[Bug]: RiskIQ TI Provider does not seem functional anymore and docs for config and API access are out of date #820

@JPvRiel

Description

Describe the bug

RiskIQ was acquired by Microsoft. At some point api.passivetotal.org might have stopped working. When attempting to use a TI lookup with this provider, I get a TLS error for using that endpoint.

To Reproduce

Config

Azure:
  auth_methods:
  - cli
  - devicecode
  cloud: global
TIProviders:
  RiskIQ:
    Primary: true
    Provider: RiskIQ

Code

import numpy as np  # Silent undocumented dependency that causes warnings if not loaded
import msticpy as mp

mp.init_notebook()
ti = mp.TILookup()
ti.lookup_item(item='20.54.231.124', providers=['RiskIQ'])

Expected behavior

I expected to get at least a response that I'm not authorized to use the API and require credentials.

Screenshots and/or Traceback

2025-01-30 17:49:00,860: WARNING - Certificate did not match expected hostname: api.passivetotal.org. Certificate: {'subject': ((('countryName', 'US'),), (('stateOrProvinceName', 'WA'),), (('localityName', 'Redmond'),), (('organizationName', 'Microsoft Corporation'),), (('commonName', '*.azureedge.net'),)), 'issuer': ((('countryName', 'US'),), (('organizationName', 'Microsoft Corporation'),), (('commonName', 'Microsoft Azure RSA TLS Issuing CA 04'),)), 'version': 3, 'serialNumber': '330182F0C508084CF4688786E300000182F0C5', 'notBefore': 'Jan 18 14:39:25 2025 GMT', 'notAfter': 'Jul 17 14:39:25 2025 GMT', 'subjectAltName': (('DNS', '*.azureedge.net'), ('DNS', '*.media.microsoftstream.com'), ('DNS', '*.origin.mediaservices.windows.net'), ('DNS', '*.streaming.mediaservices.windows.net')), 'OCSP': ('http://oneocsp.microsoft.com/ocsp',), 'caIssuers': ('http://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004%20-%20xsign.crt',), 'crlDistributionPoints': ('http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004.crl',)} (connection#547)

Traceback

Observables processed: 0%
0/1 [00:00<?, ?obs/s]
2025-01-30 17:49:00,860: WARNING - Certificate did not match expected hostname: api.passivetotal.org. Certificate: {'subject': ((('countryName', 'US'),), (('stateOrProvinceName', 'WA'),), (('localityName', 'Redmond'),), (('organizationName', 'Microsoft Corporation'),), (('commonName', '*.azureedge.net'),)), 'issuer': ((('countryName', 'US'),), (('organizationName', 'Microsoft Corporation'),), (('commonName', 'Microsoft Azure RSA TLS Issuing CA 04'),)), 'version': 3, 'serialNumber': '330182F0C508084CF4688786E300000182F0C5', 'notBefore': 'Jan 18 14:39:25 2025 GMT', 'notAfter': 'Jul 17 14:39:25 2025 GMT', 'subjectAltName': (('DNS', '*.azureedge.net'), ('DNS', '*.media.microsoftstream.com'), ('DNS', '*.origin.mediaservices.windows.net'), ('DNS', '*.streaming.mediaservices.windows.net')), 'OCSP': ('http://oneocsp.microsoft.com/ocsp',), 'caIssuers': ('http://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004%20-%20xsign.crt',), 'crlDistributionPoints': ('http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004.crl',)} (connection#547)
---------------------------------------------------------------------------
CertificateError                          Traceback (most recent call last)
File ~/.venv/secnb/lib/python3.11/site-packages/urllib3/connectionpool.py:714, in HTTPConnectionPool.urlopen(self, method, url, body, headers, retries, redirect, assert_same_host, timeout, pool_timeout, release_conn, chunked, body_pos, **response_kw)
...
SSLError: HTTPSConnectionPool(host='api.passivetotal.org', port=443): Max retries exceeded with url: /v2/cards/summary?query=20.54.231.124 (Caused by SSLError(CertificateError("hostname 'api.passivetotal.org' doesn't match either of '*.azureedge.net', '*.media.microsoftstream.com', '*.origin.mediaservices.windows.net', '*.streaming.mediaservices.windows.net'")))

Environment (please complete the following information):

  • Python Version: 3.11
  • OS: Ubuntu
  • Python environment: Python virtual env
  • MSTICPy Version: 2.15.0

Additional context

It's somewhat unclear now how to go about getting credentials for RiskIQ API access to enable this provider.

See: https://learn.microsoft.com/en-us/connectors/riskiqpassivetotal/#how-to-get-credentials

Register for a test API key at RiskIQ Security Intelligence Services or contact your account representative (support@riskiq.com) to identify your existing customer keys.

RiskIQ Security Intelligence Services link is broken. https://api.riskiq.net/api/concepts.html doesn't seem to be a valid site anymore.

These docs and any others I tried to find seem out of date, and there's no up-to-date info on how to get authenticated to and make use of RiskIQ with msticpy.
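The failure in the traceback is a TLS hostname check: the endpoint at api.passivetotal.org now serves a certificate whose Subject Alternative Names are all Azure CDN wildcards, so no name matches and urllib3 correctly refuses the connection. The following is an added example (not code from the issue author or from the msticpy project) that reproduces that check offline against the SAN list copied from the warning line, so a reader can see exactly why the provider fails and how wildcard matching behaves. The `probe_live` helper is a hypothetical diagnostic that fetches a server's real certificate and runs the same comparison; it needs network access and is not exercised by the offline checks.

```python
import socket
import ssl
from typing import Iterable, Tuple

# Subject Alternative Name entries copied from the certificate dump in the
# issue's warning line. Constructed test input for this example; the live
# endpoint may serve something different by the time you read this.
OBSERVED_SAN: Tuple[Tuple[str, str], ...] = (
    ("DNS", "*.azureedge.net"),
    ("DNS", "*.media.microsoftstream.com"),
    ("DNS", "*.origin.mediaservices.windows.net"),
    ("DNS", "*.streaming.mediaservices.windows.net"),
)


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one SAN dNSName against a hostname.

    A wildcard is honoured only when it is the entire leftmost label, it
    matches exactly one label (so '*.azureedge.net' does not cover
    'a.b.azureedge.net'), and it is never allowed to match a bare
    second-level name. Comparison is case-insensitive; trailing dots are
    ignored.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # wildcard not leftmost / not a whole label, or too short
    if len(p_labels) != len(h_labels):
        return False  # wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san: Iterable[Tuple[str, str]]) -> bool:
    """True if any DNS entry in the SAN list covers `hostname`."""
    dns_names = [value for kind, value in san if kind == "DNS"]
    return any(_pattern_matches(name, hostname) for name in dns_names)


def explain(hostname: str, san: Iterable[Tuple[str, str]]) -> str:
    """Human-readable verdict in the same shape as the CertificateError text."""
    san = tuple(san)
    if hostname_matches(hostname, san):
        return f"hostname '{hostname}' is covered by the certificate's SAN list"
    names = ", ".join(repr(v) for k, v in san if k == "DNS")
    return f"hostname '{hostname}' doesn't match either of {names}"


def probe_live(host: str, port: int = 443, timeout: float = 5.0):
    """Hypothetical diagnostic: fetch the certificate a server actually
    presents and run the same SAN comparison on it. The chain is still
    validated against the system trust store; only the name check is moved
    out of the handshake so the mismatching certificate can be inspected.
    Requires network access; not run by the offline checks."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    san = tuple(cert.get("subjectAltName", ()))
    return hostname_matches(host, san), explain(host, san)


if __name__ == "__main__":
    print(explain("api.passivetotal.org", OBSERVED_SAN))
    print(explain("cdn.azureedge.net", OBSERVED_SAN))
```

Running the module prints the mismatch verdict for api.passivetotal.org and a match for a direct child of azureedge.net, which is the difference between the provider's configured endpoint and what the CDN certificate is willing to vouch for. Disabling hostname verification in msticpy's HTTP client would silence the error but would not make the API answer, so the fix lies in the provider's endpoint configuration rather than in TLS settings.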
