345b36c62b4a857845bd7e14c7c14af2945ce26570d91f"
},
{
"Hash": "ae695ce9b8ff4bb831721a8c60377c1757d6d4fe579640b54f3c7f62b175f506"
},
{
"Hash": "093bde5d50daba59bfe68b31251cf2c39353bdfe8ad510284935ca027f269637"
},
{
"Hash": "438b531ba399feb19ed7bf73657d3de6996e001ee5054c04af6b2943e41b402e"
},
{
"Hash": "5019a6b3ec69eae63f716b1df74434bf66f090a6c75a594e2392c7a22f1698cc"
}
]
}
Human Readable Output
AlienVault OTX v2 - Related malware list to queried indicator
**No entries.**
9. alienvault-get-passive-dns-data-by-indicator
Returns passive DNS records by indicator.
Base Command
alienvault-get-passive-dns-data-by-indicator
Input
| Argument Name | Description | Required |
|---|---|---|
| indicator_type | The type of the indicator. Can be: "IPv4", "IPv6", "domain", or "hostname". | Required |
| indicator | The indicator for which to search URLs. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| AlienVaultOTX.PassiveDNS.Hostname | String | The domain value. |
| AlienVaultOTX.PassiveDNS.IP | String | The IP passive DNS. |
| AlienVaultOTX.PassiveDNS.Domain | String | The domain value. |
| AlienVaultOTX.PassiveDNS.Type | String | The asset type. |
| AlienVaultOTX.PassiveDNS.FirstSeen | Date | The date first seen. |
| AlienVaultOTX.PassiveDNS.LastSeen | Date | The date last seen. |
Command Example
!alienvault-get-passive-dns-data-by-indicator indicator=8.8.8.8 indicator_type=IPv4
Context Example
{
"AlienVaultOTX":
"PassiveDNS": [
{
"FirstSeen": "2019-10-29T23:41:54+00:00",
"Hostname": "bjnn.com.cn",
"IP": "8.8.8.8",
"LastSeen": "2019-10-29T23:41:54+00:00",
"Type": "hostname"
},
{
"FirstSeen": "2019-10-29T17:01:00+00:00",
"Hostname": "api.cloudapps-sand.dhcs.ca.gov",
"IP": "8.8.8.8",
"LastSeen": "2019-10-29T17:01:00+00:00",
"Type": "hostname"
},
{
"FirstSeen": "2019-10-29T13:21:44+00:00",
"Hostname": "1",
"IP": "8.8.8.8",
"LastSeen": "2019-10-29T13:21:46+00:00",
"Type": "domain"
},
{
"FirstSeen": "2019-10-29T04:10:19+00:00",
"Hostname": "ronssr.xyz",
"IP": "8.8.8.8",
"LastSeen": "2019-10-29T04:10:19+00:00",
"Type": "domain"
},
{
"FirstSeen": "2019-10-29T01:56:59+00:00",
"Hostname": "true.nxtv.cn",
"IP": "8.8.8.8",
"LastSeen": "2019-10-29T01:56:59+00:00",
"Type": "hostname"
},
{
"FirstSeen": "2019-10-28T04:57:51+00:00",
"Hostname": "furymice.com",
"IP": "8.8.8.8",
"LastSeen": "2019-10-28T04:57:51+00:00",
"Type": "domain"
},
{
"FirstSeen": "2019-10-27T23:25:58+00:00",
"Hostname": "diogroup.vn",
"IP": "8.8.8.8",
"LastSeen": "2019-10-27T23:25:58+00:00",
"Type": "domain"
}
]
}
Human Readable Output
AlienVault OTX v2 - Related passive dns list to queried indicator
| FirstSeen | Hostname | IP | LastSeen | Type |
|---|---|---|---|---|
| 2019-10-29T23:41:54+00:00 | bjnn.com.cn | 8.8.8.8 | 2019-10-29T23:41:54+00:00 | hostname |
| 2019-10-29T17:01:00+00:00 | api.cloudapps-sand.dhcs.ca.gov | 8.8.8.8 | 2019-10-29T17:01:00+00:00 | hostname |
| 2019-10-29T13:21:44+00:00 | 2 | 8.8.8.8 | 2019-10-29T13:21:46+00:00 | domain |
| 2019-10-29T04:10:19+00:00 | ronssr.xyz | 8.8.8.8 | 2019-10-29T04:10:19+00:00 | domain |
10. alienvault-search-pulses
Searches for pulses in AlienVault OTX.
