# MSTICPy Threat Intel Lookup
This notebook describes the use of the Threat Intelligence lookup class in msticpy.
The class allows lookup of individual or multiple IoCs from one or more TI providers.

TILookup is also extensible - you can subclass TIProvider to implement your own custom lookups. You can also subclass the HTTPProvider or KqlProvider classes, which provide support for querying a REST endpoint or Log Analytics table respectively.

You must have msticpy installed to run this notebook:
```
%pip install --upgrade msticpy
```

To use the MS Sentinel Threat Intel provider you will also need the "sentinel" components:
```
%pip install --upgrade msticpy[sentinel]
```

# Contents

- Introduction/Quickstart
  - Features
  - Pivot TI Functions
  - TILookup
  - Multi value lookup
  - Browse results
- Configuring providers
- TILookup class

In [1]:
import msticpy as mp
mp.init_notebook();


# Introduction/Quickstart

## Features

- Supports simultaneous lookup of IoCs against multiple providers.
- Providers include:
  - **VirusTotal**
  - **AlienVault OTX**
  - **RiskIQ**
  - **IBM XForce**
  - **MS Sentinel TI**
  - **GreyNoise**
- Other pseudo-TI providers are also included:
  - TOR exit nodes
  - Open Page Rank
- Supports common IoC Types
  - IP address
  - URL
  - Domain name
  - File hash
  - Some providers also support file name/path lookups
- Requests to individual providers are run asynchronous so there is usually little or no
  performance penalty in querying multiple providers.
- TI Results browser



## Usage 

You can do TI Lookups either from the `TILookup` class or from Entity TI pivot functions.

The latter are more convenient for most cases but one limitation is
that pivot functions only work with IoC/Observable type corresponding to
the entity type (e.g. `Url.ti.lookup_url()` cannot be used to look up IpAddresses.)

For bulk lookup of a mixture of IoC types you should use
the TILookup class `lookup_iocs` method.

> Note: the following operations require TI Provider
> configuration in your msticpyconfig.yaml. Please see the following
> section "Configuring providers".

### Pivot TI Functions

In [32]:
tabulate.tabulate

<function tabulate.tabulate(tabular_data, headers=(), tablefmt='simple', floatfmt='g', numalign='default', stralign='default', missingval='', showindex='default', disable_numparse=False, colalign=None)>

In [35]:
import tabulate
print(tabulate.tabulate(
    IpAddress.tilookup_ip("162.244.80.235"),
    headers="keys",
    showindex=False,
    tablefmt="rst"
))

Observables processed: 100%|██████████| 3/3 [00:00<00:00, 600.44obs/s]

Ioc             IocType    SanitizedValue    QuerySubtype    Provider    Result    Severity     Details                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 




In [39]:
print(tabulate.tabulate(results_df,
    headers="keys",
    showindex=False,
    tablefmt="rst"
))

Ioc             IocType    QuerySubtype    Provider    Result    Severity     Details                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

### TILookup

In [38]:
ti_lookup = mp.TILookup()
# need to pass result to `result_to_df`
# to get results as a DataFrame
results_df = mp.TILookup.result_to_df(  
    ti_lookup.lookup_ioc("162.244.80.235")
)
results_df.head(3)

Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank


Unnamed: 0,Ioc,IocType,QuerySubtype,Provider,Result,Severity,Details,RawResult,Reference,Status
OTX,162.244.80.235,ipv4,,OTX,True,high,"{'pulse_count': 45, 'names': ['Conti Ransomware | CISA', 'Conti Ransomware | CISA', 'IOCs for Co...","{'whois': 'http://whois.domaintools.com/162.244.80.235', 'reputation': 0, 'indicator': '162.244....",https://otx.alienvault.com/api/v1/indicators/IPv4/162.244.80.235/general,0
OPR,162.244.80.235,ipv4,,OPR,False,information,IoC type ipv4 not supported.,,,1
RiskIQ,162.244.80.235,ipv4,,RiskIQ,True,high,"{'summary': {'resolutions': 12, 'certificates': 12, 'malware_hashes': 2, 'projects': 0, 'article...","{'summary': {'resolutions': 12, 'certificates': 12, 'malware_hashes': 2, 'projects': 0, 'article...",https://community.riskiq.com,0


### Multiple value lookup

Note the syntax for pivot functions is unchanged but for
TILookup you need to use a different method `lookup_iocs`.

In [20]:
ips = ['162.244.80.235', '185.141.63.120', '82.118.21.1', '85.93.88.165']
results_df = IpAddress.tilookup_ip(ips)
results_df.head(3)

Observables processed: 100%|██████████| 12/12 [00:09<00:00,  1.30obs/s]


Unnamed: 0,Ioc,IocType,SanitizedValue,QuerySubtype,Provider,Result,Severity,Details,RawResult,Reference,Status
0,162.244.80.235,ipv4,162.244.80.235,,RiskIQ,True,high,"{'summary': {'resolutions': 12, 'certificates': 12, 'malware_hashes': 2, 'projects': 0, 'article...","{'summary': {'resolutions': 12, 'certificates': 12, 'malware_hashes': 2, 'projects': 0, 'article...",https://community.riskiq.com,0
1,185.141.63.120,ipv4,185.141.63.120,,RiskIQ,True,high,"{'summary': {'resolutions': 2, 'certificates': 6, 'malware_hashes': 1, 'projects': 0, 'articles'...","{'summary': {'resolutions': 2, 'certificates': 6, 'malware_hashes': 1, 'projects': 0, 'articles'...",https://community.riskiq.com,0
2,82.118.21.1,ipv4,82.118.21.1,,RiskIQ,True,high,"{'summary': {'resolutions': 13, 'certificates': 20, 'malware_hashes': 0, 'projects': 0, 'article...","{'summary': {'resolutions': 13, 'certificates': 20, 'malware_hashes': 0, 'projects': 0, 'article...",https://community.riskiq.com,0


In [None]:
results_df = ti_lookup.lookup_iocs(ips)
results_df.head(3)

Observables processed: 100%|██████████| 24/24 [00:05<00:00,  4.17obs/s]


Unnamed: 0,Ioc,IocType,SanitizedValue,QuerySubtype,Provider,Result,Severity,Details,RawResult,Reference,Status
0,162.244.80.235,ipv4,162.244.80.235,,OTX,True,high,"{'pulse_count': 45, 'names': ['Conti Ransomware | CISA', 'Conti Ransomware | CISA', 'IOCs for Co...","{'whois': 'http://whois.domaintools.com/162.244.80.235', 'reputation': 0, 'indicator': '162.244....",https://otx.alienvault.com/api/v1/indicators/IPv4/162.244.80.235/general,0
1,185.141.63.120,ipv4,185.141.63.120,,OTX,True,high,"{'pulse_count': 35, 'names': ['Conti Ransomware | CISA', 'Conti Ransomware | CISA', 'IOCs for Co...","{'whois': 'http://whois.domaintools.com/185.141.63.120', 'reputation': 0, 'indicator': '185.141....",https://otx.alienvault.com/api/v1/indicators/IPv4/185.141.63.120/general,0
2,82.118.21.1,ipv4,82.118.21.1,,OTX,True,high,"{'pulse_count': 36, 'names': ['Conti Ransomware | CISA', 'Conti Ransomware | CISA', 'IOCs for Co...","{'whois': 'http://whois.domaintools.com/82.118.21.1', 'reputation': 0, 'indicator': '82.118.21.1...",https://otx.alienvault.com/api/v1/indicators/IPv4/82.118.21.1/general,0


### Browse results

In [None]:
mp.TILookup.browse(results_df)

VBox(children=(Text(value="162.244.80.235                           type: ipv4        (sev: high)  providers: …

