shadowhunter_neo4j.py

#!/usr/bin/env python3
"""
ShadowHunter - Dark Web Credential Intelligence Platform
Module: Neo4j Graph Database Integration
Author: Fevra
Version: 0.1.0

This module provides graph database capabilities for storing and analyzing
threat intelligence relationships between domains, credentials, threat actors,
breaches, and attack infrastructure.
"""

import asyncio
import logging
from datetime import datetime, timedelta
from typing import List, Dict, Optional, Set, Tuple, Any
from dataclasses import dataclass, asdict
import json
import hashlib

# Neo4j driver
try:
    from neo4j import GraphDatabase, basic_auth
    from neo4j.exceptions import ServiceUnavailable, AuthError
    NEO4J_AVAILABLE = True
except ImportError:
    NEO4J_AVAILABLE = False
    logging.warning("Neo4j driver not installed. Install with: pip install neo4j")

logging.basicConfig(level=logging.INFO)
logger = logging.getLogger('ShadowHunter.Neo4j')


# ============================================================================
# GRAPH NODE MODELS
# ============================================================================

@dataclass
class GraphNode:
    """Base class for graph nodes"""
    node_id: str
    node_type: str
    properties: Dict[str, Any]
    created_at: str = ""
    
    def __post_init__(self):
        if not self.created_at:
            self.created_at = datetime.utcnow().isoformat()


@dataclass
class DomainNode(GraphNode):
    """Domain node"""
    def __init__(self, domain: str, organization: str = "Unknown"):
        super().__init__(
            node_id=f"domain:{domain}",
            node_type="Domain",
            properties={
                'domain': domain,
                'organization': organization
            }
        )


@dataclass
class CredentialNode(GraphNode):
    """Credential node"""
    def __init__(self, email: str, password_hash: Optional[str] = None):
        super().__init__(
            node_id=f"cred:{hashlib.sha256(email.encode()).hexdigest()[:16]}",
            node_type="Credential",
            properties={
                'email': email,
                'email_hash': hashlib.sha256(email.encode()).hexdigest(),
                'password_hash': password_hash
            }
        )


@dataclass
class ThreatActorNode(GraphNode):
    """Threat actor/seller node"""
    def __init__(self, username: str, platform: str, reputation: Optional[str] = None):
        super().__init__(
            node_id=f"actor:{platform}:{username}",
            node_type="ThreatActor",
            properties={
                'username': username,
                'platform': platform,
                'reputation': reputation
            }
        )


@dataclass
class BreachNode(GraphNode):
    """Data breach node"""
    def __init__(self, breach_name: str, record_count: int, breach_date: Optional[str] = None):
        super().__init__(
            node_id=f"breach:{hashlib.md5(breach_name.encode()).hexdigest()[:16]}",
            node_type="Breach",
            properties={
                'breach_name': breach_name,
                'record_count': record_count,
                'breach_date': breach_date
            }
        )


@dataclass
class StealerLogNode(GraphNode):
    """Stealer malware log node"""
    def __init__(self, log_id: str, stealer_type: str, credentials_count: int, price: Optional[float] = None):
        super().__init__(
            node_id=f"log:{log_id}",
            node_type="StealerLog",
            properties={
                'log_id': log_id,
                'stealer_type': stealer_type,
                'credentials_count': credentials_count,
                'price': price
            }
        )


@dataclass
class RansomwareGroupNode(GraphNode):
    """Ransomware group node"""
    def __init__(self, group_name: str, leak_site_url: Optional[str] = None):
        super().__init__(
            node_id=f"ransom:{group_name.lower().replace(' ', '_')}",
            node_type="RansomwareGroup",
            properties={
                'group_name': group_name,
                'leak_site_url': leak_site_url
            }
        )


@dataclass
class IABListingNode(GraphNode):
    """Initial Access Broker listing node"""
    def __init__(self, listing_id: str, access_type: str, price: float):
        super().__init__(
            node_id=f"iab:{listing_id}",
            node_type="IABListing",
            properties={
                'listing_id': listing_id,
                'access_type': access_type,
                'price': price
            }
        )


@dataclass
class TelegramChannelNode(GraphNode):
    """Telegram channel node"""
    def __init__(self, username: str, category: str, member_count: int = 0):
        super().__init__(
            node_id=f"telegram:{username}",
            node_type="TelegramChannel",
            properties={
                'username': username,
                'category': category,
                'member_count': member_count
            }
        )


# ============================================================================
# GRAPH RELATIONSHIP MODELS
# ============================================================================

@dataclass
class GraphRelationship:
    """Graph relationship"""
    from_node_id: str
    to_node_id: str
    relationship_type: str
    properties: Dict[str, Any]
    created_at: str = ""
    
    def __post_init__(self):
        if not self.created_at:
            self.created_at = datetime.utcnow().isoformat()


# ============================================================================
# NEO4J DATABASE MANAGER
# ============================================================================

class Neo4jManager:
    """Neo4j database manager"""
    
    def __init__(self, uri: str = "bolt://localhost:7687", 
                 username: str = "neo4j", 
                 password: str = "password"):
        """
        Initialize Neo4j connection
        
        Args:
            uri: Neo4j connection URI
            username: Database username
            password: Database password
        """
        if not NEO4J_AVAILABLE:
            raise ImportError("Neo4j driver not installed. Run: pip install neo4j")
        
        self.uri = uri
        self.username = username
        self.password = password
        self.driver = None
        
        logger.info(f"Neo4j manager initialized for {uri}")
    
    def connect(self) -> bool:
        """Connect to Neo4j database"""
        try:
            self.driver = GraphDatabase.driver(
                self.uri,
                auth=basic_auth(self.username, self.password)
            )
            
