IP Whois Enrichment
MSTICPy supports enriching IP address information with data from open source Whois services. Lookups are possible against IPs and ASNs (Autonomous System Number).
IP Lookups
Whois lookups can be performed against a single IP address or as a bulk lookup against a list or DataFrame column.
WhoIs Lookup of single IP Address
The ip_whois function looks up a single IP address and returns the results as a Python dictionary.
>>> from msticpy.context.ip_utils import ip_whois
>>> ip_whois("65.55.44.109")
('MICROSOFT-CORP-MSN-AS-BLOCK, US',
 {'asn': '8075',
  'query': '65.55.44.109',
  'asn_cidr': '65.52.0.0/14',
  'asn_country_code': 'US',
  'asn_registry': 'arin',
  'asn_date': '2001-02-14',
  'asn_description': 'MICROSOFT-CORP-MSN-AS-BLOCK, US',
  'nets': [{'cidr': '65.52.0.0/14',
    'handle': 'NET-65-52-0-0-1',
    'name': 'MICROSOFT-1BLK',
    'startAddress': '65.52.0.0',
    'endAddress': '65.55.255.255',
    'created': None,
...
You can also look up a single IP address using the IpAddress.whois function. This returns results as a pandas DataFrame.
>>> IpAddress.whois(["123.1.2.3", "124.5.6.7"])
WhoIs Lookup of multiple IP Addresses
If a list of IP addresses (or a pandas Series) is passed to ip_whois, the data is returned as a DataFrame.
This same feature can be accessed using the mp pandas accessor or via the IpAddress.whois pivot function.
Using the mp pandas accessor:
>>> df.mp.whois(ip_column="IPAddress")
Using the whois pivot function:
>>> IpAddress.whois(["123.1.2.3", "124.5.6.7"])
>>> IpAddress.whois(data=df, column="IP")
ASN Lookups
ASN Lookup by IP
It is also possible to look up details of the ASN that an IP address belongs to.
This is done with the get_asn_from_ip function.
>>> from msticpy.context.ip_utils import get_asn_from_ip
>>> get_asn_from_ip("65.55.44.109")
{'AS': '8075',
 'IP': '65.55.44.109',
 'BGP Prefix': '65.52.0.0/14',
 'CC': 'US',
 'Registry': 'arin',
 'Allocated': '2001-02-14',
 'AS Name': 'MICROSOFT-CORP-MSN-AS-BLOCK, US'}
The same function is also accessible via the IpAddress.whois_asn pivot function:
>>> IpAddress.whois_asn("65.55.44.109")
This function accepts a single IP, an iterable of IPs or a DataFrame (in the latter case, specify the DataFrame via the data parameter and the IP column via the column parameter).
ASN Lookup by Number or Name
You can also look up the details of a specific ASN. get_asn_details can be used to get details based on an ASN, along with details of the IP ranges belonging to that ASN.
>>> from msticpy.context.ip_utils import get_asn_details
>>> get_asn_details("AS3598")
{'Autonomous Number': 'AS3598',
 'AS Name': 'MICROSOFT',
 'Description': 'MICROSOFT',
 'Contact': 'radb@microsoft.com',
 'Last Updated': 'mkasten@microsoft.com 20180125',
 'ranges': ['167.220.204.0/22',
  '157.57.0.0/16',
  '157.58.0.0/16',
  '157.58.31.0/24',
  '157.58.192.0/19',
  '157.59.0.0/16',
...
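An added example, not part of the MSTICPy documentation or code: once the ranges list from get_asn_details is in hand, log source addresses can be matched against it offline with Python's standard ipaddress module. The dictionary below is a constructed sample in the shape shown above, limited to the ranges visible on this page, and asn_networks and tag_ips are hypothetical helper names.

```python
import ipaddress

# Constructed sample shaped like the get_asn_details("AS3598") output above;
# only the ranges visible on the page are included (the real list is longer).
ASN_DETAILS = {
    "Autonomous Number": "AS3598",
    "AS Name": "MICROSOFT",
    "ranges": [
        "167.220.204.0/22",
        "157.57.0.0/16",
        "157.58.0.0/16",
        "157.58.31.0/24",
        "157.58.192.0/19",
        "157.59.0.0/16",
    ],
}

# Constructed log source addresses, including one malformed value.
LOG_IPS = ["157.58.31.7", "65.55.44.109", "167.220.207.255", "10.0.0.5", "not-an-ip"]


def asn_networks(asn_details):
    """Parse the 'ranges' list and merge overlapping or adjacent prefixes."""
    nets = [ipaddress.ip_network(r, strict=False) for r in asn_details.get("ranges", [])]
    # collapse_addresses rejects mixed IP versions, so collapse each separately.
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def tag_ips(ips, asn_details):
    """Return {ip: ASN string or None} for every syntactically valid IP."""
    networks = asn_networks(asn_details)
    asn = asn_details.get("Autonomous Number")
    tagged = {}
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # skip malformed log values rather than failing the batch
        hit = any(addr.version == net.version and addr in net for net in networks)
        tagged[raw] = asn if hit else None
    return tagged


if __name__ == "__main__":
    for ip, asn in tag_ips(LOG_IPS, ASN_DETAILS).items():
        print(f"{ip:18} {asn or '-'}")
```

Collapsing first matters because the returned list contains nested prefixes (157.58.31.0/24 sits inside 157.58.0.0/16), so the six sample ranges reduce to three networks before any address is tested.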
It is also possible to search ASNs based on the AS Name. For example, you can search for “Microsoft” to see a list of all ASNs that are associated with Microsoft with get_asns_from_name.
>>> from msticpy.context.ip_utils import get_asns_from_name
>>> get_asns_from_name("Microsoft")
{'AS3598': 'MICROSOFT-CORP-AS, US',
 'AS5761': 'MICROSOFT-CORP-MSN-AS-SATURN, US',
 'AS6182': 'MICROSOFT-CORP-MSN-AS-4, US',
 'AS6291': 'MICROSOFT-CORP-MSN-AS, US',
 'AS6584': 'MICROSOFT-GP-AS, US',
...