In [2]:
# By Ismael Valenzuela (@aboutsecurity / @thinkredactblue)

#  Begin by importing the pandas and numpy libraries, two common libraries used for manipulating data, and loading the DNS Analytics data into a pandas DataFrame. A Pandas DataFrame is simply a 2 dimensional data structure, like a 2 dimensional array, or a table with rows and columns of potentially different types. You can think of it like a spreadsheet or SQL table, or a dict of Series objects. It is generally the most commonly used pandas object.

import pandas as pd
import numpy as np
data = pd.read_csv('data.csv')

In [3]:
# Download Cisco Umbrella Top 1 Million file from http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip

top = pd.read_csv('top-1m.csv',names=["Num", "Name"])

In [4]:
print(data)

                   Computer        TimeGenerated [UTC]  EventId      SubType   
0      USDC01.tyrellcorp.us   2/5/2022, 5:43:07.550 PM      257  LookupQuery  \
1      USDC01.tyrellcorp.us   2/5/2022, 5:43:07.550 PM      257  LookupQuery   
2      USDC01.tyrellcorp.us   2/5/2022, 5:43:07.550 PM      257  LookupQuery   
3      USDC01.tyrellcorp.us   2/5/2022, 5:43:07.550 PM      257  LookupQuery   
4      USDC01.tyrellcorp.us   2/3/2022, 9:28:24.910 AM      257  LookupQuery   
...                     ...                        ...      ...          ...   
22140  USDC01.tyrellcorp.us  2/2/2022, 10:16:05.826 PM      257  LookupQuery   
22141  USDC01.tyrellcorp.us  2/2/2022, 10:16:05.812 PM      257  LookupQuery   
22142  USDC01.tyrellcorp.us  2/2/2022, 10:15:59.468 PM      257  LookupQuery   
22143  USDC01.tyrellcorp.us  2/2/2022, 10:15:54.061 PM      257  LookupQuery   
22144  USDC01.tyrellcorp.us  2/2/2022, 10:15:20.311 PM      257  LookupQuery   

            ClientIP                   

In [5]:
data.describe()

Unnamed: 0,EventId,Result,Message,TaskCategory,ResultCode,MaliciousIP,IndicatorThreatType,Description,Confidence,Severity,ReportReferenceLink,RemoteIPLongitude,RemoteIPLatitude,RemoteIPCountry,_ResourceId
count,22145.0,0.0,0.0,0.0,22145.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
mean,257.001897,,,,0.02452,,,,,,,,,,
std,0.04351,,,,0.263001,,,,,,,,,,
min,257.0,,,,0.0,,,,,,,,,,
25%,257.0,,,,0.0,,,,,,,,,,
50%,257.0,,,,0.0,,,,,,,,,,
75%,257.0,,,,0.0,,,,,,,,,,
max,258.0,,,,3.0,,,,,,,,,,


In [6]:
top.describe()

Unnamed: 0,Num
count,1000000.0
mean,500000.5
std,288675.278932
min,1.0
25%,250000.75
50%,500000.5
75%,750000.25
max,1000000.0


In [7]:
# Start reducing the dataset by removing DNS queries to domains in Cisco Umbrella's Top 1 million dataset

reduced = (data[~data.Name.isin(top.Name)])

In [8]:
reduced.describe()

Unnamed: 0,EventId,Result,Message,TaskCategory,ResultCode,MaliciousIP,IndicatorThreatType,Description,Confidence,Severity,ReportReferenceLink,RemoteIPLongitude,RemoteIPLatitude,RemoteIPCountry,_ResourceId
count,3963.0,0.0,0.0,0.0,3963.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
mean,257.010346,,,,0.020691,,,,,,,,,,
std,0.101199,,,,0.202398,,,,,,,,,,
min,257.0,,,,0.0,,,,,,,,,,
25%,257.0,,,,0.0,,,,,,,,,,
50%,257.0,,,,0.0,,,,,,,,,,
75%,257.0,,,,0.0,,,,,,,,,,
max,258.0,,,,2.0,,,,,,,,,,


In [9]:
# Continue reducing the dataset based on duplicated records

reduced = reduced.drop_duplicates(subset='Name', keep='first')
reduced.describe()

Unnamed: 0,EventId,Result,Message,TaskCategory,ResultCode,MaliciousIP,IndicatorThreatType,Description,Confidence,Severity,ReportReferenceLink,RemoteIPLongitude,RemoteIPLatitude,RemoteIPCountry,_ResourceId
count,211.0,0.0,0.0,0.0,211.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
mean,257.009479,,,,0.018957,,,,,,,,,,
std,0.097126,,,,0.194253,,,,,,,,,,
min,257.0,,,,0.0,,,,,,,,,,
25%,257.0,,,,0.0,,,,,,,,,,
50%,257.0,,,,0.0,,,,,,,,,,
75%,257.0,,,,0.0,,,,,,,,,,
max,258.0,,,,2.0,,,,,,,,,,


In [10]:
# Extract coordinates from our reduced dataframe, uses IP-API to get latitude and, and plot them in a map

import folium
import json
import urllib.request

api = "http://ip-api.com/json/"
TIME_PERIOD = 60 

COORD_map = folium.Map(zoom_start=12, 
tiles='cartodbpositron', width=1280, height=1080)

def add_coordinates(domain,computername):
    response = urllib.request.urlopen(api + domain)
    data = response.read()
    value = json.loads(data)

    print (domain+","+str(value['lat'])+","+str(value['lon'])+","+value['status'])

    if (value['status']=='success'):
    
        html = "\
            <font size=1><h1>"+domain+"</h1><ul>\
                <font size=2><li>Country: "+value['country']+"</li>\
                    <li>City: "+value['city']+"</li>\
                        <li>ISP: "+value['isp']+"</li>\
                            <li>Org: "+value['org']+"</li>\
                                <li>Source: "+computername+"</li>\
                            </ul></font>"
        iframe = folium.IFrame(html=html, width=250, height=200)

        folium.Marker(
            location = [(value['lat']),(value['lon'])],
            popup = folium.Popup(iframe, max_width=2650),
            icon=folium.DivIcon(html=f"""
                <div><svg>
                    <circle cx="25" cy="25" r="20" fill="#69b3a2" opacity=".4"/>
                    <rect x="17", y="17" width="15" height="15", fill="red", opacity=".3" 
                </svg></div>""")
        ).add_to(COORD_map)

# Iterate over reduced dataframe

for i in range(10):
    add_coordinates(reduced.iloc[i].Name,reduced.iloc[i].Computer)

# Visualize map 

COORD_map
# COORD_map.save('map.html')

airhobi.com,41.0016,29.1418,success
yudaisuzuki.jp,34.704,135.495,success
zspwolawiazowa.pl,52.401,16.9259,success
i2-wdcymnhaxkxcjgkzxliefkcfaaiqhk.init.cedexis-radar.net,39.018,-77.539,success
www2.embratel.com.br,-22.9201,-43.0811,success
ftp.kuehne-nagel.com,53.5412,9.99418,success
emailweb.sktelecom.com,37.5014,127.0789,success
portal.cttexpresso.pt,38.7373,-9.1945,success
cmedimage.ddns.net,-18.9128,-48.2755,success
nwgtw-prd.poreskaupravars.org,44.8736,17.6597,success
