AlienVault OTX v2

AlienVault OTX integration

Query Indicators of Compromise in AlienVault OTX. This integration was integrated and tested with version 1.0 of AlienVault OTX v2.

Use Cases

  • IPv4/IPv6, domain, hostname, file hash, and DNS enrichment
  • Pulse searches

Configure AlienVault OTX v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for AlienVault OTX v2.
  3. Click Add instance to create and configure a new integration instance.
  4. Name: a textual name for the integration instance.
  5. Server address
  6. API Token
  7. Indicator Threshold: the minimum number of pulses needed to consider an indicator malicious.
  8. Trust any certificate (not secure)
  9. Use system proxy settings
  10. Click Test to validate the new instance.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. ip
  2. domain
  3. alienvault-search-ipv6
  4. alienvault-search-hostname
  5. file
  6. alienvault-search-cve
  7. alienvault-get-related-urls-by-indicator
  8. alienvault-get-related-hashes-by-indicator
  9. alienvault-get-passive-dns-data-by-indicator
  10. alienvault-search-pulses
  11. alienvault-get-pulse-details
  12. url

1. ip


Queries an IP address in AlienVault OTX.

Base Command

ip

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the IP address is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The IP address. |
| IP.ASN | String | The autonomous system name for the IP address. For example, "AS8948". |
| IP.Geo.Country | String | The country where the IP address is located. |
| IP.Geo.Location | String | The geolocation where the IP address is located, in the format: latitude,longitude. |
| AlienVaultOTX.IP.Reputation | String | The reputation of the IP address. |
| AlienVaultOTX.IP.IP | String | The IP address. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |
| DBotScore.Indicator | String | The indicator that was tested. |

Command Example

!ip ip=8.8.8.8

Context Example
{
    "AlienVaultOTX": {
        "IP": {
            "IP": "8.8.8.8",
            "Reputation": 0
        }
    },
    "DBotScore": {
        "Indicator": "8.8.8.8",
        "Score": 3,
        "Type": "IPv4",
        "Vendor": "AlienVault OTX v2"
    },
    "IP": {
        "ASN": "AS15169 Google LLC",
        "Address": "8.8.8.8",
        "Geo": {
            "Country": "US",
            "Location": "37.751,-97.822"
        }
    }
}
Human Readable Output

AlienVault OTX v2 - Results for IPv4 query

| ASN | Address | Geo |
| --- | --- | --- |
| AS15169 Google LLC | 8.8.8.8 | Country: US, Location: 37.751,-97.822 |
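The `threshold` argument (and the instance-level Indicator Threshold it falls back to) decides the DBotScore: more pulses than the threshold means malicious. The Python below is an added example, not the integration's own code, that turns a constructed OTX "general" response for an IPv4 indicator into the context paths listed for the ip command. The response field names (`pulse_info.count`, `asn`, `country_code`, `latitude`, `longitude`, `reputation`) are assumed from the OTX API, and the suspicious tier for a non-zero count at or below the threshold is an assumption of this example; the page only states the malicious case and shows a score of 0 when there are no pulses.

```python
"""Map an OTX 'general' response for an IPv4 indicator to Demisto context.

Added example, not the integration's own code. The response shape is assumed
from the OTX API; SAMPLE_RESPONSE below is constructed, not captured.
"""

DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3
VENDOR = "AlienVault OTX v2"
DEFAULT_THRESHOLD = 2  # stands in for the instance's Indicator Threshold setting

# Constructed sample: the shape of an OTX 'general' section for 8.8.8.8.
SAMPLE_RESPONSE = {
    "indicator": "8.8.8.8",
    "asn": "AS15169 Google LLC",
    "country_code": "US",
    "latitude": 37.751,
    "longitude": -97.822,
    "reputation": 0,
    "pulse_info": {"count": 5, "pulses": []},
}


def calculate_dbot_score(pulse_count: int, threshold=None) -> int:
    """Pulse count above the threshold is Bad; none is Unknown; in between is Suspicious (assumed)."""
    threshold = DEFAULT_THRESHOLD if threshold is None else int(threshold)
    if threshold < 0:
        raise ValueError("threshold must be a non-negative integer")
    if pulse_count > threshold:
        return DBOT_BAD
    if pulse_count > 0:
        return DBOT_SUSPICIOUS
    return DBOT_UNKNOWN


def ip_context(ip: str, response: dict, threshold=None) -> dict:
    """Build the IP, AlienVaultOTX.IP and DBotScore context entries documented for !ip."""
    pulse_count = int((response.get("pulse_info") or {}).get("count", 0))
    context = {
        "IP": {
            "Address": ip,
            "ASN": response.get("asn"),
            "Geo": {
                "Country": response.get("country_code"),
                # The page's example renders the location as "lat,lon".
                "Location": f"{response.get('latitude')},{response.get('longitude')}",
            },
        },
        "AlienVaultOTX": {"IP": {"IP": ip, "Reputation": response.get("reputation")}},
        "DBotScore": {
            "Indicator": ip,
            "Type": "IPv4",
            "Vendor": VENDOR,
            "Score": calculate_dbot_score(pulse_count, threshold),
        },
    }
    return context


if __name__ == "__main__":
    import json
    # With the default threshold of 2, five pulses exceed it and the score is 3.
    print(json.dumps(ip_context("8.8.8.8", SAMPLE_RESPONSE), indent=2))
    # A per-command threshold of 10 overrides the instance default.
    print(ip_context("8.8.8.8", SAMPLE_RESPONSE, threshold="10")["DBotScore"]["Score"])
```

Note that `Reputation` and the pulse count are independent signals: the page's own example shows a reputation of 0 alongside a score of 3, because the verdict is driven by pulse membership, not by the reputation field.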

2. domain


Queries a domain in AlienVault OTX.

Base Command

domain

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the domain is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name. For example, "google.com". |
| AlienVaultOTX.Domain.Alexa | String | Alexa URL for the domain data. |
| AlienVaultOTX.Domain.Whois | String | Whois URL for the domain data. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |

Command Example

!domain domain=google.com

Context Example
{
    "AlienVaultOTX": {
      "Domain": {
        "Alexa": "http://www.alexa.com/siteinfo/google.com",
        "Name": "google.com",
        "Whois": "http://whois.domaintools.com/google.com"
      }
    },
    "DBotScore": {
        "Indicator": "google.com",
        "Score": 3,
        "Type": "domain",
        "Vendor": "AlienVault OTX v2"
    },
    "Domain": {
        "Name": "google.com"
    }
}
Human Readable Output

AlienVault OTX v2 - Results for Domain query

| Alexa | Name | Whois |
| --- | --- | --- |
| http://www.alexa.com/siteinfo/google.com | google.com | http://whois.domaintools.com/google.com |

3. alienvault-search-ipv6


Queries an IPv6 address in AlienVault OTX.

Base Command

alienvault-search-ipv6

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IPv6 address to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the IP address is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| IP.Address | String | The IP address. |
| IP.ASN | String | The autonomous system name for the IP address. For example, "AS8948". |
| AlienVaultOTX.IP.Reputation | String | The IP reputation in AlienVault OTX. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of the indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |

Command Example

!alienvault-search-ipv6 ip=2001:4860:4860::8888

Context Example
{
    "AlienVaultOTX": {
        "IP": {
            "IP": "2001:4860:4860::8888",
            "Reputation": 0
        }
    },
    "DBotScore": {
        "Indicator": "2001:4860:4860::8888",
        "Score": 0,
        "Type": "IPv6",
        "Vendor": "AlienVault OTX v2"
    },
    "IP": {
        "ASN": "AS15169 Google LLC",
        "Address": "2001:4860:4860::8888",
        "Geo": {
            "Country": "US",
            "Location": "37.751,-97.822"
        }
    }
}
Human Readable Output

AlienVault OTX v2 - Results for IPv6 query

| ASN | Address | Geo |
| --- | --- | --- |
| AS15169 Google LLC | 2001:4860:4860::8888 | Country: US, Location: 37.751,-97.822 |

4. alienvault-search-hostname


Searches for a host name in AlienVault OTX.

Base Command

alienvault-search-hostname

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| hostname | The host name to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the host name is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Endpoint.Hostname | String | The hostname that is mapped to the endpoint. |
| AlienVaultOTX.Endpoint.Hostname | String | The hostname that is mapped to the endpoint. |
| AlienVaultOTX.Endpoint.Alexa | String | The Alexa URL endpoint. |
| AlienVaultOTX.Endpoint.Whois | String | The Whois URL endpoint. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of the indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |
| DBotScore.Indicator | String | The indicator that was tested. |

Command Example

!alienvault-search-hostname hostname=demisto.com

Context Example
{
    "AlienVaultOTX": {
        "Endpoint": {
          "Alexa": "http://www.alexa.com/siteinfo/demisto.com",
          "Hostname": "demisto.com",
          "Whois": "http://whois.domaintools.com/demisto.com"
        }
    },
    "DBotScore": {
        "Indicator": "demisto.com",
        "Score": 0,
        "Type": "hostname",
        "Vendor": "AlienVault OTX v2"
    },
    "Endpoint": {
        "Hostname": "demisto.com"
    }
}
Human Readable Output

AlienVault OTX v2 - Results for Hostname query

| Alexa | Hostname | Whois |
| --- | --- | --- |
| http://www.alexa.com/siteinfo/demisto.com | demisto.com | http://whois.domaintools.com/demisto.com |

5. file


Queries a file hash in AlienVault OTX.

Base Command

file

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| file | The file hash to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the file is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| File.MD5 | String | The MD5 hash of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.Malicious.PulseIDs | String | IDs of pulses which are marked as malicious. |
| File.Type | String | The file type, as determined by libmagic (same as displayed in file entries). |
| File.Size | Number | The size of the file in bytes. |
| File.SSDeep | String | The SSDeep hash of the file (same as displayed in file entries). |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of the indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |

Command Example

!file file=6c5360d41bd2b14b1565f5b18e5c203cf512e493

Context Example
{
    "DBotScore": {
        "Indicator": "6c5360d41bd2b14b1565f5b18e5c203cf512e493",
        "Score": 0,
        "Type": "file",
        "Vendor": "AlienVault OTX v2"
    },
    "File": {
        "MD5": "2eb14920c75d5e73264f77cfa273ad2c",
        "Malicious": {
            "PulseIDs": []
        },
        "SHA1": "6c5360d41bd2b14b1565f5b18e5c203cf512e493",
        "SHA256": "4cf9322c49adebf63311a599dc225bbcbf16a253eca59bbe1a02e4ae1d824412",
        "SSDeep": "",
        "Size": "437760",
        "Type": "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
    }
}
Human Readable Output

AlienVault OTX v2 - Results for File hash query

| MD5 | Malicious | SHA1 | SHA256 | SSDeep | Size | Type |
| --- | --- | --- | --- | --- | --- | --- |
| 2eb14920c75d5e73264f77cfa273ad2c | PulseIDs: | 6c5360d41bd2b14b1565f5b18e5c203cf512e493 | 4cf9322c49adebf63311a599dc225bbcbf16a253eca59bbe1a02e4ae1d824412 | | 437760 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |

6. alienvault-search-cve


Queries a Common Vulnerabilities and Exposures (CVE) entry in AlienVault OTX.

Base Command

alienvault-search-cve

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| cve_id | The CVE to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the CVE is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| CVE.ID | String | The ID of the CVE. For example, "CVE-2015-1653". |
| CVE.CVSS | String | The CVSS of the CVE. For example, "10.0". |
| CVE.Published | String | The timestamp of when the CVE was published. |
| CVE.Modified | String | The timestamp of when the CVE was last modified. |
| CVE.Description | String | A description of the CVE. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |
| DBotScore.Indicator | String | The indicator that was tested. |

Command Example

!alienvault-search-cve cve_id=CVE-2014-0160

Context Example
{
    "CVE": {
        "CVSS": "5.0",
        "Description": "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.",
        "ID": "CVE-2014-0160",
        "Modified": "2019-10-09T19:09:21",
        "Published": "2014-04-07T18:55:03"
    },
    "DBotScore": {
        "Indicator": "CVE-2014-0160",
        "Score": 3,
        "Type": "cve",
        "Vendor": "AlienVault OTX v2"
    }
}
Human Readable Output

AlienVault OTX v2 - Results for Hostname query

| CVSS | Description | ID | Modified | Published |
| --- | --- | --- | --- | --- |
| 5.0 | The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. | CVE-2014-0160 | 2019-10-09T19:09:21 | 2014-04-07T18:55:03 |

7. alienvault-get-related-urls-by-indicator


Returns the URLs related to an indicator.

Base Command

alienvault-get-related-urls-by-indicator

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_type | The type of the indicator. Can be: "IPv4", "IPv6", "domain", "hostname", or "url". | Required |
| indicator | The indicator for which to search related URLs. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| AlienVaultOTX.URL.Data | Unknown | A URL related to the queried indicator. |

Command Example

!alienvault-get-related-urls-by-indicator indicator=8.8.8.8 indicator_type=IPv4

Context Example
{
    "AlienVaultOTX": {
      "URL": [
          {
              "Data": "http://8.8.8.8/w/cohernece.txt"
          },
          {
              "Data": "https://dns.google.com/resolve?name=apv3.stel.com&type=ANY&random_padding=HUmzJ9Da0EHn5FZ7yfdbqJOhiVBKnWl5DjWYk4Ba4ooy3vVFHsQmu1hM5BYEgFSKmUcfu1mcd0sBv10gOvN09oERfhQG2da2sJBpPVpk6rR2AmIxzO7FQ"
          },
          {
              "Data": "http://8.8.8.8/siteepres/horatrtbdg.asp"
          },
          {
              "Data": "https://dns.google.com/experimental?ct=application%2Fdns-udpwireformat&dns"
          },
          {
              "Data": "https://dns.google/dns"
          },
          {
              "Data": "https://dns.google.com/resolve?name=apv2.stel.com&type=ANY&random_padding=FKWsRuGcTpuYcyBx3LEJVC2dx25ihCICFP303ZhUndPC3DwfcCqp2jpO"
          },
          {
              "Data": "https://tagnet.app/itlikf/login.php?l%3D_JeHFUq_VJOXK0QWHtoGYDw1774256418%26fid.13InboxLight.aspxn.1774256418%26fid.125289964252813InboxLight99642_Product-userid%26userid%3D"
          },
          {
              "Data": "http://8.8.8.8/XmWLPDQ2M"
          },
          {
              "Data": "https://paulvmoreau.github.io/BeltFedNPCs"
          }
      ]
    }
}
Human Readable Output

AlienVault OTX v2 - Related url list to queried indicator

Data
https://8.8.8.8/x8me1s
http://8.8.8.8/w/cohernece.txt
https://dns.google.com/resolve?name=apv3.stel.com&type=ANY&random_padding=HUmzJ9Da0EHn5FZ7yfdbqJOhiVBKnWl5DjWYk4Ba4ooy3vVFHsQmu1hM5BYEgFSKmUcfu1mcd0sBv10gOvN09oERfhQG2da2sJBpPVpk6rR2AmIxzO7FQ
http://8.8.8.8/siteepres/horatrtbdg.asp
https://dns.google.com/experimental?ct=application%2Fdns-udpwireformat&dns
https://dns.google/dns
https://dns.google.com/resolve?name=apv2.stel.com&type=ANY&random_padding=FKWsRuGcTpuYcyBx3LEJVC2dx25ihCICFP303ZhUndPC3DwfcCqp2jpO
https://tagnet.app/itlikf/login.php?l%3D_JeHFUq_VJOXK0QWHtoGYDw1774256418%26fid.13InboxLight.aspxn.1774256418%26fid.125289964252813InboxLight99642_Product-userid%26userid%3D
http://8.8.8.8/XmWLPDQ2M
https://paulvmoreau.github.io/BeltFedNPCs

8. alienvault-get-related-hashes-by-indicator


Returns the file hashes related to an indicator.

Base Command

alienvault-get-related-hashes-by-indicator

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| indicator | The indicator for which to search for related hashes. | Optional |
| indicator_type | The type of the indicator. Can be: "IPv4", "IPv6", "domain", or "hostname". | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| AlienVaultOTX.File.Hash | Unknown | A file hash related to the queried indicator. |

Command Example

!alienvault-get-related-hashes-by-indicator indicator=8.8.8.8 indicator_type=IPv4

Context Example
{
    "AlienVaultOTX.File": [
        {
            "Hash": "ffc2595aefa80b61621023252b5f0ccb22b6e31d7f1640913cd8ff74ddbd8b41"
        },
        {
            "Hash": "0b4d4a7c35a185680bc5102bdd98218297e2cdf0a552bde10e377345f3622c1c"
        },
        {
            "Hash": "d8b8a5c941b6a1c3cb58f7e59489b2554ed14e6c6655d1fbf6852e45404b7516"
        },
        {
            "Hash": "b3d8adc185834ab858ebf55082828cb9fc1170bbe8de222821d225a6056ff5dc"
        },
        {
            "Hash": "e43cf3f5fa5e14972ba3f159dee6e98330bd19dccc1267cfc91b1000aef975d9"
        },
        {
            "Hash": "9e11b1e769da3c8059345b36c62b4a857845bd7e14c7c14af2945ce26570d91f"
        },
        {
            "Hash": "ae695ce9b8ff4bb831721a8c60377c1757d6d4fe579640b54f3c7f62b175f506"
        },
        {
            "Hash": "093bde5d50daba59bfe68b31251cf2c39353bdfe8ad510284935ca027f269637"
        },
        {
            "Hash": "438b531ba399feb19ed7bf73657d3de6996e001ee5054c04af6b2943e41b402e"
        },
        {
            "Hash": "5019a6b3ec69eae63f716b1df74434bf66f090a6c75a594e2392c7a22f1698cc"
        }
    ]
}
Human Readable Output

AlienVault OTX v2 - Related malware list to queried indicator

**No entries.**

9. alienvault-get-passive-dns-data-by-indicator


Returns the passive DNS records for an indicator.

Base Command

alienvault-get-passive-dns-data-by-indicator

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_type | The type of the indicator. Can be: "IPv4", "IPv6", "domain", or "hostname". | Required |
| indicator | The indicator for which to search passive DNS records. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| AlienVaultOTX.PassiveDNS.Hostname | String | The hostname value of the record. |
| AlienVaultOTX.PassiveDNS.IP | String | The IP address the record resolved to. |
| AlienVaultOTX.PassiveDNS.Domain | String | The domain value of the record. |
| AlienVaultOTX.PassiveDNS.Type | String | The asset type. |
| AlienVaultOTX.PassiveDNS.FirstSeen | Date | The date first seen. |
| AlienVaultOTX.PassiveDNS.LastSeen | Date | The date last seen. |

Command Example

!alienvault-get-passive-dns-data-by-indicator indicator=8.8.8.8 indicator_type=IPv4

Context Example
{
    "AlienVaultOTX": {
      "PassiveDNS": [
        {
            "FirstSeen": "2019-10-29T23:41:54+00:00",
            "Hostname": "bjnn.com.cn",
            "IP": "8.8.8.8",
            "LastSeen": "2019-10-29T23:41:54+00:00",
            "Type": "hostname"
        },
        {
            "FirstSeen": "2019-10-29T17:01:00+00:00",
            "Hostname": "api.cloudapps-sand.dhcs.ca.gov",
            "IP": "8.8.8.8",
            "LastSeen": "2019-10-29T17:01:00+00:00",
            "Type": "hostname"
        },
        {
            "FirstSeen": "2019-10-29T13:21:44+00:00",
            "Hostname": "1",
            "IP": "8.8.8.8",
            "LastSeen": "2019-10-29T13:21:46+00:00",
            "Type": "domain"
        },
        {
            "FirstSeen": "2019-10-29T04:10:19+00:00",
            "Hostname": "ronssr.xyz",
            "IP": "8.8.8.8",
            "LastSeen": "2019-10-29T04:10:19+00:00",
            "Type": "domain"
        },
        {
            "FirstSeen": "2019-10-29T01:56:59+00:00",
            "Hostname": "true.nxtv.cn",
            "IP": "8.8.8.8",
            "LastSeen": "2019-10-29T01:56:59+00:00",
            "Type": "hostname"
        },
        {
            "FirstSeen": "2019-10-28T04:57:51+00:00",
            "Hostname": "furymice.com",
            "IP": "8.8.8.8",
            "LastSeen": "2019-10-28T04:57:51+00:00",
            "Type": "domain"
        },
        {
            "FirstSeen": "2019-10-27T23:25:58+00:00",
            "Hostname": "diogroup.vn",
            "IP": "8.8.8.8",
            "LastSeen": "2019-10-27T23:25:58+00:00",
            "Type": "domain"
        }
      ]
    }
}
Human Readable Output

AlienVault OTX v2 - Related passive dns list to queried indicator

| FirstSeen | Hostname | IP | LastSeen | Type |
| --- | --- | --- | --- | --- |
| 2019-10-29T23:41:54+00:00 | bjnn.com.cn | 8.8.8.8 | 2019-10-29T23:41:54+00:00 | hostname |
| 2019-10-29T17:01:00+00:00 | api.cloudapps-sand.dhcs.ca.gov | 8.8.8.8 | 2019-10-29T17:01:00+00:00 | hostname |
| 2019-10-29T13:21:44+00:00 | 2 | 8.8.8.8 | 2019-10-29T13:21:46+00:00 | domain |
| 2019-10-29T04:10:19+00:00 | ronssr.xyz | 8.8.8.8 | 2019-10-29T04:10:19+00:00 | domain |

10. alienvault-search-pulses


Searches for pulses in AlienVault OTX.

Base Command

alienvault-search-pulses

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| page | The page of pulse search results to retrieve. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| AlienVaultOTX.Pulses.ID | String | The ID of the pulse. |
| AlienVaultOTX.Pulses.Author.ID | String | The ID of the author. |
| AlienVaultOTX.Pulses.Author.Username | String | The username of the author. |
| AlienVaultOTX.Pulses.Count | String | The pulse count. |
| AlienVaultOTX.Pulses.Modified | Date | The date the pulse was last modified. |
| AlienVaultOTX.Pulses.Name | String | The name of the pulse. |
| AlienVaultOTX.Pulses.Source | String | The source of the pulse. |
| AlienVaultOTX.Pulses.SubscriberCount | String | The number of subscribers to the pulse. |
| AlienVaultOTX.Pulses.Tags | String | The tags of the pulse. |
| AlienVaultOTX.Pulses.Description | String | The description of the pulse. |

Command Example

!alienvault-search-pulses page=1

Context Example
{
    "AlienVaultOTX.Pulses": [
        {
            "Author": {
                "ID": "2",
                "Username": "AlienVault"
            },
            "Count": 28,
            "ID": "546ce8eb11d40838dc6e43f1",
            "Modified": "728 days ago ",
            "Name": "PoS Scammers Toolbox",
            "Source": "web",
            "SubscriberCount": 94133
        },
        {
            "Author": {
                "ID": "2",
                "Username": "AlienVault"
            },
            "Count": 11,
            "ID": "546cf5ba11d40839ea8821ca",
            "Modified": "1553 days ago ",
            "Name": " RAZOR BLADES IN THE CANDY JAR",
            "Source": "web",
            "SubscriberCount": 94115
        },
        {
            "Author": {
                "ID": "2",
                "Username": "AlienVault"
            },
            "Count": 10,
            "ID": "546e2e4f11d4083bc021c37d",
            "Modified": "796 days ago ",
            "Name": "Linking Asprox, Zemot, Rovix and  Rerdom Malware Families ",
            "Source": "web",
            "SubscriberCount": 94108,
            "Tags": [
                "Asprox",
                "Zemot",
                "Rovix"
            ]
        },
        {
            "Author": {
                "ID": "2",
                "Username": "AlienVault"
            },
            "Count": 23,
            "ID": "546fc7bf11d4083bc021c37f",
            "Modified": "796 days ago ",
            "Name": "Operation Double Tap",
            "Source": "web",
            "SubscriberCount": 94113
        },
        {
            "Author": {
                "ID": "2",
                "Username": "AlienVault"
            },
            "Count": 60,
            "Description": "Regin is a multi-purpose data collection tool which dates back several years. Symantec first began looking into this threat in the fall of 2013. Multiple versions of Regin were found in the wild, targeting several corporations, institutions, academics, and individuals.\nRegin has a wide range of standard capabilities, particularly around monitoring targets and stealing data. It also has the ability to load custom features tailored to individual targets. Some of Regin\u2019s custom payloads point to a high level of specialist knowledge in particular sectors, such as telecoms infrastructure software, on the part of\nthe developers.",
            "ID": "5473709d11d4083bc021c387",
            "Modified": "279 days ago ",
            "Name": "Regin",
            "Source": "web",
            "SubscriberCount": 94092
        }
    ]
}
Human Readable Output

AlienVault OTX v2 - pulse page 1

| Author | Count | ID | Modified | Name | Source | SubscriberCount |
| --- | --- | --- | --- | --- | --- | --- |
| ID: 2, Username: AlienVault | 28 | 546ce8eb11d40838dc6e43f1 | 728 days ago | PoS Scammers Toolbox | web | 94133 |
| ID: 2, Username: AlienVault | 11 | 546cf5ba11d40839ea8821ca | 1553 days ago | RAZOR BLADES IN THE CANDY JAR | web | 94115 |
| ID: 2, Username: AlienVault | 10 | 546e2e4f11d4083bc021c37d | 796 days ago | Linking Asprox, Zemot, Rovix and Rerdom Malware Families | web | 94108 |
| ID: 2, Username: AlienVault | 23 | 546fc7bf11d4083bc021c37f | 796 days ago | Operation Double Tap | web | 94113 |
| ID: 2, Username: AlienVault | 60 | 5473709d11d4083bc021c387 | 279 days ago | Regin | web | 94092 |

11. alienvault-get-pulse-details


Returns the details of a single pulse.

Base Command

alienvault-get-pulse-details

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| pulse_id | The ID of the pulse. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| AlienVaultOTX.Pulses.Created | Date | The date the pulse was created. |
| AlienVaultOTX.Pulses.Author.Username | String | The author username of the pulse. |
| AlienVaultOTX.Pulses.ID | String | The ID of the pulse. |
| AlienVaultOTX.Pulses.Name | String | The name of the pulse. |
| AlienVaultOTX.Pulses.Tags | String | The tags of the pulse. |
| AlienVaultOTX.Pulses.TargetedCountries | String | The targeted countries of the pulse. |
| AlienVaultOTX.Pulses.Description | String | The description of the pulse. |

Command Example

!alienvault-get-pulse-details pulse_id=57204e9b3c4c3e015d93cb12

Context Example
{
    "AlienVaultOTX.Pulses": {
        "Author": {
            "Username": "AlienVault"
        },
        "Created": "2016-04-27T05:31:06.941000",
        "Description": "The infamous Remote Access Trojan (RAT) Poison Ivy (hereafter referred to as PIVY) has resurfaced recently, and exhibits some new behaviors. PIVY has been observed targeting a number of Asian countries for various purposes over the past year. Palo Alto Networks\u2019 Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists dubbed SPIVY that uses DLL sideloading and operates quite differently from a variant recently observed by ASERT that has been active for at least the past 12 months.",
        "ID": "57204e9b3c4c3e015d93cb12",
        "Name": "Poison Ivy Activity Targeting Myanmar, Asian Countries",
        "Tags": [
            "rat",
            "remote access trojan",
            "poison ivy",
            "pivy",
            "Myanmar",
            "asia",
            "Hong Kong",
            "arbornetworks"
        ],
        "TargetedCountries": []
    }
}
Human Readable Output

AlienVault OTX v2 - pulse id details

| Author | Created | Description | ID | Name | Tags | TargetedCountries |
| --- | --- | --- | --- | --- | --- | --- |
| Username: AlienVault | 2016-04-27T05:31:06.941000 | The infamous Remote Access Trojan (RAT) Poison Ivy (hereafter referred to as PIVY) has resurfaced recently, and exhibits some new behaviors. PIVY has been observed targeting a number of Asian countries for various purposes over the past year. Palo Alto Networks' Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists dubbed SPIVY that uses DLL sideloading and operates quite differently from a variant recently observed by ASERT that has been active for at least the past 12 months. | 57204e9b3c4c3e015d93cb12 | Poison Ivy Activity Targeting Myanmar, Asian Countries | rat, remote access trojan, poison ivy, pivy, Myanmar, asia, Hong Kong, arbornetworks | |

12. url


Queries a URL in AlienVault OTX.

Base Command

url

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| url | The URL to query. | Required |
| threshold | If the number of pulses is bigger than the threshold, the URL is considered as malicious. If the threshold is not specified, the default indicator threshold is used, which is configured in the instance settings. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| URL.Data | String | The URL. |
| AlienVaultOTX.URL.Hostname | String | The host name of the URL. |
| AlienVaultOTX.URL.Domain | String | The domain of the URL. |
| AlienVaultOTX.URL.Alexa | String | The Alexa URL for the domain data. |
| AlienVaultOTX.URL.Url | String | The queried URL. |
| AlienVaultOTX.URL.Whois | String | The Whois URL for the domain data. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The type of indicator. |
| DBotScore.Vendor | String | The AlienVault OTX vendor. |

Command Example

!url url=http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list

Context Example
{
    "AlienVaultOTX.URL": {
        "Alexa": "http://www.alexa.com/siteinfo/fotoidea.com",
        "Domain": "fotoidea.com",
        "Hostname": "www.fotoidea.com",
        "Url": "http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list",
        "Whois": "http://whois.domaintools.com/fotoidea.com"
    },
    "DBotScore": {
        "Indicator": "http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list",
        "Score": "0",
        "Type": "url",
        "Vendor": "AlienVault OTX v2"
    },
    "URL": {
        "Data": "http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list"
    }
}
Human Readable Output

AlienVault OTX v2 - Results for url query

| Alexa | Domain | Hostname | Url | Whois |
| --- | --- | --- | --- | --- |
| http://www.alexa.com/siteinfo/fotoidea.com | fotoidea.com | www.fotoidea.com | http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list | http://whois.domaintools.com/fotoidea.com |