            # Test connection
            with self.driver.session() as session:
                result = session.run("RETURN 1 as test")
                result.single()
            
            logger.info("✓ Connected to Neo4j database")
            return True
            
        except AuthError:
            logger.error("Authentication failed - check username/password")
            return False
        except ServiceUnavailable:
            logger.error("Neo4j service unavailable - is it running?")
            return False
        except Exception as e:
            logger.error(f"Failed to connect to Neo4j: {e}")
            return False
    
    def close(self):
        """Close database connection"""
        if self.driver:
            self.driver.close()
            logger.info("Neo4j connection closed")
    
    def create_indexes(self):
        """Create database indexes for performance"""
        with self.driver.session() as session:
            # Create indexes for common lookups
            indexes = [
                "CREATE INDEX domain_name IF NOT EXISTS FOR (d:Domain) ON (d.domain)",
                "CREATE INDEX credential_email IF NOT EXISTS FOR (c:Credential) ON (c.email)",
                "CREATE INDEX actor_username IF NOT EXISTS FOR (t:ThreatActor) ON (t.username)",
                "CREATE INDEX breach_name IF NOT EXISTS FOR (b:Breach) ON (b.breach_name)",
                "CREATE INDEX stealer_log_id IF NOT EXISTS FOR (s:StealerLog) ON (s.log_id)",
                "CREATE INDEX ransomware_group IF NOT EXISTS FOR (r:RansomwareGroup) ON (r.group_name)",
            ]
            
            for index in indexes:
                try:
                    session.run(index)
                except Exception as e:
                    logger.debug(f"Index creation: {e}")
            
            logger.info("✓ Database indexes created")
    
    def clear_database(self):
        """Clear all data (use with caution!)"""
        with self.driver.session() as session:
            session.run("MATCH (n) DETACH DELETE n")
            logger.warning("⚠️ Database cleared")
    
    # ========================================================================
    # NODE CREATION
    # ========================================================================
    
    def create_node(self, node: GraphNode) -> bool:
        """Create or update a node"""
        with self.driver.session() as session:
            try:
                query = f"""
                MERGE (n:{node.node_type} {{node_id: $node_id}})
                SET n += $properties
                SET n.created_at = COALESCE(n.created_at, $created_at)
                SET n.updated_at = $updated_at
                RETURN n
                """
                
                result = session.run(
                    query,
                    node_id=node.node_id,
                    properties=node.properties,
                    created_at=node.created_at,
                    updated_at=datetime.utcnow().isoformat()
                )
                
                result.single()
                return True
                
            except Exception as e:
                logger.error(f"Error creating node: {e}")
                return False
    
    def create_relationship(self, rel: GraphRelationship) -> bool:
        """Create a relationship between nodes"""
        with self.driver.session() as session:
            try:
                query = f"""
                MATCH (a {{node_id: $from_id}})
                MATCH (b {{node_id: $to_id}})
                MERGE (a)-[r:{rel.relationship_type}]->(b)
                SET r += $properties
                SET r.created_at = COALESCE(r.created_at, $created_at)
                SET r.updated_at = $updated_at
                RETURN r
                """
                
                result = session.run(
                    query,
                    from_id=rel.from_node_id,
                    to_id=rel.to_node_id,
                    properties=rel.properties,
                    created_at=rel.created_at,
                    updated_at=datetime.utcnow().isoformat()
                )
                
                result.single()
                return True
                
            except Exception as e:
                logger.error(f"Error creating relationship: {e}")
                return False
    
    # ========================================================================
    # QUERY FUNCTIONS
    # ========================================================================
    
    def find_domain_threats(self, domain: str) -> List[Dict]:
        """Find all threats related to a domain"""
        with self.driver.session() as session:
            query = """
            MATCH (d:Domain {domain: $domain})-[r]-(threat)
            RETURN d, type(r) as relationship, threat
            LIMIT 100
            """
            
            result = session.run(query, domain=domain)
            return [record.data() for record in result]
    
    def find_threat_actor_activity(self, username: str, platform: str) -> Dict:
        """Get threat actor's activity summary"""
        with self.driver.session() as session:
            query = """
            MATCH (t:ThreatActor {username: $username, platform: $platform})-[r]->(n)
            RETURN t, type(r) as activity_type, count(n) as count
            """
            
            result = session.run(query, username=username, platform=platform)
            
            activity = {}
            for record in result:
                activity[record['activity_type']] = record['count']
            
            return activity
    
    def find_credential_exposure(self, email: str) -> List[Dict]:
        """Find where a credential has been exposed"""
        with self.driver.session() as session:
            query = """
            MATCH (c:Credential {email: $email})-[r:LEAKED_IN]->(source)
            RETURN source, r.timestamp as timestamp
            ORDER BY r.timestamp DESC
            """
            
            result = session.run(query, email=email)
            return [record.data() for record in result]
    
    def find_related_breaches(self, domain: str) -> List[Dict]:
        """Find breaches affecting a domain"""
        with self.driver.session() as session:
            query = """
            MATCH (d:Domain {domain: $domain})<-[:TARGETS]-(b:Breach)
            RETURN b.breach_name as breach,
                   b.record_count as records,
                   b.breach_date as date
            ORDER BY b.record_count DESC
            """
            
            result = session.run(query, domain=domain)
            return [record.data() for record in result]
    
    def find_ransomware_victims(self, group_name: str) -> List[str]:
        """Find victims of a ransomware group"""
        with self.driver.session() as session:
            query = """
            MATCH (r:RansomwareGroup {group_name: $group_name})-[:VICTIMIZED]->(d:Domain)
            RETURN d.domain as victim, d.organization as organization
            """
            
            result = session.run(query, group_name=group_name)
            return [record.data() for record in result]
    
    def get_database_statistics(self) -> Dict:
        """Get database statistics"""
        with self.driver.session() as session:
            stats = {}
            
