CheckPhish
Use the CheckPhish integration to check URLs for threats.
Configure CheckPhish on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for CheckPhish.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- CheckPhish API URL
- API Token
- Good dispositions (CheckPhish labels for non-phishing URLs). Default is "clean".
- Suspicious dispositions (CheckPhish labels for suspicious phishing URLs). Defaults are "drug_spam", "gambling", "hacked_website", "streaming", "suspicious".
- Bad dispositions (CheckPhish labels for phishing URLs). Defaults are "cryptojacking", "phish", "likely_phish", "scam".
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. CheckPhish-check-urls
Checks URLs against the CheckPhish database and returns the results.
Base Command
CheckPhish-check-urls
Input
Argument Name | Description | Required |
---|---|---|
url | A CSV list of URLs to check. | Required |
Context Output
Path | Type | Description |
---|---|---|
CheckPhish.URL.url | String | URL that was submitted. |
CheckPhish.URL.status | String | CheckPhish job status of the URL. |
CheckPhish.URL.jobID | String | CheckPhish jobID that was assigned to the URL when it was submitted. |
CheckPhish.URL.disposition | String | The CheckPhish category (disposition) of the URL. |
CheckPhish.URL.brand | String | The brand (attack target) countered by the URL. |
DBotScore.Score | Number | DBot score. |
DBotScore.Type | String | Indicator type that was tested. |
DBotScore.Vendor | String | Vendor that provided the DBot score. |
DBotScore.Indicator | String | Indicator that CheckPhish tested. |
URL.Data | String | URL that was submitted. |
URL.Malicious.Vendor | String | CheckPhish. |
URL.Malicious.Description | String | The brand (attack target) countered by the URL. |
Command Example
CheckPhish-check-urls url=google.com
Context Example
{
    "CheckPhish.URL(val.Data && val.Data == obj.Data)": {
        "brand": "unknown",
        "disposition": "clean",
        "jobID": "6d7e9671-29a9-4012-9700-8866f4887f92",
        "status": "DONE",
        "url": "http://google.com/"
    },
    "DBotScore": {
        "Indicator": "http://google.com/",
        "Score": 1,
        "Type": "url",
        "Vendor": "CheckPhish"
    },
    "URL(val.Data && val.Data == obj.Data)": {
        "Data": "http://google.com/"
    }
}
Human Readable Output
CheckPhish reputation for http://google.com/
url | disposition | brand | status | jobID |
---|---|---|---|---|
http://google.com/ | clean | unknown | DONE | 6d7e9671-29a9-4012-9700-8866f4887f92 |
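How the configured good, suspicious and bad disposition lists can translate into the DBotScore.Score and URL.Malicious outputs listed above, as an added example that is not the integration's own code. It assumes the usual DBot scale (0 unknown, 1 good, 2 suspicious, 3 bad), that only a DONE job carries a verdict, and that URL.Malicious is set only for a bad verdict; the function names and sample results are constructed.

```python
# Added illustration; not the CheckPhish integration's source code.
# Assumed DBot score scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
DEFAULT_GOOD = ["clean"]
DEFAULT_SUSPICIOUS = ["drug_spam", "gambling", "hacked_website", "streaming", "suspicious"]
DEFAULT_BAD = ["cryptojacking", "phish", "likely_phish", "scam"]

def _norm(labels):
    # Normalise configured labels so "Phish " and "phish" compare equal.
    return {label.strip().lower() for label in labels}

def disposition_to_score(disposition, good=DEFAULT_GOOD,
                         suspicious=DEFAULT_SUSPICIOUS, bad=DEFAULT_BAD):
    """Map a CheckPhish disposition to a DBot score."""
    label = (disposition or "").strip().lower()
    # Check the most severe list first, so a label configured in two lists
    # by mistake resolves to the worse verdict.
    if label in _norm(bad):
        return 3
    if label in _norm(suspicious):
        return 2
    if label in _norm(good):
        return 1
    return 0  # label in no configured list: unknown, never defaulted to good

def build_context(result, **lists):
    """Build DBotScore and URL context entries from one result dict."""
    # A job that is not DONE has no verdict yet, so it is scored unknown.
    done = result.get("status") == "DONE"
    score = disposition_to_score(result.get("disposition"), **lists) if done else 0
    url_entry = {"Data": result["url"]}
    if score == 3:
        # Assumption: Malicious is populated only for a bad verdict.
        url_entry["Malicious"] = {"Vendor": "CheckPhish",
                                  "Description": result.get("brand", "unknown")}
    return {"DBotScore": {"Indicator": result["url"], "Score": score,
                          "Type": "url", "Vendor": "CheckPhish"},
            "URL": url_entry}

# Constructed sample results; field names follow the Context Example above.
SAMPLES = [
    {"url": "http://google.com/", "disposition": "clean", "brand": "unknown", "status": "DONE"},
    {"url": "http://login.example.test/", "disposition": "likely_phish",
     "brand": "examplebank", "status": "DONE"},
    {"url": "http://slow.example.test/", "disposition": "phish",
     "brand": "unknown", "status": "PENDING"},  # stands in for any non-DONE status
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["url"], build_context(sample)["DBotScore"]["Score"])
```

A disposition that appears in none of the three lists scores 0, so when CheckPhish returns a label the instance was never configured for, the URL shows up as unknown rather than good.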