0,1
OTX,
pulse_count,45
names,"['Conti Ransomware | CISA', 'Conti Ransomware | CISA', 'IOCs for Conti', 'IoC Ransomware CONTI', 'MS-ISAC: Joint Cybersecurity Advisory: Conti Ransomware', 'Threat Profile: Conti Ransomware', 'Conti Ransomware | CISA', 'cisa conti etc', 'Conti Ransomware', 'Conti Ransomware | CISA', 'Conti Ransomware - CISA 20220309', 'Conti Ransomware - updated IOCs March 2022', 'Wiper IOCs', '90 Day IP List', 'Log4J Exploit', 'Log4j Scanning Hosts', 'SI - KraknOps', 'Threatview cobalt strike IOCs', 'Conti Ransomware Gang Playbook', 'Cobalt Strike Servers | 10/11/2021', 'Cobalt Strike Servers | 10/04/2021', 'Conti Ransomware IOCs', 'Cobalt Strike Servers | 09/27/2021', 'Cobalt Strike Servers | 09/20/2021', 'Conti Ransomware', 'Bleepingcomputer - Vulnerabilities_of_RansomewareGangs 12', 'Conti Ransomware | CISA Joint Cybersecurity Advisory', 'Conti Ransomware | CISA Joint Cybersecurity Advisory', 'Conti Ransomware', 'Bleepingcomputer - Vulnerabilities_of_RansomewareGangs 3', 'Cobalt Strike Servers | 09/13/2021', 'Test Pulse 1', '威胁情报：Conti勒索软件', 'Cobalt Strike Servers | 09/06/2021', 'Cobalt Strike Servers | 08/30/2021', 'ThreatFox 20210901', 'Ransomware_threat', 'Conti gang 10/08/2021', 'Cobalt Strike Servers | 08/02/2021', 'Conti Servers', 'Cobalt Strike C2 Server IPs', ""Angry Conti ransomware affiliate leaks gang's attack playbook"", 'BazarCall to Conti Ransomware via Trickbot and Cobalt Strike', 'Cobalt Strike Servers | 07/26/2021', 'Cobalt Strike Servers | 07/19/2021']"
tags,"[['Conti', 'TrickBot', 'IcedID'], ['conti', 'CVE-2021-34527', 'CVE-2020-1472', 'cobalt strike', 'trickbot', 'ransomware'], ['ip conti', 'poland', 'type', 'indicator', 'country', 'notes', 'france', 'cyprus'], [], ['conti', 'cobalt strike', 'trickbot', 'cisa', 'click', 'technique title', 'id use', 'alert', 'march', 'use multifactor', 'facebook', 'ransomware', 'february', 'enterprise', 'icedid', 'zloader', 'service'], ['conti', 'cobalt strike', 'mitre att', 'response', 'rapid response', 'sophos rapid', 'conti group', 'sophos', 'rclone', 'instrumentation', 'mega', 'icmp', 'next', 'back', 'public', 'github', 'yararules', 'jump', 'strong', 'sign', 'view', 'code issues', 'pull', 'wiki security', 'copy', 'contact', 'star', 'ransomware', 'ransom', 'unknown', 'sodinokibi', 'ryuk', 'sqlagent', 'mssql', 'service', 'mssqlfdlauncher', 'windows', 'sql2008 y', 'systembgc y', 'tps y', 'tpsama y', 'chacha', 'noise', 'ryuk ransomware', 'magic', 'rule id', 'ransomwarehau', 'containment', 'atp rules', 'rp dynamic', 'new startup', 'protection', 'avengine v2', 'avengine v3', 'Wizard Spider'], ['uscert', 'csirt', 'cert', 'cybersecurity', 'cyber security', 'computer security', 'u. s. computer emergency readiness', 'cyber risks', 'conti', 'technique title', 'id use', 'trickbot', 'remote desktop', 'protocol', 'cisa', 'kerberos', 'admin hash', 'ta0004', 'cobalt strike', 'icedid', 'zloader', 'service'], ['malicious fqdn', 'indicator', 'malicious ipv4', 'indicator ip', 'watchlist', 'discovery', 'cisa', 't1078', 'information', 'stix file', 'conti', 'trickbot', 'cobalt strike', 'shell', 'impact'], [], ['conti', 'trickbot', 'cobalt strike', 'discovery', 'files', 'uscert', 'csirt', 'cert', 'cybersecurity', 'cyber security', 'computer security', 'u. s. computer emergency readiness', 'cyber risks', 'technique title', 'id use', 'remote desktop', 'protocol', 'cisa', 'kerberos', 'admin hash', 'ta0004', 'icedid', 'zloader', 'service'], ['uscert', 'csirt', 'cert', 'cybersecurity', 'cyber security', 'computer security', 'u. s. computer emergency readiness', 'cyber risks', 'conti', 'technique title', 'id use', 'trickbot', 'remote desktop', 'protocol', 'cisa', 'kerberos', 'admin hash', 'ta0004', 'cobalt strike', 'icedid', 'zloader', 'service'], ['Ransomware'], [], [], [], ['Log4j Scanning Hosts'], [], ['feeds generated', 'hunter'], ['Cobalt Strike'], ['Cobalt Strike'], ['Cobalt Strike'], ['url http'], ['Cobalt Strike'], ['Cobalt Strike'], ['conti'], [], ['cobalt strike', 'conti', 'bazarloader', 'ryuk', 'c:\\windows\\system32\\net1', 'microsoft', 'threat feed', 'bazarloader dll', 'powershell', 'command', 'intro conti', 'coveware', 'raas', 'winscp', 'ransom', 'metasploit', 'empire', 'poshc2', 'powersploit', 'ryuk ransomware', 'trickbot', 'discovery', 'files', 'uscert', 'csirt', 'cert', 'cybersecurity', 'cyber security', 'computer security', 'u. s. computer emergency readiness', 'cyber risks', 'technique title', 'id use', 'remote desktop', 'protocol', 'cisa', 'kerberos', 'admin hash', 'ta0004', 'icedid', 'zloader', 'service'], ['cobalt strike', 'conti', 'bazarloader', 'ryuk', 'c:\\windows\\system32\\net1', 'microsoft', 'threat feed', 'bazarloader dll', 'powershell', 'command', 'intro conti', 'coveware', 'raas', 'winscp', 'ransom', 'metasploit', 'empire', 'poshc2', 'powersploit', 'ryuk ransomware', 'trickbot', 'discovery', 'files', 'uscert', 'csirt', 'cert', 'cybersecurity', 'cyber security', 'computer security', 'u. s. computer emergency readiness', 'cyber risks', 'technique title', 'id use', 'remote desktop', 'protocol', 'cisa', 'kerberos', 'admin hash', 'ta0004', 'icedid', 'zloader', 'service'], ['cobalt strike', 'conti', 'bazarloader', 'ryuk', 'c:\\windows\\system32\\net1', 'microsoft', 'threat feed', 'bazarloader dll', 'powershell', 'command', 'intro conti', 'coveware', 'raas', 'winscp', 'ransom', 'metasploit', 'empire', 'poshc2', 'powersploit', 'ryuk ransomware', 'trickbot', 'discovery', 'files', 'uscert', 'csirt', 'cert', 'cybersecurity', 'cyber security', 'computer security', 'u. s. computer emergency readiness', 'cyber risks', 'technique title', 'id use', 'remote desktop', 'protocol', 'cisa', 'kerberos', 'admin hash', 'ta0004', 'icedid', 'zloader', 'service'], [], ['Cobalt Strike'], [], ['http', 'Conti', '勒索软件', 'HotSpot'], ['Cobalt Strike'], ['Cobalt Strike'], ['virusdeck', 'cobaltstrike', 'cryptolaemus1', 'agentemis', 'beacon', 'nancrat', 'nanocore', 'hariomenkel', 'agentesla', 'agenttesla', 'raccoonstealer', 'asyncrat', 'racealer', 'icedid', 'njrat', 'bladabindi', 'avemaria', 'avemariarat', 'remcosrat', 'remcos', 'bazarbackdoor', 'bokbot', 'iceid', 'amadey', 'gafgyt', 'loki', 'strrat', 'mirai', 'snake', 'guloader', 'cloudeye', 'lokibot', 'oski stealer', 'breut', 'fynloski', 'darkcomet', 'stealer', 'bashlite', 'netwire', 'recam', 'netwire rc', 'bazaloader', 'bazarloader', 'dcrat', 'dofoil', 'sharik', 'smoke loader', 'isfb', 'bitrat', 'limerat', 'hawkeye', 'predator pain', 'keypass', 'djvu', 'stop', 'formbook', 'gozi isfb', 'orcusrat', 'gozi', 'ursnif', 'adwind', 'redline stealer', 'redlinestealer', 'cerberus', 'level3', 'alienspy', 'sockrat'], ['ipv4', 'indicator', 'description', 'cccy asnas44901', 'belcloud ltd', 'filehashsha256', 'filehashsha1', 'filehashmd5', 'sha256', 'alexhost srl', 'ccus asnas8100', 'dynu', 'ccbd asnas51447', 'rootlayer web', 'ccus asnas46562', 'performive', 'ccru asnas50867', 'sha1', 'cve202126855', 'ccru asnas44094', 'webhost llc', 'cve202131207', 'cve202134473', 'cve202134523', 'digitaloceanasn', 'ccus asnas14061', 'ccde asnas14061'], ['hsmi146943904'], ['Cobalt Strike'], [], [], [], ['trickbot', 'cobalt strike', 'conti', 'bazarcall', 'phishing', 'adfind', 'bloodhound'], ['Cobalt Strike'], ['Cobalt Strike']]"
references,"[['https://www.cisa.gov/uscert/ncas/alerts/aa21-265a'], ['https://us-cert.cisa.gov/ncas/alerts/aa21-265a'], ['IOCs for 03.10.2022 DTINS - Conti Malware.csv'], [], [], ['https://kc.mcafee.com/corporate/index?page=content&id=KB93317', 'https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/', 'https://github.com/advanced-threat-research/Yara-Rules/blob/master/ransomware/Ransom_Conti.yar', 'https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/', 'https://www.clearskysec.com/conti-ransomware/'], ['https://www.cisa.gov/uscert/sites/default/files/publications/AA21-265A.stix.xml', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-265a', 'https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/'], [], [], ['https://www.cisa.gov/uscert/ncas/alerts/aa21-265a'], ['https://www.cisa.gov/uscert/sites/default/files/publications/AA21-265A.stix.xml', 'https://www.cisa.gov/uscert/ncas/alerts/aa21-265a'], ['https://www.cisa.gov/uscert/ncas/alerts/aa21-265a', 'https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one'], [], [], [], ['Log4j Scanning Hosts.pdf'], ['https://www.seamlessintelligence.com.au/'], ['https://threatview.io/Downloads/High-Confidence-CobaltstrikeC2_IP_feed.txt'], ['https://michaelkoczwara.medium.com/conti-ransomware-group-cobalt-strike-c2-analysis-rdp-persistence-cc535d35eaba', 'https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/'], [], [], [], [], [], ['Conti Ransomware'], [], ['https://us-cert.cisa.gov/ncas/alerts/aa21-265a', 'https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours'], ['https://us-cert.cisa.gov/ncas/alerts/aa21-265a', 'https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours'], ['https://us-cert.cisa.gov/ncas/alerts/aa21-265a', 'https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours'], [], [], [], ['https://www.mcafee.com/enterprise/en-us/lp/insights-preview.html#threat-profile--conti-ransomware'], [], [], ['https://threatfox.abuse.ch/export/json/recent/'], ['https://otx.alienvault.com/otxapi/pulses/610c40338f6f88a2b9e8722f/export/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IkV4YVRocmVhdCIsInZhbHVlIjpbIjYxMGM0MDMzOGY2Zjg4YTJiOWU4NzIyZiIsImNzdiJdLCJleHAiOjE2MzA2MDUyNDl9.BcecRa3p23140iunnGc-33dQtuRTMckT3VXkTPhYxvE&format=csv', 'https://otx.alienvault.com/otxapi/pulses/6124f4d1ba14c8307ef5597a/export/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IkV4YVRocmVhdCIsInZhbHVlIjpbIjYxMjRmNGQxYmExNGM4MzA3ZWY1NTk3YSIsImNzdiJdLCJleHAiOjE2MzA2MDUyODl9.xZODbH4dHiaRF4r8ZioLN5LoILDPHchK-teNzCja3vM&format=csv', 'https://otx.alienvault.com/otxapi/pulses/612c7289af94dc195d29eaec/export/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IkV4YVRocmVhdCIsInZhbHVlIjpbIjYxMmM3Mjg5YWY5NGRjMTk1ZDI5ZWFlYyIsImNzdiJdLCJleHAiOjE2MzA2MDU0MTZ9.yNaSI3G7SYeKPa84fGXCHF3kIfunEU6208cnMiSIpqM&format=csv', 'https://otx.alienvault.com/otxapi/pulses/61112a84495fa1df546e5615/export/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IkV4YVRocmVhdCIsInZhbHVlIjpbIjYxMTEyYTg0NDk1ZmExZGY1NDZlNTYxNSIsImNzdiJdLCJleHAiOjE2MzA2MDU0MzJ9.6iu6CuVy7_y791JJoyhM9RNQXEt9UBukYFPgetZUuvs&format=csv', 'https://otx.alienvault.com/otxapi/pulses/612790dfbfcdb1840ffe0592/export/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IkV4YVRocmVhdCIsInZhbHVlIjpbIjYxMjc5MGRmYmZjZGIxODQwZmZlMDU5MiIsImNzdiJdLCJleHAiOjE2MzA2MDU1MzR9.nM00oUgeX45u3IWXgfD8SmH0oogYxDGWiMYzf9Nfm5M&format=csv', 'https://otx.alienvault.com/otxapi/pulses/61264a8423ac3934d07fe312/export/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IkV4YVRocmVhdCIsInZhbHVlIjpbIjYxMjY0YTg0MjNhYzM5MzRkMDdmZTMxMiIsImNzdiJdLCJleHAiOjE2MzA2MDU1NDV9.eW5bD_7HnmItFfTknn6bTGeTmBEidnnhPEpVlBf4u4w&format=csv', 'https://otx.alienvault.com/otxapi/pulses/5e721cc15341dd94f1c7fbed/export/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IkV4YVRocmVhdCIsInZhbHVlIjpbIjVlNzIxY2MxNTM0MWRkOTRmMWM3ZmJlZCIsImNzdiJdLCJleHAiOjE2MzA2MDU1NTZ9.Oc05Y240KzAFEBQHJ2arb6VwkZ4k63cOCCnivnP3n9g&format=csv', 'https://otx.alienvault.com/otxapi/pulses/6124a7fe9cb38f5ee05ddc91/export/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IkV4YVRocmVhdCIsInZhbHVlIjpbIjYxMjRhN2ZlOWNiMzhmNWVlMDVkZGM5MSIsImNzdiJdLCJleHAiOjE2MzA2MDU1Njl9.jeiwaWYNACTiGDMcb5vqTMxskoJ-GuHulXVPDn9lgPQ&format=csv', 'https://otx.alienvault.com/otxapi/pulses/61238ef51268c3af5521e92a/export/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6IkV4YVRocmVhdCIsInZhbHVlIjpbIjYxMjM4ZWY1MTI2OGMzYWY1NTIxZTkyYSIsImNzdiJdLCJleHAiOjE2MzA2MDU1ODB9.q6xkXYGBz0sDZloXe93Fs9mFuQGPNfv_w1Xzf3NYiLI&format=csv'], [], [], [], [], ['https://twitter.com/pancak3lullz/status/1423324601346629635', 'https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/'], ['https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/'], [], []]"

