Added new TI Provider - IPQualityScore (#733)

* Added new TI Provider - IPQualityScore * Added provider to the documentation * Ensuring Python 3.8 compatibility --------- Co-authored-by: Ian Hellen <[email protected]>
microsoft · Nov 13, 2023 · 74eeb2e · 74eeb2e
1 parent ba8963f
commit 74eeb2e
Show file tree

Hide file tree

Showing 7 changed files with 138 additions and 0 deletions.
diff --git a/docs/source/data_acquisition/TIProviders.rst b/docs/source/data_acquisition/TIProviders.rst
@@ -37,6 +37,7 @@ Features
 
    -  TOR exit nodes
    -  Open Page Rank
+   -  IP Quality Score
 
 -  Supports common IoC Types
 

diff --git a/msticpy/context/tiproviders/__init__.py b/msticpy/context/tiproviders/__init__.py
@@ -26,4 +26,5 @@
     "RiskIQ": ("riskiq", "RiskIQ"),
     "Pulsedive": ("pulsedive", "Pulsedive"),
     "AbuseIPDB": ("abuseipdb", "AbuseIPDB"),
+    "IPQualityScore": ("ip_quality_score", "IPQualityScore"),
 }
diff --git a/msticpy/context/tiproviders/ip_quality_score.py b/msticpy/context/tiproviders/ip_quality_score.py
@@ -0,0 +1,88 @@
+# -------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# --------------------------------------------------------------------------
+"""
+IPQualityScore Provider.
+
+This provider offers contextual lookup services and fraud scoring for IP addresses.
+https://www.ipqualityscore.com/
+"""
+from typing import Any, Dict, Tuple
+
+from ..._version import VERSION
+from ..http_provider import APILookupParams
+from .ti_http_provider import HttpTIProvider
+from .ti_provider_base import ResultSeverity
+
+__version__ = VERSION
+__author__ = "Pete Bryan"
+
+
+class IPQualityScore(HttpTIProvider):
+    """IP Quality Score Lookup."""
+
+    _BASE_URL = "https://www.ipqualityscore.com/api/json"
+
+    _QUERIES = {
+        # Supported API Types
+        "ipv4": APILookupParams(
+            path="/ip/{AuthKey}/{observable}",
+        )
+    }
+
+    _REQUIRED_PARAMS = ["AuthKey"]
+
+    def parse_results(self, response: Dict) -> Tuple[bool, ResultSeverity, Any]:
+        """
+        Return the details of the response.
+
+        Parameters
+        ----------
+        response : Dict
+            The returned data response
+
+        Returns
+        -------
+        Tuple[bool, ResultSeverity, Any]
+            bool = positive or negative hit
+            ResultSeverity = enumeration of severity
+            Object with match details
+
+        """
+        if self._failed_response(response) or not isinstance(
+            response["RawResult"], dict
+        ):
+            return False, ResultSeverity.information, "Not found."
+        result = True
+        result_dict = {}
+        result_dict.update(
+            {
+                "FraudScore": response["RawResult"].get("fraud_score"),
+                "ISP": response["RawResult"].get("ISP"),
+                "ASN": response["RawResult"].get("ASN"),
+                "Country": response["RawResult"].get("country_code"),
+                "Region": response["RawResult"].get("city"),
+                "City": response["RawResult"].get("region"),
+                "Organization": response["RawResult"].get("organization"),
+                "Latitude": response["RawResult"].get("latitude"),
+                "Longitude": response["RawResult"].get("longitude"),
+                "IsMobile": response["RawResult"].get("mobile"),
+                "IsProxy": response["RawResult"].get("proxy"),
+                "IsTor": response["RawResult"].get("active_tor"),
+                "IsVPN": response["RawResult"].get("active_vpn"),
+                "IsBot": response["RawResult"].get("bot_status"),
+                "AbuseStatus": response["RawResult"].get("recent_abuse"),
+            }
+        )
+
+        severity = ResultSeverity.information
+        if (
+            response["RawResult"]["fraud_score"] > 50
+            and response["RawResult"]["fraud_score"] < 80
+        ):
+            severity = ResultSeverity.warning
+        elif response["RawResult"]["fraud_score"] >= 80:
+            severity = ResultSeverity.high
+        return result, severity, result_dict
diff --git a/msticpy/resources/mpconfig_defaults.yaml b/msticpy/resources/mpconfig_defaults.yaml
@@ -118,6 +118,11 @@ TIProviders:
       AuthKey: *cred_key
     Primary: bool(default=False)
     Provider: "Pulsedive"
+  IPQualityScore:
+    Args:
+      AuthKey: *cred_key
+    Primary: bool(default=False)
+    Provider: "IPQualityScore"
 OtherProviders:
   GeoIPLite:
     Args:

diff --git a/tests/context/test_tiproviders.py b/tests/context/test_tiproviders.py
@@ -175,6 +175,7 @@ class TiTestCase:
     TiTestCase("IntSights"),
     TiTestCase("CrowdSec"),
     TiTestCase("AbuseIPDB", exp_responses=20),
+    TiTestCase("IPQualityScore", exp_responses=20),
 ]
 
 
@@ -246,6 +247,7 @@ def verify_result(result, ti_lookup):
                 "IntSights",
                 "CrowdSec",
                 "AbuseIPDB",
+                "IPQualityScore",
             ],
         )
         check.is_not_none(lu_result["Ioc"])
@@ -709,6 +711,37 @@ def _get_riskiq_classification():
             "message": "Success",
         },
     },
+    "https://www.ipqualityscore.com": {
+        "ioc_param": "ipv4",
+        "response": {
+            "success": True,
+            "message": "Success",
+            "fraud_score": 100,
+            "country_code": "US",
+            "region": "New York",
+            "city": "Long Island City",
+            "ISP": "Data Room",
+            "ASN": 19624,
+            "organization": "Data Room",
+            "is_crawler": False,
+            "timezone": "America/New_York",
+            "mobile": False,
+            "host": "162.244.80.235",
+            "proxy": True,
+            "vpn": True,
+            "tor": False,
+            "active_vpn": False,
+            "active_tor": False,
+            "recent_abuse": True,
+            "bot_status": True,
+            "connection_type": "Premium required.",
+            "abuse_velocity": "Premium required.",
+            "zip_code": "N/A",
+            "latitude": 40.75,
+            "longitude": -73.93,
+            "request_id": "I4lkaunzTE",
+        },
+    },
     "https://www.virustotal.com/": {
         "ioc_param": "params",
         "response": {

diff --git a/tests/msticpyconfig-test.yaml b/tests/msticpyconfig-test.yaml
@@ -100,6 +100,11 @@ TIProviders:
       AuthKey: "[PLACEHOLDER]"
     Primary: True
     Provider: AbuseIPDB
+  IPQualityScore:
+    Args:
+      AuthKey: "[PLACEHOLDER]"
+    Primary: True
+    Provider: IPQualityScore
 ContextProviders:
   ServiceNow:
     Primary: True

diff --git a/tests/testdata/msticpyconfig.yaml b/tests/testdata/msticpyconfig.yaml
@@ -77,6 +77,11 @@ TIProviders:
       AuthKey: "[PLACEHOLDER]"
     Primary: True
     Provider: AbuseIPDB
+  IPQualityScore:
+    Args:
+      AuthKey: "[PLACEHOLDER]"
+    Primary: True
+    Provider: IPQualityScore
 OtherProviders:
   GeoIPLite:
     Args: