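commonfields:
  id: ipinfo
  version: -1
name: ipinfo
system: true
display: ipinfo
category: Data Enrichment & Threat Intelligence
# Explicit empty string: a bare `image:` is parsed as null, not as "".
image: ""
description: Use the ipinfo.io API to get data about an IP address
defaultEnabled: true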
configuration:
  # Proxy toggle (parameter type 8 is the boolean type); passed to http() as params.proxy.
  - name: proxy
    display: Use system proxy settings
    type: 8
    required: false
    defaultvalue: "false"
  # ipinfo.io API token (parameter type 4 is the encrypted type); appended as
  # the `token` query parameter when set.
  - name: token
    display: API Token (optional)
    type: 4
    required: false
    defaultvalue: ""
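script:
  script: |-
    // ipinfo.io enrichment. command, args, params, http, entryTypes,
    // formats and objToMd are globals supplied by the script runtime.

    // TLS endpoint: the optional API token travels with every request, so
    // it must not go over plaintext HTTP.
    var base = 'https://ipinfo.io/';

    // Accept only characters that can occur in an IPv4/IPv6 literal before
    // the value is placed in the request path, so a crafted argument cannot
    // change the endpoint or the query string.
    var ipPath = function(ip) {
        if (!/^[0-9A-Fa-f.:]+$/.test(String(ip))) {
            throw 'Invalid ip argument: ' + ip;
        }
        return ip;
    };

    // GET url. Throws on any non-2xx status. When json is true and a body
    // is present the parsed body is returned; otherwise the raw body.
    var sendRequest = function(url, json) {
        var res = http(
            url,
            {
                Method: 'GET',
            },
            false,        // insecure=false: the server certificate is verified
            params.proxy
        );
        if (res.StatusCode < 200 || res.StatusCode >= 300) {
            throw 'Failed to query ipinfo, request status code: ' + res.StatusCode + ' and Body: ' + res.Body + '.';
        }
        return json && res.Body ? JSON.parse(res.Body) : res.Body;
    };

    // Query-string suffix carrying the token; empty when none is configured.
    var token = params.token ? '?token=' + encodeURIComponent(params.token) : '';
    var jsonSuffix = '/json' + token;

    switch (command) {
        case 'test-module':
            if (sendRequest(base + '8.8.8.8' + jsonSuffix, true)) {
                return 'ok';
            }
            return 'not cool';
        case 'ip':
            var o = sendRequest(base + ipPath(args.ip) + jsonSuffix, true);
            var ec = {IP: {Address: o.ip, Hostname: o.hostname, ASN: o.org, Geo: {
                Location: o.loc, Country: o.country, Description: o.city + ', ' + o.region + ', ' + o.postal + ', ' + o.country}}};
            // ipinfo supplies no reputation verdict, so the score is always 0.
            ec.DBotScore = {Indicator: args.ip, Type: 'ip', Vendor: 'ipinfo', Score: 0};
            var reply = [{Type: entryTypes.note, Contents: o, ContentsFormat: formats.json, HumanReadable: objToMd(o), EntryContext: ec}];
            if (o.loc) {
                // loc is "lat,lng"; add a map entry alongside the note.
                var parts = o.loc.split(',');
                reply.push({Type: entryTypes.map, Contents: {lat: parseFloat(parts[0]), lng: parseFloat(parts[1])}, ContentsFormat: formats.json});
            }
            return reply;
        case 'ipinfo_field':
            // field is a single path segment; encode it so it cannot carry '/' or '?'.
            return sendRequest(base + ipPath(args.ip) + '/' + encodeURIComponent(args.field) + token, false);
    }
  type: javascript
  commands:
    - name: ip
      arguments:
        - name: ip
          required: true
          default: true
          description: IP address to query. E.g. !ip 1.1.1.1
      outputs:
        - contextPath: IP.Address
          description: The IP address
        - contextPath: IP.Hostname
          description: The IP hostname
        - contextPath: IP.ASN
          description: The IP ASN
        - contextPath: IP.Geo.Location
          description: The IP geographic location in coordinates
        - contextPath: IP.Geo.Country
          description: The IP country
        - contextPath: IP.Geo.Description
          description: The IP location as <City, Region, Postal Code, Country>
      # Generic !ip command text; this integration returns enrichment only
      # and always sets DBotScore.Score to 0.
      description: >-
        Check IP reputation (when information is available, returns a JSON
        with details). Uses all configured Threat Intelligence feeds
    - name: ipinfo_field
      arguments:
        - name: ip
          required: true
          default: true
          description: IP address to query. E.g. !ip 1.1.1.1
        - name: field
          required: true
          auto: PREDEFINED
          predefined:
            - geo
            - loc
            - city
            - region
            - country
            - org
            - hostname
            - phone
          description: Name of the field to retrieve. Can be org, city, geo, etc.
      description: Retrieve value for a specific field from the IP address information
  runonce: false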