## Threat Hunting is More Than Data Retrieval

So far we have mostly been doing *data retrieval*. Of course, as threat hunters we add more value than blind data retrieval:

- Patterns to match.
- Directions to investigate.
- Suspicious entity identification (grouped by Kestrel variables).

However, reading the retrieved data and deciding what to retrieve next is not enough. We also need:

- Data enrichment from other sources like Threat Intelligence feeds.
- Visualizations to help us digest data.
- Pre-programmed detection logic.

Let's `APPLY` arbitrary logic (not written in Kestrel) as a hunt step to perform a complete analysis on a Kestrel variable.

It is easy to wrap white-box or black-box logic into a Kestrel analytics. Some examples from the [kestrel-analytics repo](https://github.com/opencybersecurityalliance/kestrel-analytics):

- [attribute-plot](/analytics/attributeplot): Plot/visualize select attributes of entities.
- [domain-enrichment](/analytics/domainname): Whois lookup and domain information enrichment to network-traffic.
- [pin-IP-on-map](/analytics/piniponmap): Find geo-location of IP addresses and pin them on a map.
- [scikit-learn-clustering](/analytics/sklearn): Cluster entities using scikit-learn.
- [xfe-enrich](/analytics/xfeipenrich): Threat Intelligence enrichment using X-Force Exchange.

Invoke a Kestrel analytics via:

- [Kestrel Python analytics interface](https://kestrel.readthedocs.io/en/stable/source/kestrel_analytics_python.interface.html) (used in this demo)
- [Kestrel Docker analytics interface](https://kestrel.readthedocs.io/en/stable/source/kestrel_analytics_docker.interface.html)
- Kestrel AWS lambda analytics interface (planned)
- Kestrel msticpy analytics interface (planned)

In [1]:
var1 = GET network-traffic FROM file:///home/user/Work/Craftech/Projects/botnet_detector/.data/bundles/sample_stix_bundle12.json
WHERE [x-uri:uri MATCHES '^(?!\/api)(?!.*producto)(?!.*media)(?!.*gateway)(?!\/sites)(?!\/html)[\/].*[\._-].*$']

DISP var1 LIMIT 10



dst_port,end,x_request_header.'User-Agent',x_request_header.'X-Forwarded-For',x_request_method,x_request_value,x_request_version,id,is_active,protocols,src_port,start
80,2023-05-27T23:09:04.135Z,AmazonAPIGateway_t1oxwag6f7,3.216.140.18,GET,/main-menu/list,HTTP/1.1,network-traffic--000985b2-3efe-55b2-83e4-39a26319beb6,0,"[""http""]",0,2023-05-27T20:09:04.134Z
80,2023-05-27T23:08:58.352Z,,,GET,/correccion-satelital-plantiumrt.html,HTTP/2.0,network-traffic--002689d5-5c77-58c0-9b70-9e0e87d633b2,0,"[""http""]",0,2023-05-27T20:08:58.351Z
80,2023-05-27T23:11:45.986Z,,,GET,/tractores-usados-en-santa-fe,HTTP/2.0,network-traffic--002c3754-d2ab-570a-b98d-a6294cd203f7,0,"[""http""]",0,2023-05-27T20:11:45.985Z
80,2023-05-27T23:10:34.18Z,,,GET,/agroleon/logo.svg,HTTP/2.0,network-traffic--003d53a7-8c87-5f49-88f7-a1c915901b79,0,"[""http""]",0,2023-05-27T20:10:34.179Z
80,2023-05-27T23:09:45.888Z,,,GET,/listing-ui-prod-arg/_next/static/chunks/3f2dd09b-f0d5e3b3777b458e.js,HTTP/2.0,network-traffic--0041668f-d7e4-5527-b772-86728fe90a37,0,"[""http""]",0,2023-05-27T20:09:45.887Z
80,2023-05-27T23:11:07.718Z,node-fetch/1.0 (+https://github.com/bitinn/node-fetch),,GET,/br/services-v2/categories-cards,HTTP/1.1,network-traffic--004255f1-3d03-5f03-9ab8-2bbbdad4a7be,0,"[""http""]",0,2023-05-27T20:11:07.717Z
80,2023-05-27T23:09:13.053Z,node-fetch/1.0 (+https://github.com/bitinn/node-fetch),,GET,/ar/services-v2/categories-cards,HTTP/1.1,network-traffic--0049c4c8-6f39-59e1-9084-cd6169cedbd7,0,"[""http""]",0,2023-05-27T20:09:13.052Z
80,2023-05-27T23:11:53.961Z,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",,GET,/nina_0.jpg,HTTP/1.1,network-traffic--004c3a24-63c2-5b9f-a22d-d1290fd3edd5,0,"[""http""]",0,2023-05-27T20:11:53.96Z
80,2023-05-27T23:09:57.777Z,"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",66.249.66.89,GET,/don-roque-150-a-o-1996-324052.html,HTTP/1.1,network-traffic--006acb64-c26e-5a2e-a95a-642db01adf0f,0,"[""http""]",0,2023-05-27T20:09:57.776Z
80,2023-05-27T23:10:17.33Z,Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html),66.249.66.88,GET,/elevador-de-granos-chimango.html,HTTP/1.1,network-traffic--00871e7f-7229-5885-9c38-3d5469cddba4,0,"[""http""]",0,2023-05-27T20:10:17.329Z

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),attack-pattern*,domain-name*,ipv4-addr*,network-traffic*,relationship*,x-action*,x-uri*
var1,network-traffic,4146,4161,0,735,735,0,0,4161,4161


In [2]:
var2 = GET network-traffic FROM file:///home/user/Work/Craftech/Projects/botnet_detector/.data/bundles/sample_stix_bundle12.json
WHERE [domain-name:value NOT LIKE '%.com%']

DISP var2 LIMIT 10



dst_port,end,x_request_header.'User-Agent',x_request_header.'X-Forwarded-For',x_request_method,x_request_value,x_request_version,id,is_active,protocols,src_port,start
80,2023-05-27T23:09:23.999Z,,,GET,/detalle-producto-prod-bra/_next/static/chunks/215.9b0db0b7c93411df.js,HTTP/2.0,network-traffic--000179f1-f3fb-59e7-8191-c040230815fe,0,"[""http""]",0,2023-05-27T20:09:23.998Z
80,2023-05-27T23:11:45.377Z,,,GET,/media/catalog/product/cache/196x196https://brasil.agrofystatic.com/media/catalog/product/cache/196x196/p/-/p-carregadeira-bruto-brasil-br-MovServ-Empilhadeiras-agrofy-2-20230216143941.png,HTTP/2.0,network-traffic--000f2afd-80a3-5031-bd9b-259a6095be74,0,"[""http""]",0,2023-05-27T20:11:45.376Z
80,2023-05-27T23:10:21.003Z,,,GET,/detalle-producto-prod-bra/_next/static/css/4a4c2fb833c5fba7.css,HTTP/2.0,network-traffic--00104534-cb64-5576-98dd-46dadc2e7f90,0,"[""http""]",0,2023-05-27T20:10:21.002Z
80,2023-05-27T23:11:33.617Z,,,GET,/media/catalog/product/cache/196x196/M/a/Maquina-Rueda-Y-Cola-De-Molino-De-Viento-Cassina--8-pies-agrofy-0-20200720140138.jpeg,HTTP/2.0,network-traffic--0021ec36-8f59-5dc4-b709-3cf651a31f64,0,"[""http""]",0,2023-05-27T20:11:33.616Z
80,2023-05-27T23:09:04.951Z,,,POST,/g/collect,HTTP/2.0,network-traffic--002596af-3635-5373-a960-b3a19cce24b2,0,"[""http""]",0,2023-05-27T20:09:04.95Z
80,2023-05-27T23:08:58.352Z,,,GET,/correccion-satelital-plantiumrt.html,HTTP/2.0,network-traffic--002689d5-5c77-58c0-9b70-9e0e87d633b2,0,"[""http""]",0,2023-05-27T20:08:58.351Z
80,2023-05-27T23:11:45.986Z,,,GET,/tractores-usados-en-santa-fe,HTTP/2.0,network-traffic--002c3754-d2ab-570a-b98d-a6294cd203f7,0,"[""http""]",0,2023-05-27T20:11:45.985Z
80,2023-05-27T23:08:58.686Z,,,GET,/media/catalog/product/cache/196x196/t/r/tractor-case-ih-5150-a-o-1996--Criolani-agrofy-0-20220827123102.jpeg,HTTP/2.0,network-traffic--003ce0d3-f874-5737-832d-7a99f1c37a9a,0,"[""http""]",0,2023-05-27T20:08:58.685Z
80,2023-05-27T23:10:34.18Z,,,GET,/agroleon/logo.svg,HTTP/2.0,network-traffic--003d53a7-8c87-5f49-88f7-a1c915901b79,0,"[""http""]",0,2023-05-27T20:10:34.179Z
80,2023-05-27T23:10:50.333Z,,,GET,/detalle-producto/gateway/form-contact-configurations,HTTP/2.0,network-traffic--003f33cc-7af5-5328-9e6c-a5552be37f8b,0,"[""http""]",0,2023-05-27T20:10:50.332Z

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),attack-pattern*,domain-name*,ipv4-addr*,network-traffic*,relationship*,x-action*,x-uri*
var2,network-traffic,11225,13906,0,1340,1340,11058,0,27654,27654


In [3]:
var3 = var1 + var2



VARIABLE,TYPE,#(ENTITIES),#(RECORDS),attack-pattern*,domain-name*,ipv4-addr*,network-traffic*,relationship*,x-action*,x-uri*
var3,network-traffic,12698,15394,0,0,0,0,0,0,0


In [4]:
var4 = GET network-traffic FROM var3
WHERE [ipv4-addr:value != '18.230.10.57']

DISP var4 LIMIT 10



dst_port,end,x_request_header.'User-Agent',x_request_header.'X-Forwarded-For',x_request_method,x_request_value,x_request_version,id,is_active,protocols,src_port,start
80,2023-05-27T23:08:30.934Z,,,GET,/news-detail-news-prod-bra/_next/static/chunks/707-fd25d9abb2285681.js,HTTP/2.0,network-traffic--e36e369d-6047-561f-8939-017d727899fd,0,"[""http""]",0,2023-05-27T20:08:30.933Z
80,2023-05-27T23:08:30.737Z,,,GET,/news-detail-news-prod-bra/_next/static/chunks/pages/_app-3d871d28d9af2577.js,HTTP/2.0,network-traffic--f95e9b36-f77d-5389-89aa-4faa5fdd2b98,0,"[""http""]",0,2023-05-27T20:08:30.736Z
80,2023-05-27T23:08:35.265Z,,,GET,/news-detail-news-prod-bra/_next/static/chunks/870.cee73c2275f18975.js,HTTP/2.0,network-traffic--eb7d95e7-951d-5844-8ca4-a8bac433de6a,0,"[""http""]",0,2023-05-27T20:08:35.264Z
80,2023-05-27T23:08:34.424Z,,,GET,/listing-ui-prod-bra/_next/static/chunks/webpack-ac538c5371d221cc.js,HTTP/2.0,network-traffic--27ba24ed-ec5f-501a-bcc8-6c32ab05bfc4,0,"[""http""]",0,2023-05-27T20:08:34.423Z
80,2023-05-27T23:08:35.96Z,"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36",40.77.167.255,GET,/tanques-australianos/nuevo/premoldeados-pilar/cordoba,HTTP/1.1,network-traffic--a30abfc4-815c-568b-9d53-721486941d8e,0,"[""http""]",0,2023-05-27T20:08:35.959Z
80,2023-05-27T23:08:39.65Z,Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html),66.249.66.43,GET,/electrificador-boyero-para-alambrados-12v-65-kms.html,HTTP/1.1,network-traffic--5d6e65cd-95f0-54a4-955a-6cf8b106e133,0,"[""http""]",0,2023-05-27T20:08:39.649Z
80,2023-05-27T23:08:35.916Z,,,GET,/br/services-v2/header-buttons,HTTP/2.0,network-traffic--5c18f4c0-4a38-5f11-9cbc-632c70635d88,0,"[""http""]",0,2023-05-27T20:08:35.915Z
80,2023-05-27T23:08:38.607Z,,,GET,/fw4uexlxoaifixk-205031.jpeg,HTTP/2.0,network-traffic--d3109f10-34cb-59e7-bf88-7f39abc9757e,0,"[""http""]",0,2023-05-27T20:08:38.606Z
80,2023-05-27T23:08:38.465Z,,,GET,/user4-205027.jpg,HTTP/2.0,network-traffic--f38bd701-a430-5529-8a90-45f13071419d,0,"[""http""]",0,2023-05-27T20:08:38.464Z
80,2023-05-27T23:08:40.565Z,,,GET,/carpa-exclusion2-1-204995.jpeg,HTTP/2.0,network-traffic--c8d0f220-6669-5bca-b2e6-f040455587e1,0,"[""http""]",0,2023-05-27T20:08:40.564Z

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),attack-pattern*,domain-name*,ipv4-addr*,network-traffic*,relationship*,x-action*,x-uri*
var4,network-traffic,12698,15394,0,0,0,0,0,0,0


In [5]:
var5 = GET network-traffic FROM var4
WHERE [x_request_header.'User-Agent' LIKE ('%curl%') OR x_request_header.'User-Agent' NOT LIKE ('%N/A%') OR x_request_header.'User-Agent' LIKE ('%bot%') OR x_request_header.'User-Agent' LIKE ('%Bot%') OR x_request_header.'User-Agent' LIKE ('%python%') OR x_request_header.'User-Agent' LIKE ('%grab%') OR x_request_header.'User-Agent' LIKE ('%NT%')]

DISP var5 LIMIT 10



dst_port,end,x_request_header.'User-Agent',x_request_header.'X-Forwarded-For',x_request_method,x_request_value,x_request_version,id,is_active,protocols,src_port,start
80,2023-05-27T23:08:35.96Z,"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36",40.77.167.255,GET,/tanques-australianos/nuevo/premoldeados-pilar/cordoba,HTTP/1.1,network-traffic--a30abfc4-815c-568b-9d53-721486941d8e,0,"[""http""]",0,2023-05-27T20:08:35.959Z
80,2023-05-27T23:08:39.65Z,Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html),66.249.66.43,GET,/electrificador-boyero-para-alambrados-12v-65-kms.html,HTTP/1.1,network-traffic--5d6e65cd-95f0-54a4-955a-6cf8b106e133,0,"[""http""]",0,2023-05-27T20:08:39.649Z
80,2023-05-27T23:08:38.878Z,"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36",52.167.144.167,GET,/herbicidas/cultivo-centeno/lengua-de-vaca-rumex-crispus-malezas/aplicacion-foliar/sistemico,HTTP/1.1,network-traffic--ed7fb4f1-6c5b-5188-98e4-1159a6afbe47,0,"[""http""]",0,2023-05-27T20:08:38.877Z
80,2023-05-27T23:08:35.121Z,AmazonAPIGateway_t1oxwag6f7,,GET,/massey-ferguson%2Fusado,HTTP/1.1,network-traffic--c115794f-864a-5fc1-ae98-8455a44bfcc4,0,"[""http""]",0,2023-05-27T20:08:35.12Z
80,2023-05-27T23:08:38.988Z,AmazonAPIGateway_t1oxwag6f7,3.216.142.120,GET,/main-menu/list,HTTP/1.1,network-traffic--0c130b29-1ca3-5bab-a183-98f48a52209a,0,"[""http""]",0,2023-05-27T20:08:38.987Z
80,2023-05-27T23:08:41.119Z,AmazonAPIGateway_t1oxwag6f7,3.216.136.61,GET,/main-menu/list,HTTP/1.1,network-traffic--b5fb486e-c615-51d2-89b8-55dae1c56637,0,"[""http""]",0,2023-05-27T20:08:41.118Z
80,2023-05-27T23:08:42.521Z,"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36",52.167.144.150,GET,/tractores/zanello/buenos-aires/mayor-a-201/traccion-doble/ano-1995/articulado,HTTP/1.1,network-traffic--bcadc156-8208-51d6-8900-d3264f3f6844,0,"[""http""]",0,2023-05-27T20:08:42.52Z
80,2023-05-27T23:08:36.932Z,"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36",52.167.144.167,GET,/motor/mercedes-benz/camion-frigorifico,HTTP/1.1,network-traffic--1ff40819-2527-53ef-8215-a79d19e73e62,0,"[""http""]",0,2023-05-27T20:08:36.931Z
80,2023-05-27T23:08:41.647Z,"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/103.0.5060.134 Safari/537.36",40.77.167.190,GET,/excavadoras/ano-2023/fr150d,HTTP/1.1,network-traffic--f9c11ca8-fadc-5b53-bc9e-8c772fc9051b,0,"[""http""]",0,2023-05-27T20:08:41.646Z
80,2023-05-27T23:08:44.172Z,"Mozilla/5.0 (Linux; Android 13; SM-A226BR Build/TP1A.220624.014) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/113.0.5672.131 Mobile Safari/537.36 GNews Android/2022131834",190.188.27.112,GET,/formulario-cotizacion-prod-arg/static/js/bundle.js,HTTP/1.1,network-traffic--75d4badb-6f27-5dea-ad9d-526ecca88245,0,"[""http""]",0,2023-05-27T20:08:44.171Z

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),attack-pattern*,domain-name*,ipv4-addr*,network-traffic*,relationship*,x-action*,x-uri*
var5,network-traffic,1474,1489,0,0,0,0,0,0,0


In [6]:
res = FIND ipv4-addr LINKED var5

DISP res LIMIT 10



id,value
ipv4-addr--01a0dd05-4ebd-56bf-9e52-3d1f5ce74429,3.216.143.46
ipv4-addr--01b1a3d7-ac10-506b-84e0-a69b909981e8,130.176.27.73
ipv4-addr--01c5b818-3e4b-536e-95d3-ff9359ba5049,64.252.80.92
ipv4-addr--04804aca-a796-5c7f-a1fa-b56911a9dbc6,3.216.143.241
ipv4-addr--04a6586d-e064-59ac-9363-ce4a2900861f,15.158.27.81
ipv4-addr--054ab590-0798-52b0-9d37-545019729f0a,44.206.7.172
ipv4-addr--05a0f635-6b74-5b08-8e9a-93339a16878f,66.249.84.221
ipv4-addr--066c0baa-f563-5f04-8deb-04b073290856,130.176.27.85
ipv4-addr--06752c41-7077-507e-a341-8667395fbd19,44.210.65.187
ipv4-addr--0725bf46-5798-53b5-a1ff-620c14d64f1c,18.68.20.43

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),attack-pattern*,domain-name*,ipv4-addr*,network-traffic*,relationship*,x-action*,x-uri*
res,ipv4-addr,338,10462,0,1789,1451,33725,0,42931,42931


In [12]:
flow = GET ipv4-addr FROM stixshifter://stixshifter
WHERE [value = '175.178.157.227']
START '2023-05-27T00:00:00.000Z' STOP '2023-05-28T18:00:00.000Z'
       
DISP flow LIMIT 10



id,value,x_aws_interface_id
ipv4-addr--58c3442c-4623-5f31-9c93-1b1f28689cf4,175.178.157.227,eni-0253b0f5c5214efb2

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),attack-pattern*,domain-name*,ipv4-addr*,network-traffic*,relationship*,x-action*,x-aws*,x-uri*
flow,ipv4-addr,1,1097,0,0,2193,1097,0,0,1097,0


In [19]:
susp = GET ipv4-addr FROM res
WHERE [value = '175.178.157.227']





VARIABLE,TYPE,#(ENTITIES),#(RECORDS),attack-pattern*,domain-name*,ipv4-addr*,network-traffic*,relationship*,x-action*,x-aws*,x-uri*
susp,ipv4-addr,1,1097,0,0,0,0,0,0,0,0
