Incoming feed - AlienVault OTX Pulses Feed

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.

Specifications

Transport types

AlienVault OTX Pulses Feed

Content type

AlienVault OTX Pulses JSON

Ingested data

Ingests pulses you subscribe to on AlienVault OTX as reports and related entities on the platform.

Endpoint(s)

/api/v1/pulses/subscribed

Processed data

See Data mapping.

Requirements

  • AlienVault OTX API key.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select AlienVault OTX Pulses Feed from the drop-down menu.

    Content type*

    Select AlienVault OTX Pulses JSON from the drop-down menu.

    API URL*

    By default, this is set to https://otx.alienvault.com.

    API key*

    Set this to your AlienVault OTX API key.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    For more information, see SSL certificates.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Store your changes by selecting Save.

SSL certificates

To use an SSL certificate with the platform, it must be:

  • Accessible on the EclecticIQ Platform host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that the platform can access the SSL certificate:

  1. Upload the SSL certificate to a location on the platform host.

  2. On the platform host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.

Limitations

A maximum of 100 IoCs can be ingested per pulse, not including the pulse itself. This cannot be changed.

Data mapping

The sections below contain non-exhaustive information about how AlienVault OTX Pulses Feed data is mapped to EclecticIQ Platform entities and observables.

Generally:

  • The ingested pulse is ingested as a Report entity.

    • Pulse metadata such as tags, ATT&CK IDs, and Malware Families are attached to the resulting Report as tags.

    • If a pulse is associated with an adversary, that adversary is ingested as a Threat Actor entity.

  • IoCs associated with the pulse are ingested as the appropriate entity types. For example, File hash IoCs are ingested as Indicators with file type observables, related to the report.

  • CVE IoCs are ingested as Exploit Targets.

  • YARA IoCs are ingested as Indicators, and set as that Indicator entity’s Test Mechanism.

More details in the following sections:

Mapped relationships

  • Report –> Threat Actor

  • Report –> Exploit Target

  • Report –> Indicators

Map pulse to reports

Each pulse ingested from AlienVault OTX Pulses Feed produces a Report entity.

Field name

Mapped from feed source

Example value

Description

Title

name

Pulse: UNC2198 Updates Tactics to Deploy EGREGOR Ransomware instead of MAZE Ransomware in Post ICEDID Infections

Title of report, prefixed with “Pulse”.

Description

description

FireEye tracks the shifting tactics, techniques, and procedures of … has started to deploy EGREGOR ransomware in favor of MAZE ransomware following access acquired from ICEDID infections.

Text description of ingested pulse.

Tags

  • tags

  • malware_families

  • attack_ids

  • industries

UNC2198 IceID Egregor T1003

Tags added to the Report entity are:

  • Tags attached to the ingested pulse.

  • Malware families from the ingested pulse.

  • ATT&CK IDs from the ingested pulse.

  • Associated industries from the ingested pulse.

Estimated time

  • Various

See Map Report timestamps

See Map Report timestamps

Information source

  • Various

See Map information source

See Map information source

Map adversary to Threat Actor

If a pulse is associated with an adversary, that adversary is ingested as a Threat Actor entity.

Field name

Mapped from feed source

Example value

Description

Title

adversary

Threat Actor: UNC2198

Name of adversary. We derive this from the adversary field of an ingested pulse.

Tags

  • industries

Defense Manufacturing Energy

Associated industries from the ingested pulse are also added to the entity.

Information source

  • Various

See Map information source

See Map information source

Map CVE to Exploit Target

Field name

Mapped from feed source

Example value

Description

Title

if indicators[].type is CVE, this takes the value of indicators[].indicator

CVE-2021-26858

CVE ID.

Analysis

  • indicators[].title

  • indicators[].description

  • indicators[].role


Additional information about the CVE, if available from the ingested pulse.

Information may not appear here, as AlienVault OTX appears to pull this from an external information source.

Characteristic > Vulnerability > CVE-ID

  • indicators[].indicator

CVE-2021-26858

Vulnerability characteristic is set as the CVE ID.

Tags

  • industries

Defense Manufacturing Energy

Associated industries from the ingested pulse are also added to the entity.