            # Count nodes by type
            node_types = ['Domain', 'Credential', 'ThreatActor', 'Breach', 
                         'StealerLog', 'RansomwareGroup', 'IABListing', 'TelegramChannel']
            
            for node_type in node_types:
                result = session.run(f"MATCH (n:{node_type}) RETURN count(n) as count")
                stats[node_type] = result.single()['count']
            
            # Count relationships
            result = session.run("MATCH ()-[r]->() RETURN count(r) as count")
            stats['total_relationships'] = result.single()['count']
            
            return stats
    
    # ========================================================================
    # ADVANCED ANALYSIS QUERIES
    # ========================================================================
    
    def find_attack_chains(self, max_depth: int = 5) -> List[Dict]:
        """Find potential attack chains"""
        with self.driver.session() as session:
            query = f"""
            MATCH path = (start)-[*1..{max_depth}]->(end)
            WHERE start:Credential OR start:IABListing
            AND end:Domain
            RETURN path, length(path) as chain_length
            ORDER BY chain_length DESC
            LIMIT 20
            """
            
            result = session.run(query)
            return [record.data() for record in result]
    
    def find_most_active_threat_actors(self, limit: int = 10) -> List[Dict]:
        """Find most active threat actors"""
        with self.driver.session() as session:
            query = """
            MATCH (t:ThreatActor)-[r]->()
            RETURN t.username as username,
                   t.platform as platform,
                   count(r) as activity_count,
                   collect(DISTINCT type(r)) as activity_types
            ORDER BY activity_count DESC
            LIMIT $limit
            """
            
            result = session.run(query, limit=limit)
            return [record.data() for record in result]
    
    def find_high_value_targets(self, limit: int = 10) -> List[Dict]:
        """Find domains with most threats"""
        with self.driver.session() as session:
            query = """
            MATCH (d:Domain)<-[r]-()
            WITH d, count(r) as threat_count, collect(DISTINCT type(r)) as threat_types
            RETURN d.domain as domain,
                   d.organization as organization,
                   threat_count,
                   threat_types
            ORDER BY threat_count DESC
            LIMIT $limit
            """
            
            result = session.run(query, limit=limit)
            return [record.data() for record in result]
    
    def find_stealer_log_patterns(self) -> Dict:
        """Analyze stealer log patterns"""
        with self.driver.session() as session:
            query = """
            MATCH (s:StealerLog)
            RETURN s.stealer_type as type,
                   count(s) as count,
                   avg(s.credentials_count) as avg_credentials,
                   avg(s.price) as avg_price
            ORDER BY count DESC
            """
            
            result = session.run(query)
            return {record['type']: record.data() for record in result}
    
    def find_credential_reuse(self, min_occurrences: int = 2) -> List[Dict]:
        """Find credentials appearing in multiple sources"""
        with self.driver.session() as session:
            query = """
            MATCH (c:Credential)-[:LEAKED_IN]->(source)
            WITH c, count(DISTINCT source) as source_count, collect(source) as sources
            WHERE source_count >= $min_count
            RETURN c.email as email,
                   source_count,
                   [s in sources | labels(s)[0]] as source_types
            ORDER BY source_count DESC
            LIMIT 50
            """
            
            result = session.run(query, min_count=min_occurrences)
            return [record.data() for record in result]


# ============================================================================
# THREAT INTELLIGENCE GRAPH BUILDER
# ============================================================================

class ThreatIntelligenceGraph:
    """Build and query threat intelligence graph"""
    
    def __init__(self, neo4j_manager: Neo4jManager):
        self.db = neo4j_manager
        logger.info("ThreatIntelligenceGraph initialized")
    
    # ========================================================================
    # DATA INGESTION
    # ========================================================================
    
    def ingest_credential_leak(self, email: str, source: str, source_type: str,
                                password: Optional[str] = None, domain: Optional[str] = None):
        """Ingest a credential leak"""
        # Create credential node
        password_hash = hashlib.sha256(password.encode()).hexdigest() if password else None
        cred_node = CredentialNode(email, password_hash)
        self.db.create_node(cred_node)
        
        # Create domain node if provided
        if domain:
            domain_node = DomainNode(domain)
            self.db.create_node(domain_node)
            
            # Link credential to domain
            rel = GraphRelationship(
                from_node_id=cred_node.node_id,
                to_node_id=domain_node.node_id,
                relationship_type="BELONGS_TO",
                properties={}
            )
            self.db.create_relationship(rel)
        
        # Create source node based on type
        if source_type == 'breach':
            source_node = BreachNode(source, record_count=1)
        elif source_type == 'stealer_log':
            source_node = StealerLogNode(source, 'unknown', 1)
        else:
            # Generic source
            source_node = GraphNode(
                node_id=f"source:{source}",
                node_type="DataSource",
                properties={'name': source, 'type': source_type}
            )
        
        self.db.create_node(source_node)
        
        # Link credential to source
        rel = GraphRelationship(
            from_node_id=cred_node.node_id,
            to_node_id=source_node.node_id,
            relationship_type="LEAKED_IN",
            properties={'timestamp': datetime.utcnow().isoformat()}
        )
        self.db.create_relationship(rel)
        
        logger.info(f"✓ Ingested credential leak: {email}")
    
    def ingest_stealer_log(self, log_data: Dict):
        """Ingest a stealer log listing"""
        # Create stealer log node
        log_node = StealerLogNode(
            log_id=log_data['log_id'],
            stealer_type=log_data['stealer_type'],
            credentials_count=log_data['credentials_count'],
            price=log_data.get('price')
        )
        self.db.create_node(log_node)
        
        # Create seller/threat actor node
        if log_data.get('seller'):
            actor_node = ThreatActorNode(
                username=log_data['seller'],
                platform=log_data.get('channel', 'telegram')
            )
            self.db.create_node(actor_node)
            
