OTX and Community Feeds

Leverage AlienVault OTX and community threat intelligence feeds for detection and hunting.

Last updated: February 2026

Purpose and Scope

AlienVault Open Threat Exchange (OTX) is a community-driven threat intelligence sharing platform. Together with other community feeds, it provides free access to indicators, context, and detection rules. This playbook covers how to use OTX and community feeds effectively in SOC operations.

Prerequisites

  • OTX account: Free account at otx.alienvault.com
  • API key: Generated in your OTX account settings; needed for programmatic access and integrations. Treat it as a credential, not as configuration.
  • SIEM or TIP: Platform to ingest and correlate threat feeds
  • Feed evaluation criteria: Understanding of how to assess feed quality

Understanding OTX

Pulses

Pulses are collections of indicators with context:

  • IOCs (IPs, domains, URLs, hashes)
  • Descriptions and context about the threat
  • MITRE ATT&CK mapping
  • Related malware families and campaigns
  • Detection rules (YARA, Snort, etc.)

Subscriptions

  • Subscribe to pulses from trusted authors
  • Subscribe to groups focused on specific threats
  • Follow industry or regional feeds
  • Get notifications when subscribed pulses update

Indicators

OTX supports multiple indicator types:

  • IPv4 and IPv6 addresses
  • Domain names and hostnames
  • URLs
  • File hashes (MD5, SHA1, SHA256)
  • Email addresses
  • CVE identifiers
  • CIDR ranges

OTX Workflow

1. Subscribe to Relevant Feeds

  • Search for pulses related to your industry or threat profile
  • Evaluate pulse authors for credibility
  • Subscribe to official vendor and research group feeds
  • Follow feeds focused on specific malware families you see

2. Integrate with SIEM

  • Configure OTX DirectConnect or API integration
  • Map indicators to appropriate log fields
  • Set up alerting for indicator matches
  • Configure refresh intervals for feed updates

3. Investigate Matches

When an indicator matches:

  • Review the pulse context for threat details
  • Check when the indicator was added: IP addresses and domains are reassigned over time, so an old network indicator may now point at legitimate infrastructure
  • Assess relevance to your environment
  • Validate against other sources
  • Investigate affected systems

4. Contribute Back

  • Share indicators from your investigations
  • Add context and analysis to pulses
  • Validate or refute community contributions
  • Build reputation as a trusted contributor
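The four steps above as one runnable script. This is an added example, not RedPhish's or AlienVault's code: it polls the OTX v1 subscribed-pulses endpoint with the X-OTX-API-KEY header (only when an OTX_API_KEY environment variable is set), flattens each pulse into indicator records that keep the pulse context, and matches them against log lines. The sample pulse mirrors the field names of a /pulses/subscribed result (id, name, author_name, attack_ids, indicators[].indicator/type/created) but its values, the log lines and the regex extractors are constructed for this example; a SIEM would match on parsed fields instead of regexes.

```python
import json
import os
import re
import urllib.request
from datetime import datetime, timezone

OTX_BASE = "https://otx.alienvault.com/api/v1"

# Constructed sample in the shape of one result from GET /pulses/subscribed.
SAMPLE_PULSES = [{
    "id": "000000000000000000000001",            # placeholder pulse id
    "name": "Example loader campaign",
    "author_name": "example_author",
    "modified": "2026-02-01T12:30:00.000000",
    "attack_ids": ["T1071.001"],
    "indicators": [
        {"indicator": "203.0.113.45", "type": "IPv4", "created": "2026-01-10T08:00:00"},
        {"indicator": "Update.Example-Bad.test", "type": "domain", "created": "2026-01-12T09:15:00"},
        {"indicator": "0123456789ABCDEF0123456789ABCDEF", "type": "FileHash-MD5",
         "created": "2025-06-01T00:00:00"},
    ],
}]

# Constructed log lines (proxy, DNS, EDR) to match against.
SAMPLE_LOGS = [
    "2026-02-03T10:00:01Z proxy src=10.0.4.7 dst=203.0.113.45 dport=443 action=allow",
    "2026-02-03T10:00:02Z dns client=10.0.4.7 query=update.example-bad.test type=A",
    "2026-02-03T10:00:03Z edr host=ws-0421 proc=svchost.exe md5=0123456789abcdef0123456789abcdef",
    "2026-02-03T10:00:04Z proxy src=10.0.4.9 dst=198.51.100.10 dport=80 action=allow",
]

# OTX indicator type names mapped onto the buckets the log extractors produce.
TYPE_BUCKET = {"IPv4": "ip", "IPv6": "ip", "domain": "host", "hostname": "host",
               "FileHash-MD5": "hash", "FileHash-SHA1": "hash", "FileHash-SHA256": "hash"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)


def fetch_subscribed_pulses(api_key, modified_since=None):
    """Page through GET /pulses/subscribed, authenticating with X-OTX-API-KEY (network call)."""
    url = f"{OTX_BASE}/pulses/subscribed?limit=50"
    if modified_since:                       # ISO timestamp: fetch only pulses changed since then
        url += "&modified_since=" + modified_since
    pulses = []
    while url:
        req = urllib.request.Request(url, headers={"X-OTX-API-KEY": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        pulses.extend(page.get("results", []))
        url = page.get("next")               # null on the last page
    return pulses


def parse_ts(text):
    """OTX timestamps are naive ISO 8601 strings (with or without microseconds); treat as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def flatten_pulses(pulses):
    """One record per indicator, carrying the pulse context needed to triage a match."""
    records = []
    for pulse in pulses:
        for ind in pulse.get("indicators", []):
            bucket = TYPE_BUCKET.get(ind["type"])
            if bucket is None:               # CVE, email, URL etc. are not matched by these extractors
                continue
            records.append({
                "bucket": bucket,
                "value": ind["indicator"].lower(),     # case-fold domains and hashes
                "otx_type": ind["type"],
                "added": parse_ts(ind["created"]),
                "pulse_id": pulse["id"], "pulse_name": pulse["name"],
                "author": pulse.get("author_name"), "attack_ids": pulse.get("attack_ids", []),
            })
    return records


def build_index(records):
    return {(r["bucket"], r["value"]): r for r in records}


def match_logs(lines, index, now=None):
    """Return one hit per (log line, matched indicator), with the indicator's age in days."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for line in lines:
        keys = ([("ip", v) for v in IP_RE.findall(line)]
                + [("host", v.lower()) for v in HOST_RE.findall(line)]
                + [("hash", v.lower()) for v in HASH_RE.findall(line)])
        for key in keys:
            rec = index.get(key)
            if rec is not None:
                hits.append(dict(rec, age_days=(now - rec["added"]).days, log=line))
    return hits


if __name__ == "__main__":
    api_key = os.environ.get("OTX_API_KEY")
    pulses = fetch_subscribed_pulses(api_key) if api_key else SAMPLE_PULSES
    for hit in match_logs(SAMPLE_LOGS, build_index(flatten_pulses(pulses))):
        print(f"{hit['bucket']}={hit['value']} pulse='{hit['pulse_name']}' by {hit['author']} "
              f"added {hit['age_days']}d ago attack={hit['attack_ids']}\n  {hit['log']}")
```

Each hit carries the pulse name, author, ATT&CK IDs and the indicator's age, which is exactly what step 3 asks an analyst to look at first; a scheduled run should pass the timestamp of the previous run as modified_since so each poll pulls only changed pulses.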

Other Community Feeds

Abuse.ch Projects

  • URLhaus: Malware distribution URLs
  • Feodo Tracker: Botnet C2 servers
  • MalwareBazaar: Malware sample repository
  • ThreatFox: IOCs from various malware

MISP Feeds

  • CIRCL OSINT Feed
  • Botvrij.eu
  • Other feeds in the MISP (Malware Information Sharing Platform) project's default feed list

Other Free Feeds

  • Emerging Threats Open: free Snort and Suricata rulesets
  • PhishTank: Community verified phishing URLs
  • OpenPhish: Phishing intelligence
  • Spamhaus: Spam and malware blocklists
  • SSL Blacklist (SSLBL, also from abuse.ch): malicious SSL/TLS certificates and JA3 fingerprints

Feed Quality Assessment

Evaluation Criteria

  • Accuracy: False positive rate in your environment
  • Timeliness: How quickly indicators are published after the activity is observed, and how quickly stale ones are retired
  • Coverage: Relevance to threats you face
  • Context: Quality of associated information
  • Reliability: Consistent updates and maintenance

Feed Hygiene

  • Set expiration periods for indicators (network indicators such as IPs and domains go stale far faster than file hashes)
  • Remove stale feeds that are not maintained
  • Track false positive rates by feed
  • Weight indicators by source confidence
  • Review and prune subscriptions periodically

Integration Best Practices

SIEM Integration

  • Normalize indicator formats across feeds
  • Deduplicate indicators that appear in multiple sources (normalize case and format first, or the duplicates will not collide)
  • Assign confidence scores based on source
  • Correlate with internal telemetry
  • Create tiered alerting based on confidence

Enrichment Workflows

  • Automatically query OTX for alert indicators
  • Pull pulse context into alert enrichment
  • Link related indicators from the same campaign
  • Add MITRE ATT&CK context to investigations

Handling False Positives

  • Validate matches before taking action
  • Check indicator age and pulse context
  • Cross reference with other intelligence sources
  • Maintain local allowlists for known good indicators
  • Provide feedback to pulse authors when appropriate
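The Feed Hygiene, SIEM Integration and false-positive handling points above combined into one indicator store. This is an added example, not RedPhish's code: it normalizes records from several feeds so duplicates collide, merges their sources, derives a confidence score that rises when independent feeds corroborate an indicator, discounts a feed by the false-positive rate analysts report against it, expires indicators by per-feed TTL, suppresses a local allowlist and assigns an alert tier. The feed names, base confidences, TTLs, tier thresholds, allowlist and sample records are all assumptions made for this example.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed per-feed base confidence (0..1) and indicator time-to-live; tune to your own data.
FEED_PROFILE = {
    "abusech_feodo":   {"confidence": 0.90, "ttl_days": 14},
    "abusech_urlhaus": {"confidence": 0.85, "ttl_days": 30},
    "otx_vendor":      {"confidence": 0.80, "ttl_days": 60},
    "otx_community":   {"confidence": 0.50, "ttl_days": 30},
}

# Hypothetical local allowlist of known-good values that feeds occasionally include.
ALLOWLIST = {("ip", "192.0.2.1"), ("host", "www.example.com")}

# Constructed records as (feed, bucket, value, first_seen); note the duplicates and format noise.
SAMPLE_FEED_RECORDS = [
    ("abusech_feodo",   "ip",   "203.0.113.45",             "2026-01-20T00:00:00"),
    ("otx_community",   "ip",   "203.0.113.45",             "2026-01-25T00:00:00"),
    ("otx_community",   "host", "Update.Example-Bad.test.", "2026-01-12T00:00:00"),
    ("otx_vendor",      "host", "update.example-bad.test",  "2026-01-12T00:00:00"),
    ("abusech_urlhaus", "host", "www.example.com",          "2026-01-30T00:00:00"),
    ("otx_community",   "ip",   "198.51.100.7",             "2025-10-01T00:00:00"),
    ("otx_community",   "ip",   "2001:DB8:0:0:0:0:0:1",     "2026-02-01T00:00:00"),
]


def utc(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def normalize(feed, bucket, value, first_seen):
    """Canonical form so the same indicator from two feeds lands on one key."""
    if bucket == "ip":
        value = ipaddress.ip_address(value.strip("[]")).compressed   # 2001:DB8:0:...:1 -> 2001:db8::1
    elif bucket in ("host", "hash"):
        value = value.strip().lower().rstrip(".")                    # case and trailing dot
    return {"feed": feed, "bucket": bucket, "value": value, "seen": utc(first_seen)}


class IndicatorStore:
    def __init__(self):
        self.entries = {}                                  # (bucket, value) -> entry
        self.stats = {f: {"matches": 0, "fps": 0} for f in FEED_PROFILE}

    def ingest(self, raw_records):
        for rec in (normalize(*r) for r in raw_records):
            key = (rec["bucket"], rec["value"])
            entry = self.entries.setdefault(key, {"feeds": set(), "first_seen": rec["seen"],
                                                  "last_seen": rec["seen"]})
            entry["feeds"].add(rec["feed"])                # dedup: merge sources, keep both dates
            entry["first_seen"] = min(entry["first_seen"], rec["seen"])
            entry["last_seen"] = max(entry["last_seen"], rec["seen"])

    def feed_confidence(self, feed):
        """Base confidence discounted by the false-positive rate observed for that feed."""
        s = self.stats[feed]
        fp_rate = s["fps"] / s["matches"] if s["matches"] else 0.0
        return FEED_PROFILE[feed]["confidence"] * (1.0 - fp_rate)

    def confidence(self, key):
        """Noisy-OR: independent feeds corroborating one indicator raise confidence toward 1."""
        p_all_wrong = 1.0
        for feed in self.entries[key]["feeds"]:
            p_all_wrong *= 1.0 - self.feed_confidence(feed)
        return round(1.0 - p_all_wrong, 3)

    def record_match(self, key, false_positive=False):
        """Analyst feedback on a match; an FP is charged to every feed that carried the indicator."""
        for feed in self.entries[key]["feeds"]:
            self.stats[feed]["matches"] += 1
            if false_positive:
                self.stats[feed]["fps"] += 1

    def expire(self, now):
        """Drop indicators not re-sighted within the longest TTL of their feeds; return the dropped keys."""
        dead = [k for k, e in self.entries.items()
                if now - e["last_seen"] > timedelta(days=max(FEED_PROFILE[f]["ttl_days"] for f in e["feeds"]))]
        for key in dead:
            del self.entries[key]
        return dead

    def tier(self, key):
        """Alert tier: suppress allowlisted values, otherwise page / ticket / log-only by confidence."""
        if key in ALLOWLIST:
            return "suppress"
        c = self.confidence(key)
        return "high" if c >= 0.8 else "medium" if c >= 0.5 else "low"


if __name__ == "__main__":
    store = IndicatorStore()
    store.ingest(SAMPLE_FEED_RECORDS)
    print("expired:", store.expire(utc("2026-02-03T00:00:00")))
    for key in store.entries:
        print(key, sorted(store.entries[key]["feeds"]), store.confidence(key), store.tier(key))
```

With the sample data the C2 address carried by both abuse.ch Feodo Tracker and a community pulse scores 0.95 (high), while the same address drops to medium after one of four matches is marked a false positive; the stale community-only address is expired, and the allowlisted hostname never alerts even though a feed lists it.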

Escalation Guidance

Escalate when feed matches indicate:

  • Active C2 communication in your network
  • Known malware samples on endpoints
  • Phishing infrastructure targeting your users
  • Indicators from campaigns actively targeting your sector

Privacy Considerations

  • Do not share internal IP addresses or hostnames publicly
  • Sanitize data before contributing to community
  • Consider legal and compliance requirements
  • Review sharing agreements before contributing
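A pre-sharing filter for the first two points above, as an added example that is not RedPhish's code: it withholds any IP, CIDR, hostname or URL that names internal infrastructure before a pulse draft leaves the SOC. The internal hostname suffixes and the draft pulse are assumptions constructed for this example; the address ranges are the RFC 1918, loopback, link-local and IPv6 ULA blocks, listed explicitly because the Python ipaddress module's is_private also flags the documentation ranges used in the sample.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed internal naming: anything under these suffixes, or a bare single-label hostname, stays in-house.
INTERNAL_SUFFIXES = (".corp.example", ".internal", ".local")

# RFC 1918, loopback, link-local and ULA space, listed explicitly rather than via
# ipaddress's is_private, which also flags the documentation ranges used in examples.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "::1/128", "fe80::/10")]


def is_internal_ip(text):
    """True for an address or CIDR that overlaps internal space; False for non-IP text."""
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False
    return any(n.version == net.version and n.overlaps(net) for n in INTERNAL_NETS)


def is_internal_host(host):
    host = host.lower().rstrip(".")
    return host.endswith(INTERNAL_SUFFIXES) or "." not in host


def sanitize_for_sharing(indicators):
    """Split indicators into shareable and withheld; withheld ones name internal assets."""
    shareable, withheld = [], []
    for ind in indicators:
        kind, value = ind["type"], ind["value"]
        if kind in ("IPv4", "IPv6", "CIDR"):
            internal = is_internal_ip(value)
        elif kind in ("domain", "hostname"):
            internal = is_internal_host(value)
        elif kind == "URL":
            host = urlsplit(value).hostname or ""
            internal = is_internal_ip(host) or is_internal_host(host)
        else:                                   # hashes, CVEs, etc. carry no address
            internal = False
        (withheld if internal else shareable).append(ind)
    return shareable, withheld


# Constructed pulse draft mixing real findings with internal assets that must not leave the SOC.
DRAFT_PULSE = [
    {"type": "IPv4", "value": "203.0.113.45"},
    {"type": "IPv4", "value": "10.20.30.40"},
    {"type": "CIDR", "value": "192.168.0.0/16"},
    {"type": "IPv6", "value": "fe80::1"},
    {"type": "hostname", "value": "fileserver01.corp.example"},
    {"type": "domain", "value": "update.example-bad.test"},
    {"type": "URL", "value": "http://intranet.internal/login"},
    {"type": "URL", "value": "http://update.example-bad.test/stage2.bin"},
    {"type": "FileHash-SHA256", "value": "0" * 64},   # placeholder hash
]

if __name__ == "__main__":
    share, hold = sanitize_for_sharing(DRAFT_PULSE)
    print("share:", [i["value"] for i in share])
    print("hold:", [i["value"] for i in hold])
```

Run this over every draft before it is submitted and review the withheld list by hand; the filter catches addresses and names, not free-text descriptions, which still need a manual read for internal identifiers.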
