AlienVault OTX v2

AlienVault OTX integration

Query Indicators of Compromise in AlienVault OTX. This integration was integrated and tested with version 1.0 of AlienVault OTX v2.

Use Cases

  • IPv4/IPv6 address, domain, hostname, file hash and passive DNS enrichment
  • Pulse searches

Configure AlienVault OTX v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for AlienVault OTX v2.
  3. Click Add instance to create and configure a new integration instance.
  4. Name: a textual name for the integration instance.
  5. Server address
  6. API Token
  7. Indicator Threshold: the minimum number of pulses to consider the indicator malicious.
  8. Trust any certificate (not secure)
  9. Use system proxy settings
  10. Click Test to validate the new instance.

Commands

    You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

    1. ip
    2. domain
    3. alienvault-search-ipv6
    4. alienvault-search-hostname
    5. file
    6. alienvault-search-cve
    7. alienvault-get-related-urls-by-indicator
    8. alienvault-get-related-hashes-by-indicator
    9. alienvault-get-passive-dns-data-by-indicator
    10. alienvault-search-pulses
    11. alienvault-get-pulse-details
    12. url

    1. ip


    Queries an IP address in AlienVault OTX.

    Base Command

    ip

    Input
    | Argument Name | Description | Required |
    | --- | --- | --- |
    | ip | The IP address to query. | Required |
    | threshold | If the number of pulses is greater than the threshold, the IP address is considered malicious. If the threshold is not specified, the default indicator threshold configured in the instance settings is used. | Optional |

    Context Output
    | Path | Type | Description |
    | --- | --- | --- |
    | IP.Address | String | The IP address. |
    | IP.ASN | String | The autonomous system name for the IP address. For example, "AS8948". |
    | IP.Geo.Country | String | The country where the IP address is located. |
    | IP.Geo.Location | String | The geolocation where the IP address is located, in the format: latitude:longitude. |
    | AlienVaultOTX.IP.Reputation | String | The reputation of the IP address. |
    | AlienVaultOTX.IP.IP | String | The IP address. |
    | DBotScore.Score | Number | The actual score. |
    | DBotScore.Type | String | The type of indicator. |
    | DBotScore.Vendor | String | The AlienVault OTX vendor. |
    | DBotScore.Indicator | String | The indicator that was tested. |

    Command Example

    !ip ip=8.8.8.8

    Context Example
    {
        "AlienVaultOTX": {
            "IP": {
                "IP": "8.8.8.8",
                "Reputation": 0
            }
        },
        "DBotScore": {
            "Indicator": "8.8.8.8",
            "Score": 3,
            "Type": "IPv4",
            "Vendor": "AlienVault OTX v2"
        },
        "IP": {
            "ASN": "AS15169 Google LLC",
            "Address": "8.8.8.8",
            "Geo": {
                "Country": "US",
                "Location": "37.751,-97.822"
            }
        }
    }
    
    Human Readable Output

    AlienVault OTX v2 - Results for IPv4 query

    | ASN | Address | Geo |
    | --- | --- | --- |
    | AS15169 Google LLC | 8.8.8.8 | Country: US; Location: 37.751,-97.822 |
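    The verdict in every enrichment command above comes from one rule: the pulse count is compared against the per-call `threshold` argument, falling back to the Indicator Threshold of the instance. The following is an added example, not the integration's own code, that reproduces that rule and the `ip` / `alienvault-search-ipv6` context shape shown above; the raw-response field names (`pulse_info.count`, `asn`, `country_code`, `latitude`, `longitude`, `reputation`), the default threshold value and the sample responses are constructed assumptions.

```python
import ipaddress
from typing import Any, Dict, Optional

VENDOR = "AlienVault OTX v2"
SCORE_GOOD, SCORE_BAD = 0, 3     # DBotScore values seen in the context examples
DEFAULT_THRESHOLD = 2            # assumption: stands in for the instance setting "Indicator Threshold"

# Constructed sample responses (not real API output). Field names follow the OTX
# "general" section for an IP indicator (assumption); only fields the context needs.
SAMPLE_IPV4 = {
    "indicator": "8.8.8.8", "reputation": 0, "asn": "AS15169 Google LLC",
    "country_code": "US", "latitude": 37.751, "longitude": -97.822,
    "pulse_info": {"count": 5},
}
SAMPLE_IPV6 = {
    "indicator": "2001:4860:4860::8888", "reputation": 0, "asn": "AS15169 Google LLC",
    "country_code": "US", "latitude": 37.751, "longitude": -97.822,
    "pulse_info": {"count": 0},
}


def effective_threshold(arg: Optional[str], default: int = DEFAULT_THRESHOLD) -> int:
    """Resolve the per-call `threshold` argument against the instance default.

    Command arguments arrive as strings from the CLI or a playbook; an absent or
    empty value means "use the instance setting".
    """
    if arg is None or str(arg).strip() == "":
        return default
    value = int(arg)
    if value < 0:
        raise ValueError("threshold must be a non-negative pulse count")
    return value


def dbot_score(pulse_count: int, threshold: int) -> int:
    """'Bigger than the threshold' is strict: a count equal to the threshold is not malicious."""
    return SCORE_BAD if pulse_count > threshold else SCORE_GOOD


def build_ip_context(raw: Dict[str, Any], threshold_arg: Optional[str] = None) -> Dict[str, Any]:
    """Map a raw IP response onto the documented context: IP, AlienVaultOTX.IP and DBotScore."""
    addr = ipaddress.ip_address(raw["indicator"])      # rejects a malformed indicator early
    ip_type = "IPv6" if addr.version == 6 else "IPv4"  # DBotScore.Type as in the examples
    count = int(raw.get("pulse_info", {}).get("count", 0))
    score = dbot_score(count, effective_threshold(threshold_arg))
    return {
        "IP": {
            "Address": str(addr),
            "ASN": raw.get("asn"),
            "Geo": {
                "Country": raw.get("country_code"),
                # the context example renders Location as "latitude,longitude"
                "Location": f"{raw['latitude']},{raw['longitude']}",
            },
        },
        "AlienVaultOTX": {"IP": {"IP": str(addr), "Reputation": raw.get("reputation")}},
        "DBotScore": {"Indicator": str(addr), "Type": ip_type, "Vendor": VENDOR, "Score": score},
    }


if __name__ == "__main__":
    import json
    # With the default threshold (2), 5 pulses -> Score 3; an explicit threshold=5 -> Score 0.
    print(json.dumps(build_ip_context(SAMPLE_IPV4), indent=2))
    print(json.dumps(build_ip_context(SAMPLE_IPV4, "5")["DBotScore"], indent=2))
```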

    2. domain


    Queries a domain in AlienVault OTX.

    Base Command

    domain

    Input
    | Argument Name | Description | Required |
    | --- | --- | --- |
    | domain | The domain to query. | Required |
    | threshold | If the number of pulses is greater than the threshold, the domain is considered malicious. If the threshold is not specified, the default indicator threshold configured in the instance settings is used. | Optional |

    Context Output
    | Path | Type | Description |
    | --- | --- | --- |
    | Domain.Name | String | The domain name. For example, "google.com". |
    | AlienVaultOTX.Domain.Alexa | String | Alexa URL for the domain data. |
    | AlienVaultOTX.Domain.Whois | String | Whois URL for the domain data. |
    | DBotScore.Indicator | String | The indicator that was tested. |
    | DBotScore.Score | Number | The actual score. |
    | DBotScore.Type | String | The type of indicator. |
    | DBotScore.Vendor | String | The AlienVault OTX vendor. |

    Command Example

    !domain domain=google.com

    Context Example
    {
        "AlienVaultOTX": {
          "Domain": {
            "Alexa": "http://www.alexa.com/siteinfo/google.com",
            "Name": "google.com",
            "Whois": "http://whois.domaintools.com/google.com"
          }
        },
        "DBotScore": {
            "Indicator": "google.com",
            "Score": 3,
            "Type": "domain",
            "Vendor": "AlienVault OTX v2"
        },
        "Domain": {
            "Name": "google.com"
        }
    }
    
    Human Readable Output

    AlienVault OTX v2 - Results for Domain query

    | Alexa | Name | Whois |
    | --- | --- | --- |
    | http://www.alexa.com/siteinfo/google.com | google.com | http://whois.domaintools.com/google.com |

    3. alienvault-search-ipv6


    Queries an IPv6 address in AlienVault OTX.

    Base Command

    alienvault-search-ipv6

    Input
    | Argument Name | Description | Required |
    | --- | --- | --- |
    | ip | The IPv6 address to query. | Required |
    | threshold | If the number of pulses is greater than the threshold, the IP address is considered malicious. If the threshold is not specified, the default indicator threshold configured in the instance settings is used. | Optional |

    Context Output
    | Path | Type | Description |
    | --- | --- | --- |
    | IP.Address | String | The IP address. |
    | IP.ASN | String | The autonomous system name for the IP address. For example, "AS8948". |
    | IP.AlienVaultOTX.Reputation | String | The IP reputation in AlienVault OTX. |
    | DBotScore.Indicator | String | The indicator that was tested. |
    | DBotScore.Score | Number | The actual score. |
    | DBotScore.Type | String | The type of the indicator. |
    | DBotScore.Vendor | String | The AlienVault OTX vendor. |

    Command Example

    !alienvault-search-ipv6 ip=2001:4860:4860::8888

    Context Example
    {
        "AlienVaultOTX": {
            "IP": {
                "IP": "2001:4860:4860::8888",
                "Reputation": 0
            }
        },
        "DBotScore": {
            "Indicator": "2001:4860:4860::8888",
            "Score": 0,
            "Type": "IPv6",
            "Vendor": "AlienVault OTX v2"
        },
        "IP": {
            "ASN": "AS15169 Google LLC",
            "Address": "2001:4860:4860::8888",
            "Geo": {
                "Country": "US",
                "Location": "37.751,-97.822"
            }
        }
    }
    
    Human Readable Output

    AlienVault OTX v2 - Results for IPv6 query

    | ASN | Address | Geo |
    | --- | --- | --- |
    | AS15169 Google LLC | 2001:4860:4860::8888 | Country: US; Location: 37.751,-97.822 |

    4. alienvault-search-hostname


    Searches for a host name in AlienVault OTX.

    Base Command

    alienvault-search-hostname

    Input
    | Argument Name | Description | Required |
    | --- | --- | --- |
    | hostname | The host name to query. | Required |
    | threshold | If the number of pulses is greater than the threshold, the host name is considered malicious. If the threshold is not specified, the default indicator threshold configured in the instance settings is used. | Optional |

    Context Output
    | Path | Type | Description |
    | --- | --- | --- |
    | Endpoint.Hostname | String | The hostname that is mapped to the endpoint. |
    | AlienVaultOTX.Endpoint.Hostname | String | The hostname that is mapped to the endpoint. |
    | AlienVaultOTX.Endpoint.Alexa | String | The Alexa URL endpoint. |
    | AlienVaultOTX.Endpoint.Whois | String | The Whois URL endpoint. |
    | DBotScore.Score | Number | The actual score. |
    | DBotScore.Type | String | The type of the indicator. |
    | DBotScore.Vendor | String | The AlienVault OTX vendor. |
    | DBotScore.Indicator | String | The indicator that was tested. |

    Command Example

    !alienvault-search-hostname hostname=demisto.com

    Context Example
    {
        "AlienVaultOTX": {
            "Endpoint": {
              "Alexa": "http://www.alexa.com/siteinfo/demisto.com",
              "Hostname": "demisto.com",
              "Whois": "http://whois.domaintools.com/demisto.com"
            } 
        },
        "DBotScore": {
            "Indicator": "demisto.com",
            "Score": 0,
            "Type": "hostname",
            "Vendor": "AlienVault OTX v2"
        },
        "Endpoint": {
            "Hostname": "demisto.com"
        }
    }
    
    Human Readable Output

    AlienVault OTX v2 - Results for Hostname query

    | Alexa | Hostname | Whois |
    | --- | --- | --- |
    | http://www.alexa.com/siteinfo/demisto.com | demisto.com | http://whois.domaintools.com/demisto.com |

    5. file


    Queries a file hash in AlienVault OTX.

    Base Command

    file

    Input
    | Argument Name | Description | Required |
    | --- | --- | --- |
    | file | The file hash to query. | Required |
    | threshold | If the number of pulses is greater than the threshold, the file is considered malicious. If the threshold is not specified, the default indicator threshold configured in the instance settings is used. | Optional |

    Context Output
    | Path | Type | Description |
    | --- | --- | --- |
    | File.MD5 | String | The MD5 hash of the file. |
    | File.SHA1 | String | The SHA1 hash of the file. |
    | File.SHA256 | String | The SHA256 hash of the file. |
    | File.Malicious.PulseIDs | String | IDs of pulses which are marked as malicious. |
    | File.Type | String | The file type, as determined by libmagic (same as displayed in file entries). |
    | File.Size | Number | The size of the file in bytes. |
    | File.SSDeep | String | The SSDeep hash of the file (same as displayed in file entries). |
    | DBotScore.Indicator | String | The indicator that was tested. |
    | DBotScore.Score | Number | The actual score. |
    | DBotScore.Type | String | The type of the indicator. |
    | DBotScore.Vendor | String | The AlienVault OTX vendor. |

    Command Example

    !file file=6c5360d41bd2b14b1565f5b18e5c203cf512e493

    Context Example
    {
        "DBotScore": {
            "Indicator": "6c5360d41bd2b14b1565f5b18e5c203cf512e493",
            "Score": 0,
            "Type": "file",
            "Vendor": "AlienVault OTX v2"
        },
        "File": {
            "MD5": "2eb14920c75d5e73264f77cfa273ad2c",
            "Malicious": {
                "PulseIDs": []
            },
            "SHA1": "6c5360d41bd2b14b1565f5b18e5c203cf512e493",
            "SHA256": "4cf9322c49adebf63311a599dc225bbcbf16a253eca59bbe1a02e4ae1d824412",
            "SSDeep": "",
            "Size": "437760",
            "Type": "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
        }
    }
    
    Human Readable Output

    AlienVault OTX v2 - Results for File hash query

    | MD5 | Malicious | SHA1 | SHA256 | SSDeep | Size | Type |
    | --- | --- | --- | --- | --- | --- | --- |
    | 2eb14920c75d5e73264f77cfa273ad2c | PulseIDs: | 6c5360d41bd2b14b1565f5b18e5c203cf512e493 | 4cf9322c49adebf63311a599dc225bbcbf16a253eca59bbe1a02e4ae1d824412 | | 437760 | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |

    6. alienvault-search-cve


    Queries a Common Vulnerabilities and Exposures (CVE) identifier in AlienVault OTX.

    Base Command

    alienvault-search-cve

    Input
    | Argument Name | Description | Required |
    | --- | --- | --- |
    | cve_id | The CVE to query. | Required |
    | threshold | If the number of pulses is greater than the threshold, the CVE is considered malicious. If the threshold is not specified, the default indicator threshold configured in the instance settings is used. | Optional |

    Context Output
    | Path | Type | Description |
    | --- | --- | --- |
    | CVE.ID | String | The ID of the CVE. For example, "CVE-2015-1653". |
    | CVE.CVSS | String | The CVSS of the CVE. For example, "10.0". |
    | CVE.Published | String | The timestamp of when the CVE was published. |
    | CVE.Modified | String | The timestamp of when the CVE was last modified. |
    | CVE.Description | String | A description of the CVE. |
    | DBotScore.Score | Number | The actual score. |
    | DBotScore.Type | String | The type of indicator. |
    | DBotScore.Vendor | String | The AlienVault OTX vendor. |
    | DBotScore.Indicator | String | The indicator that was tested. |

    Command Example

    !alienvault-search-cve cve_id=CVE-2014-0160

    Context Example
    {
        "CVE": {
            "CVSS": "5.0",
            "Description": "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.",
            "ID": "CVE-2014-0160",
            "Modified": "2019-10-09T19:09:21",
            "Published": "2014-04-07T18:55:03"
        },
        "DBotScore": {
            "Indicator": "CVE-2014-0160",
            "Score": 3,
            "Type": "cve",
            "Vendor": "AlienVault OTX v2"
        }
    }
    
    Human Readable Output

    AlienVault OTX v2 - Results for Hostname query

    | CVSS | Description | ID | Modified | Published |
    | --- | --- | --- | --- | --- |
    | 5.0 | The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. | CVE-2014-0160 | 2019-10-09T19:09:21 | 2014-04-07T18:55:03 |

    7. alienvault-get-related-urls-by-indicator


    Returns related URLs by indicator.

    Base Command

    alienvault-get-related-urls-by-indicator

    Input
    | Argument Name | Description | Required |
    | --- | --- | --- |
    | indicator_type | The type of the indicator. Can be: "IPv4", "IPv6", "domain", "hostname", or "url". | Required |
    | indicator | The indicator for which to search related URLs. | Required |

    Context Output
    | Path | Type | Description |
    | --- | --- | --- |
    | AlienVaultOTX.URL.Data | Unknown | The path of the related URLs. |

    Command Example

    !alienvault-get-related-urls-by-indicator indicator=8.8.8.8 indicator_type=IPv4

    Context Example
    {
        "AlienVaultOTX": {
          "URL": [
              {
                  "Data": "http://8.8.8.8/w/cohernece.txt"
              },
              {
                  "Data": "https://dns.google.com/resolve?name=apv3.stel.com&type=ANY&random_padding=HUmzJ9Da0EHn5FZ7yfdbqJOhiVBKnWl5DjWYk4Ba4ooy3vVFHsQmu1hM5BYEgFSKmUcfu1mcd0sBv10gOvN09oERfhQG2da2sJBpPVpk6rR2AmIxzO7FQ"
              },
              {
                  "Data": "http://8.8.8.8/siteepres/horatrtbdg.asp"
              },
              {
                  "Data": "https://dns.google.com/experimental?ct=application%2Fdns-udpwireformat&dns"
              },
              {
                  "Data": "https://dns.google/dns"
              },
              {
                  "Data": "https://dns.google.com/resolve?name=apv2.stel.com&type=ANY&random_padding=FKWsRuGcTpuYcyBx3LEJVC2dx25ihCICFP303ZhUndPC3DwfcCqp2jpO"
              },
              {
                  "Data": "https://tagnet.app/itlikf/login.php?l%3D_JeHFUq_VJOXK0QWHtoGYDw1774256418%26fid.13InboxLight.aspxn.1774256418%26fid.125289964252813InboxLight99642_Product-userid%26userid%3D"
              },
              {
                  "Data": "http://8.8.8.8/XmWLPDQ2M"
              },
              {
                  "Data": "https://paulvmoreau.github.io/BeltFedNPCs"
              }
          ]
        }
    }
    
    Human Readable Output

    AlienVault OTX v2 - Related url list to queried indicator

    Data
    https://8.8.8.8/x8me1s
    http://8.8.8.8/w/cohernece.txt
    https://dns.google.com/resolve?name=apv3.stel.com&type=ANY&random_padding=HUmzJ9Da0EHn5FZ7yfdbqJOhiVBKnWl5DjWYk4Ba4ooy3vVFHsQmu1hM5BYEgFSKmUcfu1mcd0sBv10gOvN09oERfhQG2da2sJBpPVpk6rR2AmIxzO7FQ
    http://8.8.8.8/siteepres/horatrtbdg.asp
    https://dns.google.com/experimental?ct=application%2Fdns-udpwireformat&dns
    https://dns.google/dns
    https://dns.google.com/resolve?name=apv2.stel.com&type=ANY&random_padding=FKWsRuGcTpuYcyBx3LEJVC2dx25ihCICFP303ZhUndPC3DwfcCqp2jpO
    https://tagnet.app/itlikf/login.php?l%3D_JeHFUq_VJOXK0QWHtoGYDw1774256418%26fid.13InboxLight.aspxn.1774256418%26fid.125289964252813InboxLight99642_Product-userid%26userid%3D
    http://8.8.8.8/XmWLPDQ2M
    https://paulvmoreau.github.io/BeltFedNPCs

    8. alienvault-get-related-hashes-by-indicator


    Returns related hashes by indicator.

    Base Command

    alienvault-get-related-hashes-by-indicator

    Input
    | Argument Name | Description | Required |
    | --- | --- | --- |
    | indicator | The indicator for which to search for related hashes. | Optional |
    | indicator_type | The type of the indicator. Can be: "IPv4", "IPv6", "domain", or "hostname". | Optional |

    Context Output
    | Path | Type | Description |
    | --- | --- | --- |
    | AlienVaultOTX.File.Hash | Unknown | A file hash related to the queried indicator. |

    Command Example

    !alienvault-get-related-hashes-by-indicator indicator=8.8.8.8 indicator_type=IPv4

    Context Example
    {
        "AlienVaultOTX.File": [
            {
                "Hash": "ffc2595aefa80b61621023252b5f0ccb22b6e31d7f1640913cd8ff74ddbd8b41"
            },
            {
                "Hash": "0b4d4a7c35a185680bc5102bdd98218297e2cdf0a552bde10e377345f3622c1c"
            },
            {
                "Hash": "d8b8a5c941b6a1c3cb58f7e59489b2554ed14e6c6655d1fbf6852e45404b7516"
            },
            {
                "Hash": "b3d8adc185834ab858ebf55082828cb9fc1170bbe8de222821d225a6056ff5dc"
            },
            {
                "Hash": "e43cf3f5fa5e14972ba3f159dee6e98330bd19dccc1267cfc91b1000aef975d9"
            },
            {
                "Hash": "9e11b1e769da3c8059345b36c62b4a857845bd7e14c7c14af2945ce26570d91f"
            },
            {
                "Hash": "ae695ce9b8ff4bb831721a8c60377c1757d6d4fe579640b54f3c7f62b175f506"
            },
            {
                "Hash": "093bde5d50daba59bfe68b31251cf2c39353bdfe8ad510284935ca027f269637"
            },
            {
                "Hash": "438b531ba399feb19ed7bf73657d3de6996e001ee5054c04af6b2943e41b402e"
            },
            {
                "Hash": "5019a6b3ec69eae63f716b1df74434bf66f090a6c75a594e2392c7a22f1698cc"
            }
        ]
    }
    
    Human Readable Output

    AlienVault OTX v2 - Related malware list to queried indicator

    No entries.

    9. alienvault-get-passive-dns-data-by-indicator


    Returns passive DNS records by indicator.

    Base Command

    alienvault-get-passive-dns-data-by-indicator

    Input
    | Argument Name | Description | Required |
    | --- | --- | --- |
    | indicator_type | The type of the indicator. Can be: "IPv4", "IPv6", "domain", or "hostname". | Required |
    | indicator | The indicator for which to search passive DNS records. | Required |

    Context Output
    | Path | Type | Description |
    | --- | --- | --- |
    | AlienVaultOTX.PassiveDNS.Hostname | String | The hostname value of the record. |
    | AlienVaultOTX.PassiveDNS.IP | String | The IP address of the passive DNS record. |
    | AlienVaultOTX.PassiveDNS.Domain | String | The domain value of the record. |
    | AlienVaultOTX.PassiveDNS.Type | String | The asset type. |
    | AlienVaultOTX.PassiveDNS.FirstSeen | Date | The date the record was first seen. |
    | AlienVaultOTX.PassiveDNS.LastSeen | Date | The date the record was last seen. |

    Command Example

    !alienvault-get-passive-dns-data-by-indicator indicator=8.8.8.8 indicator_type=IPv4

    Context Example
    {
        "AlienVaultOTX": {
            "PassiveDNS": [
                {
                    "FirstSeen": "2019-10-29T23:41:54+00:00",
                    "Hostname": "bjnn.com.cn",
                    "IP": "8.8.8.8",
                    "LastSeen": "2019-10-29T23:41:54+00:00",
                    "Type": "hostname"
                },
                {
                    "FirstSeen": "2019-10-29T17:01:00+00:00",
                    "Hostname": "api.cloudapps-sand.dhcs.ca.gov",
                    "IP": "8.8.8.8",
                    "LastSeen": "2019-10-29T17:01:00+00:00",
                    "Type": "hostname"
                },
                {
                    "FirstSeen": "2019-10-29T13:21:44+00:00",
                    "Hostname": "1",
                    "IP": "8.8.8.8",
                    "LastSeen": "2019-10-29T13:21:46+00:00",
                    "Type": "domain"
                },
                {
                    "FirstSeen": "2019-10-29T04:10:19+00:00",
                    "Hostname": "ronssr.xyz",
                    "IP": "8.8.8.8",
                    "LastSeen": "2019-10-29T04:10:19+00:00",
                    "Type": "domain"
                },
                {
                    "FirstSeen": "2019-10-29T01:56:59+00:00",
                    "Hostname": "true.nxtv.cn",
                    "IP": "8.8.8.8",
                    "LastSeen": "2019-10-29T01:56:59+00:00",
                    "Type": "hostname"
                },
                {
                    "FirstSeen": "2019-10-28T04:57:51+00:00",
                    "Hostname": "furymice.com",
                    "IP": "8.8.8.8",
                    "LastSeen": "2019-10-28T04:57:51+00:00",
                    "Type": "domain"
                },
                {
                    "FirstSeen": "2019-10-27T23:25:58+00:00",
                    "Hostname": "diogroup.vn",
                    "IP": "8.8.8.8",
                    "LastSeen": "2019-10-27T23:25:58+00:00",
                    "Type": "domain"
                }
            ]
        }
    }
    
    Human Readable Output

    AlienVault OTX v2 - Related passive dns list to queried indicator

    | FirstSeen | Hostname | IP | LastSeen | Type |
    | --- | --- | --- | --- | --- |
    | 2019-10-29T23:41:54+00:00 | bjnn.com.cn | 8.8.8.8 | 2019-10-29T23:41:54+00:00 | hostname |
    | 2019-10-29T17:01:00+00:00 | api.cloudapps-sand.dhcs.ca.gov | 8.8.8.8 | 2019-10-29T17:01:00+00:00 | hostname |
    | 2019-10-29T13:21:44+00:00 | 2 | 8.8.8.8 | 2019-10-29T13:21:46+00:00 | domain |
    | 2019-10-29T04:10:19+00:00 | ronssr.xyz | 8.8.8.8 | 2019-10-29T04:10:19+00:00 | domain |

    10. alienvault-search-pulses


    Searches for pulses in AlienVault OTX.

    Base Command

    alienvault-search-pulses

    Input
    | Argument Name | Description | Required |
    | --- | --- | --- |
    | page | The page of pulses to retrieve. | Required |

    Context Output
    | Path | Type | Description |
    | --- | --- | --- |
    | AlienVaultOTX.Pulses.ID | String | The ID of the pulse. |
    | AlienVaultOTX.Pulses.Author.ID | String | The ID of the author. |
    | AlienVaultOTX.Pulses.Author.Username | String | The username of the author. |
    | AlienVaultOTX.Pulses.Count | String | The pulse count. |
    | AlienVaultOTX.Pulses.Modified | Date | The date the pulse was modified. |
    | AlienVaultOTX.Pulses.Name | String | The name of the pulse. |
    | AlienVaultOTX.Pulses.Source | String | The source of the pulse. |
    | AlienVaultOTX.Pulses.SubscriberCount | String | The number of subscribers to the pulse. |
    | AlienVaultOTX.Pulses.Tags | String | The tags of the pulse. |
    | AlienVaultOTX.Pulses.Description | String | The description of the pulse. |

    Command Example

    !alienvault-search-pulses page=1

    Context Example
    {
        "AlienVaultOTX.Pulses": [
            {
                "Author": {
                    "ID": "2",
                    "Username": "AlienVault"
                },
                "Count": 28,
                "ID": "546ce8eb11d40838dc6e43f1",
                "Modified": "728 days ago ",
                "Name": "PoS Scammers Toolbox",
                "Source": "web",
                "SubscriberCount": 94133
            },
            {
                "Author": {
                    "ID": "2",
                    "Username": "AlienVault"
                },
                "Count": 11,
                "ID": "546cf5ba11d40839ea8821ca",
                "Modified": "1553 days ago ",
                "Name": " RAZOR BLADES IN THE CANDY JAR",
                "Source": "web",
                "SubscriberCount": 94115
            },
            {
                "Author": {
                    "ID": "2",
                    "Username": "AlienVault"
                },
                "Count": 10,
                "ID": "546e2e4f11d4083bc021c37d",
                "Modified": "796 days ago ",
                "Name": "Linking Asprox, Zemot, Rovix and  Rerdom Malware Families ",
                "Source": "web",
                "SubscriberCount": 94108,
                "Tags": [
                    "Asprox",
                    "Zemot",
                    "Rovix"
                ]
            },
            {
                "Author": {
                    "ID": "2",
                    "Username": "AlienVault"
                },
                "Count": 23,
                "ID": "546fc7bf11d4083bc021c37f",
                "Modified": "796 days ago ",
                "Name": "Operation Double Tap",
                "Source": "web",
                "SubscriberCount": 94113
            },
            {
                "Author": {
                    "ID": "2",
                    "Username": "AlienVault"
                },
                "Count": 60,
                "Description": "Regin is a multi-purpose data collection tool which dates back several years. Symantec first began looking into this threat in the fall of 2013. Multiple versions of Regin were found in the wild, targeting several corporations, institutions, academics, and individuals.\nRegin has a wide range of standard capabilities, particularly around monitoring targets and stealing data. It also has the ability to load custom features tailored to individual targets. Some of Regin\u2019s custom payloads point to a high level of specialist knowledge in particular sectors, such as telecoms infrastructure software, on the part of\nthe developers.",
                "ID": "5473709d11d4083bc021c387",
                "Modified": "279 days ago ",
                "Name": "Regin",
                "Source": "web",
                "SubscriberCount": 94092
            }
        ]
    }
    
    Human Readable Output

    AlienVault OTX v2 - pulse page 1

    | Author | Count | ID | Modified | Name | Source | SubscriberCount |
    | --- | --- | --- | --- | --- | --- | --- |
    | ID: 2; Username: AlienVault | 28 | 546ce8eb11d40838dc6e43f1 | 728 days ago | PoS Scammers Toolbox | web | 94133 |
    | ID: 2; Username: AlienVault | 11 | 546cf5ba11d40839ea8821ca | 1553 days ago | RAZOR BLADES IN THE CANDY JAR | web | 94115 |
    | ID: 2; Username: AlienVault | 10 | 546e2e4f11d4083bc021c37d | 796 days ago | Linking Asprox, Zemot, Rovix and Rerdom Malware Families | web | 94108 |
    | ID: 2; Username: AlienVault | 23 | 546fc7bf11d4083bc021c37f | 796 days ago | Operation Double Tap | web | 94113 |
    | ID: 2; Username: AlienVault | 60 | 5473709d11d4083bc021c387 | 279 days ago | Regin | web | 94092 |

    11. alienvault-get-pulse-details


    Returns pulse details.

    Base Command

    alienvault-get-pulse-details

    Input
    | Argument Name | Description | Required |
    | --- | --- | --- |
    | pulse_id | The ID of the pulse. | Required |

    Context Output
    | Path | Type | Description |
    | --- | --- | --- |
    | AlienVaultOTX.Pulses.Created | Date | The date the pulse was created. |
    | AlienVaultOTX.Pulses.Author.Username | String | The author username of the pulse. |
    | AlienVaultOTX.Pulses.ID | String | The ID of the pulse. |
    | AlienVaultOTX.Pulses.Name | String | The name of the pulse. |
    | AlienVaultOTX.Pulses.Tags | String | The tags of the pulse. |
    | AlienVaultOTX.Pulses.TargetedCountries | String | The targeted countries of the pulse. |
    | AlienVaultOTX.Pulses.Description | String | The description of the pulse. |

    Command Example

    !alienvault-get-pulse-details pulse_id=57204e9b3c4c3e015d93cb12

    Context Example
    {
        "AlienVaultOTX.Pulses": {
            "Author": {
                "Username": "AlienVault"
            },
            "Created": "2016-04-27T05:31:06.941000",
            "Description": "The infamous Remote Access Trojan (RAT) Poison Ivy (hereafter referred to as PIVY) has resurfaced recently, and exhibits some new behaviors. PIVY has been observed targeting a number of Asian countries for various purposes over the past year. Palo Alto Networks\u2019 Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists dubbed SPIVY that uses DLL sideloading and operates quite differently from a variant recently observed by ASERT that has been active for at least the past 12 months.",
            "ID": "57204e9b3c4c3e015d93cb12",
            "Name": "Poison Ivy Activity Targeting Myanmar, Asian Countries",
            "Tags": [
                "rat",
                "remote access trojan",
                "poison ivy",
                "pivy",
                "Myanmar",
                "asia",
                "Hong Kong",
                "arbornetworks"
            ],
            "TargetedCountries": []
        }
    }
    
    Human Readable Output

    AlienVault OTX v2 - pulse id details

    | Author | Created | Description | ID | Name | Tags | TargetedCountries |
    | --- | --- | --- | --- | --- | --- | --- |
    | Username: AlienVault | 2016-04-27T05:31:06.941000 | The infamous Remote Access Trojan (RAT) Poison Ivy (hereafter referred to as PIVY) has resurfaced recently, and exhibits some new behaviors. PIVY has been observed targeting a number of Asian countries for various purposes over the past year. Palo Alto Networks’ Unit 42 recently blogged about a new Poison Ivy variant targeting Hong Kong activists dubbed SPIVY that uses DLL sideloading and operates quite differently from a variant recently observed by ASERT that has been active for at least the past 12 months. | 57204e9b3c4c3e015d93cb12 | Poison Ivy Activity Targeting Myanmar, Asian Countries | rat, remote access trojan, poison ivy, pivy, Myanmar, asia, Hong Kong, arbornetworks | |

    12. url


    Queries a URL in AlienVault OTX.

    Base Command

    url

    Input
    | Argument Name | Description | Required |
    | --- | --- | --- |
    | url | The URL to query. | Required |
    | threshold | If the number of pulses is greater than the threshold, the URL is considered malicious. If the threshold is not specified, the default indicator threshold configured in the instance settings is used. | Optional |

    Context Output
    | Path | Type | Description |
    | --- | --- | --- |
    | URL.Data | String | The URL. |
    | AlienVaultOTX.URL.Hostname | String | The host name of the URL. |
    | AlienVaultOTX.URL.Domain | String | The domain of the URL. |
    | AlienVaultOTX.URL.Alexa | String | Alexa URL for the domain data. |
    | AlienVaultOTX.URL.Url | String | The queried URL. |
    | AlienVaultOTX.URL.Whois | String | Whois URL for the domain data. |
    | DBotScore.Indicator | String | The indicator that was tested. |
    | DBotScore.Score | Number | The actual score. |
    | DBotScore.Type | String | The type of indicator. |
    | DBotScore.Vendor | String | The AlienVault OTX vendor. |

    Command Example

    !url url=http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list

    Context Example
    {
        "AlienVaultOTX.URL": {
            "Alexa": "http://www.alexa.com/siteinfo/fotoidea.com",
            "Domain": "fotoidea.com",
            "Hostname": "www.fotoidea.com",
            "Url": "http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list",
            "Whois": "http://whois.domaintools.com/fotoidea.com"
        },
        "DBotScore": {
            "Indicator": "http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list",
            "Score": "0",
            "Type": "url",
            "Vendor": "AlienVault OTX v2"
        },
        "URL": {
            "Data": "http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list"
        }
    }
    
    Human Readable Output

    AlienVault OTX v2 - Results for url query

    | Alexa | Domain | Hostname | Url | Whois |
    | --- | --- | --- | --- | --- |
    | http://www.alexa.com/siteinfo/fotoidea.com | fotoidea.com | www.fotoidea.com | http://www.fotoidea.com/sport/4x4_san_ponso/slides/IMG_0068.html/url_list | http://whois.domaintools.com/fotoidea.com |