msticpy.context.tiproviders.riskiq module

RiskIQ Threat Intelligence Provider.

Input can be a single IoC observable or a pandas DataFrame containing multiple observables. Processing may require an API key, and processing performance may be limited to a specific number of requests per minute for your account type.

class msticpy.context.tiproviders.riskiq.RiskIQ(**kwargs)

Bases: TIProvider, TIPivotProvider

RiskIQ Threat Intelligence Lookup.

Instantiate RiskIQ class.

property ioc_query_defs: Dict[str, Any]

Return current dictionary of IoC query/request definitions.

Returns

IoC query/request definitions keyed by IoCType

Return type

Dict[str, Any]

classmethod is_known_type(ioc_type: str) → bool

Return True if this is a known IoC Type.

Parameters

ioc_type (str) – IoCType string to test

Returns

True if known type.

Return type

bool

is_supported_type(ioc_type: Union[str, IoCType]) → bool

Return True if the passed type is supported.

Parameters

ioc_type (Union[str, IoCType]) – IoC type name or instance

Returns

True if supported.

Return type

bool

lookup_ioc(ioc: str, ioc_type: Optional[str] = None, query_type: Optional[str] = None, **kwargs) → LookupResult

Lookup a single IoC observable.

Parameters
  • ioc (str) – IoC Observable value

  • ioc_type (str, optional) – IoC Type, by default None (type will be inferred)

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified the default record type for the IoC type will be returned.

Returns

The returned results.

Return type

LookupResult

lookup_iocs(data: Union[DataFrame, Dict[str, str], Iterable[str]], obs_col: Optional[str] = None, ioc_type_col: Optional[str] = None, query_type: Optional[str] = None, **kwargs) → DataFrame

Lookup collection of IoC observables.

Parameters
  • data (Union[pd.DataFrame, Dict[str, str], Iterable[str]]) – Data input in one of three formats:
    1. Pandas DataFrame (you must supply the column name in the obs_col parameter)
    2. Dict of observable: IoCType
    3. Iterable of observables (IoCTypes will be inferred)

  • obs_col (str, optional) – DataFrame column to use for observables, by default None

  • ioc_type_col (str, optional) – DataFrame column to use for IoCTypes, by default None

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified the default record type for the IoC type will be returned.

Returns

DataFrame of results.

Return type

pd.DataFrame

async lookup_iocs_async(data: Union[DataFrame, Dict[str, str], Iterable[str]], obs_col: Optional[str] = None, ioc_type_col: Optional[str] = None, query_type: Optional[str] = None, **kwargs) → DataFrame

Lookup collection of IoC observables.

Parameters
  • data (Union[pd.DataFrame, Dict[str, str], Iterable[str]]) – Data input in one of three formats:
    1. Pandas DataFrame (you must supply the column name in the obs_col parameter)
    2. Dict of observable: IoCType
    3. Iterable of observables (IoCTypes will be inferred)

  • obs_col (str, optional) – DataFrame column to use for observables, by default None

  • ioc_type_col (str, optional) – DataFrame column to use for IoCTypes, by default None

  • query_type (str, optional) – Specify the data subtype to be queried, by default None. If not specified the default record type for the IoC type will be returned.

Returns

DataFrame of results.

Return type

pd.DataFrame
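The three input formats accepted by lookup_iocs and lookup_iocs_async, flattened into (observable, IoCType) pairs. This is an added example, not msticpy's own code: resolve_ioc_type here is a simplified stand-in for the library's IoCExtract-based inference, and the type names (ipv4, dns, url, sha256_hash, ...) are assumed to follow msticpy's IoCType values.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple, Union

# Assumption: simplified inference, not msticpy's IoCExtract logic.
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
_HASH_TYPES = {32: "md5_hash", 40: "sha1_hash", 64: "sha256_hash"}


def resolve_ioc_type(observable: str) -> str:
    """Return an IoC type name, or 'unknown' if it cannot be determined."""
    obs = observable.strip()
    if obs.lower().startswith(("http://", "https://")):
        return "url"
    try:
        return "ipv4" if ipaddress.ip_address(obs).version == 4 else "ipv6"
    except ValueError:
        pass  # not an IP literal, keep testing other shapes
    if _HEX.match(obs) and len(obs) in _HASH_TYPES:
        return _HASH_TYPES[len(obs)]
    if _DOMAIN.match(obs):
        return "dns"
    return "unknown"


def normalize_iocs(
    data: Union[object, Dict[str, Optional[str]], Iterable[str]],
    obs_col: Optional[str] = None,
    ioc_type_col: Optional[str] = None,
) -> List[Tuple[str, str]]:
    """Flatten the three lookup_iocs input formats into (observable, type) pairs."""
    # 1. DataFrame: duck-typed on .columns/.to_dict so pandas is not imported here
    if hasattr(data, "columns") and hasattr(data, "to_dict"):
        if obs_col is None:
            raise ValueError("obs_col is required for DataFrame input")
        pairs = []
        for row in data.to_dict(orient="records"):
            obs = row[obs_col]
            typ = row[ioc_type_col] if ioc_type_col else resolve_ioc_type(obs)
            pairs.append((obs, typ))
        return pairs
    # 2. Dict of observable -> IoCType (a None type falls back to inference)
    if isinstance(data, dict):
        return [(obs, typ or resolve_ioc_type(obs)) for obs, typ in data.items()]
    # 3. Plain iterable of observables: every type is inferred
    return [(obs, resolve_ioc_type(obs)) for obs in data]
```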

property name: str

Return the name of the provider.

parse_results(response: LookupResult) → Tuple[bool, ResultSeverity, Any]

Return the details of the response.

Parameters

response (LookupResult) – The returned data response

Returns

  • bool – positive or negative hit
  • ResultSeverity – enumeration of severity
  • Object with match details

Return type

Tuple[bool, ResultSeverity, Any]

pivot_value(prop, host, **kwargs)

Perform a pivot on a single value.

register_pivots(pivot_reg: PivotRegistration, pivot: Pivot)

Register pivot functions for the TI Provider.

Parameters
  • pivot_reg (PivotRegistration) – Pivot registration settings.

  • pivot (Pivot) – Pivot library instance

static resolve_ioc_type(observable: str) → str

Return IoCType determined by IoCExtract.

Parameters

observable (str) – IoC observable string

Returns

IoC Type (or unknown if type could not be determined)

Return type

str

property supported_types: List[str]

Return list of supported IoC types for this provider.

Returns

List of supported type names

Return type

List[str]

classmethod usage()

Print usage of provider.

exception msticpy.context.tiproviders.riskiq.RiskIQAPIUserError(api_exception: passivetotal.analyzer.AnalyzerAPIError)

Bases: RiskIQUserError

RiskIQ API provider exception.

Create RiskIQ API exception.

Parameters

api_exception (ptanalyzer.AnalyzerAPIError) – Underlying API exception.

DEF_HELP_URI = ('msticpy documentation', 'https://msticpy.readthedocs.org')

args
property help_uri: Union[Tuple[str, str], str]

Get the default help URI.

classmethod no_display_exceptions()

Context manager to block exception display to IPython/stdout.

with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception msticpy.context.tiproviders.riskiq.RiskIQUserError(*args, help_uri: Optional[Union[Tuple[str, str], str]] = None, **kwargs)

Bases: MsticpyUserError

Generic RiskIQ provider exception.

Create RiskIQ provider exception.

Parameters

help_uri (Union[Tuple[str, str], str, None], optional) – Override the default help URI.

DEF_HELP_URI = ('msticpy documentation', 'https://msticpy.readthedocs.org')

args
property help_uri: Union[Tuple[str, str], str]

Get the default help URI.

classmethod no_display_exceptions()

Context manager to block exception display to IPython/stdout.

with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.