On the same picture, you will notice the “Date Observed:T06:40:55” label on the left. You will find a link to the OTX website in the Detail View panel of each IOC Entity, as highlighted on the picture below, which will provide more information about that particular IOC. There are currently eight types of IOCs that can be obtained from an AlienVault OTX pulse: You can also opt for a more granular approach by choosing which kind of IOC to add to the graph. You can use the To All Indicators Transform to do so. Pulses can be expanded to add the IOCs they contain to your graph. This will save you from polluting your graph with IOCs unrelated to your investigation. Because the creation of a pulse is the result of a semi-automatic process, it is best to check that its source is trustworthy and that it is only aimed at the threat that the pulse is focusing on. This allows you to focus your investigation on a particular threat actor.įinally, the To References Transform brings the URL of the source from which the pulse was created to the graph. It is possible to retrieve this adversary on the graph by using the To Adversary Transform as shown in the image below. When creating a pulse, OTX contributors can associate it with an adversary. The first Transform To Tags returns the tags added by the pulse author, which convey general information about the pulse, such as the victim’s name or the malware family to which belong the hashes linked to the pulse. Maltego offers three Transforms to gather data about the pulses: To choose from which pulses to source indicators, you will need to vet them according to your criteria. This returns ninety-five pulses, as seen on the image above.Įach pulse can contain many IOCs, which would crowd the graph if they were all added to it. For example, to investigate the Microsoft Exchange server hack, one would start from the Phrase Entity “microsoft exchange” and gather related pulses using the Search Pulses Transform. Using AlienVault OTX Pulses via Maltego Transforms □︎Īs stated before, you can search a pulse from different Entities such as a DNS name, an email address, a domain name, a hash, a CVE or even a Phrase Entity. After entering your API key, wait for the installation to finish, and you will be ready to unleash the power of OTX on your Maltego graphs. Sign up for an account here: Īfter doing so, install the AlienVault OTX item in the Maltego Transform Hub. After registering, you will be given an API key, which is required to fully exploit the OTX Transform Hub item. However, registration to the API key is free!Īll you need is a couple of minutes and an email address. Most of the AlienVault OTX Transforms are available for all Maltego users and do not require an API key, except for Transforms for pulse lookups. How to Access AlienVault OTX Transforms in Maltego □︎ To create a pulse, OTX provides its users with an extraction tool to run on documents such as a webpage or a PDF report but also from more industry specific sources like STYX or OpenIOC. A pulse links a collection of indicators to a threat. OTX users can upload indicators by creating a pulse. One of the main features of OTX is its horizontality: Everyone can participate in the discussion and submit indicators. Use Case 2: Investigating A BitCoin Miner with OTX Transforms. Use Case 1: Network Footprinting with OTX Transforms.Using the Transforms: How to Retrieve AlienVault OTX Pulses.About AlienVault OTX Integration in Maltego.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |