# VT Graphs in Jupyter Notebook

In this notebook we will explore how to obtain attributes and relationships for different entities using the VirusTotal API v3. Finally, we will render all the relationships we have obtained using VTGraph.

## Import libraries

In [1]:
from msticpy.sectools.vtlookupv3 import VTLookupV3

import networkx as nx
import matplotlib.pyplot as plt
import os
import pandas as pd

import nest_asyncio
nest_asyncio.apply()

## Create Lookup instance

In [3]:
# Obtain the API key from an environment variable
vt_key = os.environ["VT_API_KEY"]
# Instantiate the vt_lookup object
vt_lookup = VTLookupV3(vt_key)

## Types of DataFrames

Our functions will return and accept two different types of DataFrames.

- **Attributes DataFrame**: Contains the properties of an entity. It has the columns:
    - id
    - type
    - ...properties
- **Relationship DataFrame**: Contains the relationship between two entities, and the type of relationship. It contains the columns:
    - source
    - target
    - source_type
    - target_type
    - relationship_type

In [4]:
FILE = 'ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa'

In [5]:
example_attribute_df = vt_lookup.lookup_ioc(observable=FILE, vt_type='file')
example_attribute_df

id,last_submission_date,type_description,times_submitted,meaningful_name,first_submission_date,size,detections,scans,type
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa,1598616375,Win32 EXE,1472,diskpart.exe,1494574270,3514368,63,73,file


In [6]:
example_relationship_df = vt_lookup.lookup_ioc_relationships(
    observable=FILE, 
    vt_type='file', 
    relationship='execution_parents')
example_relationship_df

source,target,target_type,source_type,relationship_type
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa,24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c,file,file,execution_parents
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa,32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf,file,file,execution_parents
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa,bd927d915f19a89468391133465b1f2fb78d7a58178867933c44411f4d5de8eb,file,file,execution_parents
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa,9f35e3393e442b4a35422e4b927e530712bac8ee2034a884b6ef724f0d8ec0ef,file,file,execution_parents
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa,f0105b922f41b0ee8595e0e7d989c9ba69d4a38337211dcbe86e0bdce346853d,file,file,execution_parents
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa,...,...,...,...
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa,64488ed709c5ca9bf23bf943711e85faea008b341fbf662c8982649240aa8203,file,file,execution_parents
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa,06c676bf8f5c6af99172c1cf63a84348628ae3f39df9e523c42447e2045e00ff,file,file,execution_parents
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa,9a2e1e8da634aa1cce446a9ee8f4de2a357eb76debf27938e43f6ac0d6c71009,file,file,execution_parents
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa,36dadfcae878c299ea1b563eac0240a7b352a0ff24c599225b42b503ea2f63a9,file,file,execution_parents


### Obtaining result for multiple entities

The function `lookup_iocs` is able to obtain attributes for all the rows in a DataFrame. If no `observable_column` and `observable_type` parameters are specified, the function will obtain the attributes of all the entities that are in the column `target`, and will obtain their types from the `target_type` column.

This function is especially useful when a user has obtained a set of relationships and would like to obtain the attributes of the related entities.

In [7]:
example_multiple_attribute_df = vt_lookup.lookup_iocs(example_relationship_df)
example_multiple_attribute_df

id,last_submission_date,type_description,times_submitted,meaningful_name,first_submission_date,size,detections,scans,type
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c,1591271694,Win32 EXE,252,lhdfrgui.exe,1494579471,3723264,65,73,file
32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf,1583504867,Win32 EXE,59,lhdfrgui.exe,1494763431,3723264,64,73,file
bd927d915f19a89468391133465b1f2fb78d7a58178867933c44411f4d5de8eb,1577642121,Win32 EXE,18,lhdfrgui.exe,1494796916,3723264,67,73,file
9f35e3393e442b4a35422e4b927e530712bac8ee2034a884b6ef724f0d8ec0ef,1577647004,Win32 EXE,12,lhdfrgui.exe,1494831892,3723264,68,74,file
f0105b922f41b0ee8595e0e7d989c9ba69d4a38337211dcbe86e0bdce346853d,1571667977,Win32 EXE,9,lhdfrgui.exe,1494880301,3723264,66,71,file
...,...,...,...,...,...,...,...,...,...
64488ed709c5ca9bf23bf943711e85faea008b341fbf662c8982649240aa8203,1594903025,Win32 EXE,2,ransom.exe,1594903025,4315347,48,77,file
06c676bf8f5c6af99172c1cf63a84348628ae3f39df9e523c42447e2045e00ff,1595479073,Win32 EXE,1,car.exe,1595479073,4535704,40,75,file
9a2e1e8da634aa1cce446a9ee8f4de2a357eb76debf27938e43f6ac0d6c71009,1595858169,Win32 EXE,1,hideprojessbsod.exe,1595858169,25829,45,75,file
36dadfcae878c299ea1b563eac0240a7b352a0ff24c599225b42b503ea2f63a9,1596029248,Win32 EXE,1,locjavcompkfaclo‮gpj.exe,1596029248,4374699,50,75,file
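
One way to read an Attributes DataFrame like the one above, as an added example that is not part of the original notebook or of msticpy: it converts the epoch timestamps, computes the detection ratio and flags names that carry invisible Unicode directional controls, as the last `meaningful_name` in the output above does. `triage_attributes` and the sample rows are assumptions made for this illustration.

```python
import pandas as pd

# Unicode directional controls that can visually reorder a file name.
BIDI_CONTROLS = set("\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069")


def triage_attributes(attrs: pd.DataFrame) -> pd.DataFrame:
    """Add analyst-friendly columns to a file Attributes DataFrame."""
    out = attrs.copy()
    # Submission dates arrive as Unix epoch seconds.
    for col in ("first_submission_date", "last_submission_date"):
        out[col] = pd.to_datetime(out[col], unit="s", utc=True)
    out["days_observed"] = (
        out["last_submission_date"] - out["first_submission_date"]
    ).dt.days
    # Share of engines that flagged the file.
    out["detection_ratio"] = (out["detections"] / out["scans"]).round(2)
    names = out["meaningful_name"].astype(str)
    out["bidi_in_name"] = names.map(lambda n: any(c in BIDI_CONTROLS for c in n))
    # The escaped form makes invisible characters visible in reports.
    out["name_escaped"] = names.map(
        lambda n: n.encode("unicode_escape").decode("ascii"))
    return out


# Sample rows modelled on the output above; the ids are placeholders.
SAMPLE = pd.DataFrame(
    {
        "last_submission_date": [1598616375, 1596029248],
        "meaningful_name": ["diskpart.exe", "locjavcompkfaclo\u202egpj.exe"],
        "first_submission_date": [1494574270, 1596029248],
        "detections": [63, 50],
        "scans": [73, 75],
        "type": ["file", "file"],
    },
    index=pd.Index(["<sha256-1>", "<sha256-2>"], name="id"),
)

if __name__ == "__main__":
    cols = ["days_observed", "detection_ratio", "bidi_in_name", "name_escaped"]
    print(triage_attributes(SAMPLE)[cols])
```
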


Similarly, to obtain the relationships for a set of entities, we have the function `lookup_iocs_relationships`. Here too, if no `observable_column` and `observable_type` parameters are specified, the function will obtain the relationships of all the entities in the `target` column, and will take their types from the `target_type` column.

In [None]:
example_multiple_relationship_df = vt_lookup.lookup_iocs_relationships(example_relationship_df, 'contacted_domains')
example_multiple_relationship_df

## Integration with VTGraph

Once we have some DataFrames with the relationships, we are able to generate and visualize a VT Graph in our notebook. The function `create_vt_graph` accepts as input a **list of Relationship DataFrames**.

In [None]:
graph_id = vt_lookup.create_vt_graph(
    relationship_dfs=[example_relationship_df, example_multiple_relationship_df],
    name="My first Jupyter Notebook Graph"
)
graph_id

In [10]:
vt_lookup.render_vt_graph(
    graph_id = graph_id,
    width = 800,
    height = 500
)
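
A local check that can run on the list of Relationship DataFrames before `create_vt_graph` is called, as an added example that is not part of the original notebook or of msticpy: it brings each frame to the five columns listed earlier, merges them, drops repeated edges and reports targets reached from more than one source. The helper names and the sample identifiers are assumptions made for this illustration.

```python
import pandas as pd

# Column names from the Relationship DataFrame description on this page.
REL_COLUMNS = ["source", "target", "source_type", "target_type", "relationship_type"]


def normalize_relationships(df: pd.DataFrame) -> pd.DataFrame:
    """Return the five relationship fields as plain columns, in fixed order."""
    # The outputs above show source/target as index levels; move them to columns.
    levels = [name for name in df.index.names if name in REL_COLUMNS]
    if levels:
        df = df.reset_index(level=levels)
    missing = [col for col in REL_COLUMNS if col not in df.columns]
    if missing:
        raise ValueError(f"not a Relationship DataFrame, missing {missing}")
    return df[REL_COLUMNS].reset_index(drop=True)


def merge_relationships(relationship_dfs) -> pd.DataFrame:
    """Concatenate Relationship DataFrames and drop repeated edges."""
    frames = [normalize_relationships(df) for df in relationship_dfs]
    return pd.concat(frames, ignore_index=True).drop_duplicates(ignore_index=True)


def shared_targets(edges: pd.DataFrame, min_sources: int = 2) -> pd.Series:
    """Count distinct sources per target; keep targets seen from several."""
    counts = edges.groupby(["target", "target_type"])["source"].nunique()
    return counts[counts >= min_sources].sort_values(ascending=False)


# Constructed sample data with placeholder identifiers (not VirusTotal output).
PARENTS = pd.DataFrame(
    {"target_type": "file", "source_type": "file",
     "relationship_type": "execution_parents"},
    index=pd.MultiIndex.from_tuples(
        [("sample", "parent-1"), ("sample", "parent-2")],
        names=["source", "target"]),
)
DOMAINS = pd.DataFrame(
    [("parent-1", "shared.example", "file", "domain", "contacted_domains"),
     ("parent-2", "shared.example", "file", "domain", "contacted_domains"),
     ("parent-2", "other.example", "file", "domain", "contacted_domains"),
     ("parent-2", "other.example", "file", "domain", "contacted_domains")],
    columns=REL_COLUMNS,
)

if __name__ == "__main__":
    print(shared_targets(merge_relationships([PARENTS, DOMAINS])))
```
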