# Using the OTX-Python-SDK

## API Key Configuration

In [1]:
from OTXv2 import OTXv2, IndicatorTypes

In [2]:
from pandas.io.json import json_normalize

In [3]:
from datetime import datetime, timedelta

In [4]:
#otx = OTXv2("56eeceea60fe1afb077026f0d228342a74707e64852ae7dd3cbee8439ff4d59c")
otx = OTXv2("a0709959938ef8b855136a06f118a716df327ae1109c4a6c35685c42e38be4ca")

Replace YOUR_KEY with your OTX API key. You can find it on your settings page https://otx.alienvault.com/settings.

## Subscriptions

The getall() method accesses your subscriptions.  It downloads all the OTX pulses and their assocciated indicators of compromise (IOCs) from your account. This includes:  
- All pulses you subscribe to directly
- All pulses by users you subscribe to
- OTX pulses you created (including private pulses)
If this is the first time you are using your account, the download includes all pulses created by AlienVault. All users are subscribed to the AlienVault user by default.

In [5]:
pulses = otx.getall()

In [6]:
len(pulses)

5

In [7]:
json_normalize(pulses)[0:5]

  json_normalize(pulses)[0:5]


Unnamed: 0,id,name,description,author_name,modified,created,revision,tlp,public,adversary,indicators,tags,targeted_countries,malware_families,attack_ids,references,industries,extract_source,more_indicators
0,60ece5998a5b54a5ffe75cb4,SSH Brute-Force Honeypot Live,every host is banned for 3 hours and receives ...,pr0viehh,2024-03-31T20:31:20.973000,2021-07-13T01:00:09.665000,5,white,1,,"[{'id': 3659063371, 'indicator': '50.229.197.6...","[Bruteforce, Brute-Force, SSH, Honeypot]",[],[],[],[],[],[],False
1,5a64f74f0e543738c12bc973,Webscanners with Bad Requests - HTTP Status 40...,Webscanners who&amp;amp;amp;#39;s requests res...,david3,2024-03-31T20:20:16.926000,2018-01-21T20:25:51.668000,4,white,1,,"[{'id': 3631657412, 'indicator': '5.161.117.81...","[webscanner, bruteforce, badrequest, probing, ...",[],[],[],[],[],[],False
2,6341d1aa0a02a3f6251ab540,Sinking Yachts Phishing Domains,Sinking Yachts is a Discord based anti-phishin...,__akac__,2024-03-31T19:40:30.790000,2022-10-08T19:38:18.341000,14410,white,1,,"[{'id': 3655847998, 'indicator': 'stearncomrnu...","[discord, roblox, steam, phishing]",[],[],[],[],[gaming],[],False
3,64a7c62dda0c66ad822272ec,IPy Notebook Test,,pranavkr,2023-08-06T08:03:47.345000,2023-07-07T08:00:45.157000,1,green,0,,[],[],[],[],[],[],[],[],False
4,64a53b9c7fc8616c4ff6024f,IPy Notebook Test,,pranavkr,2023-08-04T09:00:46.665000,2023-07-05T09:45:00.687000,1,green,0,,[],[],[],[],[],[],[],[],False


- author_name: The username of the OTX User that created the pulse
- created: Date when the pulse was created in the system
- description: Describes the pulse in terms of the type of threat it poses, and any other facts that may link it to other threat indicators.
- id: Unique identifier of the pulse
- indicators: Collection of Indicators Of Compromise 
- modified: Date when the pulse was last modified
- name: Name of the pulse
- references: List of references to papers, websites or blogs related to the threat described in the pulse
- revision: Revision number that increments each time pulse contents change
- tags: List of tags that provide information about pulse content, for example, Phshing, malware, C&C, and apt.

