IP Whois Enrichment

MSTICPy supports enriching IP address information with data from open source Whois services. Lookups are possible against IP addresses and ASNs (Autonomous System Numbers).

IP Lookups

Whois lookups can be performed against a single IP address or as a bulk lookup against a list or DataFrame column.

WhoIs Lookup of single IP Address

The ip_whois function looks up a single IP address and returns the results as a Python dictionary.

>>> from msticpy.context.ip_utils import ip_whois
>>> ip_whois("65.55.44.109")
('MICROSOFT-CORP-MSN-AS-BLOCK, US',
{'asn': '8075',
'query': '65.55.44.109',
'asn_cidr': '65.52.0.0/14',
'asn_country_code': 'US',
'asn_registry': 'arin',
'asn_date': '2001-02-14',
'asn_description': 'MICROSOFT-CORP-MSN-AS-BLOCK, US',
'nets': [{'cidr': '65.52.0.0/14',
    'handle': 'NET-65-52-0-0-1',
    'name': 'MICROSOFT-1BLK',
    'startAddress': '65.52.0.0',
    'endAddress': '65.55.255.255',
    'created': None,
...

You can also look up a single IP address using the IpAddress.whois pivot function. This returns results as a pandas DataFrame.

>>> IpAddress.whois(["123.1.2.3", "124.5.6.7"])

WhoIs Lookup of multiple IP Addresses

If a list of IP addresses (or a pandas Series) is passed to ip_whois, the data is returned as a DataFrame.

This same feature can be accessed using the mp pandas accessor or via the IpAddress.whois pivot function.

Using the mp pandas accessor:

>>> df.mp.whois(ip_column="IPAddress")

Using the whois pivot function:

>>> IpAddress.whois(["123.1.2.3", "124.5.6.7"])
>>> IpAddress.whois(data=df, column="IP")

ASN Lookups

ASN Lookup by IP

It is also possible to look up details of the ASN that an IP address belongs to, using the get_asn_from_ip function.

>>> from msticpy.context.ip_utils import get_asn_from_ip
>>> get_asn_from_ip("65.55.44.109")
{'AS': '8075',
'IP': '65.55.44.109',
'BGP Prefix': '65.52.0.0/14',
'CC': 'US',
'Registry': 'arin',
'Allocated': '2001-02-14',
'AS Name': 'MICROSOFT-CORP-MSN-AS-BLOCK, US'}

The same function is also accessible via the IpAddress.whois_asn pivot function:

>>> IpAddress.whois_asn("65.55.44.109")

This function accepts a single IP, an iterable of IPs or a DataFrame (in the latter case, specify the DataFrame via the data parameter and the IP column via the column parameter).

ASN Lookup by Number or Name

You can also look up details of a specific ASN. get_asn_details returns details of an ASN, along with the IP ranges belonging to that ASN.

>>> from msticpy.context.ip_utils import get_asn_details
>>> get_asn_details("AS3598")
{'Autonomous Number': 'AS3598',
'AS Name': 'MICROSOFT',
'Description': 'MICROSOFT',
'Contact': 'radb@microsoft.com',
'Last Updated': 'mkasten@microsoft.com 20180125',
'ranges': ['167.220.204.0/22',
'157.57.0.0/16',
'157.58.0.0/16',
'157.58.31.0/24',
'157.58.192.0/19',
'157.59.0.0/16',
...

It is also possible to search ASNs by AS Name with get_asn_from_name. For example, you can search for "Microsoft" to see a list of all ASNs that are associated with Microsoft.

>>> from msticpy.context.ip_utils import get_asn_from_name
>>> get_asn_from_name("Microsoft")
{'AS3598': 'MICROSOFT-CORP-AS, US',
'AS5761': 'MICROSOFT-CORP-MSN-AS-SATURN, US',
'AS6182': 'MICROSOFT-CORP-MSN-AS-4, US',
'AS6291': 'MICROSOFT-CORP-MSN-AS, US',
'AS6584': 'MICROSOFT-GP-AS, US',
...
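As an added example (not part of the MSTICPy documentation or library), the records returned by get_asn_from_ip and get_asn_from_name can be combined to check whether a set of IPs really belongs to an organisation's ASNs, and that each IP falls inside the BGP prefix reported for it. The two lookups are passed in as callables so the constructed sample records below run offline; in practice pass msticpy's get_asn_from_ip and get_asn_from_name.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

# Constructed sample records mirroring the shapes returned by
# get_asn_from_ip and get_asn_from_name above (values are illustrative,
# 198.51.100.0/24 and AS64496 are documentation/private-use ranges).
SAMPLE_ASN_BY_IP: Dict[str, dict] = {
    "65.55.44.109": {"AS": "8075", "IP": "65.55.44.109",
                     "BGP Prefix": "65.52.0.0/14", "CC": "US",
                     "AS Name": "MICROSOFT-CORP-MSN-AS-BLOCK, US"},
    "198.51.100.7": {"AS": "64496", "IP": "198.51.100.7",
                     "BGP Prefix": "198.51.100.0/24", "CC": "ZZ",
                     "AS Name": "EXAMPLE-HOSTING, ZZ"},
}
SAMPLE_ASNS_BY_NAME: Dict[str, Dict[str, str]] = {
    "Microsoft": {"AS3598": "MICROSOFT-CORP-AS, US",
                  "AS8075": "MICROSOFT-CORP-MSN-AS-BLOCK, US"},
}


def check_ips_against_org(
    ips: Iterable[str],
    org_name: str,
    lookup_ip: Callable[[str], dict],
    lookup_name: Callable[[str], Dict[str, str]],
) -> List[dict]:
    """Return one row per IP stating whether its ASN belongs to org_name.

    lookup_ip / lookup_name take the same arguments and return the same
    shapes as msticpy's get_asn_from_ip / get_asn_from_name.
    """
    # Normalise "AS3598" -> "3598" so it compares with the "AS" field.
    org_asns = {asn.upper().lstrip("AS") for asn in lookup_name(org_name)}
    rows = []
    for ip in ips:
        rec = lookup_ip(ip)
        asn = str(rec.get("AS", "")).upper().lstrip("AS")
        prefix = rec.get("BGP Prefix")
        # Sanity check: the announced prefix should actually cover the IP.
        in_prefix = bool(prefix) and (
            ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)
        )
        rows.append({
            "IP": ip, "AS": asn, "AS Name": rec.get("AS Name"),
            "in_prefix": in_prefix,
            "expected_org": asn in org_asns,
        })
    return rows
```

Rows with expected_org False are candidates for review, for example when a login source presents itself as coming from Microsoft infrastructure but is routed from an unrelated ASN.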