            # Link actor to log
            rel = GraphRelationship(
                from_node_id=actor_node.node_id,
                to_node_id=log_node.node_id,
                relationship_type="SELLS",
                properties={'price': log_data.get('price', 0)}
            )
            self.db.create_relationship(rel)
        
        # Create Telegram channel node
        if log_data.get('channel'):
            channel_node = TelegramChannelNode(
                username=log_data['channel'],
                category='stealer_logs'
            )
            self.db.create_node(channel_node)
            
            # Link log to channel
            rel = GraphRelationship(
                from_node_id=log_node.node_id,
                to_node_id=channel_node.node_id,
                relationship_type="POSTED_IN",
                properties={'message_id': log_data.get('message_id')}
            )
            self.db.create_relationship(rel)
        
        logger.info(f"✓ Ingested stealer log: {log_data['log_id']}")
    
    def ingest_iab_listing(self, iab_data: Dict):
        """Ingest an IAB listing"""
        # Create IAB listing node
        listing_id = hashlib.md5(f"{iab_data['target_company']}{iab_data['price']}".encode()).hexdigest()[:16]
        iab_node = IABListingNode(
            listing_id=listing_id,
            access_type=iab_data['access_type'],
            price=iab_data['price']
        )
        self.db.create_node(iab_node)
        
        # Create target domain node
        domain = iab_data['target_company'].lower().replace(' ', '') + '.com'  # Simplified
        domain_node = DomainNode(domain, iab_data['target_company'])
        self.db.create_node(domain_node)
        
        # Link IAB listing to target
        rel = GraphRelationship(
            from_node_id=iab_node.node_id,
            to_node_id=domain_node.node_id,
            relationship_type="OFFERS_ACCESS_TO",
            properties={
                'access_type': iab_data['access_type'],
                'price': iab_data['price']
            }
        )
        self.db.create_relationship(rel)
        
        # Create seller node
        if iab_data.get('seller'):
            actor_node = ThreatActorNode(
                username=iab_data['seller'],
                platform=iab_data.get('channel', 'telegram'),
                reputation=iab_data.get('seller_reputation')
            )
            self.db.create_node(actor_node)
            
            # Link seller to listing
            rel = GraphRelationship(
                from_node_id=actor_node.node_id,
                to_node_id=iab_node.node_id,
                relationship_type="SELLS",
                properties={'price': iab_data['price']}
            )
            self.db.create_relationship(rel)
        
        logger.info(f"✓ Ingested IAB listing for: {iab_data['target_company']}")
    
    def ingest_ransomware_victim(self, group_name: str, victim_domain: str, 
                                   victim_org: str, ransom_amount: Optional[float] = None):
        """Ingest a ransomware victim"""
        # Create ransomware group node
        group_node = RansomwareGroupNode(group_name)
        self.db.create_node(group_node)
        
        # Create victim domain node
        domain_node = DomainNode(victim_domain, victim_org)
        self.db.create_node(domain_node)
        
        # Link group to victim
        rel = GraphRelationship(
            from_node_id=group_node.node_id,
            to_node_id=domain_node.node_id,
            relationship_type="VICTIMIZED",
            properties={
                'ransom_amount': ransom_amount,
                'discovered_date': datetime.utcnow().isoformat()
            }
        )
        self.db.create_relationship(rel)
        
        logger.info(f"✓ Ingested ransomware victim: {victim_org}")
    
    def ingest_breach(self, breach_name: str, target_domain: str, 
                      record_count: int, data_types: List[str]):
        """Ingest a data breach"""
        # Create breach node
        breach_node = BreachNode(breach_name, record_count)
        self.db.create_node(breach_node)
        
        # Create target domain node
        domain_node = DomainNode(target_domain)
        self.db.create_node(domain_node)
        
        # Link breach to target
        rel = GraphRelationship(
            from_node_id=breach_node.node_id,
            to_node_id=domain_node.node_id,
            relationship_type="TARGETS",
            properties={
                'data_types': data_types,
                'record_count': record_count
            }
        )
        self.db.create_relationship(rel)
        
        logger.info(f"✓ Ingested breach: {breach_name}")
    
    # ========================================================================
    # ANALYSIS FUNCTIONS
    # ========================================================================
    
    def analyze_domain_risk(self, domain: str) -> Dict:
        """Comprehensive domain risk analysis"""
        threats = self.db.find_domain_threats(domain)
        breaches = self.db.find_related_breaches(domain)
        
        risk_score = 0
        risk_factors = []
        
        # Calculate risk based on threats
        for threat in threats:
            rel_type = threat.get('relationship')
            if rel_type == 'VICTIMIZED':
                risk_score += 50
                risk_factors.append('Ransomware victim')
            elif rel_type == 'TARGETS':
                risk_score += 30
                risk_factors.append('Breach target')
            elif rel_type == 'OFFERS_ACCESS_TO':
                risk_score += 40
                risk_factors.append('IAB listing')
        
        return {
            'domain': domain,
            'risk_score': min(risk_score, 100),
            'risk_level': 'CRITICAL' if risk_score >= 70 else 'HIGH' if risk_score >= 40 else 'MEDIUM',
            'threat_count': len(threats),
            'breach_count': len(breaches),
            'risk_factors': risk_factors
        }
    
    def generate_threat_report(self, domain: str) -> Dict:
        """Generate comprehensive threat report"""
        return {
            'domain': domain,
            'risk_analysis': self.analyze_domain_risk(domain),
            'threats': self.db.find_domain_threats(domain),
            'breaches': self.db.find_related_breaches(domain),
            'generated_at': datetime.utcnow().isoformat()
        }