0,1
RiskIQ,
summary,
resolutions,12
certificates,12
malware_hashes,2
projects,0
articles,1
total,34
netblock,162.244.80.0/24
os,Windows

0,1
VirusTotal,
verbose_msg,IP address in dataset
response_code,1
positives,35
detected_urls,"['http://162.244.80.235/', 'http://softnewspaper.com/', 'https://softnewspaper.com/']"
detected_downloaded_samples,[]
detected_communicating_samples,[]


## Configuring providers

All providers require configuration before TILookup will load
the drivers for the provider.

Most providers need you to register an account and obtain an API key.

For the MS Sentinel TI provider, the configuration is the workspace and tenant ID of the workspace
containing your TI data table.

You can edit your `msticpyconfig.yaml` in an editor or use the MSTICPy config editor.

We'll use the configuration editor here and then show an example of what the final
msticpyconfig.yaml would look like.

#### Procedure
1. Sign up for and obtain an API key (in cases like XForce, you also need a user identifier).
2. In the MPConfigEdit "TI Providers" tab, select a provider from the **Add prov**
   selection list and click the **Add** button.
3. Select storage type of "Text" and paste the API/Auth key (and in some cases API ID)
   into the text box.
4. Click on **Update**
5. Repeat for any other providers that you want to add.
6. Verify that the **Conf File** path to your msticpyconfig.yaml is correct.
7. Click **Save Settings**

In [27]:
config = mp.MpConfigEdit()
config.set_tab("TI Providers")
config

Label(value='Loading. Please wait.')

VBox(children=(Tab(children=(VBox(children=(Label(value='Microsoft Sentinel workspace settings'), HBox(childre…

After saving the file you should see something like the
following in your msticpyconfig.yaml.

The providers should reflect what you picked in the config
editor. The UUIDS for the keys in the example are
fictitious - the format of the keys may differ from what is shown

```yaml
TIProviders:
  OTX:
    Args:
      AuthKey: 9e4c7cbf-6b34-47b5-a1a0-535dbec6e790
    Primary: True
    Provider: "OTX"
  VirusTotal:
    Args:
      AuthKey: 13e5e78a-e59d-4a71-95d1-b3ba87422925
    Primary: True
    Provider: "VirusTotal"
  XForce:
    Args:
      ApiID: 269fe6f8-c41c-4255-a90d-bc5025b0305a
      AuthKey: 5bec9a70-24c3-4a0b-9bba-cc87907d039c
    Primary: True
    Provider: "XForce"
  GreyNoise:
    Args:
      AuthKey: d9dde9d4-b848-4cef-b0ee-40d2b23ba088
    Primary: True
    Provider: "GreyNoise"
  AzureSentinel:
    Args:
      WorkspaceID: c7d6a1ad-357b-48b2-8ee1-a2dcbfa2842b
      TenantID: 228d7b5f-4920-4f8e-872f-52072b92b651
    Primary: True
    Provider: "AzSTI"
```

You need to tell `TILookup` to refresh its configuration.

After reloading the provider settings, you should see a list
of providers loaded.

In [None]:
ti_lookup.reload_providers()
ti_lookup.provider_status

Settings reloaded. Use reload_providers to update settings for loaded providers.
Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank


['OTX - AlientVault OTX Lookup. (primary)',
 'VirusTotal - VirusTotal Lookup. (primary)',
 'XForce - IBM XForce Lookup. (primary)',
 'GreyNoise - GreyNoise Lookup. (primary)',
 'AzSTI - Azure Sentinel TI provider class. (primary)',
 'OPR - Open PageRank Lookup. (secondary)']

# TILookup class

The TILookup class is the main interface to the TI Functions.

Pivot functions also call the `lookup_iocs` method of this class.

Brief help is shown below. You can read more details about the
attributes and functions in the
[TILookup documentation](https://msticpy.readthedocs.io/api/msticpy.context.tilookup.html)

To use TILookup, you need to create an instance of the class.
Avoid creating lots of instances of this class:
- Each instance caches recent results to avoid unnecessary network requests
  (instances do not share this cache)
- The enabled state of providers is not share across instances.

In [None]:
# TILookup class
display(Markdown("### Constructor\n"))
print(TILookup.__init__.__doc__)
display(Markdown("### Attributes\n"))
for name in [att for att in dir(TILookup) if not att.startswith("_")]:
    print(f"    {name}")

### Constructor



        Initialize TILookup instance.

        Parameters
        ----------
        primary_providers : Optional[List[TIProvider]], optional
            Primary TI Providers, by default None
        secondary_providers : Optional[List[TIProvider]], optional
            Secondary TI Providers, by default None
        providers: Optional[List[str]], optional
            List of provider names to load, by default all available
            providers are loaded. To see the list of available providers
            call `TILookup.list_available_providers()`.
            Note: if primary_provides or secondary_providers is specified
            This will override the providers list.

        


### Attributes


    add_provider
    available_providers
    browse
    browse_results
    configured_providers
    disable_provider
    enable_provider
    list_available_providers
    loaded_providers
    lookup_ioc
    lookup_iocs
    lookup_iocs_sync
    provider_status
    provider_usage
    reload_provider_settings
    reload_providers
    result_to_df
    set_provider_state


You can change which providers are loaded from the constructor.
However, this is usually not needed.

You can change the providers used in each lookup call by
supplying a list of provider names in the `providers`
parameter. You can also use the `enable_provider` and
`disable_provider` methods to make individual providers
active and inactive.

Using either the constructor parameters or the enable/disable
methods only affects the current instance of `TILookup`. 
If you create a new instance, the changes to providers
in previously-created instances have no effect on the state
of the new instance.

## Listing Available Providers
The **msticpy** TI Provider library can lookup IoCs in multiple providers.

"Available Providers" means providers that have a MSTICPy provider
class, not that they are either configured or loaded.

The list below shows the currently implemented set of providers.

In [28]:
TILookup.list_available_providers()

OTX
AzSTI
GreyNoise
XForce
IntSights
OPR
Tor
VirusTotal
RiskIQ


## Provider Query Types

Many providers have sub-classes of information for a given
IoC Type. The default data returned for an IoC type is
usually a summary of it's threat status but many providers
have supplementary data sets that can be accessed using the
`ioc_query_type` parameter to `lookup_ioc`, `lookup_iocs` and the
TI pivot functions.

You can view the list of supported query types for each provider with the `show_query_types=True` parameter

In [None]:
TILookup.list_available_providers(show_query_types=True)

OTX
AlientVault OTX Lookup. Supported query types:
	ioc_type=dns
	ioc_type=dns, ioc_query_type=geo
	ioc_type=dns, ioc_query_type=passivedns
	ioc_type=file_hash
	ioc_type=hostname
	ioc_type=ipv4
	ioc_type=ipv4, ioc_query_type=geo
	ioc_type=ipv4, ioc_query_type=passivedns
	ioc_type=ipv6
	ioc_type=ipv6, ioc_query_type=geo
	ioc_type=ipv6, ioc_query_type=passivedns
	ioc_type=md5_hash
	ioc_type=sha1_hash
	ioc_type=sha256_hash
	ioc_type=url
AzSTI
Microsoft Sentinel TI provider class. Supported query types:
	ioc_type=dns
	ioc_type=file_hash
	ioc_type=hostname
	ioc_type=ipv4
	ioc_type=ipv6
	ioc_type=linux_path
	ioc_type=md5_hash
	ioc_type=sha1_hash
	ioc_type=sha256_hash
	ioc_type=url
	ioc_type=windows_path
GreyNoise
GreyNoise Lookup. Supported query types:
	ioc_type=ipv4
	ioc_type=ipv4, ioc_query_type=full
	ioc_type=ipv4, ioc_query_type=quick
XForce
IBM XForce Lookup. Supported query types:
	ioc_type=dns
	ioc_type=dns, ioc_query_type=malware
	ioc_type=dns, ioc_query_type=passivedns
	ioc_type=dn

In [None]:
File.ti

## Loading TIProviders

Calling TILookup with no parameters will load all of the available providers
that have a configuration entry in `msticpyconfig.yaml`.

In [None]:
# load all configured providers
ti_lookup = TILookup()
ti_lookup.provider_status

# Restricting which providers get loaded
#ti_lookup = TILookup(providers=["VirusTotal", "XForce"])

Attempting to sign-in with environment variable credentials...
Using Open PageRank. See https://www.domcop.com/openpagerank/what-is-openpagerank
Please wait. Loading Kqlmagic extension...


['OTX - AlientVault OTX Lookup. (primary)',
 'VirusTotal - VirusTotal Lookup. (primary)',
 'XForce - IBM XForce Lookup. (primary)',
 'GreyNoise - GreyNoise Lookup. (primary)',
 'AzSTI - Azure Sentinel TI provider class. (primary)',
 'OPR - Open PageRank Lookup. (secondary)']

## Looking up IoCs

### lookup_ioc
To lookup a single IoC.
```
ti_lookup.lookup_ioc(
    observable: str = None,
    ioc_type: str = None,
    ioc_query_type: str = None,
    providers: List[str] = None,
    prov_scope: str = 'primary',
    **kwargs,
) -> Tuple[bool, List[Tuple[str, msticpy.sectools.tiproviders.ti_provider_base.LookupResult]]]

Lookup single IoC in active providers.

Parameters
----------
observable : str
    IoC observable
    (`ioc` is also an alias for observable)
ioc_type : str, optional
    One of IoCExtract.IoCType, by default None
    If none, the IoC type will be inferred
ioc_query_type: str, optional
    The ioc query type (e.g. rep, info, malware)
providers: List[str]
    Explicit list of providers to use
prov_scope : str, optional
    Use primary, secondary or all providers, by default "primary"
kwargs :
    Additional arguments passed to the underlying provider(s)

Returns
-------
Tuple[bool, List[Tuple[str, LookupResult]]]
    The result returned as a tuple(bool, list):
    bool indicates whether a TI record was found in any provider
    list has an entry for each provider result
```

In [29]:
# Uncomment this and run to see the document string
ti_lookup.lookup_ioc?

[1;31mSignature:[0m
[0mti_lookup[0m[1;33m.[0m[0mlookup_ioc[0m[1;33m([0m[1;33m
[0m    [0mobservable[0m[1;33m:[0m [0mstr[0m [1;33m=[0m [1;32mNone[0m[1;33m,[0m[1;33m
[0m    [0mioc_type[0m[1;33m:[0m [0mstr[0m [1;33m=[0m [1;32mNone[0m[1;33m,[0m[1;33m
[0m    [0mioc_query_type[0m[1;33m:[0m [0mstr[0m [1;33m=[0m [1;32mNone[0m[1;33m,[0m[1;33m
[0m    [0mproviders[0m[1;33m:[0m [0mList[0m[1;33m[[0m[0mstr[0m[1;33m][0m [1;33m=[0m [1;32mNone[0m[1;33m,[0m[1;33m
[0m    [0mdefault_providers[0m[1;33m:[0m [0mOptional[0m[1;33m[[0m[0mList[0m[1;33m[[0m[0mstr[0m[1;33m][0m[1;33m][0m [1;33m=[0m [1;32mNone[0m[1;33m,[0m[1;33m
[0m    [0mprov_scope[0m[1;33m:[0m [0mstr[0m [1;33m=[0m [1;34m'primary'[0m[1;33m,[0m[1;33m
[0m    [1;33m**[0m[0mkwargs[0m[1;33m,[0m[1;33m
[0m[1;33m)[0m [1;33m->[0m [0mTuple[0m[1;33m[[0m[0mbool[0m[1;33m,[0m [0mList[0m[1;33m[[0m[0mTuple[0m[1;33m[[0m[0mstr

### Lookup an IoC from a single provider

`lookup_ioc` returns a raw Python output of tuples and dicts.
The examples below us `TILookup.result_to_df` to convert
to a more readable DataFrame output.

In [7]:
result = ti_lookup.lookup_ioc(observable="52.183.120.194", providers=["AzSTI", "XForce"])
ti_lookup.result_to_df(result)

Unnamed: 0,Ioc,IocType,QuerySubtype,Provider,Result,Severity,Details,RawResult,Reference,Status
XForce,52.183.120.194,ipv4,,XForce,True,warning,"{'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're...","{'ip': '52.183.120.194', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regional...",https://api.xforce.ibmcloud.com/ipr/52.183.120.194,0
AzSTI,52.183.120.194,ipv4,,AzSTI,False,information,Not found.,,,0


In [8]:
result = ti_lookup.lookup_ioc(observable="52.183.120.194")
ti_lookup.result_to_df(result).T

Unnamed: 0,OTX,VirusTotal,XForce,GreyNoise,AzSTI
Ioc,52.183.120.194,52.183.120.194,52.183.120.194,52.183.120.194,52.183.120.194
IocType,ipv4,ipv4,ipv4,ipv4,ipv4
QuerySubtype,,,,,
Provider,OTX,VirusTotal,XForce,GreyNoise,AzSTI
Result,True,True,True,False,False
Severity,information,information,warning,information,information
Details,"{'pulse_count': 0, 'sections_available': ['general', 'geo', 'reputation', 'url_list', 'passive_d...","{'verbose_msg': 'IP address in dataset', 'response_code': 1, 'detected_urls': [], 'positives': 0...","{'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're...",Not found.,Not found.
RawResult,"{'whois': 'http://whois.domaintools.com/52.183.120.194', 'reputation': 0, 'indicator': '52.183.1...","{'undetected_urls': [['http://52.183.120.194/', 'a81857a8287017ddadd3cf776a1538e136b5bff261db758...","{'ip': '52.183.120.194', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regional...",<Response [404]>,
Reference,https://otx.alienvault.com/api/v1/indicators/IPv4/52.183.120.194/general,https://www.virustotal.com/vtapi/v2/ip-address/report,https://api.xforce.ibmcloud.com/ipr/52.183.120.194,https://api.GreyNoise.io/v3/community/52.183.120.194,
Status,0,0,0,404,0


An example of the raw `lookup_ioc` output format.

