Query announces the IP-API Geolocation API Connector!

IPAPI is a free-to-use online service that exposes several APIs, the most useful being the Geolocation API, which provides geolocation, ASN, ISP, BGP/RIR, reverse DNS, and hosting information for nearly every public IPv4 and IPv6 address.

Query normalizes this information into a distinct entry per IP address to provide decision support to analysts using the Query Federated Search platform. Instead of having to enrich every single record, you can filter and pivot on the IPAPI data directly, and a result is always returned no matter how many records match a given IP address or set of IP addresses.

All federated searches have their queries and results expressed in terms of the Query Data Model (QDM), which is based on the Open Cybersecurity Schema Framework (OCSF). Each API source is normalized into a specific QDM/OCSF Event Class to standardize the data for increased situational awareness, easier aggregation and filtering, and simple pivoting.

API source and its QDM/OCSF Event Class:

Geolocation API -> OSINT Inventory Info

When searching for any IP Address in Query Federated Search, if there is a match in the IPAPI Geolocation API, then the result is brought back and collated without any configuration needed. This can be useful information for analysts making decisions about potentially malicious or otherwise anomalous IP addresses.

For instance, while searching or pivoting on IP addresses found in network activity from Amazon VPC Flow Logs in Amazon Security Lake, or in authentication logs from the Google Workspace Reports API, you will receive matches from IPAPI by default whenever it is available. The Geolocation, ASN, and BGP/RIR metadata can help determine impossible travel or assess the potential maliciousness of an otherwise unknown IP address in your log and event data.

For more information, refer to our documentation here.