CheckPhish
Use the CheckPhish integration to check URLs for threats.
Configure CheckPhish on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for CheckPhish.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- CheckPhish API URL
- API Token
- Good Dispositions (CheckPhish labels for non-phishing URLs. Default is "clean")
- Suspicious dispositions (CheckPhish labels for suspicious phishing URLs). Default is "drug_spam", "gambling", "hacked_website", "streaming", "suspicious"
- Bad dispositions (CheckPhish labels for phishing URLs). Defaults are "cryptojacking", "phish", "likely_phish", "scam".
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. CheckPhish-check-urls
Checks URLs against the CheckPhish database and returns the results.
Base Command
CheckPhish-check-urls
Input
| Argument Name | Description | Required |
|---|---|---|
| url | A CSV list of URLs to check. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CheckPhish.URL.url | String | URL that was submitted. |
| CheckPhish.URL.status | String | CheckPhish job status of the URL. |
| CheckPhish.URL.jobID | String | CheckPhish jobID that was assigned to the URL when it was submitted. |
| CheckPhish.URL.disposition | String | The CheckPhish category (disposition) of the URL. |
| CheckPhish.URL.brand | String | The brand (attack target) countered by the URL. |
| DBotScore.Score | Number | DBot score. |
| DBotScore.Type | String | Indicator type that was tested. |
| DBotScore.Vendor | String | Vendor that provided the DBot score. |
| DBotScore.Indicator | String | Indicator that CheckPhish tested. |
| URL.Data | String | URL that was submitted. |
| URL.Malicious.Vendor | String | CheckPhish. |
| URL.Malicious.Description | String | The brand (attack target) countered by the URL. |
Command Example
CheckPhish-check-urls url=google.com
Context Example
{
"CheckPhish.URL(val.Data && val.Data == obj.Data)": {
"brand": "unknown",
"disposition": "clean",
"jobID": "6d7e9671-29a9-4012-9700-8866f4887f92",
"status": "DONE",
"url": "http://google.com/"
},
"DBotScore": {
"Indicator": "http://google.com/",
"Score": 1,
"Type": "url",
"Vendor": "CheckPhish"
},
"URL(val.Data \u0026\u0026 val.Data == obj.Data)": {
"Data": "http://google.com/"
}
}
Human Readable Output
CheckPhish reputation for http://google.com/
| url | disposition | brand | status | jobID |
|---|---|---|---|---|
| http://google.com/ | clean | unknown | DONE | 6d7e9671-29a9-4012-9700-8866f4887f92 |