In [9]:
import pprint
pp = pprint.PrettyPrinter(indent=2)

result, details = ti_lookup.lookup_ioc(observable="38.75.137.9", providers=["OTX"])

# the details is a list (since there could be multiple responses for an IoC)
for provider, detail in details:
    print(provider)
    detail.summary
# Un-comment to view raw response
#     print("\nRaw Results")
#     pp.pprint(detail.raw_result)


OTX
ioc: 38.75.137.9 ( ipv4 )
result: True
{   'names': [   'Underminer.EK - Exploit Kit IOC Feed',
                 '<script '
                 'src="https://otx.alienvault.com/pulse/5d4d8ccdbe24622d01f9ce9f.js"></script>',
                 'Underminer.EK - Exploit Kit IOC Feed',
                 'Underminer EK'],
    'pulse_count': 4,
    'references': [   [],
                      [],
                      [],
                      [   'https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/']],
    'tags': [['Underminer.EK'], ['Underminer.EK'], ['Underminer.EK'], []]}
reference:  https://otx.alienvault.com/api/v1/indicators/IPv4/38.75.137.9/general


#### Or convert result to a DataFrame and let pandas do the display work...

In [10]:
result = ti_lookup.lookup_ioc(observable="38.75.137.9", providers=["OTX"])
ti_lookup.result_to_df(result).T

Unnamed: 0,OTX
Ioc,38.75.137.9
IocType,ipv4
QuerySubtype,
Provider,OTX
Result,True
Severity,high
Details,"{'pulse_count': 4, 'names': ['Underminer.EK - Exploit Kit IOC Feed', '<script src=""https://otx.a..."
RawResult,"{'whois': 'http://whois.domaintools.com/38.75.137.9', 'reputation': 0, 'indicator': '38.75.137.9..."
Reference,https://otx.alienvault.com/api/v1/indicators/IPv4/38.75.137.9/general
Status,0


In [11]:
# Extract a single field (RawResult) from the dataframe (.iloc[0] is to select the row)
ti_lookup.result_to_df(result)["RawResult"].iloc[0]

{'whois': 'http://whois.domaintools.com/38.75.137.9',
 'reputation': 0,
 'indicator': '38.75.137.9',
 'type': 'IPv4',
 'type_title': 'IPv4',
 'base_indicator': {'id': 2127020821,
  'indicator': '38.75.137.9',
  'type': 'IPv4',
  'title': '',
  'description': '',
  'content': '',
  'access_type': 'public',
  'access_reason': ''},
 'pulse_info': {'count': 4,
  'pulses': [{'id': '5d4d8ccdbe24622d01f9ce9f',
    'name': 'Underminer.EK - Exploit Kit IOC Feed',
    'description': 'IPs and hostnames for the Exploit Kit known as Underminer.EK.',
    'modified': '2021-04-14T19:27:12.332000',
    'created': '2019-08-09T15:10:05.503000',
    'tags': ['Underminer.EK'],
    'references': [],
    'public': 1,
    'adversary': '',
    'targeted_countries': [],
    'malware_families': [],
    'attack_ids': [],
    'industries': [],
    'TLP': 'white',
    'cloned_from': None,
    'export_count': 770,
    'upvotes_count': 0,
    'downvotes_count': 0,
    'votes_count': 0,
    'locked': False,
    'pulse

## Lookup using all primary providers

TILookup can support primary and secondary providers.

Primary providers are always used in lookups unless overridden using
the lookup_iocs (or pivot function) `providers` parameter.

Secondary providers have valid configuration and are loaded
but not included in look requests unless you specify
the `prov_scope` parameter with a value of "secondary" or "all".


In [12]:
result = ti_lookup.lookup_ioc(observable="188.127.231.124")
ti_lookup.result_to_df(result)

Unnamed: 0,Ioc,IocType,QuerySubtype,Provider,Result,Severity,Details,RawResult,Reference,Status
OTX,188.127.231.124,ipv4,,OTX,True,high,"{'pulse_count': 7, 'names': ['IOC 06/12/2019', '27/11/2019 IOCs', 'Ransomware IP Blocklist', 'Lo...","{'whois': 'http://whois.domaintools.com/188.127.231.124', 'reputation': 0, 'indicator': '188.127...",https://otx.alienvault.com/api/v1/indicators/IPv4/188.127.231.124/general,0
VirusTotal,188.127.231.124,ipv4,,VirusTotal,True,information,"{'verbose_msg': 'IP address in dataset', 'response_code': 1, 'detected_urls': ['http://188.127.2...","{'asn': 56694, 'undetected_urls': [['https://radiosfera.net/subject/5391/mikroshema-la4280', '90...",https://www.virustotal.com/vtapi/v2/ip-address/report,0
XForce,188.127.231.124,ipv4,,XForce,True,warning,"{'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're...","{'ip': '188.127.231.124', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regiona...",https://api.xforce.ibmcloud.com/ipr/188.127.231.124,0
GreyNoise,188.127.231.124,ipv4,,GreyNoise,False,information,Not found.,<Response [404]>,https://api.GreyNoise.io/v3/community/188.127.231.124,404
AzSTI,188.127.231.124,ipv4,,AzSTI,False,information,Not found.,,,0


## Provider Usage
This shows the supported IoC Types.

In some cases an IoC type will also support special types of sub-query such as geo-ip and passive-dns

In [13]:
display(ti_lookup.provider_status)
ti_lookup.loaded_providers["OTX"].usage()

['OTX - AlientVault OTX Lookup. (primary)',
 'VirusTotal - VirusTotal Lookup. (primary)',
 'XForce - IBM XForce Lookup. (primary)',
 'GreyNoise - GreyNoise Lookup. (primary)',
 'AzSTI - Azure Sentinel TI provider class. (primary)',
 'OPR - Open PageRank Lookup. (secondary)']

Azure Sentinel TI provider class. Supported query types:
	ioc_type=dns
	ioc_type=file_hash
	ioc_type=hostname
	ioc_type=ipv4
	ioc_type=ipv6
	ioc_type=linux_path
	ioc_type=md5_hash
	ioc_type=sha1_hash
	ioc_type=sha256_hash
	ioc_type=url
	ioc_type=windows_path


In [14]:
ti_lookup.provider_usage()

Primary providers
-----------------

Provider class: OTX
AlientVault OTX Lookup. Supported query types:
	ioc_type=dns
	ioc_type=dns, ioc_query_type=geo
	ioc_type=dns, ioc_query_type=passivedns
	ioc_type=file_hash
	ioc_type=hostname
	ioc_type=ipv4
	ioc_type=ipv4, ioc_query_type=geo
	ioc_type=ipv4, ioc_query_type=passivedns
	ioc_type=ipv6
	ioc_type=ipv6, ioc_query_type=geo
	ioc_type=ipv6, ioc_query_type=passivedns
	ioc_type=md5_hash
	ioc_type=sha1_hash
	ioc_type=sha256_hash
	ioc_type=url

Provider class: VirusTotal
VirusTotal Lookup. Supported query types:
	ioc_type=dns
	ioc_type=file_hash
	ioc_type=ipv4
	ioc_type=md5_hash
	ioc_type=sha1_hash
	ioc_type=sha256_hash
	ioc_type=url

Provider class: XForce
IBM XForce Lookup. Supported query types:
	ioc_type=dns
	ioc_type=dns, ioc_query_type=malware
	ioc_type=dns, ioc_query_type=passivedns
	ioc_type=dns, ioc_query_type=whois
	ioc_type=file_hash
	ioc_type=hostname, ioc_query_type=whois
	ioc_type=ipv4
	ioc_type=ipv4, ioc_query_type=malware
	ioc_

### Use to do a passive DNS lookup

In [15]:
result = ti_lookup.lookup_ioc(observable="38.75.137.9", ico_type="ipv4", ioc_query_type="passivedns", providers=["XForce"])
print(result)
print("\nProvider result:")
result[1][0][1].raw_result

(True, [('XForce', LookupResult(ioc='38.75.137.9', ioc_type='ipv4', safe_ioc='38.75.137.9', query_subtype='passivedns', provider='XForce', result=True, severity='information', details={'records': 1}, raw_result={'Passive': {'query': '0x00000000000000000000ffff264b8909', 'records': []}, 'RDNS': ['9-137-75-38.clients.gthost.com'], 'total_rows': 1}, reference='https://api.xforce.ibmcloud.com/resolve/38.75.137.9', status=0))])

Provider result:


{'Passive': {'query': '0x00000000000000000000ffff264b8909', 'records': []},
 'RDNS': ['9-137-75-38.clients.gthost.com'],
 'total_rows': 1}

### Use to do a GeoIP lookup

In [16]:
result = ti_lookup.lookup_ioc(observable="38.75.137.9", ico_type="ipv4", ioc_query_type="geo", providers=["OTX"])
print(result)
print("\nProvider result:")
result[1][0][1].raw_result

