forked from demisto/content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathintegration-IsItPhishing.yml
195 lines (183 loc) · 10.4 KB
/
integration-IsItPhishing.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
commonfields:
id: IsItPhishing
version: -1
name: IsItPhishing
display: IsItPhishing
category: Data Enrichment & Threat Intelligence
image: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAATCAYAAABbV8lLAAAKYklEQVR4Ac2adVQjydeG67fu7u7u7jsKJOmEMOvuHAYI6QRbd3d39w0knU6Q8Zl1d3d3d1++5+1J7wdDmOVssufMH88habl1731LblUw4USuT1S39PSFEl27ghGBWHqVkJ272kq431m2+0vQzt9dFe/cDIxPJOleXtM2qS8K4ebcftiZUt3SK3tFqWmf3GfZ2YaI7e5c3Trh7+uRZL7PSuTeC8bSp42ovXMZMIAf2SuibRP7RCjuHghGBJsyVZHmnr5o60Ts5RwwVXZmR9mKyq7tTgLjUZtfKNjUmbRs5zXuy86LwaZsg66DEUHbTeJPoZ3sKWCEcoCNT2STNl7b+XB30dENmaX5/G51a6/aeXdMbWrxcCyze5gYZF92QrZ7MxhB7k6WXV1XO2BEIHDp/PhxpJXIP6N3rbj7ltXktI041FkCTLkoKnCwIbMe116TWJHmbt0jcd7nb6ymziAYKJvAvshKGh3qmVG1d68NpQpMgDctQBLvwH/sdykO6BWI4KQDsdsXg/IKjF8I+5xvu5jAW9des1DAzt4uf/z8Vnt/id92ZgTrUyuAKQPFBQ7TAyUGSSGI3BfcfyqccH8loRppL/vOFxF4Rk3bZAWpd/uJ1+Vd2+OY6dhzYr7AvrC6p/b1mXaV5LvAQEkChxo7K/32+f4HMTxHwt/XdyUzEOtshLIKrBho46eqhsyOUFTgysbsYdUtExDXy++PvPckef0Svwo+ZM4GUwYGCqzE73Vyaj6JqATg9A+BRG53Y8z/GFnHR2eK8meoKbsTzCKwcxD3Nq5un7hTdbJrp3Aif360kDSu36Zre7ZP3anSTq9IJxqjgNUGz03jHvacWp77DrGVoA+3P+D2xUJ29tISBOY55yS1odj4fDEjZ94x49NrMR2+jN+y2eXZi2cT5RIYCp0n3QwI7AyeouNuGt/Jb9dfWi7AVIzvCPDuT7yLD86TeyVSC4IplQECK9GBWM9ioYT7sRpC6He2j126GJhwMrdDTfsUbxSGku5eMEBgK5k9GIxPJJGr5Z5GpOyfAcYnFO+qVMAKkrbuASNI/MNqV6OtojG1ZtB2Li5FYE3x8k3Xx8Qy48AIOk7Hnsffr+feAL7n7PIJnJfAstMNLGXuSbMKbCWyT8ycjrO/VjR2bgAmQIfW7FK4/mkglloWTKkMEriiZeLCjNb39F3TRrAhvTqYqO0sEW3uieJsNNLmrgSzFRib9f0EPnsogWmrA4xAkAcLa/hfgZizdskCxzNnqB3NCrxTB0aE7fxW0bYpUSuZHw0mmMiVaQTn9dwv/P0DsT4YfeSdy9Npjx8scK4gMMVrsns9MFr2WEK+2OOYGbr+Y0VdZjkwpTJA4HBzfhdj+v5HA1MJqtATMyeCKcIcL3BVU7omnJhZXFnY3p4kghlI+YosCiaJ8yz334kku/+qxM9wPHv07ASuirvrg1cQkoPToi0TLrPiubNG1KcWAVMSQxdZzkE4UCiOur6vtrN7gpmVsgtsOw957bLODxK4yd0XjGA7MXpYVTSzDkI976/DgSbnmo33Ss0Hpj+zCHyiL7BGETY/Hq7AagdbXcSSV9ys7ecyRR8zHIH/K4oKvBdJCMadPMKpV6oY+MGK5/cB058yCXwXmFGJ1MpMZx8W1uAvRh98y9KMukuUHHU0kvIS7073sHPPktBh7YMDsWyY93+lQxSm6uxVFQfdujAYH1/gQuX/tt8OPAS/kpvhCYwNaokU9o5R3GyX7mPGUbE5bIFHH3X3ekE7e3VlIrUUmFIpKrDQIo+z05RERIauXwPxzFFgfEoVWAlHrOcp4I5D5AeZ1rxRxBQ1BQzFxuWFKtwTc9zRUzz8wmk4AotQLG2Hk92/EIdfAN3Vfwr0BfYrYL8d+e5PvcMRWG2rgKNAHIWtP+iwXyBWjjiHJXBlfXokfr7J/R8q6m5dDgxo+l6CuuFItmAnB+Pp3bTTIWd2tKXnBDrRCaFYdgygWc/8Gojh5p5TQnbXOB2mDCmwUC9C5F5vz6aR3Nz9czCeGQsGShbYaxe7NRINIWWHIL4OkDDwquBSR7DPzG1Y3hPZEyLmXHTyyX1zQdlGsOySr8zog/WM+x6x/BmiUOXekAJbTfl1VfdUNWYSmillg+uf+VW0tnZ878DvX7DzDu/+HGrIHMLnb3j+50gi/yp1xh9sA/cmX2dXN3t+vYLfP2rQzFZgUdFy68Jy2i+66JXPaisF5RAY3N/CiKotmWXnXfVQMEICl7IGzwojt55Z4jeJLLGrbGcElGsN9gXOSjCLkavviKw4iwpM7D8FG1ObhmKZdmLqZlR+h28DBI4c6S6vTsZIvWdMPLWaOiG+peQX+cnIH80WrPd3M8rfQNSnWWLnxsYte5/4cN8/CixG1OaX4ZlXNNWoh+CIBaWvwWAlXbfmmClL+52mP6WfRQ+GQ4bribUwnTrXANukshx0FGy6Lhitw/6x7VACazQyNW9m1aVW1kBSJ+f6AIGD9d0rhG0GQcK5rdDhKN6cTl/gHfdKLahBQsdK89zbdKgHgVjTW9UcPfnwgQLrRGl815J874629kzixevVG0FTcqtfGBHAqVCWIiucdFNgivCvBSZBE7TGquDx4rBz94TG37EkmIr6jp2U2EIiHwP/oKO8Ajekd6Od3/0DkKH3wZn1wHCusCj5fq+owIxgi7Pr0XFvNHvrPH8/wM6jYTqn4gna3g8X70QS7n06uxjXPjlE/sYMEJgpckcddPOdImOqetibYACBOyxGsF9InAfl3SYN5t+P4Ljbqy0SAn9DsSQhvlFcgMB3rYrtrwoj6CX4TwTWIQdCvUbOBgnM98f7r8HgLYUI/K6uI9qn/yQw39/R7oDR+hPLzSfBRnebCCdhxDNFhRax/Al9g06y1JMs76jSc+wrGtkITMDOna7GJWYo4TTDHCswf3tVQZKI5+SzkkAlHQLD4UO1ElYQYzL8JwJ7NGU7aH+QwIw25+9zfY5QwYyp69wSob7W8/JbgsPsRvDHWue1hlNk/UUReQPX3kKTB/dKsQYn8pcp/4NOskDOpWvaJxUKBPdti2FP4z+rAKDX/FbJ/A5zssATgVlH++hJfnX8ucW+FD7Xd70bjGVawT+qLLvAVLbxogI3unUzt59dsvsZOZ7q/8olf+U3GFFTN5F1N/87Yt66C8sMn72fOiUwQruqXbQGW6zHXHuHz4+AYVm6aFz7lOJF1tj61Bb0gDflnKYY/ySICvQPjB4HZk6eov0ia2yjuxJV9yMR+U/n/P94vAOPnKZx8Kvosgtc0dSxk34ORLgBAqs+YHRn/Lz2/0t8D3jLZDK3Bz5fiP3VQmx3GFzvI25KMVqNTlskmftUAqtm4vpv+HQrz91GXn6mzasjCa/DfDNkFV1Rn10VZy729nHetJCbXhXPVoLxmdMFFhKRKfBERsjrMwue7IscgzaW/z86BgusZ4njTcQZILDQoQR7/aNYM59BIO8/OgLx7LF+p+Og50b9cqcirGp8an2eeUl5Zv9+vnY1iPitpugRI06eR75xvJxVlc31SfrVjzy5eu//AM0GS8m1Zz4oAAAAAElFTkSuQmCC
description: Collaborative web service that provides validation on whether a URL is
a phishing page or not by analyzing the content of the webpage
configuration:
- display: Server URL (e.g. https://192.168.0.1)
name: url
defaultvalue: https://ws.isitphishing.org
type: 0
required: false
- display: Customer's name
name: name
defaultvalue: ""
type: 0
required: true
- display: Customer's License
name: license
defaultvalue: ""
type: 0
required: true
- display: Use system proxy settings
name: proxy
defaultvalue: "true"
type: 8
required: false
- display: Trust any certificate (unsecure)
name: insecure
defaultvalue: "false"
type: 8
required: false
script:
script: |+
var auth = 'Bearer ' + btoa(params.name + ':' + params.license);
var sendRequest = function(method, api, body) {
var url = params.url;
var requestUrl = url.replace(/[\/]+$/, '') + '/' + api;
var res = http(
requestUrl,
{
Method: method,
Headers: {
'Authorization': [auth],
'Content-Type': ['application/x-www-form-urlencoded']
},
Body: encodeToURLQuery(body).substring(1)
},
params.insecure,
params.proxy
);
if (res.StatusCode < 200 || res.StatusCode >= 300) {
throw 'Request Failed.\nStatus code: ' + res.StatusCode + '.\nBody: ' + JSON.stringify(res) + '.';
}
return res;
};
var isPhishing = function(url, force, smart, area, timeout) {
var md;
var body = {
name: params.name,
license: params.license,
version: '2',
force: force,
url: url,
area: area,
timeout: timeout
};
if (!area) {
delete body.area;
}
if (!timeout) {
delete body.timeout;
}
var res = sendRequest('POST', 'check', body);
var ec = {
IsItPhishing: {Url: url},
DBotScore: {
Indicator: url,
Score: 0,
Type: 'url',
Vendor: 'IsItPhishing'
}
};
var resBody = res.Body.trim();
if (resBody.substring(0,17) == 'TOO_MANY_REQUESTS') {
md = 'You have reached the maximum number of requests for your license. You must wait for the returned period of time' + resBody.substring(17) + 'before running requests again.';
ec.IsItPhishing.Status = 'TOO_MANY_REQUESTS';
}
if (resBody.substring(0,5) == 'ERROR') {
md = 'An error has occurred. Please refer to the description of the error indicated in the' + resBody.substring(0,5) + 'value.';
ec.IsItPhishing.Status = 'ERROR';
}
switch (resBody){
case 'SPAM':
md = 'URL was identified as spam.';
ec.IsItPhishing.Status = 'SPAM';
ec.DBotScore.Score = 2;
addMalicious(ec, outputPaths.url, {
Data: url,
Malicious: {Vendor: 'IsItPhishing', Description: 'URL found as spam by IsItPhishing'}
});
break;
case 'PHISHING':
md = 'URL was identified as phishing.';
ec.IsItPhishing.Status = 'PHISHING';
ec.DBotScore.Score = 3;
addMalicious(ec, outputPaths.url, {
Data: url,
Malicious: {Vendor: 'IsItPhishing', Description: 'URL found as phishing by IsItPhishing'}
});
break;
case 'UNKNOWN':
md = 'URL is clean.';
ec.IsItPhishing.Status = 'CLEAN';
ec.DBotScore.Score = 1;
break;
case 'TIMEOUT':
md = 'Timeout for the request has been reached. No verdict was returned for the request, and the URL should be considered clean.';
ec.IsItPhishing.Status = 'TIMEOUT';
break;
case 'NOT_EXPLORED':
md = 'The URL was not analyzed as triggering the analysis may cause collateral damage (unsubscribe, order conformation, etc.)';
ec.IsItPhishing.Status = 'NOT_EXPLORED';
break;
case 'NOT_AUTHORIZED':
md = 'Authorization has failed for one of the following reasons:\n• Invalid customer name,\n• Invalid customer license.';
ec.IsItPhishing.Status = 'NOT_AUTHORIZED';
break;
case 'REVOKED':
md = 'The license provided is no longer valid for one of the following reasons:\n• Validity period has expired,\n• License has been revoked.';
ec.IsItPhishing.Status = 'REVOKED';
break;
}
return {Type: entryTypes.note, Contents: resBody, ContentsFormat: formats.text, HumanReadable: md, EntryContext: ec, HumanReadableFormat: formats.text};
};
switch (command) {
case 'test-module':
return 'ok';
case 'url':
return isPhishing(args.url, args.force, args.smart, args.area, args.timeout);
default:
}
type: javascript
commands:
- name: url
arguments:
- name: url
required: true
description: URL to be checked if phishing
- name: force
description: Set true to analyze URL, or false to check whether URL may cause
collateral damage to the end user
defaultValue: "false"
- name: smart
description: Set true to force checks on URLs that may cause collateral damage
to the end user, or false to ignore the argument
defaultValue: "true"
- name: area
description: The regional area to force using a proxy
- name: timeout
description: Timeout in milliseconds. Default value set to 10000, with a minimum
value of 1000. Once timeout is reached, TIMEOUT response is returned
outputs:
- contextPath: URL.Status
description: URL identification result
- contextPath: URL.Url
description: The URL that was tested
- contextPath: URL.Malicious.Vendor
description: For malicious URLs, the vendor that made the decision
- contextPath: URL.Malicious.Description
description: For malicious URLs, the reason for the vendor to make the decision
- contextPath: DBotScore.Indicator
description: The indicator that was tested
- contextPath: DBotScore.Type
description: The type of the indicator
- contextPath: DBotScore.Vendor
description: Vendor used to calculate the score
- contextPath: DBotScore.Score
description: The actual score
description: Checks if URL is phishing