Base Command
alienvault-search-pulses
Input
| Argument Name | Description | Required |
|---|---|---|
| page | The page of the pulse to retrieve. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| AlienVaultOTX.Pulses.ID | String | The ID of the pulse. |
| AlienVaultOTX.Pulses.Author.ID | String | The ID of the Author. |
| AlienVaultOTX.Pulses.Author.Username | String | The username of the Author. |
| AlienVaultOTX.Pulses.Count | String | The pulse count. |
| AlienVaultOTX.Pulses.Modified | Date | The date of the pulse modification. |
| AlienVaultOTX.Pulses.Name | String | The name of the pulse. |
| AlienVaultOTX.Pulses.Source | String | The source of the Pulse. |
| AlienVaultOTX.Pulses.SubscriberCount | String | The count of the pulse subscriber. |
| AlienVaultOTX.Pulses.Tags | String | The tags of the pulse. |
| AlienVaultOTX.Pulses.Description | String | The description of the pulse. |
Command Example
!alienvault-search-pulses page=1
Context Example
{
"AlienVaultOTX.Pulses": [
{
"Author": {
"ID": "2",
"Username": "AlienVault"
},
"Count": 28,
"ID": "546ce8eb11d40838dc6e43f1",
"Modified": "728 days ago ",
"Name": "PoS Scammers Toolbox",
"Source": "web",
"SubscriberCount": 94133
},
{
"Author": {
"ID": "2",
"Username": "AlienVault"
},
"Count": 11,
"ID": "546cf5ba11d40839ea8821ca",
"Modified": "1553 days ago ",
"Name": " RAZOR BLADES IN THE CANDY JAR",
"Source": "web",
"SubscriberCount": 94115
},
{
"Author": {
"ID": "2",
"Username": "AlienVault"
},
"Count": 10,
"ID": "546e2e4f11d4083bc021c37d",
"Modified": "796 days ago ",
"Name": "Linking Asprox, Zemot, Rovix and Rerdom Malware Families ",
"Source": "web",
"SubscriberCount": 94108,
"Tags": [
"Asprox",
"Zemot",
"Rovix"
]
},
{
"Author": {
"ID": "2",
"Username": "AlienVault"
},
"Count": 23,
"ID": "546fc7bf11d4083bc021c37f",
"Modified": "796 days ago ",
"Name": "Operation Double Tap",
"Source": "web",
"SubscriberCount": 94113
},
{
"Author": {
"ID": "2",
"Username": "AlienVault"
},
"Count": 60,
"Description": "Regin is a multi-purpose data collection tool which dates back several years. Symantec first began looking into this threat in the fall of 2013. Multiple versions of Regin were found in the wild, targeting several corporations, institutions, academics, and individuals.\nRegin has a wide range of standard capabilities, particularly around monitoring targets and stealing data. It also has the ability to load custom features tailored to individual targets. Some of Regin\u2019s custom payloads point to a high level of specialist knowledge in particular sectors, such as telecoms infrastructure software, on the part of\nthe developers.",
"ID": "5473709d11d4083bc021c387",
"Modified": "279 days ago ",
"Name": "Regin",
"Source": "web",
"SubscriberCount": 94092
}
]
}
Human Readable Output
AlienVault OTX v2 - pulse page 1
| Author | Count | ID | Modified | Name | Source | SubscriberCount |
|---|---|---|---|---|---|---|
|
ID: 2
Username: AlienVault |
28 | 546ce8eb11d40838dc6e43f1 | 728 days ago | PoS Scammers Toolbox | web | 94133 |
|
ID: 2
Username: AlienVault |
11 | 546cf5ba11d40839ea8821ca | 1553 days ago | RAZOR BLADES IN THE CANDY JAR | web | 94115 |
|
ID: 2
Username: AlienVault |
10 | 546e2e4f11d4083bc021c37d | 796 days ago | Linking Asprox, Zemot, Rovix and Rerdom Malware Families | web | 94108 |
|
ID: 2
Username: AlienVault |
23 | 546fc7bf11d4083bc021c37f | 796 days ago | Operation Double Tap | web | 94113 |
|
ID: 2
Username: AlienVault |
60 | 5473709d11d4083bc021c387 | 279 days ago | Regin | web | 94092 |
11. alienvault-get-pulse-details
Returns pulse details.
