AlienVault OTX <> Graphistry: LockerGoga investigation


In [ ]:
#!pip install graphistry -q
#!pip install OTXv2 -q

In [ ]:
import graphistry
import pandas as pd
from OTXv2 import OTXv2, IndicatorTypes
from gotx import G_OTX

In [ ]:
#graphistry.register(key='MY_API_KEY', server='labs.graphistry.com')
otx = OTXv2("MY_KEY")
g_otx = G_OTX(graphistry, otx)

Start: rough hits

We find there are 3 clusters of activity


In [ ]:
lockergoga_pulses = otx.search_pulses('LockerGoga').get('results')

In [ ]:
lockergoga_pulses_df = g_otx.pulses_to_df(lockergoga_pulses)
lockergoga_indicators_df = g_otx.pulses_to_indicators_df(lockergoga_pulses)

g = g_otx.indicatormap(lockergoga_pulses_df, lockergoga_indicators_df)

g.plot()

Continue: Expand on IPv4 hits

Let's expand the small cluster related to "Powershell Backdoor calling back on port 443". Use the OTX API to get the other pulses containing the same IP address, then expand them and build a new graph from the result.


In [ ]:
# Pivot on the first IPv4 indicator among the LockerGoga hits
# (.values[0][0] assumes the indicator value is the first column of the frame)
ip_pulses = otx.get_indicator_details_by_section(IndicatorTypes.IPv4, lockergoga_indicators_df[lockergoga_indicators_df['indicator_type'] == 'IPv4'].values[0][0])

In [ ]:
ip_pulses_df = g_otx.indicator_details_by_section_to_pulses_df(ip_pulses)
ip_indicators_df = g_otx.indicator_details_by_section_to_indicators_df(ip_pulses)

g_otx.indicatormap(ip_pulses_df, ip_indicators_df).plot()
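The two steps above (turning pulse search hits into pulse/indicator tables and counting the clusters they form, then pivoting on one IPv4 indicator to pull in every pulse that shares it) are shown below as an added, self-contained example. It is not the notebook's code nor the gotx helper library: it uses plain dicts and lists instead of pandas so it runs offline, the sample pulses and the IP-details response are constructed (documentation-range addresses, placeholder hashes), and the `pulse_info -> pulses` shape of the `get_indicator_details_by_section` result is an assumption about the OTX API.

```python
from collections import defaultdict, deque

# Constructed sample in the shape of OTX pulse JSON (not real OTX data; the
# hashes are placeholders and the addresses are in documentation ranges).
SAMPLE_PULSES = [
    {"id": "pulse-a", "name": "LockerGoga ransomware samples",
     "indicators": [
         {"indicator": "00" * 32, "type": "FileHash-SHA256"},
         {"indicator": "203.0.113.5", "type": "IPv4"},
     ]},
    {"id": "pulse-b", "name": "Powershell backdoor calling back on port 443",
     "indicators": [
         {"indicator": "203.0.113.5", "type": "IPv4"},
         {"indicator": "c2.example.invalid", "type": "domain"},
     ]},
    {"id": "pulse-c", "name": "Unrelated phishing kit",
     "indicators": [{"indicator": "198.51.100.9", "type": "IPv4"}]},
]

# Constructed stand-in for otx.get_indicator_details_by_section(IndicatorTypes.IPv4, ip)
# on 203.0.113.5. The 'pulse_info' -> 'pulses' layout is an assumption about the OTX API.
SAMPLE_IP_DETAILS = {
    "indicator": "203.0.113.5",
    "pulse_info": {"count": 2, "pulses": [
        SAMPLE_PULSES[1],
        {"id": "pulse-d", "name": "Second backdoor report (constructed)",
         "indicators": [
             {"indicator": "203.0.113.5", "type": "IPv4"},
             {"indicator": "11" * 32, "type": "FileHash-SHA256"},
         ]},
    ]},
}


def pulses_to_rows(pulses):
    """Pulse table, one row per pulse (the role pulses_to_df plays in the notebook)."""
    return [{"pulse_id": p["id"], "name": p["name"]} for p in pulses]


def pulses_to_indicator_rows(pulses):
    """Indicator table: one row per (pulse, indicator) pair."""
    return [{"pulse_id": p["id"], "indicator": i["indicator"], "indicator_type": i["type"]}
            for p in pulses for i in p.get("indicators", [])]


def indicator_edges(indicator_rows):
    """Deduplicated pulse -> indicator edge list, the shape graphistry.edges() consumes."""
    edges, seen = [], set()
    for r in indicator_rows:
        key = (r["pulse_id"], r["indicator"])
        if key not in seen:
            seen.add(key)
            edges.append({"src": r["pulse_id"], "dst": r["indicator"],
                          "indicator_type": r["indicator_type"]})
    return edges


def count_clusters(edges):
    """Connected components of the pulse/indicator graph: the 'clusters of activity'."""
    adj = defaultdict(set)
    for e in edges:
        adj[e["src"]].add(e["dst"])
        adj[e["dst"]].add(e["src"])
    seen, clusters = set(), 0
    for node in adj:
        if node in seen:
            continue
        clusters += 1
        queue = deque([node])
        seen.add(node)
        while queue:
            for nxt in adj[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return clusters


def shared_indicators(indicator_rows):
    """Indicators carried by more than one pulse: the nodes that join clusters together."""
    by_ind = defaultdict(set)
    for r in indicator_rows:
        by_ind[r["indicator"]].add(r["pulse_id"])
    return {ind: sorted(p) for ind, p in by_ind.items() if len(p) > 1}


def first_indicator_of_type(indicator_rows, indicator_type):
    """Same selection as the notebook's .values[0][0], but by column name, not position."""
    for r in indicator_rows:
        if r["indicator_type"] == indicator_type:
            return r["indicator"]
    return None


def details_to_pulses(details):
    """Flatten an indicator-details response into its pulse list (assumed layout)."""
    return details.get("pulse_info", {}).get("pulses", [])


def merge_pulses(*pulse_lists):
    """Union of pulse lists, deduplicated by pulse id, first occurrence wins."""
    merged, seen = [], set()
    for pulses in pulse_lists:
        for p in pulses:
            if p["id"] not in seen:
                seen.add(p["id"])
                merged.append(p)
    return merged


def expand_on_ip(pulses, ip_details):
    """Pivot: join the search hits with every pulse that also carries the IP."""
    merged = merge_pulses(pulses, details_to_pulses(ip_details))
    rows = pulses_to_indicator_rows(merged)
    return merged, indicator_edges(rows), shared_indicators(rows)


if __name__ == "__main__":
    rows = pulses_to_indicator_rows(SAMPLE_PULSES)
    print("clusters before pivot:", count_clusters(indicator_edges(rows)))
    ip = first_indicator_of_type(rows, "IPv4")
    merged, edges, shared = expand_on_ip(SAMPLE_PULSES, SAMPLE_IP_DETAILS)
    print("pivot on", ip, "->", len(merged), "pulses,", len(edges), "edges; shared:", shared)
```

To hand the result to Graphistry, wrap the lists with `pd.DataFrame(edges)` and pass that to `graphistry.edges(...).bind(source='src', destination='dst')`; `shared_indicators` is the quickest way to see which IoC an expansion actually hinged on before plotting it.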