CheckPhish

Check any URL to detect supsicious behavior.

Configure CheckPhish on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for CheckPhish.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    CheckPhish API URLFalse
    API TokenTrue
    Good Dispositions (CheckPhish labels for non-phishing URLs. Default is "clean")False
    Suspicious dispositions (CheckPhish labels for suspicious phishing URLs). Default is "drug_spam", "gambling", "hacked_website", "streaming", "suspicious"False
    Bad dispositions (CheckPhish labels for phishing URLs). Defaults are "cryptojacking", "phish", "likely_phish", "scam".False
    Source ReliabilityReliability of the source providing the intelligence data.True
    Trust any certificate (not secure)False
    Use system proxy settingsFalse

  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

CheckPhish-check-urls#

Checks URLs against the CheckPhish database and returns the results.

Base Command#

CheckPhish-check-urls

Input#

Argument NameDescriptionRequired
urlA CSV list of URLs to check.Required

Context Output#

PathTypeDescription
CheckPhish.URL.urlStringURL that was submitted.
CheckPhish.URL.statusStringCheckPhish job status of the URL.
CheckPhish.URL.jobIDStringCheckPhish jobID that was assigned to the URL when it was submitted.
CheckPhish.URL.dispositionStringThe CheckPhish category (disposition) of the URL.
CheckPhish.URL.brandStringThe brand (attack target) countered by the URL.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
URL.DataStringURL that was submitted.
URL.Malicious.VendorStringCheckPhish.
URL.Malicious.DescriptionStringThe brand (attack target) countered by the URL.

Command Example#

!CheckPhish-check-urls url=`test.com

Context Example#

{
"CheckPhish": {
"URL": {
"brand": "unknown",
"disposition": "clean",
"jobID": "49a3a20b-ec4b-4581-9a55-56716d9e0c6e",
"status": "DONE",
"url": "http://test.com/"
}
},
"DBotScore": {
"Indicator": "http://test.com/",
"Reliability": "B - Usually reliable",
"Score": 1,
"Type": "url",
"Vendor": "CheckPhish"
},
"URL": {
"Data": "http://test.com/"
}
}

Human Readable Output#

CheckPhish reputation for http://test.com/#

urldispositionbrandstatusjobID
http://test.com/cleanunknownDONE49a3a20b-ec4b-4581-9a55-56716d9e0c6e

url#

Retrieves URL information from CheckPhish.

Base Command#

url

Input#

Argument NameDescriptionRequired
urlURL to query.Required

Context Output#

PathTypeDescription
CheckPhish.URL.urlStringURL that was submitted.
CheckPhish.URL.statusStringCheckPhish job status of the URL.
CheckPhish.URL.jobIDStringCheckPhish jobID that was assigned to the URL when it was submitted.
CheckPhish.URL.dispositionStringThe CheckPhish category (disposition) of the URL.
CheckPhish.URL.brandStringThe brand (attack target) countered by the URL.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.
URL.DataStringURL that was submitted.
URL.Malicious.VendorStringCheckPhish.
URL.Malicious.DescriptionStringThe brand (attack target) countered by the URL.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.

Command Example#

!url url=test.com

Context Example#

{
"CheckPhish": {
"URL": {
"brand": "unknown",
"disposition": "clean",
"jobID": "6df1ebef-3be3-48a9-8970-c5afeda8d58d",
"status": "DONE",
"url": "http://test.com/"
}
},
"DBotScore": {
"Indicator": "http://test.com/",
"Reliability": "B - Usually reliable",
"Score": 1,
"Type": "url",
"Vendor": "CheckPhish"
},
"URL": {
"Data": "http://test.com/"
}
}

Human Readable Output#

CheckPhish reputation for http://test.com/#

urldispositionbrandstatusjobID
http://test.com/cleanunknownDONE6df1ebef-3be3-48a9-8970-c5afeda8d58d
Edit this page
Report an Issue