EmailRep.io

EmailRep.io provides the reputation and reports for email addresses. This integration was integrated and tested with version EmailRep Alpha API v0.1 of EmailRep.io

Configure EmailRepIO on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for EmailRepIO.
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
urlServer URL (e.g., https://emailrep.io\)True
apikeyAPI KeyFalse
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
  1. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

emailrepio-email-reputation-get


Gets the EmailRepIO reputation for the given email address.

Base Command

emailrepio-email-reputation-get

Input

Argument NameDescriptionRequired
email_addressThe email address to get the reputation for.Required

Context Output

PathTypeDescription
EmailRepIO.Email.emailStringThe email address that was queried.
EmailRepIO.Email.reputationStringThe reputation of the email. Possible values are: "high", "medium", "low", and "none".
EmailRepIO.Email.suspiciousBooleanWhether the email address should be treated as suspicious or risky.
EmailRepIO.Email.referencesNumberThe total number of positive and negative sources of the reputation. Note that these may not all be direct references to the email address, but can include reputation sources for the domain or other related information.
EmailRepIO.Email.details.blacklistedBooleanWhether the email is believed to be malicious or spam.
EmailRepIO.Email.details.malicious_activityBooleanWhether the email exhibited malicious behavior (e.g., phishing or fraud).
EmailRepIO.Email.details.malicious_activity_recentBooleanWhether the email exhibited malicious behavior in the last 90 days (e.g., in the case of temporal account takeovers).
EmailRepIO.Email.details.credentials_leakedBooleanWhether the email credentials were ever leaked (e.g., a data breach, pastebin, dark web, etc.).
EmailRepIO.Email.details.credentials_leaked_recentBooleanWhether the email credentials were leaked in the last 90 days.
EmailRepIO.Email.details.data_breachBooleanWhether the email was ever in a data breach.
EmailRepIO.Email.details.first_seenDateThe first date the email was observed in a breach, credential leak, or exhibiting malicious or spammy behavior. Displays "never" if the email was never observed in a breach, credential leak, or exhibiting malicious or spammy behavior.
EmailRepIO.Email.details.last_seenDateThe last date the email was observed in a breach, credential leak, or exhibiting malicious or spammy behavior. Displays "never" if the email was never observed in a breach, credential leak, or exhibiting malicious or spammy behavior.
EmailRepIO.Email.details.domain_existsBooleanWhether the domain is a valid domain.
EmailRepIO.Email.details.domain_reputationStringThe reputation of the domain. Possible values are: "high", "medium", "low", and "n/a". Displays "n/a" if the domain is a free_provider, disposable, or doesn’t exist.
EmailRepIO.Email.details.new_domainBooleanWhether the domain was created within the last year.
EmailRepIO.Email.details.days_since_domain_creationNumberThe number of days since the domain was created.
EmailRepIO.Email.details.suspicious_tldBooleanWhether the email has a suspicious top level domain (tld).
EmailRepIO.Email.details.spamBooleanWhether the email has exhibited spammy behavior (e.g., spam traps, login form abuse).
EmailRepIO.Email.details.free_providerBooleanWhether the email uses a free email provider.
EmailRepIO.Email.details.disposableBooleanWhether the email uses a temporary or disposable service.
EmailRepIO.Email.details.deliverableBooleanWhether the email is deliverable.
EmailRepIO.Email.details.accept_allBooleanWhether the mail server has a default accept all policy. Some mail servers return inconsistent responses, so the default may be an accept all policy.
EmailRepIO.Email.details.valid_mxBooleanWhether the email has a mail exchanger (MX) record.
EmailRepIO.Email.details.spoofableBooleanWhether the email address can be spoofed (e.g., not a strict SPF policy or DMARC is not enforced).
EmailRepIO.Email.details.spf_strictBooleanWhether there is a sufficiently strict SPF record to prevent spoofing.
EmailRepIO.Email.details.dmarc_enforcedBooleanWhether DMARC is configured correctly and enforced.
EmailRepIO.Email.details.profilesStringThe online profiles used by the email.

Command Example

!emailrepio-email-reputation-get email_address="test@example.com"

email


Gets the DBot score for the given email address using the EmailRepIO reputation.