# ============================================================================
# DEMO AND TESTING FUNCTIONS
# ============================================================================

def print_setup_instructions():
    """Print Neo4j setup instructions"""
    print("\n" + "="*80)
    print("🔧 NEO4J SETUP INSTRUCTIONS")
    print("="*80)
    print("\n1. Install Neo4j:")
    print("   macOS:   brew install neo4j")
    print("   Linux:   apt-get install neo4j")
    print("   Windows: Download from https://neo4j.com/download/")
    print("   Docker:  docker run -p 7474:7474 -p 7687:7687 neo4j:latest")
    
    print("\n2. Start Neo4j:")
    print("   macOS:   brew services start neo4j")
    print("   Linux:   sudo systemctl start neo4j")
    print("   Docker:  (container starts automatically)")
    
    print("\n3. Access Neo4j Browser:")
    print("   URL: http://localhost:7474")
    print("   Default username: neo4j")
    print("   Default password: neo4j (change on first login)")
    
    print("\n4. Install Python driver:")
    print("   pip install neo4j")
    
    print("\n5. Verify connection:")
    print("   Run this script with option 2")
    
    print("\n" + "="*80)


def demo_connection_test():
    """Demo: Test Neo4j connection"""
    print("\n🔌 Testing Neo4j Connection")
    print("="*80)
    
    db = Neo4jManager(
        uri="bolt://localhost:7687",
        username="neo4j",
        password="password"  # Change to your password
    )
    
    if db.connect():
        print("✓ Connection successful!")
        
        # Get statistics
        stats = db.get_database_statistics()
        print("\n📊 Database Statistics:")
        for key, value in stats.items():
            print(f"  {key}: {value}")
        
        db.close()
    else:
        print("❌ Connection failed")
        print("\nTroubleshooting:")
        print("1. Is Neo4j running? Check with: lsof -i :7687")
        print("2. Is the password correct?")
        print("3. Try accessing http://localhost:7474 in browser")


def demo_data_ingestion():
    """Demo: Ingest sample threat intelligence data"""
    print("\n📥 Data Ingestion Demo")
    print("="*80)
    
    # Connect to database
    db = Neo4jManager(password="password")  # Change password
    if not db.connect():
        print("❌ Cannot connect to Neo4j")
        return
    
    # Create indexes
    db.create_indexes()
    
    # Initialize graph builder
    graph = ThreatIntelligenceGraph(db)
    
    print("\n1. Ingesting credential leaks...")
    graph.ingest_credential_leak(
        email="admin@acmecorp.com",
        source="Pastebin_2025_01",
        source_type="breach",
        password="Password123",
        domain="acmecorp.com"
    )
    graph.ingest_credential_leak(
        email="ceo@techcompany.com",
        source="Telegram_Stealer_Logs",
        source_type="stealer_log",
        domain="techcompany.com"
    )
    
    print("2. Ingesting stealer logs...")
    graph.ingest_stealer_log({
        'log_id': 'lumma_20250101_001',
        'stealer_type': 'lumma',
        'credentials_count': 250,
        'price': 75.0,
        'seller': 'seller_pro',
        'channel': 'stealer_premium',
        'message_id': 12345
    })
    
    print("3. Ingesting IAB listings...")
    graph.ingest_iab_listing({
        'target_company': 'Acme Corporation',
        'access_type': 'Domain Admin',
        'price': 85000.0,
        'seller': 'access_broker_elite',
        'channel': 'iab_market'
    })
    
    print("4. Ingesting ransomware victims...")
    graph.ingest_ransomware_victim(
        group_name="LockBit 4.0",
        victim_domain="victimcorp.com",
        victim_org="Victim Corporation",
        ransom_amount=2500000.0
    )
    
    print("5. Ingesting data breaches...")
    graph.ingest_breach(
        breach_name="TechCompany Breach 2025",
        target_domain="techcompany.com",
        record_count=2500000,
        data_types=['emails', 'passwords', 'phone_numbers']
    )
    
    print("\n✓ Data ingestion complete!")
    
    # Get updated statistics
    stats = db.get_database_statistics()
    print("\n📊 Updated Database Statistics:")
    for key, value in stats.items():
        print(f"  {key}: {value}")
    
    db.close()


def demo_threat_analysis():
    """Demo: Analyze threats for a domain"""
    print("\n🔍 Threat Analysis Demo")
    print("="*80)
    
    # Connect to database
    db = Neo4jManager(password="password")
    if not db.connect():
        print("❌ Cannot connect to Neo4j")
        return
    
    graph = ThreatIntelligenceGraph(db)
    
    # Analyze domains
    test_domains = ['acmecorp.com', 'techcompany.com', 'victimcorp.com']
    
    for domain in test_domains:
        print(f"\n{'='*80}")
        print(f"🎯 Analyzing: {domain}")
        print('='*80)
        
        risk_analysis = graph.analyze_domain_risk(domain)
        
        print(f"\n📊 Risk Assessment:")
        print(f"  Risk Score: {risk_analysis['risk_score']}/100")
        print(f"  Risk Level: {risk_analysis['risk_level']}")
        print(f"  Threat Count: {risk_analysis['threat_count']}")
        print(f"  Breach Count: {risk_analysis['breach_count']}")
        
        if risk_analysis['risk_factors']:
            print(f"\n⚠️  Risk Factors:")
            for factor in risk_analysis['risk_factors']:
                print(f"    - {factor}")
        
        # Get detailed threats
        threats = db.find_domain_threats(domain)
        if threats:
            print(f"\n🔴 Active Threats:")
            for i, threat in enumerate(threats[:5], 1):
                print(f"    {i}. {threat.get('relationship', 'Unknown')}")
    
    db.close()


def demo_advanced_queries():
    """Demo: Advanced threat intelligence queries"""
    print("\n🔬 Advanced Threat Intelligence Queries")
    print("="*80)
    