Estimated time

  • Various

See Map Report timestamps

See Map Report timestamps

Information source

  • Various

See Map information source

See Map information source

Map IoCs to entities

From each IoC ingested, we create:

  • One entity carrying the name of the IoC.

  • An observable with the same name, carrying the IoC type.

For example, the ingesting the IoC 5.149.253.199 creates:

  • One Indicator with title 5.149.253.199.

  • An ipv4 observable with the same title.

The following table shows how IoCs are generally mapped to entities on the platform.

For a list of how IoCs are mapped to entity types and related observables, see Supported IoCs.

Entity field name

Mapped from AlienVault OTX Pulses JSON

Example value

Description

Title

  • indicators[].indicator

5.149.253.199

This is the title of the ingested Indicator.

Analysis

  • items[].phishingDomain.title

example.com

Contains additional information about the IoC, if available.

Characteristics > Test mechanism

  • N/A

  • N/A

If the ingested IoC is:

  • a YARA rule

  • an osquery query

a Test mechanism is added containing additional information.

Tags

  • industries

Defense Manufacturing Energy

Associated industries from the ingested pulse are also added to the entity.

Estimated time

  • Various

Various

See Map Indicator timestamps.

Producer

  • Various

Various

See Map information source.

Supported IoCs

The following table describes IoCs supported, and how they are ingested in the platform.

IoC type

Mapped to Entity type

Created observable type

Description

IPv4

Indicator

ipv4


IPv6

Indicator

ipv6


domain

Indicator

domain


hostname

Indicator

host


email

Indicator

email


URL

Indicator

uri, domain, ipv4 (if available)


URI

Indicator

uri


FileHash-*

Indicator

hash-md5, hash-sha1, hash-sha256, hash-sha512, hash-rich-pe-header, hash-imphash

FileHash-* IoCs are processed to find related hashes:

  • FileHash-MD5

  • FileHash-SHA1

  • FileHash-SHA256

  • FileHash-SHA512

  • FileHash-PEHASH

  • FileHash-IMPHASH

Related file hashes are merged into a single indicator, and the found file hash variants are set as observables for that indicator.

CIDR

Indicator

ipv4


FilePath

Indicator

file


Mutex

Indicator

mutex


CVE

Exploit target

cve

See Map CVE to Exploit Target.

YARA

Indicator

yara

The YARA rule is added to the Indicator as a Characteristics > Test mechanism.

JA3

Indicator

ja3-full


osquery

Indicator

N/A

osquery IoCs are ingested as indicators without a related observable.

The platform currently does not support osquery observables.

The osquery query is added to the Indicator as a Characteristics > Test mechanism.

SSLCertFingerprint

Indicator

N/A

SSLCertFingerprint IoCs are ingested as indicators without a related observable.

The platform currently does not support SSLCertFingerprint observables.

BitcoinAddress

Indicator

bank account


Adversary

Threat Actor

N/A

Adversaries are ingested as Threat Actors. See Map adversary to Threat Actor.

Map Report timestamps

The following table describes how AlienVault OTX Pulses JSON timestamps are mapped to Reports.

Indicator estimated time field

AlienVault OTX Pulses JSON field

Estimated threat start time

created

Estimated observed time

created

Ingested

Date and time ingested.

Map Indicator timestamps

The following table describes how AlienVault OTX Pulses JSON timestamps are mapped to Indicator timestamps on the platform.

Indicator estimated time field

AlienVault OTX Pulses JSON field

Estimated threat start time

indicators[].created

Estimated threat end time

indicators[].expiration

Estimated observed time

indicators[].created

Ingested

Date and time ingested.

Map information source

The following table describes how AlienVault OTX Pulses JSON metadata is mapped information source attributes on the platform.

Field name

Mapped from AlienVault OTX Pulses JSON

Example value

Description

Description

  • N/A

Pulse Creator

Always set to Pulse Creator.

Identity

  • author_name

AlienVault

Takes the value of author_name in AlienVault OTX Pulses JSON if available. Otherwise, defaults to AlienVault.

Roles

  • N/A

Initial Author

Role of information source. Always set to “Initial Author”.

References

references

https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html

One or more links that lead to source information.