
OTX Graph not populating

alex.hunt
Hi All, 

On my USM appliance the default dashboard when you log in has data populated, apart from the OTX box in the top right corner? 

There are OTX events in my system but the graph doesn't show the recent activity. 

What is the best way to validate that this part of the dashboard is working correctly? 

Does anyone know where any error messages may be on the back end?

Thanks  


Answers

  • Hello alex.hunt,
       
       That dashboard represents OTX_PULSE data, only. There is a difference between IP_Reputation data and Pulse data. I have two tricks for you to validate whether the graph should be showing data. The first is a #mysql command. The second is subscribing to a test pulse, and then performing a #curl or #wget command to try to trigger an OTX_Pulse event. Please keep in mind, you must first ensure proper DNS and/or Port Mirroring for OTX/NIDS to be working. 

     1) This trick requires you to ensure you are modifying the dates provided to the last 7 days (because that is what the dashboard shows; the last 7 days). If the result is blank (or 0), the events are either outside of that 7 day window, or those are not OTX_Pulse events... 

    # echo "CALL otx_get_top_pulses('admin', 5, '2019-01-08 00:00:00', '2019-01-15 00:00:00');" | ossim-db


       Again, the graph only shows the last 7 days... if the OTX events that you state you are seeing are older than 7 days, they will not appear in the graph. The above command will show you, if any, the PULSE data that will be reflected in the graph. 
    2) Regarding OTX, OTX utilizes DNS in order to match threats and IOCs, in addition to utilizing the SPAN port on your network to 'sniff' the traffic. You can do a quick test from your USM to see if OTX is working properly, or not. As long as your DNS is working correctly, this should show an OTX based Alarm, and show up on the Dashboard widget. 

    First, can you log in to your OTX account, and search for a pulse by the name of "test.com" (https://otx.alienvault.com/pulse/55e0229a67db8c7bb8cba2b4). Once you find it, please subscribe to it. We will then need to ensure that the USM receives the new pulse subscription. From the CLI of the USM, can you :: 


    # apt-get update && alienvault-update --feed 



    It can take 15 - 30 minutes for the USM to receive the pulse. After enough time has passed, can you then issue the following command on your USM :: 


    # dig test.com 



    Shortly thereafter, you should be able to go to the WebUI of your USM and see that "OTX" activity has occurred. If you do not see the Alarm, can you verify that your USM is utilizing a valid (internal) DNS server? 


    # cat /etc/resolv.conf 



    If you have verified that DNS is not the issue, but the USM still does not show the OTX activity, see if you can search the Raw Logs of the USM for "test.com" to verify that we picked up the packet. 



       Regards,


     - kratos
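The checks in kratos's answer, collected into one script as an added example (this is not code from the original post or from AlienVault). It builds the same 7-day window the dashboard widget reads instead of hard-coding dates, runs the `otx_get_top_pulses` call through `ossim-db`, lists the resolvers from `resolv.conf`, and counts raw-log lines that mention the test pulse indicator. Assumptions: GNU `date -d` is available, `ossim-db` is the USM's MySQL wrapper on PATH as in the post, the `admin` user and top-5 limit from the post are used, and the sample `resolv.conf` and log text in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Reproduces the answer's checks:
# (1) query OTX pulse rows for the 7-day window the dashboard widget shows,
# (2) list the DNS resolvers the USM uses, (3) count raw-log hits for the
# test pulse indicator. Assumes GNU date (-d), ossim-db on PATH, and the
# 'admin' user / top-5 limit used in the post.

# Build the stored-procedure call for the 7 days ending at $1 (YYYY-MM-DD,
# defaults to today). The widget only reads this window, so older OTX_Pulse
# events exist in the SIEM but never reach the graph.
otx_window_sql() {
  end="${1:-$(date +%F)}"
  start="$(date -d "$end 7 days ago" +%F)"   # GNU date extension
  printf "CALL otx_get_top_pulses('admin', 5, '%s 00:00:00', '%s 00:00:00');" \
    "$start" "$end"
}

# Run the query through ossim-db and return the number of pulse rows with the
# column-header line stripped. 0 means the empty graph is correct, not broken.
otx_pulse_rows() {
  otx_window_sql "$1" | ossim-db | tail -n +2 | wc -l | tr -d ' '
}

# Print nameserver IPs from resolv.conf content on stdin, so the operator can
# confirm an internal resolver is configured (OTX matching depends on DNS).
resolv_nameservers() {
  awk '$1 == "nameserver" { print $2 }'
}

# Count raw-log lines (stdin) containing the indicator in $1, e.g. test.com.
# grep -c exits 1 when nothing matches; the "|| :" keeps "0" as a normal result.
count_indicator_hits() {
  grep -c -F "$1" || :
}

# Manual use on the appliance:  sh otx_check.sh run
if [ "${1:-}" = "run" ]; then
  echo "OTX pulse rows in the last 7 days: $(otx_pulse_rows)"
  echo "resolvers in /etc/resolv.conf:"
  resolv_nameservers < /etc/resolv.conf
fi
```

If `otx_pulse_rows` prints 0 while the raw logs show hits for the indicator, the events are most likely outside the 7-day window or are IP_Reputation rather than Pulse events, which is exactly the distinction the answer draws.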