    # Connect to database
    db = Neo4jManager(password="password")
    if not db.connect():
        print("❌ Cannot connect to Neo4j")
        return
    
    print("\n1. Most Active Threat Actors:")
    print("-" * 40)
    actors = db.find_most_active_threat_actors(limit=5)
    for i, actor in enumerate(actors, 1):
        print(f"  {i}. @{actor['username']} ({actor['platform']})")
        print(f"     Activity Count: {actor['activity_count']}")
        print(f"     Activity Types: {', '.join(actor['activity_types'])}")
        print()
    
    print("\n2. High-Value Targets:")
    print("-" * 40)
    targets = db.find_high_value_targets(limit=5)
    for i, target in enumerate(targets, 1):
        print(f"  {i}. {target['domain']} ({target['organization']})")
        print(f"     Threat Count: {target['threat_count']}")
        print(f"     Threat Types: {', '.join(target['threat_types'])}")
        print()
    
    print("\n3. Stealer Log Patterns:")
    print("-" * 40)
    patterns = db.find_stealer_log_patterns()
    for stealer_type, data in patterns.items():
        print(f"  {stealer_type.upper()}:")
        print(f"    Count: {data['count']}")
        print(f"    Avg Credentials: {data['avg_credentials']:.0f}")
        print(f"    Avg Price: ${data['avg_price']:.2f}")
        print()
    
    print("\n4. Credential Reuse Analysis:")
    print("-" * 40)
    reuse = db.find_credential_reuse(min_occurrences=2)
    if reuse:
        print(f"  Found {len(reuse)} credentials in multiple sources:")
        for i, cred in enumerate(reuse[:5], 1):
            print(f"  {i}. {cred['email']}")
            print(f"     Appearances: {cred['source_count']}")
            print(f"     Source Types: {', '.join(cred['source_types'])}")
            print()
    else:
        print("  No credential reuse detected (ingest more data)")
    
    db.close()


def demo_visualization_queries():
    """Demo: Queries for graph visualization"""
    print("\n📊 Graph Visualization Queries")
    print("="*80)
    print("\nCopy these Cypher queries into Neo4j Browser (http://localhost:7474)")
    print("="*80)
    
    queries = {
        "1. Complete Threat Landscape": """
MATCH (n)
RETURN n
LIMIT 100
        """,
        
        "2. Domain-Centric View": """
MATCH (d:Domain)<-[r]-(threat)
RETURN d, r, threat
        """,
        
        "3. Threat Actor Networks": """
MATCH (t:ThreatActor)-[r]->(target)
RETURN t, r, target
        """,
        
        "4. Ransomware Attack Chains": """
MATCH path = (r:RansomwareGroup)-[:VICTIMIZED]->(d:Domain)
RETURN path
        """,
        
        "5. Credential Leak Paths": """
MATCH path = (c:Credential)-[:LEAKED_IN]->(source)-[:POSTED_IN]->(channel)
RETURN path
        """,
        
        "6. IAB Marketplace Network": """
MATCH (seller:ThreatActor)-[:SELLS]->(iab:IABListing)-[:OFFERS_ACCESS_TO]->(target:Domain)
RETURN seller, iab, target
        """,
        
        "7. High-Risk Domains (with 3+ threats)": """
MATCH (d:Domain)
WHERE size((d)<-[]-()) >= 3
MATCH (d)<-[r]-(threat)
RETURN d, r, threat
        """,
        
        "8. Stealer Log Ecosystem": """
MATCH (actor:ThreatActor)-[:SELLS]->(log:StealerLog)-[:POSTED_IN]->(channel:TelegramChannel)
RETURN actor, log, channel
        """
    }
    
    for title, query in queries.items():
        print(f"\n{title}:")
        print("-" * 60)
        print(query)
    
    print("\n" + "="*80)
    print("💡 TIP: Click on nodes in Neo4j Browser to explore relationships")
    print("="*80)


def demo_full_integration():
    """Demo: Full integration with all ShadowHunter modules"""
    print("\n🔗 Full ShadowHunter Integration Demo")
    print("="*80)
    
    # Connect to database
    db = Neo4jManager(password="password")
    if not db.connect():
        print("❌ Cannot connect to Neo4j")
        return
    
    graph = ThreatIntelligenceGraph(db)
    
    print("\n📡 Scenario: Multi-Source Threat Detection")
    print("-" * 60)
    
    print("\n1️⃣  TELEGRAM MODULE: Detects stealer log")
    print("   Channel: @stealer_premium")
    print("   Content: Lumma log with admin@targetcorp.com")
    
    # Ingest from Telegram
    graph.ingest_stealer_log({
        'log_id': 'lumma_emergency_001',
        'stealer_type': 'lumma',
        'credentials_count': 340,
        'price': 150.0,
        'seller': 'elite_stealer_seller',
        'channel': 'stealer_premium',
        'message_id': 99999
    })
    graph.ingest_credential_leak(
        email="admin@targetcorp.com",
        source="lumma_emergency_001",
        source_type="stealer_log",
        domain="targetcorp.com"
    )
    print("   ✓ Data ingested to Neo4j")
    
    print("\n2️⃣  TOR MODULE: Finds IAB listing")
    print("   Marketplace: XSS.is")
    print("   Content: Domain admin access to targetcorp.com - $50k")
    
    # Ingest from Tor
    graph.ingest_iab_listing({
        'target_company': 'Target Corporation',
        'access_type': 'Domain Admin',
        'price': 50000.0,
        'seller': 'access_broker_verified',
        'channel': 'xss_marketplace'
    })
    print("   ✓ Data ingested to Neo4j")
    
    print("\n3️⃣  TOR MODULE: Discovers ransomware leak site")
    print("   Group: LockBit 4.0")
    print("   Victim: Target Corporation posted 2 days ago")
    
    # Ingest ransomware
    graph.ingest_ransomware_victim(
        group_name="LockBit 4.0",
        victim_domain="targetcorp.com",
        victim_org="Target Corporation",
        ransom_amount=5000000.0
    )
    print("   ✓ Data ingested to Neo4j")
    
    print("\n4️⃣  NEO4J CORRELATION: Analyzing threat landscape")
    print("   Querying graph for targetcorp.com...")
    
