ipinfo.io to add #600

Open
adulau opened this issue Feb 9, 2023 · 3 comments
Comments

@adulau
Member

adulau commented Feb 9, 2023

No description provided.

@chrisr3d chrisr3d self-assigned this Feb 9, 2023
@chrisr3d
Member

chrisr3d commented Feb 21, 2023

I looked at the API responses and noticed there are some fields we cannot really parse.

Here are fields we could integrate, when it makes sense, with additions to MISP object templates or contextual data:

  • the abuse field
    -> provide information about the point of contact to report an abuse on the given IP address
  • the privacy field
    -> give information on the methods used to mask a user's true IP address

The full response for the highest paid plan looks like the following:

```json
{
    "ip": "8.8.8.8",
    "hostname": "dns.google",
    "city": "Mountain View",
    "region": "California",
    "country": "US",
    "loc": "37.4056,-122.0775",
    "postal": "94043",
    "timezone": "America/Los_Angeles",
    "asn": {
        "asn": "AS15169",
        "name": "Google LLC",
        "domain": "google.com",
        "route": "8.8.8.0/24",
        "type": "business"
    },
    "company": {
        "name": "Google LLC",
        "domain": "google.com",
        "type": "business"
    },
    "privacy": {
        "vpn": false,
        "proxy": false,
        "tor": false,
        "relay": false,
        "hosting": false,
        "service": ""
    },
    "abuse": {
        "address": "US, CA, Mountain View, 1600 Amphitheatre Parkway, 94043",
        "country": "US",
        "email": "network-abuse@google.com",
        "name": "Abuse",
        "network": "8.8.8.0/24",
        "phone": "+1-650-253-0000"
    },
    "domains": {
        "ip": "8.8.8.8",
        "total": 10524,
        "domains": [
            "41.cn",
            "mcqs.az",
            "etempurl.com",
            "ftempurl.com",
            "proxyie.cn"
        ]
    }
}
```

There are also additional API endpoints that could be used to extend the enrichment information on the given initial IP address even further, like:

Ultimately, there are 2 additional API endpoints that could be interesting (?):

Besides the domain-ip, asn and geolocation objects, which we can already extract from the standard API response in a pretty straightforward way, let me know what you think of the additional points mentioned above, and if you see something else we could add that I did not mention, or if there are already things we can use with existing templates or contextual data that I missed here.
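To make the mapping discussed in this comment concrete, here is an added example (not code from misp-modules or pymisp) that takes the sample response above and turns it into MISP-style objects. It assumes the `geolocation`, `asn` and `domain-ip` relation names as I recall them from the MISP object templates (check the templates before relying on them), treats the `abuse` object as a hypothetical template that simply mirrors the API keys, and returns the `privacy` flags as plain strings because no template or taxonomy exists for them yet. pymisp is deliberately not used so the example runs offline; the dicts have the same shape a `MISPObject` would serialise to.

```python
"""Map an ipinfo.io standard-endpoint response onto MISP-style objects."""
import ipaddress
import json

# Constructed sample: the response quoted in this issue, minus the "company"
# block, which is not mapped here.
SAMPLE_RESPONSE = json.dumps({
    "ip": "8.8.8.8", "hostname": "dns.google", "city": "Mountain View",
    "region": "California", "country": "US", "loc": "37.4056,-122.0775",
    "postal": "94043", "timezone": "America/Los_Angeles",
    "asn": {"asn": "AS15169", "name": "Google LLC", "domain": "google.com",
            "route": "8.8.8.0/24", "type": "business"},
    "privacy": {"vpn": False, "proxy": False, "tor": False, "relay": False,
                "hosting": False, "service": ""},
    "abuse": {"address": "US, CA, Mountain View, 1600 Amphitheatre Parkway, 94043",
              "country": "US", "email": "network-abuse@google.com", "name": "Abuse",
              "network": "8.8.8.0/24", "phone": "+1-650-253-0000"},
    "domains": {"ip": "8.8.8.8", "total": 10524,
                "domains": ["41.cn", "mcqs.az", "etempurl.com", "ftempurl.com",
                            "proxyie.cn"]},
})


def _obj(name, attributes):
    """Stand-in for pymisp.MISPObject: object name plus (relation, type, value)
    triples. Empty values are dropped so optional API fields never become
    empty attributes."""
    return {
        "name": name,
        "Attribute": [
            {"object_relation": rel, "type": typ, "value": val}
            for rel, typ, val in attributes
            if val not in (None, "")
        ],
    }


def parse_geolocation(data):
    """geolocation object (relation names assumed from the MISP template)."""
    lat, lon = (float(x) for x in data["loc"].split(","))
    return _obj("geolocation", [
        ("city", "text", data.get("city")),
        ("region", "text", data.get("region")),
        ("countrycode", "text", data.get("country")),
        ("zipcode", "text", data.get("postal")),
        ("latitude", "float", lat),
        ("longitude", "float", lon),
    ])


def parse_asn(data):
    """asn object; the announced route maps onto subnet-announced."""
    asn = data["asn"]
    return _obj("asn", [
        ("asn", "AS", asn.get("asn")),
        ("description", "text", asn.get("name")),
        ("subnet-announced", "ip-src", asn.get("route")),
    ])


def parse_domain_ips(data):
    """One domain-ip object for the hostname and one per entry of the
    'domains' list. The IP is validated first so a malformed API value can
    never be stored as an ip-dst attribute."""
    ip = str(ipaddress.ip_address(data["ip"]))
    names = []
    if data.get("hostname"):
        names.append(("hostname", "hostname", data["hostname"]))
    names += [("domain", "domain", d)
              for d in data.get("domains", {}).get("domains", [])]
    return [_obj("domain-ip", [(rel, typ, val), ("ip", "ip-dst", ip)])
            for rel, typ, val in names]


def parse_abuse(data):
    """Hypothetical 'abuse' object mirroring the API keys (no template yet)."""
    abuse = data.get("abuse", {})
    return _obj("abuse", [
        ("name", "text", abuse.get("name")),
        ("email", "email", abuse.get("email")),
        ("phone", "phone-number", abuse.get("phone")),
        ("address", "text", abuse.get("address")),
        ("network", "ip-src", abuse.get("network")),
        ("country", "text", abuse.get("country")),
    ])


def privacy_flags(data):
    """Sorted names of the privacy methods reported true, plus the service
    name when present; candidates for a future template or taxonomy."""
    privacy = data.get("privacy", {})
    flags = sorted(k for k, v in privacy.items() if v is True)
    if privacy.get("service"):
        flags.append("service:" + privacy["service"])
    return flags


def parse_ipinfo(raw):
    """Map one response (JSON string or parsed dict) onto all objects above."""
    data = json.loads(raw) if isinstance(raw, str) else raw
    return {
        "geolocation": parse_geolocation(data),
        "asn": parse_asn(data),
        "domain-ip": parse_domain_ips(data),
        "abuse": parse_abuse(data),
        "privacy": privacy_flags(data),
    }


if __name__ == "__main__":
    print(json.dumps(parse_ipinfo(SAMPLE_RESPONSE), indent=2))
```

For the sample above this yields one geolocation object, one asn object, six domain-ip objects (the hostname plus the five entries of `domains`), the abuse object, and an empty privacy list since every flag is false. Dropping empty values in `_obj` matters because the free plan omits most of these keys and an empty `service` string should not become an attribute.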

chrisr3d added a commit that referenced this issue Feb 21, 2023
- First version addressing the request from #600
- Straightforward parsing of the `geolocation`,
  `domain-ip` and `asn` information returned by
  the standard API endpoint (ipinfo.io/{ip_address})
@adulau
Member Author

adulau commented Feb 21, 2023

Oh cool! The domains key is interesting, it seems like a weak passive DNS.

@adulau
Member Author

adulau commented Feb 22, 2023

So we could create a new abuse object template (we could review it with @rommelfs). Maybe we could also add the company information with ftm-company (https://www.misp-project.org/objects.html#_ftm_company)? The privacy one is also interesting. Should we go for a new object template or a taxonomy?
