A Python SDK that provides programmatic access to UltraDDR's threat intelligence and DNS over HTTPS services for OSINT and threat hunting.
A Python SDK for UltraDDR
This tool is designed for security analysts and threat hunters who need to interact with UltraDDR's threat intelligence platform via Python. It enables querying threat reports, DNS data, and performing DNS over HTTPS lookups to support OSINT investigations and DNS security analysis.
Users should securely manage their API keys, preferably using environment files as supported by the SDK setup method. The SDK supports multiple organizations per API key, so specifying the organization context is important when applicable. The DoH client includes IoC parsing to handle various indicator formats, enhancing usability in threat hunting workflows.
Install the package using pip: pip install uddr_client
import uddr_client
uddr_client.connect.setup()
Set up the API key in an environment file for ease of use.
c = uddr_client.connect('api_key=<your API key>')
Connect to the UltraDDR API by passing the API key directly.
client = uddr_client.connect()
doh_client = client.doh()
doh_client.setup()
Initialize the DNS over HTTPS client and set it up.
c = uddr_client.connect()
api_client = c.api()
resp = api_client.reports()
print(resp)
Instantiate the API client and retrieve threat intelligence reports.
lookup = doh.lookup('google.com')
print(lookup)
Perform a DNS over HTTPS lookup for 'google.com' and print the full JSON response.
lookup.A, lookup.AAAA, lookup.CNAME, lookup.NS, lookup.MX, lookup.TXT, lookup.SOA, lookup.SRV, lookup.CAA, lookup.DS, lookup.DNSKEY
Access various DNS record types from the DoH lookup response.
help(c.api().logs)
Use Python's help function to get detailed documentation on the 'logs' API method.
Response.xml(), Response.csv()
Parse API responses into XML or CSV formats instead of the default JSON.
doh.status(), doh.block_info(), doh.answer(), doh.authority()
Retrieve detailed information about the DoH query status, block status, and DNS response sections.