(True, [('OTX', LookupResult(ioc='38.75.137.9', ioc_type='ipv4', safe_ioc='38.75.137.9', query_subtype='geo', provider='OTX', result=True, severity='information', details={}, raw_result={'asn': 'AS63023 AS-GLOBALTELEHOST', 'city_data': True, 'city': 'Los Angeles', 'region': 'CA', 'continent_code': 'NA', 'country_code3': 'USA', 'country_code2': 'US', 'subdivision': 'CA', 'latitude': 34.0544, 'postal_code': '90009', 'longitude': -118.244, 'accuracy_radius': 1000, 'country_code': 'US', 'country_name': 'United States of America', 'dma_code': 803, 'charset': 0, 'area_code': 0, 'flag_url': '/assets/images/flags/us.png', 'flag_title': 'United States of America'}, reference='https://otx.alienvault.com/api/v1/indicators/IPv4/38.75.137.9/geo', status=0))])

Provider result:


{'asn': 'AS63023 AS-GLOBALTELEHOST',
 'city_data': True,
 'city': 'Los Angeles',
 'region': 'CA',
 'continent_code': 'NA',
 'country_code3': 'USA',
 'country_code2': 'US',
 'subdivision': 'CA',
 'latitude': 34.0544,
 'postal_code': '90009',
 'longitude': -118.244,
 'accuracy_radius': 1000,
 'country_code': 'US',
 'country_name': 'United States of America',
 'dma_code': 803,
 'charset': 0,
 'area_code': 0,
 'flag_url': '/assets/images/flags/us.png',
 'flag_title': 'United States of America'}

## Inferring IoC Type vs. Specifying explicity
If you do a lookup without specifying a type, TILookup will try to infer the type by matching regexes. There are patterns for all supported types but there are some caveats:

- The match is not 100% foolproof - e.g. some URLs and hash types may be misidentified.
- The inference adds an overhead to each lookup.

If you know the type that you want to look up, it is always better to explicitly include it.
- For single IoC lookup, use the `ioc_type` parameter.
- For multiple IoC lookups (see below), supply either:
  - a DataFrame with a column that specifies the type for each entry
  - a dictionary of the form `{ioc_observable: ioc_type}`

## Looking up Multiple IoCs

### lookup_iocs
```
Signature:
ti_lookup.lookup_iocs(
    data: Union[pandas.core.frame.DataFrame, Mapping[str, str], Iterable[str]],
    obs_col: str = None,
    ioc_type_col: str = None,
    ioc_query_type: str = None,
    providers: List[str] = None,
    prov_scope: str = 'primary',
    **kwargs,
) -> pandas.core.frame.DataFrame

Lookup a collection of IoCs.

Parameters
----------
data : Union[pd.DataFrame, Mapping[str, str], Iterable[str]]
    Data input in one of three formats:
    1. Pandas dataframe (you must supply the column name in
    `obs_col` parameter)
    2. Mapping (e.g. a dict) of [observable, IoCType]
    3. Iterable of observables - IoCTypes will be inferred
obs_col : str, optional
    DataFrame column to use for observables, by default None
ioc_type_col : str, optional
    DataFrame column to use for IoCTypes, by default None
ioc_query_type: str, optional
    The ioc query type (e.g. rep, info, malware)
providers: List[str]
    Explicit list of providers to use
prov_scope : str, optional
    Use primary, secondary or all providers, by default "primary"
kwargs :
    Additional arguments passed to the underlying provider(s)

Returns
-------
pd.DataFrame
    DataFrame of results
```

In [19]:
# Uncomment this and run to see the document string
# ti_lookup.lookup_iocs?

### Multiple IP Lookup from single provider

In [27]:

ioc_ips = [
    "51.75.29.61",
    "190.2.144.45"
    "52.183.120.194",
    "146.56.231.70",
    "1.2.3.4",
    "109.236.89.61",
    "1.2.3.5",
]

ti_lookup.lookup_iocs(data=ioc_ips, providers="AzSTI")

Unnamed: 0,Ioc,IocType,QuerySubtype,Reference,Result,Status,Severity,Details,RawResult,Provider
0,1.2.3.4,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-03-22T18:24:18.972814Z) | w...,False,0.0,0.0,Not found.,,AzSTI
1,51.75.29.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-03-22T18:24:18.972814Z) | w...,False,0.0,0.0,Not found.,,AzSTI
2,1.2.3.5,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-03-22T18:24:18.972814Z) | w...,False,0.0,0.0,Not found.,,AzSTI
3,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-03-22T18:24:18.972814Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': '2E9C9B5884CE9D1AAECA21C5EB772C30C3C84093C452AA038868AD4EEF50E83E', 'TimeGenerat...",AzSTI
4,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-03-22T18:24:18.972814Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': 'AA38B8D61F8587B779AABF6C4F2DBD226C7704600A5CBBB7779A7D0E7AFA05C4', 'TimeGenerat...",AzSTI
5,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-03-22T18:24:18.972814Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': 'E9DD356FF6855D16952067E4A35F0AAA1A8FF4E955E20B249131BD0EF7115A1E', 'TimeGenerat...",AzSTI
6,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-03-22T18:24:18.972814Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': '0612D0A787F9B2EA5FC1206C3727B3ADAD45D8AEDE2D90ADEC1C3B1590A609E0', 'TimeGenerat...",AzSTI
7,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-03-22T18:24:18.972814Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': '4DDD4BC9AD3844756B4DF7FAB23E9E9B917124D0A257BB405EF5715DEAA3D61B', 'TimeGenerat...",AzSTI
8,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-03-22T18:24:18.972814Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': 'CAFF80F6C8FD64CDA73AE68E382C6A7B6C94CA257C897324E6DB78D8C2106588', 'TimeGenerat...",AzSTI
9,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-03-22T18:24:18.972814Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': 'C72FAFC4A20054F73B343418F5EBE887610D257FFD51439392CC0376AB3B7173', 'TimeGenerat...",AzSTI


### Multiple IoCs using all providers
Output sorted by IoC

Note that these URLs were picked randomly from the TI databases of the three providers used. In most cases the IoC is found by only that provider, which 

In [19]:
ioc_urls = [
    "http://cheapshirts.us/zVnMrG.php",
    "http://chinasymbolic.com/i9jnrc",
    "https://hotel-bristol.lu/dlry/MAnJIPnY/",
    "http://businesstobuy.net",
    "http://append.pl/srh9xsz",
    "http://104.248.196.145/apache2",
    "http://ajaraheritage.ge/g7cberv",
    "http://cic-integration.com/hjy93JNBasdas",
    "https://google.com",  # benign
    "https://microsoft.com",  # benign
    "https://python.org",  # benign
]
results = ti_lookup.lookup_iocs(data=ioc_urls)
results.sort_values("Ioc")

Unnamed: 0,Ioc,IocType,SafeIoc,QuerySubtype,Provider,Result,Severity,Details,RawResult,Reference,Status
9,http://104.248.196.145/apache2,url,,,AzSTI,False,0,Not found.,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-03-22T18:22:19.058146Z) | w...,0
5,http://104.248.196.145/apache2,url,http://104.248.196.145/apache2,,VirusTotal,False,information,No Content,<Response [204]>,https://www.virustotal.com/vtapi/v2/url/report,204
5,http://104.248.196.145/apache2,url,http://104.248.196.145/apache2,,XForce,False,information,Not found.,<Response [404]>,https://api.xforce.ibmcloud.com/url/http://104.248.196.145/apache2,404
5,http://104.248.196.145/apache2,url,http%3A%2F%2F104.248.196.145%2Fapache2,,OTX,True,information,"{'pulse_count': 0, 'sections_available': ['general', 'url_list', 'http_scans', 'screenshot']}","{'sections': ['general', 'url_list', 'http_scans', 'screenshot'], 'indicator': 'http://104.248.1...",https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2F104.248.196.145%2Fapache2/general,0
6,http://ajaraheritage.ge/g7cberv,url,http://ajaraheritage.ge/g7cberv,,VirusTotal,False,information,No Content,<Response [204]>,https://www.virustotal.com/vtapi/v2/url/report,204
6,http://ajaraheritage.ge/g7cberv,url,http://ajaraheritage.ge/g7cberv,,XForce,True,information,"{'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,...","{'result': {'url': 'ajaraheritage.ge', 'cats': {}, 'score': None, 'categoryDescriptions': {}}, '...",https://api.xforce.ibmcloud.com/url/http://ajaraheritage.ge/g7cberv,0
8,http://ajaraheritage.ge/g7cberv,url,,,AzSTI,False,0,Not found.,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-03-22T18:22:19.058146Z) | w...,0
6,http://ajaraheritage.ge/g7cberv,url,http%3A%2F%2Fajaraheritage.ge%2Fg7cberv,,OTX,True,high,"{'pulse_count': 2, 'names': ['Locky Ransomware Distribution Sites URL blocklist (LY_DS_URLBL)', ...","{'sections': ['general', 'url_list', 'http_scans', 'screenshot'], 'indicator': 'http://ajaraheri...",https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2Fajaraheritage.ge%2Fg7cberv/general,0
4,http://append.pl/srh9xsz,url,http%3A%2F%2Fappend.pl%2Fsrh9xsz,,OTX,True,warning,"{'pulse_count': 1, 'names': ['Locky Ransomware Distribution Sites URL blocklist (LY_DS_URLBL)'],...","{'sections': ['general', 'url_list', 'http_scans', 'screenshot'], 'indicator': 'http://append.pl...",https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2Fappend.pl%2Fsrh9xsz/general,0
4,http://append.pl/srh9xsz,url,http://append.pl/srh9xsz,,XForce,True,information,"{'score': 0, 'cats': None, 'categoryDescriptions': None, 'reason': None, 'reasonDescription': 0,...","{'result': {'url': 'append.pl', 'cats': {'Software / Hardware': True}, 'score': 1, 'categoryDesc...",https://api.xforce.ibmcloud.com/url/http://append.pl/srh9xsz,0


