Open Threat Exchange®

Viewing Pulse Information and Detail

The pulse activity feed on the Home page is a continuous stream of pulses in reverse chronological order (latest first), based on when each pulse was created or modified. By default, with the Pulses tab selected, OTX displays only pulses you’ve subscribed to, plus pulses from other OTX members you have subscribed to.

Note: The default pulse activity feed only shows pulses to which you’ve already subscribed, or those contributed by AT&T Alien Labs™. To view all new pulses, select the New subtab option from the list of Pulse menu options.

OTX pulse activity feed

The summary description for each pulse provides information such as the following:

  • Avatar of the user who created the pulse.
  • Creation date of the pulse or the date it was last updated with new information.
  • Number of comments on the pulse.
  • A short description of the pulse.
  • Up to four tags that OTX analytics tools or the pulse creator uses to categorize activities related to a pulse. (The Detailed view shows additional tags beyond four.)
  • Number of pulse subscribers and whether you are subscribed to the pulse or to the OTX member.
  • Number of votes for promotion or demotion of the pulse.

To get more details about a pulse, click its name or summary description. OTX expands the display to show additional details about the pulse, along with a listing of Indicators of Compromise (IOCs) related to the pulse and additional options for operations such as subscribing to the pulse, providing comments or suggested edits, and downloading pulse details.

Pulse detail display

After clicking on a pulse summary and clicking the more option, the middle portion of the display shows an expanded/detailed view of the information for a selected pulse.

Pulse display expanded view

Next to the expanded summary display, OTX provides a row of buttons to perform specific operations.

Pulse action options

These options perform the following functions:

The lower portion of the pulse details display provides a comment section and information on Indicators of Compromise (IOCs) for the selected pulse.

Indicator of Compromise summary display

You can click an individual indicator in the list to expand the information displayed for it. In addition, on the right side of each indicator row, the Copy button lets you copy the indicator information, which you may be able to use elsewhere in your security monitoring operation, and the Go to Details button displays an expanded detail view of the selected indicator on a separate page.

The Type column next to each indicator describes the type of each indicator associated with the pulse, such as IP address, domain, or file hash (for example, MD5 or SHA-1). A file hash is a one-direction checksum value produced to uniquely represent and identify text. The result of a hash function can be used to validate whether a file has been altered, without having to compare the files to each other. Frequently used hash functions are MD5 and SHA1. A file hash is an indicator of compromise commonly used in identifying malware such as viruses, trojans, ransomware, or other types of malicious software. For more information on IOC types, see Indicators of Compromise Types.
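As an added illustration (not part of the OTX documentation or product), the Python sketch below sorts indicators copied from a pulse by type and checks a local file against the file-hash indicators. The type labels, function names, and sample values are assumptions constructed for this example.

```python
import hashlib
import ipaddress
import os
import re
import tempfile

# Hex digest length -> hashlib algorithm name.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def classify(indicator):
    """Return (type, normalized value) for one copied indicator string."""
    value = indicator.strip().lower()
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_LENGTHS:
        return "file hash (" + HASH_LENGTHS[len(value)] + ")", value
    try:
        return "IP address", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    return ("domain" if DOMAIN_RE.match(value) else "unknown"), value

def file_digests(path, algorithms):
    """Hash a file once, in chunks, with every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}

def match_file(path, indicators):
    """Return the hash indicators (normalized) that match the file at path."""
    wanted = {}
    for raw in indicators:
        kind, value = classify(raw)
        if kind.startswith("file hash"):
            wanted.setdefault(HASH_LENGTHS[len(value)], set()).add(value)
    digests = file_digests(path, wanted)
    return sorted(v for name, vals in wanted.items() for v in vals if digests[name] == v)

def demo():
    """Constructed sample: a temp file and indicators as pasted from a pulse."""
    pasted = ["5D41402ABC4B2A76B9719D911017C592 ",  # MD5 of b"hello"
              "d41d8cd98f00b204e9800998ecf8427e", "203.0.113.7", "example.com"]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as handle:
            handle.write(b"hello")
        return [classify(p)[0] for p in pasted], match_file(path, pasted)
```

Normalizing case and whitespace before comparison matters because copied hashes may differ in letter case from the lowercase hex that `hashlib` produces.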

Depending on the particular indicator of compromise, the Indicator Details page can be very simple or it can include a great deal of information and research, based on how much information is available or known about the indicator at any given time. The following display shows an example:

Indicator of Compromise details page

Additional links on the page let you quickly jump to external reference data for a pulse, such as a CVE reference page, or detail on a particular exploit sequence.

At the very bottom of the page, OTX provides a comment page, so you can add any comments you might have on a pulse or share any experience you have had with the pulse threat or its indicators. You can enter a comment under your own name, in which case your name and avatar appear next to it, or you can enter a comment anonymously.