    # Analyze combined threat
    risk = graph.analyze_domain_risk("targetcorp.com")
    
    print("\n" + "="*80)
    print("🚨 CRITICAL ALERT: ACTIVE BREACH DETECTED")
    print("="*80)
    print(f"Target: targetcorp.com (Target Corporation)")
    print(f"Risk Score: {risk['risk_score']}/100")
    print(f"Risk Level: {risk['risk_level']}")
    print(f"\n⚠️  Correlated Threats:")
    for factor in risk['risk_factors']:
        print(f"    ✗ {factor}")
    
    print("\n📊 Attack Timeline:")
    print("    1. Credential leak (stealer log) - RECENT")
    print("    2. IAB listing (network access for sale) - ACTIVE")
    print("    3. Ransomware leak site appearance - CONFIRMED")
    
    print("\n🎯 Recommended Actions:")
    print("    1. IMMEDIATE: Rotate all credentials for targetcorp.com")
    print("    2. URGENT: Investigate potential network breach")
    print("    3. HIGH: Contact Target Corporation to warn of active threat")
    print("    4. MEDIUM: Monitor for data exfiltration")
    print("    5. ONGOING: Continue monitoring all sources")
    
    print("\n" + "="*80)
    
    # Show graph relationships
    threats = db.find_domain_threats("targetcorp.com")
    print(f"\n🔗 Graph Relationships Found: {len(threats)}")
    for threat in threats:
        print(f"    - {threat.get('relationship', 'Unknown')}")
    
    db.close()
    
    print("\n💡 View the complete graph in Neo4j Browser:")
    print("   MATCH (d:Domain {domain: 'targetcorp.com'})-[r]-(n)")
    print("   RETURN d, r, n")


def demo_export_report():
    """Demo: Export threat intelligence report"""
    print("\n📄 Threat Intelligence Report Export")
    print("="*80)
    
    # Connect to database
    db = Neo4jManager(password="password")
    if not db.connect():
        print("❌ Cannot connect to Neo4j")
        return
    
    graph = ThreatIntelligenceGraph(db)
    
    # Generate report for a domain
    domain = "targetcorp.com"
    report = graph.generate_threat_report(domain)
    
    # Save to JSON
    filename = f"threat_report_{domain}_{datetime.now().strftime('%Y%m%d_%H%M%S')}.json"
    with open(filename, 'w') as f:
        json.dump(report, f, indent=2, default=str)
    
    print(f"✓ Report exported to: {filename}")
    
    # Display summary
    print(f"\n📊 Report Summary for {domain}:")
    print(f"  Risk Score: {report['risk_analysis']['risk_score']}/100")
    print(f"  Risk Level: {report['risk_analysis']['risk_level']}")
    print(f"  Total Threats: {report['risk_analysis']['threat_count']}")
    print(f"  Total Breaches: {report['risk_analysis']['breach_count']}")
    
    db.close()


def demo_batch_import():
    """Demo: Batch import from other ShadowHunter modules"""
    print("\n📦 Batch Import from ShadowHunter Modules")
    print("="*80)
    
    # Connect to database
    db = Neo4jManager(password="password")
    if not db.connect():
        print("❌ Cannot connect to Neo4j")
        return
    
    graph = ThreatIntelligenceGraph(db)
    
    print("\n1. Importing Telegram findings...")
    # Simulated Telegram data
    telegram_findings = {
        'stealer_logs': [
            {
                'log_id': f'log_{i:03d}',
                'stealer_type': ['lumma', 'risepro', 'raccoon'][i % 3],
                'credentials_count': 100 + (i * 50),
                'price': 10 + (i * 5),
                'seller': f'seller_{i % 5}',
                'channel': 'stealer_market',
                'message_id': 1000 + i
            }
            for i in range(10)
        ]
    }
    
    for log in telegram_findings['stealer_logs']:
        graph.ingest_stealer_log(log)
    
    print(f"   ✓ Imported {len(telegram_findings['stealer_logs'])} stealer logs")
    
    print("\n2. Importing Tor findings...")
    # Simulated Tor data
    tor_findings = {
        'ransomware_victims': [
            {
                'group': 'LockBit 4.0',
                'domain': f'company{i}.com',
                'org': f'Company {i}',
                'ransom': 1000000 + (i * 500000)
            }
            for i in range(5)
        ]
    }
    
    for victim in tor_findings['ransomware_victims']:
        graph.ingest_ransomware_victim(
            group_name=victim['group'],
            victim_domain=victim['domain'],
            victim_org=victim['org'],
            ransom_amount=victim['ransom']
        )
    
    print(f"   ✓ Imported {len(tor_findings['ransomware_victims'])} ransomware victims")
    
    print("\n3. Importing credential monitor findings...")
    # Simulated credential data
    credential_findings = [
        {
            'email': f'user{i}@company{i % 3}.com',
            'source': f'pastebin_{i}',
            'domain': f'company{i % 3}.com'
        }
        for i in range(20)
    ]
    
    for cred in credential_findings:
        graph.ingest_credential_leak(
            email=cred['email'],
            source=cred['source'],
            source_type='breach',
            domain=cred['domain']
        )
    
    print(f"   ✓ Imported {len(credential_findings)} credentials")
    