### Multiple Mixed IoC Types

In [20]:
ioc_mixed = [
    "http://104.248.196.145/apache2",
    "http://ajaraheritage.ge/g7cberv",
    "http://cic-integration.com/hjy93JNBasdas",
    "51.75.29.61",
    "33.44.55.66",
    "52.183.120.194",
    "f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5cf281cdf3145865092",
    "cc2db822f652ca67038ba7cca8a8bde3",
    "ajaraheritage.ge",
]
results = ti_lookup.lookup_iocs(data=ioc_mixed)
results

Unnamed: 0,Ioc,IocType,SafeIoc,QuerySubtype,Provider,Result,Severity,Details,RawResult,Reference,Status
0,http://104.248.196.145/apache2,url,http%3A%2F%2F104.248.196.145%2Fapache2,,OTX,True,information,"{'pulse_count': 0, 'sections_available': ['general', 'url_list', 'http_scans', 'screenshot']}","{'sections': ['general', 'url_list', 'http_scans', 'screenshot'], 'indicator': 'http://104.248.1...",https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2F104.248.196.145%2Fapache2/general,0
1,http://ajaraheritage.ge/g7cberv,url,http%3A%2F%2Fajaraheritage.ge%2Fg7cberv,,OTX,True,high,"{'pulse_count': 2, 'names': ['Locky Ransomware Distribution Sites URL blocklist (LY_DS_URLBL)', ...","{'sections': ['general', 'url_list', 'http_scans', 'screenshot'], 'indicator': 'http://ajaraheri...",https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2Fajaraheritage.ge%2Fg7cberv/general,0
2,http://cic-integration.com/hjy93JNBasdas,url,http%3A%2F%2Fcic-integration.com%2Fhjy93JNBasdas,,OTX,True,warning,"{'pulse_count': 1, 'names': ['Locky Ransomware Distribution Sites URL blocklist (LY_DS_URLBL)'],...","{'sections': ['general', 'url_list', 'http_scans', 'screenshot'], 'indicator': 'http://cic-integ...",https://otx.alienvault.com/api/v1/indicators/url/http%3A%2F%2Fcic-integration.com%2Fhjy93JNBasda...,0
3,51.75.29.61,ipv4,51.75.29.61,,OTX,True,high,"{'pulse_count': 50, 'names': ['IOCs - 202135947 - ANIA Threat Feeds - IP Segment 0', 'IOCs - 202...","{'whois': 'http://whois.domaintools.com/51.75.29.61', 'reputation': 0, 'indicator': '51.75.29.61...",https://otx.alienvault.com/api/v1/indicators/IPv4/51.75.29.61/general,0
4,33.44.55.66,ipv4,33.44.55.66,,OTX,True,information,"{'pulse_count': 0, 'sections_available': ['general', 'geo', 'reputation', 'url_list', 'passive_d...","{'whois': 'http://whois.domaintools.com/33.44.55.66', 'reputation': 0, 'indicator': '33.44.55.66...",https://otx.alienvault.com/api/v1/indicators/IPv4/33.44.55.66/general,0
5,52.183.120.194,ipv4,52.183.120.194,,OTX,True,information,"{'pulse_count': 0, 'sections_available': ['general', 'geo', 'reputation', 'url_list', 'passive_d...","{'whois': 'http://whois.domaintools.com/52.183.120.194', 'reputation': 0, 'indicator': '52.183.1...",https://otx.alienvault.com/api/v1/indicators/IPv4/52.183.120.194/general,0
6,f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5cf281cdf3145865092,sha256_hash,f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5cf281cdf3145865092,,OTX,True,high,"{'pulse_count': 3, 'names': ['Emotet IOCs 2/4/2019', 'Emotet IOCs 2/1/2019', 'Emotet IOCs 1/31/2...","{'sections': ['general', 'analysis'], 'type': 'sha256', 'type_title': 'FileHash-SHA256', 'indica...",https://otx.alienvault.com/api/v1/indicators/file/f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5...,0
7,cc2db822f652ca67038ba7cca8a8bde3,md5_hash,cc2db822f652ca67038ba7cca8a8bde3,,OTX,True,information,"{'pulse_count': 0, 'sections_available': ['general', 'analysis']}","{'sections': ['general', 'analysis'], 'type': 'md5', 'type_title': 'FileHash-MD5', 'indicator': ...",https://otx.alienvault.com/api/v1/indicators/file/cc2db822f652ca67038ba7cca8a8bde3/general,0
8,ajaraheritage.ge,dns,ajaraheritage.ge,,OTX,True,high,"{'pulse_count': 27, 'names': ['Veronica.muratori ', 'Veronica.muratori ', 'https://instagram.com...","{'sections': ['general', 'geo', 'url_list', 'passive_dns', 'malware', 'whois', 'http_scans'], 'w...",https://otx.alienvault.com/api/v1/indicators/domain/ajaraheritage.ge/general,0
0,http://104.248.196.145/apache2,url,http://104.248.196.145/apache2,,VirusTotal,False,information,No Content,<Response [204]>,https://www.virustotal.com/vtapi/v2/url/report,204


## Browsing TI Results
To make it easier to walk through the returned results there is a browser. 
This shows you results aggregated by the IoC value (e.g. an individual IP 
Address or URL) for all providers.

For each provider that returns a result for an IoC, the summarized details 
will be shown in a table below the browse list.
Click on `Raw results from provider...` to see all returned data.

> **Note**: the reference URL may not work if you have not authenticated
> to the service

The value of the selected IoC entry is available as `ti_selector.value`

You can match this back to the original results DataFrame as follows:
```
results[results["Ioc"] == ti_selector.value[0]]
```

In [21]:
from msticpy.nbtools.ti_browser import browse_results
ti_selector = browse_results(data=results, height="200px")
ti_selector

VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), Sel…

0,1
OTX,
pulse_count,50
names,"['IOCs - 202135947 - ANIA Threat Feeds - IP Segment 0', 'IOCs - 2020122102 - ANIA Threat Feeds - IP Segment 1', 'IOCs - 202096112 - ANIA Threat Feeds - IP Segment 0', 'IOCs - 20208141635 - ANIA Threat Feeds - IP Segment 0', 'Ty', 'IOCs - 20207302230 - ANIA Threat Feeds - IP Segment 0', 'IOCs - 20207131443 - ANIA Threat Feeds - IP Segment 1', 'STU_Honeypots_Bruteforce_Source_IP 2020/07/11', 'SSH - US Honeypot IoCs 2020-07-10', 'STU_Honeypots_Bruteforce_Source_IP 2020/07/10', '2020-07-02 Fail2ban b3478ecb-279e-4ad8-864b-2538ee286dda', 'STU_Honeypots_Bruteforce_Source_IP 2020/06/30', 'IOCs - 20206301939 - ANIA Threat Feeds - IP Segment 0', '2020-06-29 Fail2ban f726332c-9c60-4e5e-8ae2-c3ec592fbed7', '2020-06-25 Fail2ban a5ce7d8c-4741-4414-9caf-fc179a6fb81d', 'SSH - US Honeypot IoCs 2020-06-20', '2020-06-20 Fail2ban dce5352e-74ce-432e-8c57-d9819a9a6a79', '2020-06-19 Fail2ban f0882f07-135c-4510-9f4c-ccada08a12e5', 'SSH Bruteforce Hosts for 2020-06-19', '2020-06-17 Fail2ban 76fdb4c1-f709-4f45-8ecf-f5f9aa52ab55', '2020-06-12 Fail2ban 60886aec-1450-459b-b91b-5d5b204183ad', '2020-06-09 Fail2ban e197ce9a-dfcb-4ae4-a641-ae947a9f78cb', 'SSH - US Honeypot IoCs 2020-06-08', 'Baton Rouge Louisiana HoneyPot Tier 2 Indicators:February:2020', 'Baton Rouge Louisiana TPOT 19 Honeypot Events:2020-06-01 02:14:25.546768', 'IOCs - 20205311517 - ANIA Threat Feeds - IP Segment 0', 'IOCs - 20205301440 - ANIA Threat Feeds - Segment 0', '2020-05-25 Fail2ban e37d5902-91dd-4ede-8e87-14bb54fdac24', '2020-05-21 Fail2ban 9e9111dd-ddcb-441e-ae99-d5ee334c779d', '2020-05-17 Fail2ban cdf0b492-c29e-4389-92ae-4415dbf2c3a2', 'SSH Bruteforce hosts for 2020-05-22', '2020-05-12 Fail2ban 56d04fa8-75b9-43c4-9396-0312786fe541', '2020-05-11 Fail2ban fd0c74a2-1f1b-4996-abae-6989bf0811d0', '2020-05-09 Fail2ban e287bc93-747c-4a79-9fe3-7308a02b4c0a', 'SSH - US Honeypot IoCs 2020-05-06', 'SSH Bruteforce hosts for 2020-05-31', 'SSH Bruteforce hosts for 2020-05-11', 'SSH Bruteforce hosts for 2020-05-10', '2020-05-03 Fail2ban 6209860d-08c3-45e7-8e10-8331f86ffc3a', 'Baton Rouge Louisiana TPOT 19 Honeypot Events:2020-04-28', 'SSH honeypot logs for 4/26/2020', '2020-04-25 Fail2ban 6dc27fe2-df3f-4096-aee8-70b84449f012', '2020-04-22 Fail2ban 2ef4f696-85a2-4ae7-9fb9-82e7d8591bd0', 'SSH Bruteforce hosts for 2020-04-20', 'Baton Rouge Louisiana TPOT 19 Honeypot Events:Jan to March ,2020', 'SSH Bruteforce hosts for 2020-04-11', '2020-04-08 Fail2ban 47aa302c-a65d-4564-85e3-f4428c9c7b3e', 'IOCs - 2020461246', 'SSH - US Honeypot IoCs 2020-04-02', 'SSH honeypot logs for 3/30/2020']"
tags,"[[], [], [], [], [], [], [], ['Bruteforce', 'Honeypot'], ['honeypot', 'ssh', 'cowrie'], ['Bruteforce', 'Honeypot'], ['fail2ban'], ['Bruteforce', 'Honeypot'], [], ['fail2ban'], ['fail2ban'], ['honeypot', 'ssh', 'cowrie'], ['fail2ban'], ['fail2ban'], ['Bruteforce', 'SSH', 'honeypot'], ['fail2ban'], ['fail2ban'], ['fail2ban'], ['honeypot', 'ssh', 'cowrie'], ['tsec', 'tpot19', 'honeypot'], ['tsec', 'tpot19', 'honeypot'], [], [], ['fail2ban'], ['fail2ban'], ['fail2ban'], ['china', 'france', 'germany', 'singapore', 'korea', 'group', 'spain', 'canada', 'italy', 'brazil', 'mexico'], ['fail2ban'], ['fail2ban'], ['fail2ban'], ['honeypot', 'ssh', 'cowrie'], ['china', 'germany', 'france', 'singapore', 'group', 'india', 'canada', 'korea', 'brazil', 'mexico'], ['china', 'france', 'india', 'canada', 'italy', 'poland', 'group', 'singapore', 'germany', 'brazil', 'korea', 'mexico', 'japan', 'ssh bruteforce', 'israel', 'australia', 'bruteforce'], ['china', 'france', 'canada', 'korea', 'singapore', 'india', 'italy', 'germany', 'brazil', 'ssh bruteforce', 'group', 'poland', 'australia', 'switzerland', 'bruteforce', 'japan'], ['fail2ban'], ['tsec', 'tpot19', 'honeypot'], ['SSH', 'bruteforce', 'honeypot'], ['fail2ban'], ['fail2ban'], ['china', 'france', 'germany', 'singapore', 'brazil', 'india', 'group', 'italy', 'canada', 'korea', 'poland', 'mexico', 'japan', 'cambodia', 'australia', 'ssh bruteforce', 'israel', 'spain', 'switzerland'], ['tsec', 'tpot19', 'honeypot'], ['france', 'china', 'korea', 'india', 'japan', 'canada', 'singapore', 'poland', 'italy', 'group', 'cambodia', 'germany', 'brazil', 'mexico', 'kazakhstan', 'ssh bruteforce'], ['fail2ban'], [], ['honeypot', 'ssh', 'cowrie'], ['SSH', 'bruteforce', 'honeypot']]"
references,"[[], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], ['https://jamesbrine.com.au/bruteforce-ip-list-2020-06-19/', 'https://jamesbrine.com.au'], [], [], [], [], ['https://github.com/dtag-dev-sec/tpotce'], ['https://github.com/dtag-dev-sec/tpotce'], [], [], [], [], [], ['https://jamesbrine.com.au/bruteforce-ip-list-2020-05-22/', 'https://jamesbrine.com.au/'], [], [], [], [], ['https://jamesbrine.com.au/bruteforce-ip-list-2020-05-31/', 'https://jamesbrine.com.au/'], ['https://jamesbrine.com.au/bruteforce-ip-list-2020-05-11/', 'https://jamesbrine.com.au/'], ['https://jamesbrine.com.au/bruteforce-ip-list-2020-05-10/', 'https://jamesbrine.com.au/'], [], ['https://github.com/dtag-dev-sec/tpotce'], [], [], [], ['https://jamesbrine.com.au/bruteforce-ip-list-2020-04-20/', 'https://jamesbrine.com.au'], ['https://github.com/dtag-dev-sec/tpotce'], ['https://jamesbrine.com.au/bruteforce-ip-list-2020-04-11/', 'https://jamesbrine.com.au/'], [], [], [], []]"

0,1
GreyNoise,
Classification,malicious
Name,unknown
Last Seen,2020-07-13
Message,Success
Noise,True
RIOT,False


## Specifying Time Ranges
Some providers (currently only AzSTI) support time ranges so that you can specify specific periods to search for.

If a provider does not support time ranges, the parameters will be ignored

In [31]:
from datetime import datetime
search_origin = datetime.now()
q_times = nbwidgets.QueryTime(units="hour", auto_display=True, origin_time=search_origin, max_after=24, max_before=24)

VBox(children=(HTML(value='<h4>Set query time boundaries</h4>'), HBox(children=(DatePicker(value=datetime.date…

In [32]:
# Using this data range returned no results
ti_lookup.lookup_iocs(data=ioc_ips, providers="AzSTI", start=q_times.start, end=q_times.end).head()

Unnamed: 0,Ioc,IocType,QuerySubtype,Reference,Result,Status,Severity,Details,RawResult,Provider
0,1.2.3.4,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-21T05:24:53.933864Z) | w...,False,0.0,0.0,Not found.,,AzSTI
1,51.75.29.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-21T05:24:53.933864Z) | w...,False,0.0,0.0,Not found.,,AzSTI
2,1.2.3.5,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-21T05:24:53.933864Z) | w...,False,0.0,0.0,Not found.,,AzSTI
3,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-21T05:24:53.933864Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': '2B3D1B719533D10EF42E0BA1948BDE099A83C38BAF53E8369CB9651A890A0CD2', 'TimeGenerat...",AzSTI
4,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-21T05:24:53.933864Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': '30196A288FA811E8ACCCC84C434E3AD15F175B17BE2D4458DD3BC660073C1365', 'TimeGenerat...",AzSTI


In [34]:
from datetime import datetime
search_origin = datetime.now()
q_times = nbwidgets.QueryTime(units="day", auto_display=True, origin_time=search_origin, max_after=24, max_before=24)

VBox(children=(HTML(value='<h4>Set query time boundaries</h4>'), HBox(children=(DatePicker(value=datetime.date…

In [36]:
# Using a wider ranges produces results
ti_lookup.lookup_iocs(data=ioc_ips, providers="AzSTI", start=q_times.start, end=q_times.end)

Unnamed: 0,Ioc,IocType,QuerySubtype,Reference,Result,Status,Severity,Details,RawResult,Provider
0,1.2.3.4,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-12T11:25:07.689524Z) | w...,False,0.0,0.0,Not found.,,AzSTI
1,51.75.29.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-12T11:25:07.689524Z) | w...,False,0.0,0.0,Not found.,,AzSTI
2,1.2.3.5,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-12T11:25:07.689524Z) | w...,False,0.0,0.0,Not found.,,AzSTI
3,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-12T11:25:07.689524Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': '2E9C9B5884CE9D1AAECA21C5EB772C30C3C84093C452AA038868AD4EEF50E83E', 'TimeGenerat...",AzSTI
4,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-12T11:25:07.689524Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': 'AA38B8D61F8587B779AABF6C4F2DBD226C7704600A5CBBB7779A7D0E7AFA05C4', 'TimeGenerat...",AzSTI
5,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-12T11:25:07.689524Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': 'E9DD356FF6855D16952067E4A35F0AAA1A8FF4E955E20B249131BD0EF7115A1E', 'TimeGenerat...",AzSTI
6,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-12T11:25:07.689524Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': '0612D0A787F9B2EA5FC1206C3727B3ADAD45D8AEDE2D90ADEC1C3B1590A609E0', 'TimeGenerat...",AzSTI
7,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-12T11:25:07.689524Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': '4DDD4BC9AD3844756B4DF7FAB23E9E9B917124D0A257BB405EF5715DEAA3D61B', 'TimeGenerat...",AzSTI
8,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-12T11:25:07.689524Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': 'CAFF80F6C8FD64CDA73AE68E382C6A7B6C94CA257C897324E6DB78D8C2106588', 'TimeGenerat...",AzSTI
9,109.236.89.61,ipv4,,ThreatIntelligenceIndicator | where TimeGenerated >= datetime(2021-04-12T11:25:07.689524Z) | w...,True,0.0,2.0,"{'Action': 'alert', 'ThreatType': 'Botnet', 'ThreatSeverity': nan, 'Active': True, 'Description'...","{'IndicatorId': 'C72FAFC4A20054F73B343418F5EBE887610D257FFD51439392CC0376AB3B7173', 'TimeGenerat...",AzSTI
