IPInfo Action
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Detail | Value |
---|---|
Current Integration Version | 1.0.2 |
Compatible with ThreatQ Versions | >= 5.6.0 |
ThreatQ TQO License Required | Yes |
Support Tier | ThreatQ Supported |
Introduction
The IPInfo action submits a collection of supported indicators of compromise (IOC) to the IPInfo API in the form of individual HTTP Requests. IPInfo returns a response for each object containing any information it has about the IOC.
The integration can perform the following action:
- IPInfo - Enriches IP Addresses with Location information such as Region, Coordinates, Country, and City
The action is compatible with IP Address indicator types and returns enriched IP Addresses.
This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.
Prerequisites
The action requires the following:
- An IPInfo API Key.
- An active ThreatQ TDR Orchestrator (TQO) license.
- A data collection containing IP Address indicator types.
Installation
This action can be installed in the My Integration section of your ThreatQ instance. See the Installing an Action topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Actions option from the Category dropdown (optional).
- Click on the action entry to open its details page.
- Enter the following parameters under the Configuration tab:
The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.
Parameter | Description |
---|---|
IPInfo API Key | Your API Key for authentication with the IPInfo API. |
Objects Per Run | The maximum number of objects to submit per workflow run. The max value for this parameter is 50,000. |
IPInfo Context Filter | Select the attributes for ingestion. Options include: Location Coordinates (default), City (default), Country (default), Region (default). |
- Review any additional settings, make any changes if needed, and click on Save.
Actions
The integration provides the following action:
Function | Description | Object Type | Object Subtype |
---|---|---|---|
IPInfo | Submits a ThreatQ data collection and queries the IPInfo API for context. | Indicator | IP Address |
IPInfo
The IPInfo function submits a ThreatQ data collection and queries the IPInfo API for context. The vendor returns enriched data for the submitted collection.
Sample Request:
```
GET https://ipinfo.io/111.121.216.118?token={user-token}
```
Sample Response:
```json
{
  "ip": "111.121.216.118",
  "city": "Guiyang",
  "region": "Guizhou",
  "country": "CN",
  "loc": "26.5833,106.7167",
  "org": "AS4134 CHINANET-BACKBONE",
  "timezone": "Asia/Shanghai"
}
```
ThreatQuotient provides the following default mapping for this function:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
---|---|---|---|---|---|
.region | Indicator.Attribute | Region | N/A | Guizhou | If enabled |
.city | Indicator.Attribute | City | N/A | Guiyang | If enabled |
.country | Indicator.Attribute | Country | N/A | CN | If enabled |
.loc | Indicator.Attribute | Location Coordinates | N/A | 26.5833,106.7167 | If enabled |
Enriched Data
Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.
Metric | Result |
---|---|
Run Time | 2 Minutes |
Indicators | 100 |
Indicator Attributes | 400 |
Use Case Example
- A Threat Analyst identifies a collection of IP Addresses they would like to enrich.
- The Threat Analyst adds the IPInfo Action to a Workflow.
- The Threat Analyst configures the action with the desired parameters, and enables the Workflow.
- The Workflow executes all Actions in the graph, including IPInfo.
- The action returns the documented Attributes from the provider, and the Workflow ingests this data into the ThreatQ platform.
Known Issues / Limitations
- The IPInfo Free plan is limited to 50k lookups per month. Refer to your IPInfo account details for rate limit information.
Change Log
- Version 1.0.2
- Initial release to the ThreatQ Marketplace.
PDF Guides
Document | ThreatQ Version |
---|---|
IPInfo Action Guide v1.0.2 | 5.6 or Greater |