Base Command

email

Input

Argument NameDescriptionRequired
emailThe email address to get the reputation for.Required

Context Output

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ScoreNumberThe actual DBot score.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
EmailRepIO.Email.emailStringemail address that was queried
EmailRepIO.Email.reputationStringThe reputation of the email. Possible values are: "high", "medium", "low", and "none".
EmailRepIO.Email.suspiciousBooleanWhether the email address should be treated as suspicious or risky.
EmailRepIO.Email.referencesNumberThe total number of positive and negative sources of the reputation. Note that these may not all be direct references to the email address, but can include reputation sources for the domain or other related information.
EmailRepIO.Email.details.blacklistedBooleanWhether the email is believed to be malicious or spam.
EmailRepIO.Email.details.malicious_activityBooleanWhether the email exhibited malicious behavior (e.g., phishing or fraud).
EmailRepIO.Email.details.malicious_activity_recentBooleanWhether the email exhibited malicious behavior in the last 90 days (e.g., in the case of temporal account takeovers).
EmailRepIO.Email.details.credentials_leakedBooleanWhether the email credentials were ever leaked (e.g., a data breach, pastebin, dark web, etc.).
EmailRepIO.Email.details.credentials_leaked_recentBooleanWhether the email credentials were leaked in the last 90 days.
EmailRepIO.Email.details.data_breachBooleanWhether the email was ever in a data breach.
EmailRepIO.Email.details.first_seenDateThe first date the email was observed in a breach, credential leak, or exhibiting malicious or spammy behavior. Displays "never" if the email was never observed in a breach, credential leak, or exhibiting malicious or spammy behavior.
EmailRepIO.Email.details.last_seenDateThe last date the email was observed in a breach, credential leak, or exhibiting malicious or spammy behavior. Displays "never" if the email was never observed in a breach, credential leak, or exhibiting malicious or spammy behavior.
EmailRepIO.Email.details.domain_existsBooleanWhether the domain is a valid domain.
EmailRepIO.Email.details.domain_reputationStringThe reputation of the domain. Possible values are: "high", "medium", "low", and "n/a". Displays "n/a" if the domain is a free_provider, disposable, or doesn’t exist.
EmailRepIO.Email.details.new_domainBooleanWhether the domain was created within the last year.
EmailRepIO.Email.details.days_since_domain_creationNumberThe number of days since the domain was created.
EmailRepIO.Email.details.suspicious_tldBooleanWhether the email has a suspicious top level domain (tld).
EmailRepIO.Email.details.spamBooleanWhether the email exhibited spammy behavior (e.g., spam traps, login form abuse).
EmailRepIO.Email.details.free_providerBooleanWhether the email uses a free email provider.
EmailRepIO.Email.details.disposableBooleanWhether the email uses a temporary or disposable service.
EmailRepIO.Email.details.deliverableBooleanWhether the email is deliverable.
EmailRepIO.Email.details.accept_allBooleanWhether the mail server has a default accept all policy. Some mail servers return inconsistent responses, so the default may be an accept all policy.
EmailRepIO.Email.details.valid_mxBooleanWhether the email has a mail exchanger (MX) record.
EmailRepIO.Email.details.spoofableBooleanWhether the email has a mail exchanger (MX) record. (e.g., not a strict SPF policy or DMARC is not enforced).
EmailRepIO.Email.details.spf_strictBooleanWhether there is a sufficiently strict SPF record to prevent spoofing.
EmailRepIO.Email.details.dmarc_enforcedBooleanWhether DMARC is configured correctly and enforced.
EmailRepIO.Email.details.profilesStringThe online profiles used by the email.

Command Example

!email email="test@example.com"

emailrepio-email-address-report


Reports a malicious email address to EmailRepIO.  You tag the type of malicious activity associated with the email address. The date of the malicious activity defaults to the current time unless otherwise specified.

Base Command

emailrepio-email-address-report

Input

Argument NameDescriptionRequired
email_addressThe email address to report.Required
tagsThe tags that should be applied. See detailed descriptions in the EmailRepIO documentation for more information.Required
descriptionAdditional information and context.Optional
timestampThe time the activity occurred in UTC time format. Defaults to now().Optional
expiresThe number of hours the email should be considered risky (suspicious=true and blacklisted=true in the QueryResponse). Defaults to no expiration unless the "account_takeover" tag is specified, in which case the default is 14 days.Optional

Context Output

There is no context output for this command.

Command Example

!emailrepio-email-address-report email_address="test@example.com" tags="spam"