# HW7

## Author: Viswanath S Chirravuri

Set up a CTI feed from a public CTI provider (AlienVault is fine). You may have to register to get an API key. Ensure your API key is not in your source code; reference an operating system environment variable instead. Test the feed by pulling intel for a particular known bad IP, domain host name, or other identifying feature. Write a short summary of the intel that was downloaded in a markdown cell.

In [2]:
# Just to test my environment variable
import os

api_key = os.getenv("ALIENVAULT_API_KEY")
if api_key:
    print("API Key successfully retrieved!")
else:
    print("Failed to retrieve API Key.")


API Key successfully retrieved!


In [8]:
import os
import requests

def get_cti_data(ip_or_domain):
    """
    Pulls passive DNS threat intelligence for a given hostname from the AlienVault OTX API.

    Note: this uses the 'hostname' indicator section of the API, so pass a domain or
    host name. IP addresses live under a different section (e.g. 'IPv4') and would
    need a different URL.

    :param ip_or_domain: The domain or host name to query (string)
    :return: Parsed JSON data from the API response (dict)
    """
    # Fetch the API key from the environment variable (never hard-code it)
    api_key = os.getenv("ALIENVAULT_API_KEY")

    if not api_key:
        raise ValueError("AlienVault API key not found in environment variables.")

    url = f"https://otx.alienvault.com/api/v1/indicators/hostname/{ip_or_domain}/passive_dns"
    headers = {"X-OTX-API-KEY": api_key}

    # A timeout keeps the notebook from hanging if the API is unreachable
    response = requests.get(url, headers=headers, timeout=30)

    # Raise an HTTPError for non-2xx responses instead of returning None silently
    response.raise_for_status()
    return response.json()

In [9]:
# Test the CTI feed setup
if __name__ == "__main__":
    test_domain = "apple-alerts.us"  # Known bad domain (based on my Google search)

    try:
        cti_data = get_cti_data(test_domain)
        print("Threat Intelligence Data:")
        print(cti_data)
    except Exception as e:
        print(f"Error retrieving CTI data: {e}")

Threat Intelligence Data:
{'passive_dns': [{'address': 'ns1.theangeles-here.com', 'first': '2022-06-17T18:33:31', 'last': '2022-06-17T18:33:34', 'hostname': 'www.apple-alerts.us', 'record_type': 'NS', 'indicator_link': '/indicator/hostname/www.apple-alerts.us', 'flag_url': '', 'flag_title': '', 'asset_type': 'hostname', 'asn': None}, {'address': '162.240.32.48', 'first': '2022-06-17T18:33:31', 'last': '2022-06-17T18:33:34', 'hostname': 'www.apple-alerts.us', 'record_type': 'A', 'indicator_link': '/indicator/hostname/www.apple-alerts.us', 'flag_url': 'assets/images/flags/us.png', 'flag_title': 'United States', 'asset_type': 'hostname', 'asn': 'AS46606 unified layer'}, {'address': 'ns2.theangeles-here.com', 'first': '2022-06-17T18:33:31', 'last': '2022-06-17T18:33:34', 'hostname': 'www.apple-alerts.us', 'record_type': 'NS', 'indicator_link': '/indicator/hostname/www.apple-alerts.us', 'flag_url': '', 'flag_title': '', 'asset_type': 'hostname', 'asn': None}, {'address': 'ns1.theangeles-her
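The summary in the next markdown cell was compiled by hand from the printed dict. As an added example (not part of the original notebook), the helper below derives the same grouping programmatically: IPs per country, ASNs, record types and the overall first/last-seen window. It runs offline on a constructed sample that mirrors a few of the records printed above (the `first` date for the Russian record is made up for the sample).

```python
from __future__ import annotations
from collections import defaultdict
from typing import Any

# Constructed sample: a trimmed subset of the passive_dns records shown above.
SAMPLE_RESPONSE = {
    "passive_dns": [
        {"address": "ns1.theangeles-here.com", "first": "2022-06-17T18:33:31",
         "last": "2022-06-17T18:33:34", "hostname": "www.apple-alerts.us",
         "record_type": "NS", "flag_title": "", "asn": None},
        {"address": "162.240.32.48", "first": "2022-06-17T18:33:31",
         "last": "2022-06-17T18:33:34", "hostname": "www.apple-alerts.us",
         "record_type": "A", "flag_title": "United States",
         "asn": "AS46606 unified layer"},
        {"address": "194.58.90.124", "first": "2021-03-01T00:00:00",  # constructed date
         "last": "2022-06-17T18:33:34", "hostname": "apple-alerts.us",
         "record_type": "A", "flag_title": "Russia",
         "asn": "AS197695 Domain Names Registrar REG.RU Ltd"},
    ]
}


def summarize_passive_dns(data: dict[str, Any]) -> dict[str, Any]:
    """Group OTX passive_dns records by record type, country and ASN, and
    compute the overall first/last-seen window. Missing fields are tolerated
    so a partial or empty response does not crash the summary."""
    records = data.get("passive_dns", [])
    by_type: dict[str, set[str]] = defaultdict(set)
    by_country: dict[str, set[str]] = defaultdict(set)
    asns: set[str] = set()
    firsts, lasts = [], []
    for rec in records:
        addr = rec.get("address", "")
        rtype = rec.get("record_type", "UNKNOWN")
        by_type[rtype].add(addr)
        if rtype in ("A", "AAAA"):  # only address records carry a geolocation
            by_country[rec.get("flag_title") or "unknown"].add(addr)
        if rec.get("asn"):
            asns.add(rec["asn"])
        if rec.get("first"):
            firsts.append(rec["first"])
        if rec.get("last"):
            lasts.append(rec["last"])
    # OTX timestamps are ISO 8601, so lexicographic min/max is chronological
    return {
        "record_count": len(records),
        "by_record_type": {k: sorted(v) for k, v in by_type.items()},
        "ips_by_country": {k: sorted(v) for k, v in by_country.items()},
        "asns": sorted(asns),
        "first_seen": min(firsts) if firsts else None,
        "last_seen": max(lasts) if lasts else None,
    }
```

Feed the dict returned by `get_cti_data()` into `summarize_passive_dns()` to get the same structure for a live query.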

## Threat Intelligence Summary

### Overview
The threat intelligence data retrieved provides information about the domain `apple-alerts.us` and its associated indicators. The analysis covers passive DNS records, geolocation, and hosting details. Below is a summary of the findings.

### Key Findings

#### Associated Hostnames and IPs
- **Domain**: `apple-alerts.us`
- **Hostnames**:
  - `www.apple-alerts.us`
- **IP Addresses**:
  - `162.240.32.48` (United States)
  - `194.58.90.124` (Russia)
  - `46.183.163.196` (Russia)
  - `2a00:f940:2:1:2::a61` (Russia)
  - `2a00:f940:2:1:2::47b` (Russia)

#### Hosting and ASN Details
- **United States**:
  - `162.240.32.48`
  - ASN: `AS46606 (Unified Layer)`
- **Russia**:
  - `194.58.90.124`, `46.183.163.196`, `2a00:f940:2:1:2::a61`, `2a00:f940:2:1:2::47b`
  - ASN: `AS197695 (Domain Names Registrar REG.RU Ltd)`

#### Passive DNS Records
- **Record Types**:
  - A: `162.240.32.48`, `194.58.90.124`, `46.183.163.196`
  - AAAA: `2a00:f940:2:1:2::a61`, `2a00:f940:2:1:2::47b`
  - NS: `ns1.theangeles-here.com`, `ns2.theangeles-here.com`
  - SOA: Multiple records found

#### Geolocation Insights
- The hosting infrastructure for this domain is distributed across the United States and Russia, with a significant number of IPs originating from Russia.

#### Additional Observations
- Multiple NS records indicate distributed name server infrastructure.
- Hosting providers are linked to both US-based (Unified Layer) and Russian-based (REG.RU) providers.

### Conclusion
The domain `apple-alerts.us` has suspicious indicators due to its association with Russian hosting providers and IPs, which could signify malicious activity. Further investigation is recommended to assess its involvement in potential cyber threats.