    # Final statistics
    stats = db.get_database_statistics()
    print("\n📊 Database Statistics After Import:")
    for key, value in stats.items():
        print(f"  {key}: {value}")
    
    db.close()


def demo_real_time_monitoring():
    """Demo: Real-time monitoring scenario"""
    print("\n⏱️  Real-Time Monitoring Scenario")
    print("="*80)
    
    print("\n🔄 ShadowHunter Real-Time Intelligence Pipeline:")
    print("-" * 60)
    
    print("\n1. Telegram Monitor (Live)")
    print("   └─> Detects new message")
    print("       └─> Parses content")
    print("           └─> Sends to Neo4j ✓")
    
    print("\n2. Tor Scraper (Every 6 hours)")
    print("   └─> Scrapes leak sites")
    print("       └─> Finds new victims")
    print("           └─> Sends to Neo4j ✓")
    
    print("\n3. Neo4j Correlation Engine")
    print("   └─> Receives data from all sources")
    print("       └─> Builds relationship graph")
    print("           └─> Calculates risk scores")
    print("               └─> Generates alerts ✓")
    
    print("\n4. Alert Manager")
    print("   └─> CRITICAL: Monitored domain detected")
    print("       └─> Sends to: Slack, Email, SIEM")
    
    print("\n" + "="*80)
    print("💡 This enables 24/7 automated threat intelligence")
    print("="*80)


def print_cypher_cheatsheet():
    """Print useful Cypher queries"""
    print("\n📚 Neo4j Cypher Query Cheatsheet for ShadowHunter")
    print("="*80)
    
    cheatsheet = {
        "Basic Queries": [
            ("View all nodes", "MATCH (n) RETURN n LIMIT 25"),
            ("Count all nodes", "MATCH (n) RETURN count(n)"),
            ("View all relationships", "MATCH ()-[r]->() RETURN type(r), count(r)"),
            ("Delete everything", "MATCH (n) DETACH DELETE n")
        ],
        
        "Domain Intelligence": [
            ("Find domain threats", "MATCH (d:Domain {domain: 'acmecorp.com'})-[r]-(n) RETURN d, r, n"),
            ("High-risk domains", "MATCH (d:Domain) WHERE size((d)<-[]-()) > 3 RETURN d, size((d)<-[]-()) as threats ORDER BY threats DESC"),
            ("Domain credentials", "MATCH (d:Domain)<-[:BELONGS_TO]-(c:Credential) RETURN d.domain, count(c) as cred_count ORDER BY cred_count DESC")
        ],
        
        "Threat Actor Analysis": [
            ("Most active actors", "MATCH (t:ThreatActor)-[r]->() RETURN t.username, count(r) as activity ORDER BY activity DESC LIMIT 10"),
            ("Actor's listings", "MATCH (t:ThreatActor {username: 'seller_pro'})-[:SELLS]->(listing) RETURN listing"),
            ("Actor reputation", "MATCH (t:ThreatActor) WHERE t.reputation IS NOT NULL RETURN t.username, t.reputation")
        ],
        
        "Attack Paths": [
            ("Credential to domain paths", "MATCH path = (c:Credential)-[*1..3]-(d:Domain) RETURN path LIMIT 10"),
            ("IAB to victim paths", "MATCH path = (iab:IABListing)-[:OFFERS_ACCESS_TO]->(d:Domain)<-[:VICTIMIZED]-(r:RansomwareGroup) RETURN path"),
            ("Multi-hop threats", "MATCH path = (start)-[*2..4]-(end:Domain) RETURN path LIMIT 20")
        ],
        
        "Stealer Logs": [
            ("Most valuable logs", "MATCH (s:StealerLog) WHERE s.price IS NOT NULL RETURN s ORDER BY s.price DESC LIMIT 10"),
            ("Logs by stealer type", "MATCH (s:StealerLog) RETURN s.stealer_type, count(s) as count, avg(s.price) as avg_price ORDER BY count DESC"),
            ("High credential logs", "MATCH (s:StealerLog) WHERE s.credentials_count > 200 RETURN s")
        ],
        
        "Ransomware Intelligence": [
            ("Group victims", "MATCH (r:RansomwareGroup {group_name: 'LockBit 4.0'})-[:VICTIMIZED]->(d:Domain) RETURN d"),
            ("Most active groups", "MATCH (r:RansomwareGroup)-[:VICTIMIZED]->(d) RETURN r.group_name, count(d) as victims ORDER BY victims DESC"),
            ("Recent victims", "MATCH (r:RansomwareGroup)-[rel:VICTIMIZED]->(d:Domain) RETURN r.group_name, d.domain, rel.discovered_date ORDER BY rel.discovered_date DESC LIMIT 20")
        ]
    }
    
    for category, queries in cheatsheet.items():
        print(f"\n{category}:")
        print("-" * 60)
        for i, (description, query) in enumerate(queries, 1):
            print(f"\n{i}. {description}:")
            print(f"   {query}")
    
    print("\n" + "="*80)


if __name__ == "__main__":
    print("ShadowHunter - Neo4j Graph Database Integration Module")
    print("="*80)
    print("\nSelect demo mode:")
    print("1. Setup Instructions")
    print("2. Test Connection")
    print("3. Data Ingestion Demo")
    print("4. Threat Analysis Demo")
    print("5. Advanced Queries Demo")
    print("6. Visualization Queries")
    print("7. Full Integration Demo ⭐")
    print("8. Export Threat Report")
    print("9. Batch Import Demo")
    print("10. Real-Time Monitoring Scenario")
    print("11. Cypher Query Cheatsheet")
    
    choice = input("\nEnter choice (1-11): ").strip()
    
    if choice == "1":
        print_setup_instructions()
    elif choice == "2":
        demo_connection_test()
    elif choice == "3":
        demo_data_ingestion()
    elif choice == "4":
        demo_threat_analysis()
    elif choice == "5":
        demo_advanced_queries()
    elif choice == "6":
        demo_visualization_queries()
    elif choice == "7":
        demo_full_integration()
    elif choice == "8":
        demo_export_report()
    elif choice == "9":
        demo_batch_import()
    elif choice == "10":
        demo_real_time_monitoring()
    elif choice == "11":
        print_cypher_cheatsheet()
    else:
        print("Invalid choice. Showing setup instructions...")
        print_setup_instructions()