Let's explore the indicators object:

In [8]:
json_normalize(pulses[1]["indicators"])

  json_normalize(pulses[1]["indicators"])


Unnamed: 0,id,indicator,type,created,content,title,description,expiration,is_active,role
0,3631657412,5.161.117.81,IPv4,2023-02-11T00:05:15,,400 BAD REQUEST,,2023-05-12T00:00:00,1,scanning_host
1,3366197086,167.94.138.46,IPv4,2023-02-11T00:10:08,,400 BAD REQUEST,,2023-05-12T00:00:00,1,scanning_host
2,3631724497,176.97.210.177,IPv4,2023-02-11T00:10:16,,400 BAD REQUEST,,2023-05-12T00:00:00,1,scanning_host
3,3631724497,176.97.210.177,IPv4,2023-02-11T00:15:09,,400 BAD REQUEST,,2023-05-12T00:00:00,1,scanning_host
4,3631755626,3.80.221.68,IPv4,2023-02-11T00:15:17,,400 BAD REQUEST,,2023-05-12T00:00:00,1,scanning_host
...,...,...,...,...,...,...,...,...,...,...
29999,2279830927,192.241.230.46,IPv4,2024-03-31T19:50:07,,400 BAD REQUEST,,2024-06-29T00:00:00,1,scanning_host
30000,3548007530,172.104.11.51,IPv4,2024-03-31T20:00:15,,400 BAD REQUEST,,2024-06-29T00:00:00,1,scanning_host
30001,3854241386,166.88.141.168,IPv4,2024-03-31T20:00:17,,400 BAD REQUEST,,2024-06-29T00:00:00,1,scanning_host
30002,3422948472,205.210.31.17,IPv4,2024-03-31T20:10:06,,400 BAD REQUEST,,2024-06-29T00:00:00,1,scanning_host


- _id: Unique identifier of the IOC
- created: Date IOC was added to the pulse
- description: Describe the Indicator Of Compromise
- indicator: The IOC
- indicator_type: Type of indicator

The following Indicator Types are supported (also defined in IndicatorTypes.py):

In [9]:
indicator_types = [
			{
			    "name": "IPv4", 
			    "description": "An IPv4 address indicating the online location of a server or other computer."
			}, 
			{
			    "name": "IPv6", 
			    "description": "An IPv6 address indicating the online location of a server or other computer."
			}, 
			{
			    "name": "domain", 
			    "description": "A domain name for a website or server. Domains encompass a series of hostnames."
			}, 
			{
			    "name": "hostname", 
			    "description": "The hostname for a server located within a domain."
			}, 
			{
			     
			    "name": "email", 
			    "description": "An email associated with suspicious activity."
			}, 
			{
			    "name": "URL", 
			    "description": " Uniform Resource Location (URL) summarizing the online location of a file or resource."
			}, 
			{
			     
			    "name": "URI", 
			    "description": "Uniform Resource Indicator (URI) describing the explicit path to a file hosted online."
			}, 
			{
			    "name": "FileHash-MD5", 
			    "description": "A MD5-format hash that summarizes the architecture and content of a file."
			}, 
			{
			    "name": "FileHash-SHA1", 
			    "description": "A SHA-format hash that summarizes the architecture and content of a file."
			}, 
			{
			    "name": "FileHash-SHA256", 
			    "description": "A SHA-256-format hash that summarizes the architecture and content of a file."
			}, 
			{
			     
			    "name": "FileHash-PEHASH", 
			    "description": "A PEPHASH-format hash that summarizes the architecture and content of a file."
			}, 
			{
			     
			    "name": "FileHash-IMPHASH", 
			    "description": "An IMPHASH-format hash that summarizes the architecture and content of a file."
			}, 
			{
			    "name": "CIDR", 
			    "description": "Classless Inter-Domain Routing (CIDR) address, which describes both a server's IP address and the network architecture (routing path) surrounding that server."
			}, 
			{
			     
			    "name": "FilePath", 
			    "description": "A unique location in a file system."
			}, 
			{
			     
			    "name": "Mutex", 
			    "description": "The name of a mutex resource describing the execution architecture of a file."
			}, 
			{
			    "name": "CVE", 
			    "description": "Common Vulnerability and Exposure (CVE) entry describing a software vulnerability that can be exploited to engage in malicious activity."
			}]

In [10]:
json_normalize(indicator_types)

  json_normalize(indicator_types)


Unnamed: 0,name,description
0,IPv4,An IPv4 address indicating the online location...
1,IPv6,An IPv6 address indicating the online location...
2,domain,A domain name for a website or server. Domains...
3,hostname,The hostname for a server located within a dom...
4,email,An email associated with suspicious activity.
5,URL,Uniform Resource Location (URL) summarizing t...
6,URI,Uniform Resource Indicator (URI) describing th...
7,FileHash-MD5,A MD5-format hash that summarizes the architec...
8,FileHash-SHA1,A SHA-format hash that summarizes the architec...
9,FileHash-SHA256,A SHA-256-format hash that summarizes the arch...


In [11]:
mtime = (datetime.now() - timedelta(days=1)).isoformat()

In [12]:
mtime

'2024-03-31T02:03:15.307354'

## Events

Besides receiving the pulse information, there is another function that can retrieve different events that are ocurring in the OTX system and affect your account.

In [13]:
events = otx.getevents_since(mtime)

In [14]:
json_normalize(events)

  json_normalize(events)


- id: object id of this event.  Unique reference identifier
- action : "[subscribe | unsubscribe | delete]", Currently supports subscribe / unsubscribe events for users and pulses and delete events for pulses
- object_type : "[pulse | user]", // Currently supports events for pulse and user objects
- object_id : "[pulse id | author id]", // Unique id can be used to lookup pulses and users (e.g. to remove them from  system, they would remove all pulses by author_id or an individual pulse by pulse "id".
"created" : <timestamp of event>

When developing an application, you must decide how you want to handle different types of events. For instance, if one OTX user unsubscribes from another user, do you want to delete the IOCs the second user contributed from your application? How do you plan to reconcile the data on the server versus the data in your application?
The same question comes up when users delete a pulse.

## Using Search and get Pulse by ID

The OTX API allows you to search for pulses and users by keyword.  This allows you to obtain pulses that you're not (yet) subscribed to.

In [15]:
pulses = otx.search_pulses("Russian")

In [16]:
json_normalize(pulses["results"])

  json_normalize(pulses["results"])


Unnamed: 0,id,name,description,author_name,modified,created,tags,references,public,adversary,...,TLP,revision,groups,in_group,is_subscribing,author.username,author.id,author.avatar_url,author.is_subscribed,author.is_following
0,5528132f13432a2102724d34,Potential TV5 Monde intrusion indicators,TV5Monde was taken off air in April 2015. A gr...,AlienVault,2019-01-25T15:20:10.359000,2015-04-10T18:15:11.492000,[],[],1,Sofacy,...,green,11,[],False,,AlienVault,2,/otxapi/users/avatar_image/media/avatars/user_...,False,False
1,55346adeb45ff536ca3ffd2c,Operation RussianDoll,FireEye Labs recently detected a limited APT c...,AlienVault,2017-08-24T10:45:07.905000,2015-04-20T02:56:30.505000,[],[],1,Sofacy,...,green,3,[],False,,AlienVault,2,/otxapi/users/avatar_image/media/avatars/user_...,False,False
2,553583b5b45ff501cdc579aa,Operation Buhtrap,Operation Buhtrap - The trap for Russian accou...,tomdaq,2015-04-20T22:54:45.662000,2015-04-20T22:54:45.662000,[],[],1,,...,green,1,[],False,,tomdaq,49,https://otx.alienvault.com/assets/images/defau...,False,False
3,5541029cb45ff5029b148b7f,Operation Armageddon,"“Operation Armageddon,” active since at least ...",AlienVault,2017-03-12T01:33:45.089000,2015-04-29T16:11:08.251000,[],[],1,Gamaredon Group,...,green,7,[],False,,AlienVault,2,/otxapi/users/avatar_image/media/avatars/user_...,False,False
4,558d85f0b45ff55ccb25e6f4,Digital Attack on German Parliament,Servers of The Left in German Bundestag have b...,AlienVault,2017-07-24T12:00:41.708000,2015-06-26T17:03:44.800000,[],[],1,Sofacy,...,green,5,[],False,,AlienVault,2,/otxapi/users/avatar_image/media/avatars/user_...,False,False
5,55a7cbb7b45ff51f5c94e6a2,Microsoft Office Zero-Day CVE-2015-2424 Levera...,"Yesterday, Microsoft patched CVE-2015-2424, a ...",AlienVault,2019-10-24T16:03:41.314000,2015-07-16T15:20:23.492000,[],[],1,,...,green,1,[],False,,AlienVault,2,/otxapi/users/avatar_image/media/avatars/user_...,False,False
6,55dfc30067db8c7bb8cb9865,New Spear Phishing Campaign Pretends to be EFF,Google's security team recently identified a n...,AlienVault,2015-08-28T02:10:08.167000,2015-08-28T02:10:08.167000,[],[],1,,...,green,1,[],False,,AlienVault,2,/otxapi/users/avatar_image/media/avatars/user_...,False,False
7,55fae83567db8c6fb3518bcd,THE DUKES: 7 years of Russian cyberespionage,"The Dukes are a well-resourced, highly dedicat...",AlienVault,2017-03-06T17:17:18.888000,2015-09-17T16:20:05.303000,[],[],1,APT 29,...,green,2,[],False,,AlienVault,2,/otxapi/users/avatar_image/media/avatars/user_...,False,False
8,55faf3014637f26df8745a74,Targeted Attack Distributes PlugX in Russia,Proofpoint researchers recently observed a cam...,AlienVault,2015-09-17T17:06:09.914000,2015-09-17T17:06:09.914000,[],[],1,,...,green,1,[],False,,AlienVault,2,/otxapi/users/avatar_image/media/avatars/user_...,False,False
9,565301b84637f2388ab004ca,Phishing site running suspicious scripts,Found phishing sites using the same format of ...,muscothym,2015-11-23T12:16:53.725000,2015-11-23T12:08:24.397000,[],[],1,,...,green,10,[],False,,muscothym,6895,/otxapi/users/avatar_image/media/avatars/musco...,False,False


Let's say we're interested in viewing the full details (including indicators) from one of our search results.  For example maybe we're interested in the Enigma Ransomware:

In [17]:
pulse_id = pulses["results"][1]["id"]

In [18]:
pulse_details = otx.get_pulse_details(pulse_id)

In [19]:
json_normalize(pulse_details)

  json_normalize(pulse_details)


Unnamed: 0,id,name,description,author_name,modified,created,tags,references,public,adversary,...,indicators,revision,groups,in_group,is_subscribing,author.username,author.id,author.avatar_url,author.is_subscribed,author.is_following
0,55346adeb45ff536ca3ffd2c,Operation RussianDoll,FireEye Labs recently detected a limited APT c...,AlienVault,2017-08-24T10:45:07.905000,2015-04-20T02:56:30.505000,"[flash, apt28, windows, apt, shellcode, zeroda...",[],1,Sofacy,...,"[{'id': 4278, 'indicator': 'ssl-icloud.com', '...",3,[{'name': 'APT28/Sofacy/Fancy Bear Working Gro...,True,,AlienVault,2,/otxapi/users/avatar_image/media/avatars/user_...,False,False


## Indicator details

Let's investigate an indicator included in the Enigma Ransomware pulse.

In [20]:
indicator = pulse_details["indicators"][4]["indicator"]

In [21]:
indicator_details = otx.get_indicator_details_full(IndicatorTypes.IPv4, indicator)

BadRequest: {'detail': 'Invalid IP (updatecenter.name)'}

Indicator details are divided into sections for convenience:

In [None]:
indicator_details.keys()

['malware', 'passive_dns', 'url_list', 'general', 'reputation', 'geo']

In [None]:
json_normalize(indicator_details["url_list"])

Unnamed: 0,actual_size,full_size,has_next,limit,page_num,paged,url_list
0,22,22,True,10,1,True,"[{u'domain': u'', u'url': u'http://82.194.84.1..."


In [None]:
json_normalize(indicator_details["passive_dns"].get('passive_dns'))

Unnamed: 0,address,asset_type,first,flag_title,flag_url,hostname,indicator_link,last
0,82.194.84.120,domain,2013-08-29 14:59:51,Spain,/static/img/flags/es.png,comitres.net,/indicator/domain/comitres.net,2014-07-24 01:04:39
1,82.194.84.120,domain,2013-10-09 18:09:10,Spain,/static/img/flags/es.png,apamac.net,/indicator/domain/apamac.net,2013-12-16 15:42:58
2,82.194.84.120,domain,2013-08-31 15:02:04,Spain,/static/img/flags/es.png,estudio-danza-camargo.com,/indicator/domain/estudio-danza-camargo.com,2013-08-31 15:02:04


Indicator details are not available for all supported indicator types.  IndicatorTypes.supported_api_types contains a list of the indicator types you can use with get_indicator_details_by_section and get_indicator_details_full. 

## Create pulse

You can create new pulses using the create_pulse function.  A name string is required.  Public boolean is also required but will be set True if not provided:

In [None]:
indicators = [{"indicator": "82.194.84.121", "description":"", "type": "IPv4"}, {"indicator": "82.194.84.122", "description":"", "type": "IPv4"}]

In [None]:
new_pulse = otx.create_pulse(name="IPy Notebook Test", indicators=indicators, public=False)

In [None]:
json_normalize(new_pulse)

Unnamed: 0,TLP,active,author_id,author_name,cloned_from,comments_count,created,description,downvotes,downvotes_count,...,subscribers,subscribers_count,tags,tags_count,unsubscribed_users,upvotes,upvotes_count,validators,validators_count,votes_count
0,green,True,14830,hilaryclintonsemailserver,,0,2016-05-20T16:25:59.670399,,[],0,...,[],0,[],0,[],[],0,[],0,0


In [None]:
import pandas as pd
import schedule
import time
import datetime

def get_pulse_indicator_info(pulse_id, api_key):
    otx = OTXv2(api_key)

 
    indicators = otx.get_pulse_indicators(pulse_id)

    
    indicator_types = []
    indicator_values = []
    descriptions = []

    
    for indicator in indicators:
        indicator_types.append(indicator["type"])
        indicator_values.append(indicator["indicator"])
        descriptions.append(indicator["description"])

    
    return indicator_types, indicator_values, descriptions

def save_to_csv():
    indicator_types, indicator_values, descriptions = get_pulse_indicator_info(pulse_id, api_key)
    
    #lists into a DataFrame
    data = {
        "Indicator Types": indicator_types,
        "Indicator Values": indicator_values,
        "Descriptions": descriptions
    }
    df = pd.DataFrame(data)

    df = df.drop_duplicates(subset=["Indicator Values"])
    
    #save to new file
    current_time = datetime.datetime.now().strftime('%Y-%m-%d_%H-%M-%S')
    filename = f'pulse_indicators_{current_time}.csv'
    
    df.to_csv(filename, index=False)
    
    print(f"Data saved to {filename}")


api_key = "56eeceea60fe1afb077026f0d228342a74707e64852ae7dd3cbee8439ff4d59c"
pulse_id = "6341d1aa0a02a3f6251ab540"

save_to_csv()

# To change time 
schedule.every(6).hours.do(save_to_csv)

while True:
    schedule.run_pending()
    time.sleep(1)

Data saved to pulse_indicators_2024-01-22_10-40-49.csv


The following fields can be passed into create_pulse:
- name(string, required) pulse name
- public(boolean, required) long form description of threat
- description(string) long form description of threat
- tlp(string, white/green/amber/red) Traffic Light Protocol level for threat sharing
- tags(list of strings) short keywords to associate with your pulse
- references(list of strings, preferably URLs) external references for this threat
- indicators(list of objects) IOCs to include in pulse