How to use AlienVault Open Threat Exchange for IoC

Oloyede Olajumoke Elizabeth
4 min readMay 9, 2022

Hi folks,

It been a while, work has been hectic at my end. From my last post titled “Pyramid of Pain: A Slippery Path in Threat Intelligence/Hunting”, I promised to write on how to use Open Threat Exchange for collection of IoCs.

Open Threat Exchange is the neighborhood watch of the global intelligence community. It enables private companies, independent security researchers, and government agencies to openly collaborate and share the latest information about emerging threats, attack methods, and malicious actors, promoting greater security across the entire community. You need to register with active email address to use this platform.

The interface

After successful registration and sign in, you will be directed to dashboard that contain Pulses. What is Pulses? Pulses are summary of a threat, it contain detail information about the indicator of compromise attached to the threat.

AlienVault Dashboard

On top of the pulses is “Mustang Panda new malware deployment” which was created 4 days ago and by the right hand side, you can see I have subscribed to this pulse, which have over 186k subscribers, if you have not subscribed to before, you can subscribe to different pulse of interest.

Browse Menu

Beside the dashboard is Browse Tab that houses different sub tabs that contain different information. Pulses, Users, Groups, Indicators, Malware Families, Industries and Adversaries

AlienVault Browse Tab View

Pulses as explained earlier contain summary of threats and associated IoCs. You can choose any of this to expand. For this tutorial, I will expand Webscanners 2018–02–09 thru current day. The threat which was created 4 years ago but modified 4 minutes ago as at the end of writing is a threat against web application and can aid endpoint security by scanning this particular threat with the provided IoCs (majorly IP addresses). This particular pulse is attributed to different groups like Bad Bots, Cloud security, MISP etc. You can download this pulse by clicking on the download button at the top right corner of the page.

Users Tab contain the list of users that submitted pulses in ascending order.

AlienVault Users Tab

Group Tab contains pulses based on different attack groups such as ransomware, advance persistent groups, blue team intelligence to mention but few. Each of this can be explore to find more information

AlienVault Group Tab

Indicators Tab contain different indicator of compromise in 2 big categroy of Types (CVE, filehash, domain name etc) or Role (adware, backdoor, bruteforce etc).Each category can be search for alternatively for optimum result.

AlienVault Indicators Tab

Malware Families tab: need to gather more intelligence on a particular malware, This is the best tab to get it. It categorizes malware based on families

AlienVault Malware Families Tab

Industries Tab: It is of good, ethical and healthy practice that a threat hunter hunts in her industry sector to avoid distraction and stress. This particular tab gives the right information about threat based on industry sector from aerospace to military to agriculture , education to mention but few.

AlienVault Industries tab

Adversaries Tab: trailing a particular threat actor, the adversaries tab is the best place to gather direct, concise information about each of the listed threat actors.

AlienVault Adversaries Tab


You will agree with me that AlienVault OTX is a blessing to the threat hunting community. They make live easy. There are other IoCs provided such as file hash, Yara rules, Domain name to mention but few provided by AlienVault.



Oloyede Olajumoke Elizabeth

I am a Cyber Threat Intelligence Analyst, Cybersecurity Trainer and Cybersecurity Researcher. Skilled Threat Hunting, Threat Intelligence and Digital Forensics