Author: Thomas Roccia | @fr0gger_
The Pulsedive Lookup module in MSTICPy allows you to easily access the Pulsedive threat intelligence platform from within your Python scripts. With this module, you can search, scan, and enrich IPs, URLs, domains, and other Indicator of Compromise (IOC) from Open Source Intelligence (OSINT) feeds or even submit your own data.
This notebook serves as a demonstration of how to use the Pulsedive module in MSTICpy to perform threat enrichment tasks. With this module, you can quickly and easily retrieve information about known threats, scan indicators for potential threats, and explore the Pulsedive database using various search criteria.
To learn more about the Pulsedive API and the various functions available through the module, please visit the official Pulsedive API documentation at https://pulsedive.com/api/.
The Pulsedive support in MSTICPy has two components
PDLookup class, which has other operations and lookup types
available.Before you can use the Pulsedive API you must create
an account at the site and obtain and API key. You can
use the API key interactively or configure
a Pulsedive entry in your msticpyconfig.yaml
TIProviders:
...
Pulsedive:
Args:
AuthKey: your_pd_api_key
Primary: True
Provider: Pulsedive
Adding a configuration for Pulsedive to msticpyconfig.yaml
also adds Pulsedive as a regular MSTICPy TI Provider that you
can use as follows:
ti_lookup = TILookup()
single_result = ti_lookup.lookup_ioc("21.3.4.5", providers=["Pulsedive"])
# multiple observables - you can include multiple observable types
# in the same list
ip_list = ["21.3.4.5", "19.8.7.6", "201.45.178.2", ...]
ti_lookup.lookup_iocs(my_ip_list, providers=["Pulsedive"])
If you supply no value for providers, all configured providers will
be used.
You can also use the MSTICPy pivot interface to lookup specific observable types:
IpAddress.ti.lookup_ip(ip_list)
The PDLookup class lets you perform operations in Pulsedive, beyond simple indicator lookup, such as: threat lookup, domain scanning, and the Pulsedive query explorer interface.
# import the Pulsedive module
from msticpy.context.tiproviders.pulsedive import PDlookup
# Use the PDlookup class to get more details about the IOC. Specify your API key here.
pdlookup = PDlookup(pd_key='')
The lookup_ioc function is used to request data from the Pulsedive API by providing an observable and a Pulsedive type. The observable is the specific data being requested, such as a domain name or IP, and the Pulsedive type corresponds to the type of data being requested.
You can use lookup_ioc to perform all types of lookup operations by supplying the
appropriate value for pd_type. The default for lookup_ioc is "indicator".
Alteratively you can use the direct methods:
The available Pulsedive types are:
pddetail = pdlookup.lookup_ioc(observable = "alvoportas.com.br", pd_type = "indicator")
display(pddetail)
pddetail = pdlookup.lookup_threa(observable="zeus")
display(pddetail)
The query language allows you to search across the dataset with boolean logic and wildcards. You can search indicators by value, type, risk, last seen timestamp, threat, feed, attribute, and property, or any combination. More details here: https://pulsedive.com/explore/
The below tables show the field that can be used for this request:
| Search Field | Description | Example Query |
|---|---|---|
| ioc | Search by indicator value. Default if the search field is omitted. | ioc=pulsedive.com, ioc=pulsedive* |
| attribute | Search by attribute. Includes ports, protocols, and technologies. | port=443, protocol=http*, technology=apache, port=80 and port=443 |
| property | Search by property. | dns.a=45.55.106.210, meta=pulsedive, content-type=text/html, ssl="let's encrypt*" |
| threat | Search by threat name or alias. | threat=ryuk, threat=zeus |
| feed | Search by feed name or organization. | feed=urlhaus, feed=abuse.ch |
| type | Search by indicator type. | type=url, type=domain,ip,ipv6 |
| risk | Search by indicator risk. | risk=critical, risk=low,medium, risk=high+, risk=low- |
| seen | Search by Last Seen timestamp. (UTC) | seen=day, seen=week, seen=month, seen=2020-01-01, seen=2022-01-01+, seen=2021-12-31-, seen=2020-01-01-2020-12-31 |
| active, retired | Search by active or retired status. | active=true, retired=0 |
Explore queries allow for AND, OR, and NOT operations. Wildcards are also allowed.
| Operation | Operator | Example Query | |
|---|---|---|---|
| AND | &, &&, and | pulsedive.com && type=domain | |
| pulsedive.com type=domain | |||
| OR | or | google.com or pulsedive* | |
| (pulsedive and type=domain) | threat=phishing | ||
| NOT | != | risk!=medium- | |
| Wildcard | * | pulsedive |
pddetail = pdlookup.explore(query="ioc=pulsedive.com or threat=AgentTesla")
pddetail
This type allows you to analyze a specific indicator such as a domain name or IP address by sending a request to the Pulsedive API. The function returns the result in the form of a Pandas DataFrame, however, it should be noted that this process can take some time as the indicator is being analyzed. This function is useful for analyzing indicators that have not yet been seen in the Pulsedive database and can provide additional information and context.
pdscan = pdlookup.scan(observable= "alvoportas.com.br")
pdscan