Query IP reputation
Fixes #12
cudeso committed Nov 5, 2023
1 parent 77682bc commit f5ae3f6
Showing 3 changed files with 4,314 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -25,6 +25,7 @@ The repository contains these playbooks
| **Malware triage** | A playbook to provide an analyst sufficient information to do basic malware triage on one or more samples. Samples are **attached** to a MISP event (with file object relations). VirusTotal and MalwareBazaar are used to get the **detection rate**, **threat classification** and **sandbox** information. Hashlookup is used to check for **known hashes**. PEfile analysis is done for **imports** and **exports**. The results are stored in **MISP reports** and as MISP objects where relevant. Correlations with MISP events or data feeds are added to a summary. The sample is shared with a local instance of **MWDBcore**.| [MISP Playbook](misp-playbooks/pb_malware_triage.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_malware_triage-with_output.ipynb) | [2](https://github.com/MISP/misp-playbooks/issues/2)|
| **Threat actor profiling** | Query MISP events associated with a specific threat actor. <br />Summarises the galaxies, clusters and tags from the MISP events, lists the vulnerabilities (CVE) and the actionable indicators.<br /> Optionally query the MITRE TAXII server to get a list of associated techniques and software.<br>Results are stored in the playbook and sent to Mattermost and TheHive.| [MISP Playbook](misp-playbooks/pb_threat_actor_profiling.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_threat_actor_profiling-with_output.ipynb) | [26](https://github.com/MISP/misp-playbooks/issues/26)|
| **Query CVE information** | Query MISP events for the use of specific CVEs. List these events with their context (galaxies, focus on MITRE ATT&CK).<br>Query public sources (CVE search, vulners, XForceExchange, exploitdb) for additional CVE information.<br>Results are stored in the playbook, in a MISP event and sent to Mattermost and TheHive.| [MISP Playbook](misp-playbooks/pb_query_cve_information-with_output.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_query_cve_information.ipynb) |[25](https://github.com/MISP/misp-playbooks/issues/25)|
| **Query IP reputation** |Query for the reputation of one or more IPs. It combines the reputation scores from **VirusTotal**, **Shodan**, **Greynoise** and **AbuseIPDB** into one **MISP report**. The playbook adds the known associated domains, the abuse contacts and the geo information from **MMDB**. All information is added to a MISP event, summarised and send to Mattermost and TheHive.|[MISP Playbook](misp-playbooks/pb_query_ip_reputation.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_query_ip_reputation-with_output.ipynb)|[12](https://github.com/MISP/misp-playbooks/issues/12) |
| **Query domain reputation** |Query enabled OSINT feeds and MISP events for matches with one or more domain name(s).<br>Query URLscan for historical scans related to these domains and extract screenshots.<br>Use MISP modules to look up the DNS resolutions and query VirusTotal, Shodan and URLhaus for information related to the domains.<br>Results are stored in the playbook, in a MISP event and sent to Mattermost and TheHive.|[MISP Playbook](misp-playbooks/pb_query_domain_reputation.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_query_domain_reputation-with_output.ipynb)|[13](https://github.com/MISP/misp-playbooks/issues/13) |
| **Create a custom MISP warninglist** |Create a custom MISP warninglist with a set of entries provided by the analyst as input. A check is done if the warninglist already exists. If the warninglist exists then the entries are added to the existing warninglist. When the warninglist is created the MISP events are queried for matches ('retro-search').<br>Query Shodan and VirusTotal for matches with entries in the warninglist. The result of the creation of the warninglist as well as the matches is summarised aand sent to Mattermost and added as an alert in TheHive. |[MISP Playbook](misp-playbooks/pb_create_custom_MISP_warninglist.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_create_custom_MISP_warninglist-with_output.ipynb)|[7](https://github.com/MISP/misp-playbooks/issues/7)|
| **Retroscan with a MISP warninglist** |This playbook does a **retroscan** to check for attributes matching the values in a warninglist. You can then disable the to_ids flag or add a tag or comment. This playbook is often used for **threat intelligence curation** when you add a new warninglist to MISP.<br />The results are summarised, sent to Mattermost and added as an alert in TheHive.|[MISP Playbook](misp-playbooks/pb_retroscan_with_MISP_warninglist.ipynb)<br><br>[MISP Playbook with output](misp-playbooks/pb_retroscan_with_MISP_warninglist-with_output.ipynb)|[8](https://github.com/MISP/misp-playbooks/issues/8)|
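Review bot: the new Query IP reputation row ends with "summarised and send to Mattermost and TheHive"; "send" should be "sent". The surrounding rows also close with a fixed phrasing ("Results are stored in the playbook, in a MISP event and sent to Mattermost and TheHive"), so rewording the last sentence of this row to match would keep the table consistent. While editing this part of the table, the neighbouring Query CVE information row (unchanged context) has its two notebook links swapped: the "MISP Playbook" cell points at pb_query_cve_information-with_output.ipynb and the "MISP Playbook with output" cell at pb_query_cve_information.ipynb; the other rows use the plain notebook first and the -with_output notebook second.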