Base Command
alienvault-get-pulse-details
Input
| Argument Name | Description | Required |
|---|---|---|
| pulse_id | The ID of the pulse. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| AlienVaultOTX.Pulses.Created | Date | The date the pulse was created. |
| AlienVaultOTX.Pulses.Author.Username | String | The author username of the pulse. |
| AlienVaultOTX.Pulses.ID | String | The ID of the pulse. |
| AlienVaultOTX.Pulses.Name | String | The name of the pulse. |
| AlienVaultOTX.Pulses.Tags | String | The tags of the pulse. |
| AlienVaultOTX.Pulses.TargetedCountries | String | The targeted countries of the pulse. |
| AlienVaultOTX.Pulses.Description | String | The description of the pulse. |
Command Example
!alienvault-get-pulse-details pulse_id=57204e9b3c4c3e015d93cb12
Context Example
{
"AlienVaultOTX.Pulses": {
"Author": {
"Username": "AlienVault"
},
"Created": "2016-04-27T05:31:06.941000",
"Description": "The infamous Remote Access Trojan (RAT) Poison Ivy (hereafter referred to as PIVY) has resurfaced recently, and exhibits some new behaviors. PIVY has been observed targeting a number of Asian countries for various purposes over the past year. Palo Alto Networks\u2019 Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists dubbed SPIVY that uses DLL sideloading and operates quite differently from a variant recently observed by ASERT that has been active for at least the past 12 months.",
"ID": "57204e9b3c4c3e015d93cb12",
"Name": "Poison Ivy Activity Targeting Myanmar, Asian Countries",
"Tags": [
"rat",
"remote access trojan",
"poison ivy",
"pivy",
"Myanmar",
"asia",
"Hong Kong",
"arbornetworks"
],
"TargetedCountries": []
}
}
Human Readable Output
AlienVault OTX v2 - pulse id details
| Author | Created | Description | ID | Name | Tags | TargetedCountries |
|---|---|---|---|---|---|---|
| Username: AlienVault | 2016-04-27T05:31:06.941000 | The infamous Remote Access Trojan (RAT) Poison Ivy (hereafter referred to as PIVY) has resurfaced recently, and exhibits some new behaviors. PIVY has been observed targeting a number of Asian countries for various purposes over the past year. Palo Alto Networks’ Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists dubbed SPIVY that uses DLL sideloading and operates quite differently from a variant recently observed by ASERT that has been active for at least the past 12 months. | 57204e9b3c4c3e015d93cb12 | Poison Ivy Activity Targeting Myanmar, Asian Countries |
rat,
remote access trojan, poison ivy, pivy, Myanmar, asia, Hong Kong, arbornetworks |
12. url
Queries a URL in AlienVault OTX.
Base Command
url
Input
| Argument Name | Description | Required |
|---|---|---|
| url | The URL to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the URL is considered as malicious. If threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| URL.Data | String | The URL. |
| AlienVaultOTX.URL.Hostname | String | The host name of the URL. |
| AlienVaultOTX.URL.Domain | String | The domain of the URL. |
| AlienVaultOTX.URL.Alexa | String | The domain data for the Alexa URL. |
| AlienVaultOTX.URL.Url | String | Url |
| AlienVaultOTX.URL.Whois | String | The Whois URL for domain data. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |
Command Example
!url url=http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list"
Context Example
{
"AlienVaultOTX.URL": {
"Alexa": "http://www.alexa.com/siteinfo/fotoidea.com",
"Domain": "fotoidea.com",
"Hostname": "www.fotoidea.com",
"Url": "http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list",
"Whois": "http://whois.domaintools.com/fotoidea.com"
},
"DBotScore": {
"Indicator": "http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list",
"Score": "0",
"Type": "url",
"Vendor": "AlienVault OTX v2"
},
"URL": {
"Data": "http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list"
}
}
Human Readable Output
AlienVault OTX v2 - Results for url query
| Alexa | Domain | Hostname | Url | Whois |
|---|---|---|---|---|
| http://www.alexa.com/siteinfo/fotoidea.com | fotoidea.com | www.fotoidea.com | http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list | http://whois.domaintools.com/fotoidea.com |