OTX-Python-SDK/howto_use_python_otx_api.ipynb
Chris Doman 48c878fb54 Added PatchPulse object
Added object to make patching pulses easier
2017-05-04 12:01:10 +01:00


{
"cells": [
{
"cell_type": "markdown",
"metadata": {},
"source": [
"# Using the OTX-Python-SDK"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## API Key Configuration"
]
},
{
"cell_type": "code",
"execution_count": 24,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"from OTXv2 import OTXv2, IndicatorTypes"
]
},
{
"cell_type": "code",
"execution_count": 5,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"from pandas.io.json import json_normalize"
]
},
{
"cell_type": "code",
"execution_count": 6,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"from datetime import datetime, timedelta"
]
},
{
"cell_type": "code",
"execution_count": 7,
"metadata": {
"collapsed": false
},
"outputs": [],
"source": [
"otx = OTXv2(\"YOUR_KEY\")"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"Replace YOUR_KEY with your OTX API key. You can find it on your settings page https://otx.alienvault.com/settings."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Subscriptions"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"The getall() method accesses your subscriptions. It downloads all the OTX pulses and their associated indicators of compromise (IOCs) from your account. This includes:\n",
"\n",
"- All pulses you subscribe to directly\n",
"- All pulses by users you subscribe to\n",
"- OTX pulses you created (including private pulses)\n",
"\n",
"If this is the first time you are using your account, the download includes all pulses created by AlienVault. All users are subscribed to the AlienVault user by default."
]
},
{
"cell_type": "code",
"execution_count": 4,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"pulses = otx.getall()"
]
},
{
"cell_type": "code",
"execution_count": 5,
"metadata": {
"collapsed": false
},
"outputs": [
{
"data": {
"text/plain": [
"266"
]
},
"execution_count": 5,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"len(pulses)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"Let's list a few pulses:"
]
},
{
"cell_type": "code",
"execution_count": 6,
"metadata": {
"collapsed": false,
"scrolled": true
},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>author_name</th>\n",
" <th>created</th>\n",
" <th>description</th>\n",
" <th>id</th>\n",
" <th>indicators</th>\n",
" <th>modified</th>\n",
" <th>name</th>\n",
" <th>references</th>\n",
" <th>revision</th>\n",
" <th>tags</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>AlienVault</td>\n",
" <td>2015-07-23T19:07:22.591000</td>\n",
" <td>Lately we informed you how a fake Dubsmash app...</td>\n",
" <td>55b13b6ab45ff52d687ccc3c</td>\n",
" <td>[{u'indicator': u'd59b2c7a28ae19ff2b85db9c2eee...</td>\n",
" <td>2015-07-23T19:07:22.591000</td>\n",
" <td>Porn clicker keeps infecting apps on Google Play</td>\n",
" <td>[http://www.welivesecurity.com/2015/07/23/porn...</td>\n",
" <td>1</td>\n",
" <td>[dubsmash, play store, trojan, google play, an...</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>Malwaremustdie</td>\n",
" <td>2015-07-23T03:27:06.425000</td>\n",
" <td>.IptabLex &amp; .IptabLes ELF DDoS malware is the ...</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>[{u'indicator': u'fc50bcf33e7c50681947d7d1d1ea...</td>\n",
" <td>2015-07-23T03:28:09.789000</td>\n",
" <td>MMD-0035-2015 - .IptabLex or .IptabLes on shel...</td>\n",
" <td>[http://blog.malwaremustdie.org/2015/06/mmd-00...</td>\n",
" <td>3</td>\n",
" <td>[shellshock, IptableSx, linux, chinaz, billgat...</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>AlienVault</td>\n",
" <td>2015-07-22T17:16:35.665000</td>\n",
" <td>Recent weeks have seen the outing of two new a...</td>\n",
" <td>55afcff3b45ff57d4094e6b3</td>\n",
" <td>[{u'indicator': u'https://cognimuse.cs.ntua.gr...</td>\n",
" <td>2015-07-22T17:16:35.665000</td>\n",
" <td>Duke APT group's latest tools: cloud services ...</td>\n",
" <td>[https://www.f-secure.com/weblog/archives/0000...</td>\n",
" <td>1</td>\n",
" <td>[cloudduke, duke, onedrive, seaduke, cozyduke,...</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>AlienVault</td>\n",
" <td>2015-07-22T17:04:34.663000</td>\n",
" <td>The summer months dawn on us and the financial...</td>\n",
" <td>55afcd22b45ff5798794e6a3</td>\n",
" <td>[{u'indicator': u'05bc4a9b603c1aa319d799c8fba7...</td>\n",
" <td>2015-07-22T17:04:55.684000</td>\n",
" <td>APT on Taiwan - insight into advances of adver...</td>\n",
" <td>[http://blog.dragonthreatlabs.com/2015/07/dtl-...</td>\n",
" <td>2</td>\n",
" <td>[apt, taiwan, mocelpa, Phishing]</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>AlienVault</td>\n",
" <td>2015-07-21T22:12:44.198000</td>\n",
" <td>UrlZone is a banking trojan that appeared in 2...</td>\n",
" <td>55aec3dcb45ff53bb694e6b1</td>\n",
" <td>[{u'indicator': u'39bbde33922cd6366d7c2a252c4a...</td>\n",
" <td>2015-07-21T22:13:16.529000</td>\n",
" <td>An Update on the UrlZone Banker</td>\n",
" <td>[https://asert.arbornetworks.com/an-update-on-...</td>\n",
" <td>2</td>\n",
" <td>[urlzone, dga, bebloh, shiotob, banker, arbor]</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" author_name created \\\n",
"0 AlienVault 2015-07-23T19:07:22.591000 \n",
"1 Malwaremustdie 2015-07-23T03:27:06.425000 \n",
"2 AlienVault 2015-07-22T17:16:35.665000 \n",
"3 AlienVault 2015-07-22T17:04:34.663000 \n",
"4 AlienVault 2015-07-21T22:12:44.198000 \n",
"\n",
" description \\\n",
"0 Lately we informed you how a fake Dubsmash app... \n",
"1 .IptabLex & .IptabLes ELF DDoS malware is the ... \n",
"2 Recent weeks have seen the outing of two new a... \n",
"3 The summer months dawn on us and the financial... \n",
"4 UrlZone is a banking trojan that appeared in 2... \n",
"\n",
" id \\\n",
"0 55b13b6ab45ff52d687ccc3c \n",
"1 55b05f0ab45ff5326594e6cc \n",
"2 55afcff3b45ff57d4094e6b3 \n",
"3 55afcd22b45ff5798794e6a3 \n",
"4 55aec3dcb45ff53bb694e6b1 \n",
"\n",
" indicators \\\n",
"0 [{u'indicator': u'd59b2c7a28ae19ff2b85db9c2eee... \n",
"1 [{u'indicator': u'fc50bcf33e7c50681947d7d1d1ea... \n",
"2 [{u'indicator': u'https://cognimuse.cs.ntua.gr... \n",
"3 [{u'indicator': u'05bc4a9b603c1aa319d799c8fba7... \n",
"4 [{u'indicator': u'39bbde33922cd6366d7c2a252c4a... \n",
"\n",
" modified \\\n",
"0 2015-07-23T19:07:22.591000 \n",
"1 2015-07-23T03:28:09.789000 \n",
"2 2015-07-22T17:16:35.665000 \n",
"3 2015-07-22T17:04:55.684000 \n",
"4 2015-07-21T22:13:16.529000 \n",
"\n",
" name \\\n",
"0 Porn clicker keeps infecting apps on Google Play \n",
"1 MMD-0035-2015 - .IptabLex or .IptabLes on shel... \n",
"2 Duke APT group's latest tools: cloud services ... \n",
"3 APT on Taiwan - insight into advances of adver... \n",
"4 An Update on the UrlZone Banker \n",
"\n",
" references revision \\\n",
"0 [http://www.welivesecurity.com/2015/07/23/porn... 1 \n",
"1 [http://blog.malwaremustdie.org/2015/06/mmd-00... 3 \n",
"2 [https://www.f-secure.com/weblog/archives/0000... 1 \n",
"3 [http://blog.dragonthreatlabs.com/2015/07/dtl-... 2 \n",
"4 [https://asert.arbornetworks.com/an-update-on-... 2 \n",
"\n",
" tags \n",
"0 [dubsmash, play store, trojan, google play, an... \n",
"1 [shellshock, IptableSx, linux, chinaz, billgat... \n",
"2 [cloudduke, duke, onedrive, seaduke, cozyduke,... \n",
"3 [apt, taiwan, mocelpa, Phishing] \n",
"4 [urlzone, dga, bebloh, shiotob, banker, arbor] "
]
},
"execution_count": 6,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"json_normalize(pulses)[0:5]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"- author_name: The username of the OTX User that created the pulse\n",
"- created: Date when the pulse was created in the system\n",
"- description: Describes the pulse in terms of the type of threat it poses, and any other facts that may link it to other threat indicators.\n",
"- id: Unique identifier of the pulse\n",
"- indicators: Collection of Indicators Of Compromise \n",
"- modified: Date when the pulse was last modified\n",
"- name: Name of the pulse\n",
"- references: List of references to papers, websites or blogs related to the threat described in the pulse\n",
"- revision: Revision number that increments each time pulse contents change\n",
"- tags: List of tags that provide information about pulse content, for example, Phishing, malware, C&C, and apt."
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"Let's explore the indicators object:"
]
},
{
"cell_type": "code",
"execution_count": 8,
"metadata": {
"collapsed": false,
"scrolled": false
},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>_id</th>\n",
" <th>created</th>\n",
" <th>description</th>\n",
" <th>indicator</th>\n",
" <th>type</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>55b05f0ab45ff5326594e69a</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>fc50bcf33e7c50681947d7d1d1eac47617399c09d8c6d2...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>55b05f0ab45ff5326594e69b</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>3f6e4df766b6736dd8a37d7a523e2476421c531e36301b...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>55b05f0ab45ff5326594e69c</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>cb46167d5ece696f9b7d5f7861ffcbb4244ea21e660c47...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>55b05f0ab45ff5326594e69d</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>c6c123c729d59c7a0a25926a23ac198ad5ed006a9c4559...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>55b05f0ab45ff5326594e69e</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>bca528538a2d67768ec63627dba12a43db1c2ecb86b3d4...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5</th>\n",
" <td>55b05f0ab45ff5326594e69f</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>59e6c285b930ab0c2f83bae0807a4aeff6a1c2c17a556b...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>6</th>\n",
" <td>55b05f0ab45ff5326594e6a0</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>2a76a717108c43eadaafbfed4d26f3374fa116bf048654...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>7</th>\n",
" <td>55b05f0ab45ff5326594e6a1</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>25a477a2487be6e6583ea47b042ebc2660cb29dbe98b53...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>8</th>\n",
" <td>55b05f0ab45ff5326594e6a2</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>6ee18a546f9e91417a788fdaf9cf0e4b14970282adf2b9...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>9</th>\n",
" <td>55b05f0ab45ff5326594e6a3</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>447fc68b78593a8a4d877887fe28bc729f6f082d453d66...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>10</th>\n",
" <td>55b05f0ab45ff5326594e6a4</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>86fab139e8a28bdbb8ab8ed94124447f5e7ab67c441397...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>11</th>\n",
" <td>55b05f0ab45ff5326594e6a5</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>ad2e6e71653a382ff7617946cbd4f07af3a36ce4e50a1f...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>12</th>\n",
" <td>55b05f0ab45ff5326594e6a6</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>4f3d7e0f2ee9ed72a1c6b26e4967ee6dc902713878fd8c...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>13</th>\n",
" <td>55b05f0ab45ff5326594e6a7</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>f8b0f1cac88af33668ea0d70038cb38de8928c32a9170a...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>14</th>\n",
" <td>55b05f0ab45ff5326594e6a8</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>95f20839325428b11238ebf348554cc5abd6aca74ba1e8...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>15</th>\n",
" <td>55b05f0ab45ff5326594e6a9</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>37c9e95174cbc066af0df69a737af6d2e7dcfbae3a6324...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>16</th>\n",
" <td>55b05f0ab45ff5326594e6aa</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>73f91640ce2bc9b1b9ef3ff434d095c802b20e5f815606...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>17</th>\n",
" <td>55b05f0ab45ff5326594e6ab</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>b6ad7fa59edd48c2764ff5a55af56590f7f9bc112cb45b...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>18</th>\n",
" <td>55b05f0ab45ff5326594e6ac</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>7a3d0736a3a635c7aae9a094fcff8fb714eca02c3774c7...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>19</th>\n",
" <td>55b05f0ab45ff5326594e6ad</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>f862eaca7217430a7076f456d2f71628978e9f572b431d...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>20</th>\n",
" <td>55b05f0ab45ff5326594e6ae</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>7751d97317974d826c09653b13aa1b81eae6440cac9f65...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>21</th>\n",
" <td>55b05f0ab45ff5326594e6af</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>972bcbee0e37648863976226511d13de610ecae99cb180...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>22</th>\n",
" <td>55b05f0ab45ff5326594e6b0</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>3da2c1036a61097580db0a872a8bc3569bea35769749b8...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>23</th>\n",
" <td>55b05f0ab45ff5326594e6b1</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>d640b7012eeb14233fe993a67264aab9a243babb287d4a...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>24</th>\n",
" <td>55b05f0ab45ff5326594e6b2</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>1e0560f24242cbba1a11ea9a3f49488a69f24b9cb27285...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>25</th>\n",
" <td>55b05f0ab45ff5326594e6b3</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>f7224962ee3f2f8960b645af0e14105c767b998409d8d8...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>26</th>\n",
" <td>55b05f0ab45ff5326594e6b4</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>274c1994cd174945334a9bd11e72bc53e4e56d489dc0b4...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>27</th>\n",
" <td>55b05f0ab45ff5326594e6b5</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>2c37f104ec1e9f70a9fa316757e1a512241d72dbd95ad0...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>28</th>\n",
" <td>55b05f0ab45ff5326594e6b6</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>7a95839cf6f72e2d2b2ef13079cf86527dcf3455aaa13b...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>29</th>\n",
" <td>55b05f0ab45ff5326594e6b7</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>6a625d8586087c2d054229364f52512b02706da9d1dc59...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>30</th>\n",
" <td>55b05f0ab45ff5326594e6b8</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>522ef4df99c93db5a164b8655359e993cf8dfd40c142d5...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>31</th>\n",
" <td>55b05f0ab45ff5326594e6b9</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>bef8a9f5a79cf34f0859ced695064fe15b767c2a778442...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>32</th>\n",
" <td>55b05f0ab45ff5326594e6ba</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>611f3978c8e1802a7ffc32857ae8e588127080898a1b77...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>33</th>\n",
" <td>55b05f0ab45ff5326594e6bb</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>8d25712c1d45d2059557a8f58c8513a8c76b71e6eab1da...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>34</th>\n",
" <td>55b05f0ab45ff5326594e6bc</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>838892b6d7443afd63f9968fefc375e439e712cfffcaae...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>35</th>\n",
" <td>55b05f0ab45ff5326594e6bd</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>90c7b9ab085420daa003c3add5e3c910dfc155568c0064...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>36</th>\n",
" <td>55b05f0ab45ff5326594e6be</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>8b5821e339c7ca0056067495c29683192c51c11ea1f6cf...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>37</th>\n",
" <td>55b05f0ab45ff5326594e6bf</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>e6a98e9fbff5cacdfc4e13d82d431fc23275ec7edcac36...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>38</th>\n",
" <td>55b05f0ab45ff5326594e6c0</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>c47ea2bcc4b6dea0f2616da68764641ac88deaa2ed3c42...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>39</th>\n",
" <td>55b05f0ab45ff5326594e6c1</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>v8.f1122.org</td>\n",
" <td>hostname</td>\n",
" </tr>\n",
" <tr>\n",
" <th>40</th>\n",
" <td>55b05f0ab45ff5326594e6c2</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>udp.f1122.org</td>\n",
" <td>hostname</td>\n",
" </tr>\n",
" <tr>\n",
" <th>41</th>\n",
" <td>55b05f0ab45ff5326594e6c3</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>ddos.zanj.cn</td>\n",
" <td>hostname</td>\n",
" </tr>\n",
" <tr>\n",
" <th>42</th>\n",
" <td>55b05f0ab45ff5326594e6c4</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>8d18ddc23603726181ebb77931aa11f3</td>\n",
" <td>FileHash-MD5</td>\n",
" </tr>\n",
" <tr>\n",
" <th>43</th>\n",
" <td>55b05f0ab45ff5326594e6c5</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>20eddc49ea55c7964d91450412f7fb40</td>\n",
" <td>FileHash-MD5</td>\n",
" </tr>\n",
" <tr>\n",
" <th>44</th>\n",
" <td>55b05f0ab45ff5326594e6c6</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>3a21e46485d50b3117b3a9224ce12bd7</td>\n",
" <td>FileHash-MD5</td>\n",
" </tr>\n",
" <tr>\n",
" <th>45</th>\n",
" <td>55b05f0ab45ff5326594e6c7</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>84d431618cbbbf56fe0cc3d34f62a655</td>\n",
" <td>FileHash-MD5</td>\n",
" </tr>\n",
" <tr>\n",
" <th>46</th>\n",
" <td>55b05f0ab45ff5326594e6c8</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>58eefd9183ac89a1b99dda02e0ab4092</td>\n",
" <td>FileHash-MD5</td>\n",
" </tr>\n",
" <tr>\n",
" <th>47</th>\n",
" <td>55b05f0ab45ff5326594e6c9</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>202.103.243.104</td>\n",
" <td>IPv4</td>\n",
" </tr>\n",
" <tr>\n",
" <th>48</th>\n",
" <td>55b05f0ab45ff5326594e6ca</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>58.221.254.153</td>\n",
" <td>IPv4</td>\n",
" </tr>\n",
" <tr>\n",
" <th>49</th>\n",
" <td>55b05f0ab45ff5326594e6cb</td>\n",
" <td>2015-07-23T03:27:06.425</td>\n",
" <td></td>\n",
" <td>58.213.123.107</td>\n",
" <td>IPv4</td>\n",
" </tr>\n",
" <tr>\n",
" <th>50</th>\n",
" <td>55b05f49b45ff532d094e699</td>\n",
" <td>2015-07-23T03:28:09.789</td>\n",
" <td></td>\n",
" <td>CVE-2014-6271</td>\n",
" <td>CVE</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" _id created description \\\n",
"0 55b05f0ab45ff5326594e69a 2015-07-23T03:27:06.425 \n",
"1 55b05f0ab45ff5326594e69b 2015-07-23T03:27:06.425 \n",
"2 55b05f0ab45ff5326594e69c 2015-07-23T03:27:06.425 \n",
"3 55b05f0ab45ff5326594e69d 2015-07-23T03:27:06.425 \n",
"4 55b05f0ab45ff5326594e69e 2015-07-23T03:27:06.425 \n",
"5 55b05f0ab45ff5326594e69f 2015-07-23T03:27:06.425 \n",
"6 55b05f0ab45ff5326594e6a0 2015-07-23T03:27:06.425 \n",
"7 55b05f0ab45ff5326594e6a1 2015-07-23T03:27:06.425 \n",
"8 55b05f0ab45ff5326594e6a2 2015-07-23T03:27:06.425 \n",
"9 55b05f0ab45ff5326594e6a3 2015-07-23T03:27:06.425 \n",
"10 55b05f0ab45ff5326594e6a4 2015-07-23T03:27:06.425 \n",
"11 55b05f0ab45ff5326594e6a5 2015-07-23T03:27:06.425 \n",
"12 55b05f0ab45ff5326594e6a6 2015-07-23T03:27:06.425 \n",
"13 55b05f0ab45ff5326594e6a7 2015-07-23T03:27:06.425 \n",
"14 55b05f0ab45ff5326594e6a8 2015-07-23T03:27:06.425 \n",
"15 55b05f0ab45ff5326594e6a9 2015-07-23T03:27:06.425 \n",
"16 55b05f0ab45ff5326594e6aa 2015-07-23T03:27:06.425 \n",
"17 55b05f0ab45ff5326594e6ab 2015-07-23T03:27:06.425 \n",
"18 55b05f0ab45ff5326594e6ac 2015-07-23T03:27:06.425 \n",
"19 55b05f0ab45ff5326594e6ad 2015-07-23T03:27:06.425 \n",
"20 55b05f0ab45ff5326594e6ae 2015-07-23T03:27:06.425 \n",
"21 55b05f0ab45ff5326594e6af 2015-07-23T03:27:06.425 \n",
"22 55b05f0ab45ff5326594e6b0 2015-07-23T03:27:06.425 \n",
"23 55b05f0ab45ff5326594e6b1 2015-07-23T03:27:06.425 \n",
"24 55b05f0ab45ff5326594e6b2 2015-07-23T03:27:06.425 \n",
"25 55b05f0ab45ff5326594e6b3 2015-07-23T03:27:06.425 \n",
"26 55b05f0ab45ff5326594e6b4 2015-07-23T03:27:06.425 \n",
"27 55b05f0ab45ff5326594e6b5 2015-07-23T03:27:06.425 \n",
"28 55b05f0ab45ff5326594e6b6 2015-07-23T03:27:06.425 \n",
"29 55b05f0ab45ff5326594e6b7 2015-07-23T03:27:06.425 \n",
"30 55b05f0ab45ff5326594e6b8 2015-07-23T03:27:06.425 \n",
"31 55b05f0ab45ff5326594e6b9 2015-07-23T03:27:06.425 \n",
"32 55b05f0ab45ff5326594e6ba 2015-07-23T03:27:06.425 \n",
"33 55b05f0ab45ff5326594e6bb 2015-07-23T03:27:06.425 \n",
"34 55b05f0ab45ff5326594e6bc 2015-07-23T03:27:06.425 \n",
"35 55b05f0ab45ff5326594e6bd 2015-07-23T03:27:06.425 \n",
"36 55b05f0ab45ff5326594e6be 2015-07-23T03:27:06.425 \n",
"37 55b05f0ab45ff5326594e6bf 2015-07-23T03:27:06.425 \n",
"38 55b05f0ab45ff5326594e6c0 2015-07-23T03:27:06.425 \n",
"39 55b05f0ab45ff5326594e6c1 2015-07-23T03:27:06.425 \n",
"40 55b05f0ab45ff5326594e6c2 2015-07-23T03:27:06.425 \n",
"41 55b05f0ab45ff5326594e6c3 2015-07-23T03:27:06.425 \n",
"42 55b05f0ab45ff5326594e6c4 2015-07-23T03:27:06.425 \n",
"43 55b05f0ab45ff5326594e6c5 2015-07-23T03:27:06.425 \n",
"44 55b05f0ab45ff5326594e6c6 2015-07-23T03:27:06.425 \n",
"45 55b05f0ab45ff5326594e6c7 2015-07-23T03:27:06.425 \n",
"46 55b05f0ab45ff5326594e6c8 2015-07-23T03:27:06.425 \n",
"47 55b05f0ab45ff5326594e6c9 2015-07-23T03:27:06.425 \n",
"48 55b05f0ab45ff5326594e6ca 2015-07-23T03:27:06.425 \n",
"49 55b05f0ab45ff5326594e6cb 2015-07-23T03:27:06.425 \n",
"50 55b05f49b45ff532d094e699 2015-07-23T03:28:09.789 \n",
"\n",
" indicator type \n",
"0 fc50bcf33e7c50681947d7d1d1eac47617399c09d8c6d2... FileHash-SHA256 \n",
"1 3f6e4df766b6736dd8a37d7a523e2476421c531e36301b... FileHash-SHA256 \n",
"2 cb46167d5ece696f9b7d5f7861ffcbb4244ea21e660c47... FileHash-SHA256 \n",
"3 c6c123c729d59c7a0a25926a23ac198ad5ed006a9c4559... FileHash-SHA256 \n",
"4 bca528538a2d67768ec63627dba12a43db1c2ecb86b3d4... FileHash-SHA256 \n",
"5 59e6c285b930ab0c2f83bae0807a4aeff6a1c2c17a556b... FileHash-SHA256 \n",
"6 2a76a717108c43eadaafbfed4d26f3374fa116bf048654... FileHash-SHA256 \n",
"7 25a477a2487be6e6583ea47b042ebc2660cb29dbe98b53... FileHash-SHA256 \n",
"8 6ee18a546f9e91417a788fdaf9cf0e4b14970282adf2b9... FileHash-SHA256 \n",
"9 447fc68b78593a8a4d877887fe28bc729f6f082d453d66... FileHash-SHA256 \n",
"10 86fab139e8a28bdbb8ab8ed94124447f5e7ab67c441397... FileHash-SHA256 \n",
"11 ad2e6e71653a382ff7617946cbd4f07af3a36ce4e50a1f... FileHash-SHA256 \n",
"12 4f3d7e0f2ee9ed72a1c6b26e4967ee6dc902713878fd8c... FileHash-SHA256 \n",
"13 f8b0f1cac88af33668ea0d70038cb38de8928c32a9170a... FileHash-SHA256 \n",
"14 95f20839325428b11238ebf348554cc5abd6aca74ba1e8... FileHash-SHA256 \n",
"15 37c9e95174cbc066af0df69a737af6d2e7dcfbae3a6324... FileHash-SHA256 \n",
"16 73f91640ce2bc9b1b9ef3ff434d095c802b20e5f815606... FileHash-SHA256 \n",
"17 b6ad7fa59edd48c2764ff5a55af56590f7f9bc112cb45b... FileHash-SHA256 \n",
"18 7a3d0736a3a635c7aae9a094fcff8fb714eca02c3774c7... FileHash-SHA256 \n",
"19 f862eaca7217430a7076f456d2f71628978e9f572b431d... FileHash-SHA256 \n",
"20 7751d97317974d826c09653b13aa1b81eae6440cac9f65... FileHash-SHA256 \n",
"21 972bcbee0e37648863976226511d13de610ecae99cb180... FileHash-SHA256 \n",
"22 3da2c1036a61097580db0a872a8bc3569bea35769749b8... FileHash-SHA256 \n",
"23 d640b7012eeb14233fe993a67264aab9a243babb287d4a... FileHash-SHA256 \n",
"24 1e0560f24242cbba1a11ea9a3f49488a69f24b9cb27285... FileHash-SHA256 \n",
"25 f7224962ee3f2f8960b645af0e14105c767b998409d8d8... FileHash-SHA256 \n",
"26 274c1994cd174945334a9bd11e72bc53e4e56d489dc0b4... FileHash-SHA256 \n",
"27 2c37f104ec1e9f70a9fa316757e1a512241d72dbd95ad0... FileHash-SHA256 \n",
"28 7a95839cf6f72e2d2b2ef13079cf86527dcf3455aaa13b... FileHash-SHA256 \n",
"29 6a625d8586087c2d054229364f52512b02706da9d1dc59... FileHash-SHA256 \n",
"30 522ef4df99c93db5a164b8655359e993cf8dfd40c142d5... FileHash-SHA256 \n",
"31 bef8a9f5a79cf34f0859ced695064fe15b767c2a778442... FileHash-SHA256 \n",
"32 611f3978c8e1802a7ffc32857ae8e588127080898a1b77... FileHash-SHA256 \n",
"33 8d25712c1d45d2059557a8f58c8513a8c76b71e6eab1da... FileHash-SHA256 \n",
"34 838892b6d7443afd63f9968fefc375e439e712cfffcaae... FileHash-SHA256 \n",
"35 90c7b9ab085420daa003c3add5e3c910dfc155568c0064... FileHash-SHA256 \n",
"36 8b5821e339c7ca0056067495c29683192c51c11ea1f6cf... FileHash-SHA256 \n",
"37 e6a98e9fbff5cacdfc4e13d82d431fc23275ec7edcac36... FileHash-SHA256 \n",
"38 c47ea2bcc4b6dea0f2616da68764641ac88deaa2ed3c42... FileHash-SHA256 \n",
"39 v8.f1122.org hostname \n",
"40 udp.f1122.org hostname \n",
"41 ddos.zanj.cn hostname \n",
"42 8d18ddc23603726181ebb77931aa11f3 FileHash-MD5 \n",
"43 20eddc49ea55c7964d91450412f7fb40 FileHash-MD5 \n",
"44 3a21e46485d50b3117b3a9224ce12bd7 FileHash-MD5 \n",
"45 84d431618cbbbf56fe0cc3d34f62a655 FileHash-MD5 \n",
"46 58eefd9183ac89a1b99dda02e0ab4092 FileHash-MD5 \n",
"47 202.103.243.104 IPv4 \n",
"48 58.221.254.153 IPv4 \n",
"49 58.213.123.107 IPv4 \n",
"50 CVE-2014-6271 CVE "
]
},
"execution_count": 8,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"json_normalize(pulses[1][\"indicators\"])"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"- _id: Unique identifier of the IOC\n",
"- created: Date IOC was added to the pulse\n",
"- description: Description of the Indicator of Compromise\n",
"- indicator: The IOC\n",
"- indicator_type: Type of indicator (the type column above)\n",
"\n",
"The following Indicator Types are supported (also defined in IndicatorTypes.py):"
]
},
{
"cell_type": "code",
"execution_count": 12,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"indicator_types = [\n",
"    {\n",
"        \"name\": \"IPv4\",\n",
"        \"description\": \"An IPv4 address indicating the online location of a server or other computer.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"IPv6\",\n",
"        \"description\": \"An IPv6 address indicating the online location of a server or other computer.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"domain\",\n",
"        \"description\": \"A domain name for a website or server. Domains encompass a series of hostnames.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"hostname\",\n",
"        \"description\": \"The hostname for a server located within a domain.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"email\",\n",
"        \"description\": \"An email associated with suspicious activity.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"URL\",\n",
"        \"description\": \"Uniform Resource Locator (URL) summarizing the online location of a file or resource.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"URI\",\n",
"        \"description\": \"Uniform Resource Identifier (URI) describing the explicit path to a file hosted online.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"FileHash-MD5\",\n",
"        \"description\": \"An MD5-format hash that summarizes the architecture and content of a file.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"FileHash-SHA1\",\n",
"        \"description\": \"A SHA-1-format hash that summarizes the architecture and content of a file.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"FileHash-SHA256\",\n",
"        \"description\": \"A SHA-256-format hash that summarizes the architecture and content of a file.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"FileHash-PEHASH\",\n",
"        \"description\": \"A PEHASH-format hash that summarizes the architecture and content of a file.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"FileHash-IMPHASH\",\n",
"        \"description\": \"An IMPHASH-format hash that summarizes the architecture and content of a file.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"CIDR\",\n",
"        \"description\": \"Classless Inter-Domain Routing (CIDR) address, which describes both a server's IP address and the network architecture (routing path) surrounding that server.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"FilePath\",\n",
"        \"description\": \"A unique location in a file system.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"Mutex\",\n",
"        \"description\": \"The name of a mutex resource describing the execution architecture of a file.\"\n",
"    },\n",
"    {\n",
"        \"name\": \"CVE\",\n",
"        \"description\": \"Common Vulnerability and Exposure (CVE) entry describing a software vulnerability that can be exploited to engage in malicious activity.\"\n",
"    }\n",
"]"
]
},
{
"cell_type": "code",
"execution_count": 13,
"metadata": {
"collapsed": false,
"scrolled": true
},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>description</th>\n",
" <th>name</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>An IPv4 address indicating the online location...</td>\n",
" <td>IPv4</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>An IPv6 address indicating the online location...</td>\n",
" <td>IPv6</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>A domain name for a website or server. Domains...</td>\n",
" <td>domain</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>The hostname for a server located within a dom...</td>\n",
" <td>hostname</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>An email associated with suspicious activity.</td>\n",
" <td>email</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5</th>\n",
" <td>Uniform Resource Location (URL) summarizing t...</td>\n",
" <td>URL</td>\n",
" </tr>\n",
" <tr>\n",
" <th>6</th>\n",
" <td>Uniform Resource Indicator (URI) describing th...</td>\n",
" <td>URI</td>\n",
" </tr>\n",
" <tr>\n",
" <th>7</th>\n",
" <td>A MD5-format hash that summarizes the architec...</td>\n",
" <td>FileHash-MD5</td>\n",
" </tr>\n",
" <tr>\n",
" <th>8</th>\n",
" <td>A SHA-format hash that summarizes the architec...</td>\n",
" <td>FileHash-SHA1</td>\n",
" </tr>\n",
" <tr>\n",
" <th>9</th>\n",
" <td>A SHA-256-format hash that summarizes the arch...</td>\n",
" <td>FileHash-SHA256</td>\n",
" </tr>\n",
" <tr>\n",
" <th>10</th>\n",
" <td>A PEPHASH-format hash that summarizes the arch...</td>\n",
" <td>FileHash-PEHASH</td>\n",
" </tr>\n",
" <tr>\n",
" <th>11</th>\n",
" <td>An IMPHASH-format hash that summarizes the arc...</td>\n",
" <td>FileHash-IMPHASH</td>\n",
" </tr>\n",
" <tr>\n",
" <th>12</th>\n",
" <td>Classless Inter-Domain Routing (CIDR) address,...</td>\n",
" <td>CIDR</td>\n",
" </tr>\n",
" <tr>\n",
" <th>13</th>\n",
" <td>A unique location in a file system.</td>\n",
" <td>FilePath</td>\n",
" </tr>\n",
" <tr>\n",
" <th>14</th>\n",
" <td>The name of a mutex resource describing the ex...</td>\n",
" <td>Mutex</td>\n",
" </tr>\n",
" <tr>\n",
" <th>15</th>\n",
" <td>Common Vulnerability and Exposure (CVE) entry ...</td>\n",
" <td>CVE</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" description name\n",
"0 An IPv4 address indicating the online location... IPv4\n",
"1 An IPv6 address indicating the online location... IPv6\n",
"2 A domain name for a website or server. Domains... domain\n",
"3 The hostname for a server located within a dom... hostname\n",
"4 An email associated with suspicious activity. email\n",
"5 Uniform Resource Location (URL) summarizing t... URL\n",
"6 Uniform Resource Indicator (URI) describing th... URI\n",
"7 A MD5-format hash that summarizes the architec... FileHash-MD5\n",
"8 A SHA-format hash that summarizes the architec... FileHash-SHA1\n",
"9 A SHA-256-format hash that summarizes the arch... FileHash-SHA256\n",
"10 A PEPHASH-format hash that summarizes the arch... FileHash-PEHASH\n",
"11 An IMPHASH-format hash that summarizes the arc... FileHash-IMPHASH\n",
"12 Classless Inter-Domain Routing (CIDR) address,... CIDR\n",
"13 A unique location in a file system. FilePath\n",
"14 The name of a mutex resource describing the ex... Mutex\n",
"15 Common Vulnerability and Exposure (CVE) entry ... CVE"
]
},
"execution_count": 13,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"json_normalize(indicator_types)"
]
},
{
"cell_type": "code",
"execution_count": 27,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"mtime = (datetime.now() - timedelta(days=1)).isoformat()"
]
},
{
"cell_type": "code",
"execution_count": 28,
"metadata": {
"collapsed": false
},
"outputs": [
{
"data": {
"text/plain": [
"'2015-07-23T18:29:49.657037'"
]
},
"execution_count": 28,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"mtime"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Events"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
    "Besides retrieving pulse information, another function retrieves the events occurring in the OTX system that affect your account, starting from a given timestamp."
]
},
{
"cell_type": "code",
"execution_count": 29,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"events = otx.getevents_since(mtime)"
]
},
{
"cell_type": "code",
"execution_count": 30,
"metadata": {
"collapsed": false
},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>action</th>\n",
" <th>created</th>\n",
" <th>id</th>\n",
" <th>object_id</th>\n",
" <th>object_type</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-24T20:46:59.508000</td>\n",
" <td>55b2a443b45ff532057ccc08</td>\n",
" <td>55b290e5b45ff508d47ccc10</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-24T20:55:20.630000</td>\n",
" <td>55b2a638b45ff5366d7ccc08</td>\n",
" <td>55b04cbeb45ff52d6c94e6bd</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-24T20:55:21.552000</td>\n",
" <td>55b2a639b45ff536837ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-24T20:55:22.537000</td>\n",
" <td>55b2a63ab45ff5367d7ccc08</td>\n",
" <td>55b11b85b45ff51d9a7ccc0d</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-24T20:55:24.746000</td>\n",
" <td>55b2a63cb45ff536727ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-24T21:09:46.722000</td>\n",
" <td>55b2a99ab45ff53da77ccc08</td>\n",
" <td>55b04cbeb45ff52d6c94e6bd</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>6</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-24T21:09:47.608000</td>\n",
" <td>55b2a99bb45ff53dc47ccc08</td>\n",
" <td>55b11b85b45ff51d9a7ccc0d</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>7</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-24T21:09:47.993000</td>\n",
" <td>55b2a99bb45ff53da67ccc08</td>\n",
" <td>55b290e5b45ff508d47ccc10</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>8</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-24T21:09:49.474000</td>\n",
" <td>55b2a99db45ff53dec7ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>9</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-24T21:09:53.078000</td>\n",
" <td>55b2a9a1b45ff53dec7ccc09</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>10</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-24T21:09:53.205000</td>\n",
" <td>55b2a9a1b45ff53dec7ccc0a</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>11</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-24T21:09:53.335000</td>\n",
" <td>55b2a9a1b45ff53df17ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>12</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-24T21:09:53.378000</td>\n",
" <td>55b2a9a1b45ff53d967ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>13</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-24T21:09:53.477000</td>\n",
" <td>55b2a9a1b45ff53df17ccc09</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>14</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-24T21:09:53.606000</td>\n",
" <td>55b2a9a1b45ff53dec7ccc0b</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>15</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-24T21:09:53.742000</td>\n",
" <td>55b2a9a1b45ff53dec7ccc0c</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>16</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-24T21:09:53.870000</td>\n",
" <td>55b2a9a1b45ff53dec7ccc0d</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>17</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-25T01:28:34.246000</td>\n",
" <td>55b2e642b45ff5718c7ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>18</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-25T01:28:37.666000</td>\n",
" <td>55b2e645b45ff5718b7ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>19</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-25T01:28:42.096000</td>\n",
" <td>55b2e64ab45ff5711d7ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>20</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-25T01:28:43.478000</td>\n",
" <td>55b2e64bb45ff5719c7ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>21</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-25T01:28:43.845000</td>\n",
" <td>55b2e64bb45ff571937ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>22</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-25T01:28:44.001000</td>\n",
" <td>55b2e64cb45ff571777ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>23</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-25T01:28:44.173000</td>\n",
" <td>55b2e64cb45ff571757ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>24</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-25T01:28:45.219000</td>\n",
" <td>55b2e64db45ff5719f7ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>25</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-25T01:28:45.344000</td>\n",
" <td>55b2e64db45ff571a37ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>26</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-25T01:28:46.471000</td>\n",
" <td>55b2e64eb45ff5717c7ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>27</th>\n",
" <td>unsubscribe</td>\n",
" <td>2015-07-25T01:28:47.067000</td>\n",
" <td>55b2e64fb45ff571a47ccc08</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>28</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-25T01:28:47.826000</td>\n",
" <td>55b2e64fb45ff571a47ccc09</td>\n",
" <td>55b05f0ab45ff5326594e6cc</td>\n",
" <td>pulse</td>\n",
" </tr>\n",
" <tr>\n",
" <th>29</th>\n",
" <td>subscribe</td>\n",
" <td>2015-07-25T01:28:55.745000</td>\n",
" <td>55b2e657b45ff571ad7ccc08</td>\n",
" <td>Malwaremustdie</td>\n",
" <td>user</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" action created id \\\n",
"0 subscribe 2015-07-24T20:46:59.508000 55b2a443b45ff532057ccc08 \n",
"1 subscribe 2015-07-24T20:55:20.630000 55b2a638b45ff5366d7ccc08 \n",
"2 subscribe 2015-07-24T20:55:21.552000 55b2a639b45ff536837ccc08 \n",
"3 subscribe 2015-07-24T20:55:22.537000 55b2a63ab45ff5367d7ccc08 \n",
"4 unsubscribe 2015-07-24T20:55:24.746000 55b2a63cb45ff536727ccc08 \n",
"5 unsubscribe 2015-07-24T21:09:46.722000 55b2a99ab45ff53da77ccc08 \n",
"6 unsubscribe 2015-07-24T21:09:47.608000 55b2a99bb45ff53dc47ccc08 \n",
"7 unsubscribe 2015-07-24T21:09:47.993000 55b2a99bb45ff53da67ccc08 \n",
"8 subscribe 2015-07-24T21:09:49.474000 55b2a99db45ff53dec7ccc08 \n",
"9 unsubscribe 2015-07-24T21:09:53.078000 55b2a9a1b45ff53dec7ccc09 \n",
"10 subscribe 2015-07-24T21:09:53.205000 55b2a9a1b45ff53dec7ccc0a \n",
"11 unsubscribe 2015-07-24T21:09:53.335000 55b2a9a1b45ff53df17ccc08 \n",
"12 subscribe 2015-07-24T21:09:53.378000 55b2a9a1b45ff53d967ccc08 \n",
"13 unsubscribe 2015-07-24T21:09:53.477000 55b2a9a1b45ff53df17ccc09 \n",
"14 subscribe 2015-07-24T21:09:53.606000 55b2a9a1b45ff53dec7ccc0b \n",
"15 unsubscribe 2015-07-24T21:09:53.742000 55b2a9a1b45ff53dec7ccc0c \n",
"16 subscribe 2015-07-24T21:09:53.870000 55b2a9a1b45ff53dec7ccc0d \n",
"17 unsubscribe 2015-07-25T01:28:34.246000 55b2e642b45ff5718c7ccc08 \n",
"18 subscribe 2015-07-25T01:28:37.666000 55b2e645b45ff5718b7ccc08 \n",
"19 unsubscribe 2015-07-25T01:28:42.096000 55b2e64ab45ff5711d7ccc08 \n",
"20 subscribe 2015-07-25T01:28:43.478000 55b2e64bb45ff5719c7ccc08 \n",
"21 unsubscribe 2015-07-25T01:28:43.845000 55b2e64bb45ff571937ccc08 \n",
"22 subscribe 2015-07-25T01:28:44.001000 55b2e64cb45ff571777ccc08 \n",
"23 unsubscribe 2015-07-25T01:28:44.173000 55b2e64cb45ff571757ccc08 \n",
"24 subscribe 2015-07-25T01:28:45.219000 55b2e64db45ff5719f7ccc08 \n",
"25 unsubscribe 2015-07-25T01:28:45.344000 55b2e64db45ff571a37ccc08 \n",
"26 subscribe 2015-07-25T01:28:46.471000 55b2e64eb45ff5717c7ccc08 \n",
"27 unsubscribe 2015-07-25T01:28:47.067000 55b2e64fb45ff571a47ccc08 \n",
"28 subscribe 2015-07-25T01:28:47.826000 55b2e64fb45ff571a47ccc09 \n",
"29 subscribe 2015-07-25T01:28:55.745000 55b2e657b45ff571ad7ccc08 \n",
"\n",
" object_id object_type \n",
"0 55b290e5b45ff508d47ccc10 pulse \n",
"1 55b04cbeb45ff52d6c94e6bd pulse \n",
"2 55b05f0ab45ff5326594e6cc pulse \n",
"3 55b11b85b45ff51d9a7ccc0d pulse \n",
"4 55b05f0ab45ff5326594e6cc pulse \n",
"5 55b04cbeb45ff52d6c94e6bd pulse \n",
"6 55b11b85b45ff51d9a7ccc0d pulse \n",
"7 55b290e5b45ff508d47ccc10 pulse \n",
"8 55b05f0ab45ff5326594e6cc pulse \n",
"9 55b05f0ab45ff5326594e6cc pulse \n",
"10 55b05f0ab45ff5326594e6cc pulse \n",
"11 55b05f0ab45ff5326594e6cc pulse \n",
"12 55b05f0ab45ff5326594e6cc pulse \n",
"13 55b05f0ab45ff5326594e6cc pulse \n",
"14 55b05f0ab45ff5326594e6cc pulse \n",
"15 55b05f0ab45ff5326594e6cc pulse \n",
"16 55b05f0ab45ff5326594e6cc pulse \n",
"17 55b05f0ab45ff5326594e6cc pulse \n",
"18 55b05f0ab45ff5326594e6cc pulse \n",
"19 55b05f0ab45ff5326594e6cc pulse \n",
"20 55b05f0ab45ff5326594e6cc pulse \n",
"21 55b05f0ab45ff5326594e6cc pulse \n",
"22 55b05f0ab45ff5326594e6cc pulse \n",
"23 55b05f0ab45ff5326594e6cc pulse \n",
"24 55b05f0ab45ff5326594e6cc pulse \n",
"25 55b05f0ab45ff5326594e6cc pulse \n",
"26 55b05f0ab45ff5326594e6cc pulse \n",
"27 55b05f0ab45ff5326594e6cc pulse \n",
"28 55b05f0ab45ff5326594e6cc pulse \n",
"29 Malwaremustdie user "
]
},
"execution_count": 30,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"json_normalize(events)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
    "- id: object id of this event, a unique reference identifier\n",
    "- action: \"[subscribe | unsubscribe | delete]\". Currently supports subscribe / unsubscribe events for users and pulses, and delete events for pulses\n",
    "- object_type: \"[pulse | user]\". Currently supports events for pulse and user objects\n",
    "- object_id: \"[pulse id | author id]\". Unique id that can be used to look up pulses and users (e.g. to remove them from a system, remove all pulses by author_id, or an individual pulse by its pulse id)\n",
    "- created: timestamp of the event"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"When developing an application, you must decide how you want to handle different types of events. For instance, if one OTX user unsubscribes from another user, do you want to delete the IOCs the second user contributed from your application? How do you plan to reconcile the data on the server versus the data in your application?\n",
"The same question comes up when users delete a pulse."
]
},
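As an added example (not code from the notebook or the OTX-Python-SDK), here is one way to answer the reconciliation question above: replay the event records in time order against a local pulse store, using the event fields shown in the table. The local store and the events are constructed sample data, and the drop-on-unsubscribe policy is an assumption, not OTX behaviour.

```python
import copy
from datetime import datetime, timedelta

# Constructed local state: pulse id -> {"author": username, "iocs": [...]}.
# In a real application this is whatever you persisted from getall().
LOCAL_PULSES = {
    "pulse-A": {"author": "alice", "iocs": ["10.0.0.1", "evil.example"]},
    "pulse-B": {"author": "alice", "iocs": ["10.0.0.2"]},
    "pulse-C": {"author": "bob", "iocs": ["bad.example"]},
}

# Constructed events in the shape returned by otx.getevents_since(mtime).
# e1 is delivered twice, and pulse-D is subscribed then unsubscribed within
# seconds, the flip-flop pattern visible in the table above.
SAMPLE_EVENTS = [
    {"id": "e1", "action": "unsubscribe", "created": "2015-07-24T20:55:24.746000",
     "object_id": "pulse-B", "object_type": "pulse"},
    {"id": "e2", "action": "delete", "created": "2015-07-24T21:09:46.722000",
     "object_id": "pulse-C", "object_type": "pulse"},
    {"id": "e3", "action": "unsubscribe", "created": "2015-07-25T01:28:55.745000",
     "object_id": "alice", "object_type": "user"},
    {"id": "e4", "action": "subscribe", "created": "2015-07-25T01:28:57.000000",
     "object_id": "pulse-D", "object_type": "pulse"},
    {"id": "e5", "action": "unsubscribe", "created": "2015-07-25T01:28:58.000000",
     "object_id": "pulse-D", "object_type": "pulse"},
    {"id": "e6", "action": "subscribe", "created": "2015-07-25T01:28:59.000000",
     "object_id": "pulse-E", "object_type": "pulse"},
    {"id": "e1", "action": "unsubscribe", "created": "2015-07-24T20:55:24.746000",
     "object_id": "pulse-B", "object_type": "pulse"},
]


def apply_events(local_pulses, events, seen_ids=()):
    """Replay OTX events against a local pulse store.

    Returns (store, to_fetch, newest_created, seen_ids):
      store          - copy of local_pulses with the events applied
      to_fetch       - pulse ids that still need otx.get_pulse_details(),
                       because events carry ids only, never indicators
      newest_created - 'created' of the newest event processed (or None)
      seen_ids       - event ids processed so far, for duplicate suppression
    The policy chosen here (unsubscribe/delete drops the pulse and its IOCs,
    unsubscribing from a user drops all of that author's pulses) is an
    assumption; it is the decision the paragraph above asks you to make.
    """
    store = copy.deepcopy(local_pulses)
    seen = set(seen_ids)
    to_fetch = []
    newest = None
    # 'created' is ISO 8601 with a fixed layout, so string order is time order;
    # replaying in time order is what makes subscribe/unsubscribe pairs cancel.
    for ev in sorted(events, key=lambda e: e["created"]):
        if ev["id"] in seen:
            continue  # redelivered event, already applied
        seen.add(ev["id"])
        action, otype, oid = ev["action"], ev["object_type"], ev["object_id"]
        if otype == "pulse":
            if action in ("unsubscribe", "delete"):
                store.pop(oid, None)
                to_fetch = [p for p in to_fetch if p != oid]
            elif action == "subscribe" and oid not in store and oid not in to_fetch:
                to_fetch.append(oid)
        elif otype == "user" and action == "unsubscribe":
            for pid in [p for p, v in store.items() if v["author"] == oid]:
                del store[pid]
        # A subscribe to a user needs no local change: that author's pulses
        # arrive with the next subscription download.
        if newest is None or ev["created"] > newest:
            newest = ev["created"]
    return store, to_fetch, newest, seen


def next_since(newest_created, now=None, lookback=timedelta(days=1)):
    """Timestamp for the next getevents_since() call: the newest event seen,
    or on a cold start the same one-day lookback the notebook uses for mtime."""
    if newest_created:
        return newest_created
    return ((now or datetime.now()) - lookback).isoformat()


if __name__ == "__main__":
    store, to_fetch, newest, seen = apply_events(LOCAL_PULSES, SAMPLE_EVENTS)
    print("remaining pulses:", sorted(store))
    print("pulses to fetch:", to_fetch)
    print("next poll from:", next_since(newest))
```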
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Using Search and get Pulse by ID"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"The OTX API allows you to search for pulses and users by keyword. This allows you to obtain pulses that you're not (yet) subscribed to."
]
},
{
"cell_type": "code",
"execution_count": 8,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"pulses = otx.search_pulses(\"Russian\")"
]
},
{
"cell_type": "code",
"execution_count": 10,
"metadata": {
"collapsed": false
},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>TLP</th>\n",
" <th>author.avatar_url</th>\n",
" <th>author.id</th>\n",
" <th>author.username</th>\n",
" <th>cloned_from</th>\n",
" <th>comment_count</th>\n",
" <th>created</th>\n",
" <th>description</th>\n",
" <th>downvotes_count</th>\n",
" <th>export_count</th>\n",
" <th>...</th>\n",
" <th>modified_text</th>\n",
" <th>name</th>\n",
" <th>public</th>\n",
" <th>references</th>\n",
" <th>subscriber_count</th>\n",
" <th>tags</th>\n",
" <th>upvotes_count</th>\n",
" <th>validator_count</th>\n",
" <th>vote</th>\n",
" <th>votes_count</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>green</td>\n",
" <td>https://otx20-web-media.s3.amazonaws.com/media...</td>\n",
" <td>55003d1d13432a7f96c2be0a</td>\n",
" <td>AlienVault</td>\n",
" <td>None</td>\n",
" <td>0</td>\n",
" <td>2016-05-18T14:52:41.117000</td>\n",
" <td>Operation Groundbait (Russian: Прикормка, Prik...</td>\n",
" <td>0</td>\n",
" <td>14</td>\n",
" <td>...</td>\n",
" <td>2 days ago</td>\n",
" <td>Operation Groundbait: Analysis of a surveillan...</td>\n",
" <td>True</td>\n",
" <td>[http://www.welivesecurity.com/wp-content/uplo...</td>\n",
" <td>14655</td>\n",
" <td>[Groundbait, russia, ukraine, Prikormka, surve...</td>\n",
" <td>2</td>\n",
" <td>0</td>\n",
" <td>1</td>\n",
" <td>2</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>green</td>\n",
" <td>https://otx20-web-media.s3.amazonaws.com/media...</td>\n",
" <td>55bb3ec74637f238607a9c69</td>\n",
" <td>bartblaze</td>\n",
" <td>None</td>\n",
" <td>0</td>\n",
" <td>2016-05-10T10:48:53.586000</td>\n",
" <td>A new ransomware called Enigma was discovered ...</td>\n",
" <td>0</td>\n",
" <td>3</td>\n",
" <td>...</td>\n",
" <td>9 days ago</td>\n",
" <td>Enigma ransomware</td>\n",
" <td>True</td>\n",
" <td>[http://www.bleepingcomputer.com/news/security...</td>\n",
" <td>138</td>\n",
" <td>[enigma, enigma ransomware]</td>\n",
" <td>0</td>\n",
" <td>0</td>\n",
" <td>0</td>\n",
" <td>0</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>green</td>\n",
" <td>https://otx20-web-media.s3.amazonaws.com/media...</td>\n",
" <td>55003d1d13432a7f96c2be0a</td>\n",
" <td>AlienVault</td>\n",
" <td>None</td>\n",
" <td>0</td>\n",
" <td>2016-05-10T16:03:54.294000</td>\n",
" <td>Recently the Mobile Malware Research Team of I...</td>\n",
" <td>0</td>\n",
" <td>19</td>\n",
" <td>...</td>\n",
" <td>9 days ago</td>\n",
" <td>Android Malware Clicker.G!Gen Found on Google ...</td>\n",
" <td>True</td>\n",
" <td>[https://blogs.mcafee.com/mcafee-labs/android-...</td>\n",
" <td>14653</td>\n",
" <td>[google play, trojan, android, mobile, malware...</td>\n",
" <td>3</td>\n",
" <td>0</td>\n",
" <td>1</td>\n",
" <td>3</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>green</td>\n",
" <td>https://otx20-web-media.s3.amazonaws.com/media...</td>\n",
" <td>5721dc5ca08845015a81565c</td>\n",
" <td>Umbra00</td>\n",
" <td>None</td>\n",
" <td>0</td>\n",
" <td>2016-05-03T11:11:14.151000</td>\n",
" <td>Attempting to append the pot. analysis of the ...</td>\n",
" <td>0</td>\n",
" <td>1</td>\n",
" <td>...</td>\n",
" <td>17 days ago</td>\n",
" <td>Remote Code Execution Attempt / auto append file</td>\n",
" <td>True</td>\n",
" <td>[]</td>\n",
" <td>21</td>\n",
" <td>[R.TXT, ghc.ru, rst.void.ru, 1dt.w0lf]</td>\n",
" <td>0</td>\n",
" <td>0</td>\n",
" <td>0</td>\n",
" <td>0</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>green</td>\n",
" <td>https://otx20-web-media.s3.amazonaws.com/media...</td>\n",
" <td>55bb3ec74637f238607a9c69</td>\n",
" <td>bartblaze</td>\n",
" <td>None</td>\n",
" <td>0</td>\n",
" <td>2016-04-29T16:32:35.621000</td>\n",
" <td>BrLock was found on April 18, 2016, but the ex...</td>\n",
" <td>0</td>\n",
" <td>3</td>\n",
" <td>...</td>\n",
" <td>20 days ago</td>\n",
" <td>BrLock ransomware</td>\n",
" <td>True</td>\n",
" <td>[https://www.proofpoint.com/us/threat-insight/...</td>\n",
" <td>138</td>\n",
" <td>[brlock, brlock ransomware]</td>\n",
" <td>1</td>\n",
" <td>0</td>\n",
" <td>0</td>\n",
" <td>1</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"<p>5 rows × 36 columns</p>\n",
"</div>"
],
"text/plain": [
" TLP author.avatar_url \\\n",
"0 green https://otx20-web-media.s3.amazonaws.com/media... \n",
"1 green https://otx20-web-media.s3.amazonaws.com/media... \n",
"2 green https://otx20-web-media.s3.amazonaws.com/media... \n",
"3 green https://otx20-web-media.s3.amazonaws.com/media... \n",
"4 green https://otx20-web-media.s3.amazonaws.com/media... \n",
"\n",
" author.id author.username cloned_from comment_count \\\n",
"0 55003d1d13432a7f96c2be0a AlienVault None 0 \n",
"1 55bb3ec74637f238607a9c69 bartblaze None 0 \n",
"2 55003d1d13432a7f96c2be0a AlienVault None 0 \n",
"3 5721dc5ca08845015a81565c Umbra00 None 0 \n",
"4 55bb3ec74637f238607a9c69 bartblaze None 0 \n",
"\n",
" created \\\n",
"0 2016-05-18T14:52:41.117000 \n",
"1 2016-05-10T10:48:53.586000 \n",
"2 2016-05-10T16:03:54.294000 \n",
"3 2016-05-03T11:11:14.151000 \n",
"4 2016-04-29T16:32:35.621000 \n",
"\n",
" description downvotes_count \\\n",
"0 Operation Groundbait (Russian: Прикормка, Prik... 0 \n",
"1 A new ransomware called Enigma was discovered ... 0 \n",
"2 Recently the Mobile Malware Research Team of I... 0 \n",
"3 Attempting to append the pot. analysis of the ... 0 \n",
"4 BrLock was found on April 18, 2016, but the ex... 0 \n",
"\n",
" export_count ... modified_text \\\n",
"0 14 ... 2 days ago \n",
"1 3 ... 9 days ago \n",
"2 19 ... 9 days ago \n",
"3 1 ... 17 days ago \n",
"4 3 ... 20 days ago \n",
"\n",
" name public \\\n",
"0 Operation Groundbait: Analysis of a surveillan... True \n",
"1 Enigma ransomware True \n",
"2 Android Malware Clicker.G!Gen Found on Google ... True \n",
"3 Remote Code Execution Attempt / auto append file True \n",
"4 BrLock ransomware True \n",
"\n",
" references subscriber_count \\\n",
"0 [http://www.welivesecurity.com/wp-content/uplo... 14655 \n",
"1 [http://www.bleepingcomputer.com/news/security... 138 \n",
"2 [https://blogs.mcafee.com/mcafee-labs/android-... 14653 \n",
"3 [] 21 \n",
"4 [https://www.proofpoint.com/us/threat-insight/... 138 \n",
"\n",
" tags upvotes_count \\\n",
"0 [Groundbait, russia, ukraine, Prikormka, surve... 2 \n",
"1 [enigma, enigma ransomware] 0 \n",
"2 [google play, trojan, android, mobile, malware... 3 \n",
"3 [R.TXT, ghc.ru, rst.void.ru, 1dt.w0lf] 0 \n",
"4 [brlock, brlock ransomware] 1 \n",
"\n",
" validator_count vote votes_count \n",
"0 0 1 2 \n",
"1 0 0 0 \n",
"2 0 1 3 \n",
"3 0 0 0 \n",
"4 0 0 1 \n",
"\n",
"[5 rows x 36 columns]"
]
},
"execution_count": 10,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"json_normalize(pulses[\"results\"])"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
    "Let's say we're interested in viewing the full details (including indicators) of one of our search results. For example, maybe we're interested in the Enigma ransomware pulse:"
]
},
{
"cell_type": "code",
"execution_count": 16,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"pulse_id = pulses[\"results\"][1][\"id\"]"
]
},
{
"cell_type": "code",
"execution_count": 17,
"metadata": {
"collapsed": false
},
"outputs": [],
"source": [
"pulse_details = otx.get_pulse_details(pulse_id)"
]
},
{
"cell_type": "code",
"execution_count": 18,
"metadata": {
"collapsed": false
},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>TLP</th>\n",
" <th>author_name</th>\n",
" <th>created</th>\n",
" <th>description</th>\n",
" <th>id</th>\n",
" <th>indicators</th>\n",
" <th>modified</th>\n",
" <th>name</th>\n",
" <th>public</th>\n",
" <th>references</th>\n",
" <th>revision</th>\n",
" <th>tags</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>green</td>\n",
" <td>bartblaze</td>\n",
" <td>2016-05-10T10:48:53.586000</td>\n",
" <td>A new ransomware called Enigma was discovered ...</td>\n",
" <td>5731bc95452c27015dad07e0</td>\n",
" <td>[{u'indicator': u'e8c8417f335cd2766ad1570de8b1...</td>\n",
" <td>2016-05-11T12:17:46.494000</td>\n",
" <td>Enigma ransomware</td>\n",
" <td>True</td>\n",
" <td>[http://www.bleepingcomputer.com/news/security...</td>\n",
" <td>2.0</td>\n",
" <td>[enigma, enigma ransomware]</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" TLP author_name created \\\n",
"0 green bartblaze 2016-05-10T10:48:53.586000 \n",
"\n",
" description \\\n",
"0 A new ransomware called Enigma was discovered ... \n",
"\n",
" id \\\n",
"0 5731bc95452c27015dad07e0 \n",
"\n",
" indicators \\\n",
"0 [{u'indicator': u'e8c8417f335cd2766ad1570de8b1... \n",
"\n",
" modified name public \\\n",
"0 2016-05-11T12:17:46.494000 Enigma ransomware True \n",
"\n",
" references revision \\\n",
"0 [http://www.bleepingcomputer.com/news/security... 2.0 \n",
"\n",
" tags \n",
"0 [enigma, enigma ransomware] "
]
},
"execution_count": 18,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"json_normalize(pulse_details)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Indicator details"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"Let's investigate an indicator included in the Enigma Ransomware pulse."
]
},
{
"cell_type": "code",
"execution_count": null,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"indicator = pulse_details[\"indicators\"][4][\"indicator\"]"
]
},
{
"cell_type": "code",
"execution_count": 28,
"metadata": {
"collapsed": false
},
"outputs": [],
"source": [
"indicator_details = otx.get_indicator_details_full(IndicatorTypes.IPv4, indicator)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"Indicator details are divided into sections for convenience:"
]
},
{
"cell_type": "code",
"execution_count": 30,
"metadata": {
"collapsed": false
},
"outputs": [
{
"data": {
"text/plain": [
"['malware', 'passive_dns', 'url_list', 'general', 'reputation', 'geo']"
]
},
"execution_count": 30,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"indicator_details.keys()"
]
},
{
"cell_type": "code",
"execution_count": 37,
"metadata": {
"collapsed": false
},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>actual_size</th>\n",
" <th>full_size</th>\n",
" <th>has_next</th>\n",
" <th>limit</th>\n",
" <th>page_num</th>\n",
" <th>paged</th>\n",
" <th>url_list</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>22</td>\n",
" <td>22</td>\n",
" <td>True</td>\n",
" <td>10</td>\n",
" <td>1</td>\n",
" <td>True</td>\n",
" <td>[{u'domain': u'', u'url': u'http://82.194.84.1...</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" actual_size full_size has_next limit page_num paged \\\n",
"0 22 22 True 10 1 True \n",
"\n",
" url_list \n",
"0 [{u'domain': u'', u'url': u'http://82.194.84.1... "
]
},
"execution_count": 37,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"json_normalize(indicator_details[\"url_list\"])"
]
},
{
"cell_type": "code",
"execution_count": 39,
"metadata": {
"collapsed": false,
"scrolled": false
},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>address</th>\n",
" <th>asset_type</th>\n",
" <th>first</th>\n",
" <th>flag_title</th>\n",
" <th>flag_url</th>\n",
" <th>hostname</th>\n",
" <th>indicator_link</th>\n",
" <th>last</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>82.194.84.120</td>\n",
" <td>domain</td>\n",
" <td>2013-08-29 14:59:51</td>\n",
" <td>Spain</td>\n",
" <td>/static/img/flags/es.png</td>\n",
" <td>comitres.net</td>\n",
" <td>/indicator/domain/comitres.net</td>\n",
" <td>2014-07-24 01:04:39</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>82.194.84.120</td>\n",
" <td>domain</td>\n",
" <td>2013-10-09 18:09:10</td>\n",
" <td>Spain</td>\n",
" <td>/static/img/flags/es.png</td>\n",
" <td>apamac.net</td>\n",
" <td>/indicator/domain/apamac.net</td>\n",
" <td>2013-12-16 15:42:58</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>82.194.84.120</td>\n",
" <td>domain</td>\n",
" <td>2013-08-31 15:02:04</td>\n",
" <td>Spain</td>\n",
" <td>/static/img/flags/es.png</td>\n",
" <td>estudio-danza-camargo.com</td>\n",
" <td>/indicator/domain/estudio-danza-camargo.com</td>\n",
" <td>2013-08-31 15:02:04</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" address asset_type first flag_title \\\n",
"0 82.194.84.120 domain 2013-08-29 14:59:51 Spain \n",
"1 82.194.84.120 domain 2013-10-09 18:09:10 Spain \n",
"2 82.194.84.120 domain 2013-08-31 15:02:04 Spain \n",
"\n",
" flag_url hostname \\\n",
"0 /static/img/flags/es.png comitres.net \n",
"1 /static/img/flags/es.png apamac.net \n",
"2 /static/img/flags/es.png estudio-danza-camargo.com \n",
"\n",
" indicator_link last \n",
"0 /indicator/domain/comitres.net 2014-07-24 01:04:39 \n",
"1 /indicator/domain/apamac.net 2013-12-16 15:42:58 \n",
"2 /indicator/domain/estudio-danza-camargo.com 2013-08-31 15:02:04 "
]
},
"execution_count": 39,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"json_normalize(indicator_details[\"passive_dns\"].get('passive_dns'))"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"Indicator details are not available for all supported indicator types. IndicatorTypes.supported_api_types contains a list of the indicator types you can use with get_indicator_details_by_section and get_indicator_details_full. "
]
},
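As an added example (not code from the notebook or the SDK), the functions below pull the related hostnames and URLs out of a get_indicator_details_full() result and flag the case the table above shows: a url_list section that is paged, so a single call returns only the first page. SAMPLE_DETAILS is constructed from the field names in the two tables, shortened to a few rows, and is not a real API response; the shared-hosting threshold is an assumption.

```python
# Constructed sample in the shape of indicator_details above (two sections only).
SAMPLE_DETAILS = {
    "url_list": {
        "actual_size": 22, "full_size": 22, "has_next": True,
        "limit": 10, "page_num": 1, "paged": True,
        "url_list": [
            {"domain": "", "url": "http://82.194.84.120/"},
            {"domain": "comitres.net", "url": "http://comitres.net/"},
        ],
    },
    "passive_dns": {
        "passive_dns": [
            {"address": "82.194.84.120", "hostname": "comitres.net",
             "first": "2013-08-29 14:59:51", "last": "2014-07-24 01:04:39"},
            {"address": "82.194.84.120", "hostname": "apamac.net",
             "first": "2013-10-09 18:09:10", "last": "2013-12-16 15:42:58"},
            {"address": "82.194.84.120", "hostname": "estudio-danza-camargo.com",
             "first": "2013-08-31 15:02:04", "last": "2013-08-31 15:02:04"},
        ]
    },
}


def passive_dns_rows(details):
    """Rows of the passive_dns section, newest 'last' first; [] when absent.
    indicator_details["passive_dns"].get("passive_dns") in the notebook can be
    None for an indicator with no resolution history, so guard for that."""
    rows = (details.get("passive_dns") or {}).get("passive_dns") or []
    # 'last' is 'YYYY-MM-DD HH:MM:SS', so string order is time order.
    return sorted(rows, key=lambda r: r["last"], reverse=True)


def related_hostnames(details, since=None):
    """Hostnames that resolved to the indicator, optionally only those whose
    last observation is on or after `since` ('YYYY-MM-DD HH:MM:SS')."""
    rows = passive_dns_rows(details)
    if since:
        rows = [r for r in rows if r["last"] >= since]
    return [r["hostname"] for r in rows]


def url_coverage(details):
    """(urls, complete): the URLs in the url_list section and whether that is
    everything. paged/has_next in the table above show the section is served
    ten at a time, so one call may hold only page 1 of full_size entries."""
    sec = details.get("url_list") or {}
    urls = [u["url"] for u in sec.get("url_list") or []]
    complete = not (sec.get("paged") and sec.get("has_next"))
    return urls, complete


def blocking_caveat(details, max_hosts=10):
    """True when so many distinct hostnames resolve to this address that it
    looks like shared hosting, where blocking the IP causes collateral damage.
    The threshold is an assumption, not an OTX field."""
    hosts = {r["hostname"] for r in passive_dns_rows(details)}
    return len(hosts) > max_hosts


if __name__ == "__main__":
    urls, complete = url_coverage(SAMPLE_DETAILS)
    print("hostnames:", related_hostnames(SAMPLE_DETAILS))
    print("urls:", urls, "complete:" if complete else "incomplete (more pages)")
```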
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Create pulse"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
    "You can create new pulses using the create_pulse function. A name string is required. The public boolean is also required, but it is set to True if you do not provide it:"
]
},
{
"cell_type": "code",
"execution_count": 41,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"indicators = [{\"indicator\": \"82.194.84.121\", \"description\":\"\", \"type\": \"IPv4\"}, {\"indicator\": \"82.194.84.122\", \"description\":\"\", \"type\": \"IPv4\"}]"
]
},
{
"cell_type": "code",
"execution_count": 42,
"metadata": {
"collapsed": true
},
"outputs": [],
"source": [
"new_pulse = otx.create_pulse(name=\"IPy Notebook Test\", indicators=indicators, public=False)"
]
},
{
"cell_type": "code",
"execution_count": 43,
"metadata": {
"collapsed": false,
"scrolled": true
},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>TLP</th>\n",
" <th>active</th>\n",
" <th>author_id</th>\n",
" <th>author_name</th>\n",
" <th>cloned_from</th>\n",
" <th>comments_count</th>\n",
" <th>created</th>\n",
" <th>description</th>\n",
" <th>downvotes</th>\n",
" <th>downvotes_count</th>\n",
" <th>...</th>\n",
" <th>subscribers</th>\n",
" <th>subscribers_count</th>\n",
" <th>tags</th>\n",
" <th>tags_count</th>\n",
" <th>unsubscribed_users</th>\n",
" <th>upvotes</th>\n",
" <th>upvotes_count</th>\n",
" <th>validators</th>\n",
" <th>validators_count</th>\n",
" <th>votes_count</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>green</td>\n",
" <td>True</td>\n",
" <td>14830</td>\n",
" <td>hilaryclintonsemailserver</td>\n",
" <td>None</td>\n",
" <td>0</td>\n",
" <td>2016-05-20T16:25:59.670399</td>\n",
" <td></td>\n",
" <td>[]</td>\n",
" <td>0</td>\n",
" <td>...</td>\n",
" <td>[]</td>\n",
" <td>0</td>\n",
" <td>[]</td>\n",
" <td>0</td>\n",
" <td>[]</td>\n",
" <td>[]</td>\n",
" <td>0</td>\n",
" <td>[]</td>\n",
" <td>0</td>\n",
" <td>0</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"<p>1 rows × 38 columns</p>\n",
"</div>"
],
"text/plain": [
" TLP active author_id author_name cloned_from \\\n",
"0 green True 14830 hilaryclintonsemailserver None \n",
"\n",
" comments_count created description downvotes \\\n",
"0 0 2016-05-20T16:25:59.670399 [] \n",
"\n",
" downvotes_count ... subscribers subscribers_count tags tags_count \\\n",
"0 0 ... [] 0 [] 0 \n",
"\n",
" unsubscribed_users upvotes upvotes_count validators validators_count \\\n",
"0 [] [] 0 [] 0 \n",
"\n",
" votes_count \n",
"0 0 \n",
"\n",
"[1 rows x 38 columns]"
]
},
"execution_count": 43,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"json_normalize(new_pulse)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
    "The following fields can be passed into create_pulse:\n",
    "- name (string, required): pulse name\n",
    "- public (boolean, required): whether the pulse is public; set to True if not provided\n",
    "- description (string): long form description of the threat\n",
    "- tlp (string, white/green/amber/red): Traffic Light Protocol level for threat sharing\n",
    "- tags (list of strings): short keywords to associate with your pulse\n",
    "- references (list of strings, preferably URLs): external references for this threat\n",
    "- indicators (list of objects): IOCs to include in the pulse"
]
}
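As an added example (not code from the notebook or the SDK), this pre-flights a pulse locally before the create_pulse call above: it checks the argument list just given and validates each indicator against the type names returned by get_all_indicator_types(). The per-type checks, the private-address rule and the TLP-versus-public rule are this example's own assumptions, not OTX server-side validation.

```python
import ipaddress
import re

# Type names exactly as returned by get_all_indicator_types() in the notebook.
INDICATOR_TYPES = {
    "IPv4", "IPv6", "domain", "hostname", "email", "URL", "URI",
    "FileHash-MD5", "FileHash-SHA1", "FileHash-SHA256", "FileHash-PEHASH",
    "FileHash-IMPHASH", "CIDR", "FilePath", "Mutex", "CVE",
}
TLP_LEVELS = ("white", "green", "amber", "red")
# Expected hex digest lengths (imphash is an MD5 over the import table).
HASH_HEX_LEN = {"FileHash-MD5": 32, "FileHash-SHA1": 40,
                "FileHash-SHA256": 64, "FileHash-IMPHASH": 32}
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_CVE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def check_indicator(ind):
    """Problems with one indicator dict ({"indicator", "type", "description"});
    an empty list means it is acceptable."""
    itype, value = ind.get("type"), ind.get("indicator")
    if itype not in INDICATOR_TYPES:
        return ["unknown type %r" % (itype,)]
    if not isinstance(value, str) or not value.strip():
        return ["%s: empty value" % itype]
    value = value.strip()
    problems = []
    if itype in ("IPv4", "IPv6", "CIDR"):
        try:
            net = ipaddress.ip_network(value, strict=False)
            if itype == "IPv4" and (net.version != 4 or net.num_addresses != 1):
                problems.append("IPv4: %s is not a single IPv4 address" % value)
            elif itype == "IPv6" and (net.version != 6 or net.num_addresses != 1):
                problems.append("IPv6: %s is not a single IPv6 address" % value)
            # Internal ranges in a shared pulse leak your own layout and
            # generate false positives for every other subscriber.
            if net.is_private or net.is_loopback or net.is_link_local:
                problems.append("%s: %s is a private/reserved range" % (itype, value))
        except ValueError:
            problems.append("%s: %s does not parse" % (itype, value))
    if itype in HASH_HEX_LEN:
        want = HASH_HEX_LEN[itype]
        if len(value) != want or not _HEX.match(value):
            problems.append("%s: expected %d hex characters" % (itype, want))
    if itype == "CVE" and not _CVE.match(value):
        problems.append("CVE: expected the form CVE-YYYY-NNNN")
    return problems


def validate_pulse(name, indicators, public=True, description="", tlp="green",
                   tags=(), references=()):
    """Problems with a create_pulse() call; an empty list means go ahead."""
    problems = []
    if not isinstance(name, str) or not name.strip():
        problems.append("name is required")
    if not isinstance(public, bool):
        problems.append("public must be a boolean")
    if tlp not in TLP_LEVELS:
        problems.append("tlp must be one of %s" % "/".join(TLP_LEVELS))
    elif public and tlp in ("amber", "red"):
        # Amber/red restrict redistribution; a public pulse cannot enforce that.
        problems.append("public pulse cannot honour TLP %s" % tlp)
    if not indicators:
        problems.append("pulse has no indicators")
    seen = set()
    for i, ind in enumerate(indicators):
        for p in check_indicator(ind):
            problems.append("indicator[%d] %s" % (i, p))
        key = (ind.get("type"), str(ind.get("indicator") or "").strip().lower())
        if key in seen:
            problems.append("indicator[%d] duplicates an earlier %s" % (i, key[0]))
        seen.add(key)
    for ref in references:
        if not re.match(r"^https?://", str(ref)):
            problems.append("reference %r is not a URL (references are preferably URLs)" % (ref,))
    return problems


if __name__ == "__main__":
    # Same payload as the notebook's create_pulse call above.
    indicators = [{"indicator": "82.194.84.121", "description": "", "type": "IPv4"},
                  {"indicator": "82.194.84.122", "description": "", "type": "IPv4"}]
    print(validate_pulse("IPy Notebook Test", indicators, public=False))
```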
],
"metadata": {
"kernelspec": {
"display_name": "Python 2",
"language": "python",
"name": "python2"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 2.0
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython2",
"version": "2.7.10"
}
},
"nbformat": 4,
"nbformat_minor": 0
}