Skip to main content

FraudWatch

Manage incidents via the Fraudwatch API. FraudWatch International provides a fully managed Enterprise Digital Brand Protection Suite, including online brand management & monitoring as well as providing other brand protection solutions that protect organizations and their customers around the world against online brand-related abuse. This integration was integrated and tested with version v1 of FraudWatch Phishportal

Retrieve FraudWatch API token#

  1. Navigate to the Phishportal site.
  2. Enter your Username and Password.
  3. On the left sidebar, click on 'Portal API'.
  4. On the top of the page, you should see your API Token.
  5. If the API token is out of date, click on the Regenerate Token button adjacent to the API token, to generate a new token.
  6. Set the API token in the Password parameter. NOTE: no need to set the Username parameter it can be left blank (visible only on 6.0.2 and lower versions).

FraudWatch Retrieve API token

Configure FraudWatch on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for FraudWatch.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Fetch incidentsFalse
    API Token (leave empty. Fill in the API token in the password field.)False
    Server URLURL of the server.True
    BrandFetch incidents that match the specified brand. An error is encountered if the brand does not exist. A list of the existing brands can be retrieved by the 'fraudwatch-brands-list' command.False
    StatusFetch incidents that have the specified status.False
    Incident typeFalse
    Incidents Fetch IntervalFalse
    First fetch timestampformat: (<number> <time unit>, e.g., 12 hours, 1 day)False
    Maximum Incidents To FetchFalse
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Fetch Incidents#

Due to limitations in FraudWatch API, first fetch timestamp can be at most 1 day.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

fraudwatch-incidents-list#


Get a list of incidents from FraudWatch service.

Base Command#

fraudwatch-incidents-list

Input#

Argument NameDescriptionRequired
brandRetrieve incidents that match the specified brand. An error is encountered if the brand does not exist. A list of the existing brands can be retrieved by the 'fraudwatch-brands-list' command.Optional
statusRetrieve incidents that have the specified status. Possible values are: active, new, monitor, reactive, onhold, closed, closedmonitor, rejected, duplicate.Optional
limitNumber of incidents to retrieve.Optional
page_sizeThe number of incidents in a page. Maximum value is 200.Optional
pageRetrieve incidents by the given page number.Optional
fromRetrieve alerts for which 'date opened' is higher or equal to the 'from' value. Supports ISO and time range (<number> <time unit>, e.g., 12 hours, 7 days) formats. If not specified, the default value of 'to' is the current time.Optional
toRetrieve alerts for which 'date opened' is lower or equal to the 'to' value. Supports ISO and time range (<number> <time unit>, e.g., 12 hours, 7 days) formats. If not specified, the default value of 'from' is 12 months before 'to'.Optional

Context Output#

PathTypeDescription
FraudWatch.Incident.identifierStringIncident identifier.
FraudWatch.Incident.reference_idStringIncident reference ID.
FraudWatch.Incident.urlStringMain URL associated with the incident.
FraudWatch.Incident.statusStringIncident status.
FraudWatch.Incident.typeStringIncident type.
FraudWatch.Incident.brandStringIncident brand.
FraudWatch.Incident.clientStringIncident client.
FraudWatch.Incident.content_ipStringIncident content IP.
FraudWatch.Incident.hostStringIncident host.
FraudWatch.Incident.host_countryStringIncident host country.
FraudWatch.Incident.host_timezoneStringIncident host timezone.
FraudWatch.Incident.created_byStringWho created the incident.
FraudWatch.Incident.discovered_byStringWho discovered the incident.
FraudWatch.Incident.current_durationStringCurrent duration of the incident.
FraudWatch.Incident.active_durationUnknownCurrent active duration of the incident.
FraudWatch.Incident.date_openedDateThe date in which the incident was opened.
FraudWatch.Incident.date_closedDateThe date in which the incident was closed.
FraudWatch.Incident.additional_urlsStringAdditional URLs associated with the incident.
FraudWatch.Incident.linkStringLink to the incident page in the FraudWatch user interface.

Command Example#

!fraudwatch-incidents-list brand="Testing Brand 2" from="2020-12-12" limit=3 status=monitor

Context Example#

{
"FraudWatch": {
"Incident": [
{
"active_duration": null,
"additional_urls": [
"http://www.malicious2.com",
"http://www.malicious3.com",
"http://www.malicious4.com",
"http://www.malicious5.com"
],
"brand": "Testing Brand 2",
"client": "Palo Alto",
"content_ip": null,
"created_by": "Client",
"current_duration": "85882",
"date_closed": null,
"date_opened": "2021-02-07T15:37:12.000Z",
"discovered_by": "client",
"host": null,
"host_country": null,
"host_timezone": null,
"identifier": "JJJ-595483",
"link": "https://www.phishportal.com/client/incident/JJJ-595483",
"reference_id": "abc1234",
"status": "monitor",
"type": "Vishing",
"url": "http://www.malicious.com"
},
{
"active_duration": null,
"additional_urls": [
"http://www.malicious2.com",
"http://www.malicious3.com",
"http://www.malicious4.com",
"http://www.malicious5.com"
],
"brand": "Testing Brand 2",
"client": "Palo Alto",
"content_ip": null,
"created_by": "Client",
"current_duration": "86649",
"date_closed": null,
"date_opened": "2021-02-07T15:24:25.000Z",
"discovered_by": "client",
"host": null,
"host_country": null,
"host_timezone": null,
"identifier": "JJJ-992295",
"link": "https://www.phishportal.com/client/incident/JJJ-992295",
"reference_id": "abc1234",
"status": "monitor",
"type": "Vishing",
"url": "http://www.malicious.com"
},
{
"active_duration": null,
"additional_urls": [
"abuse.com"
],
"brand": "Testing Brand 2",
"client": "Palo Alto",
"content_ip": "192.168.0.1",
"created_by": "Client",
"current_duration": "340758",
"date_closed": null,
"date_opened": "2021-02-04T16:49:16.000Z",
"discovered_by": "client",
"host": null,
"host_country": null,
"host_timezone": null,
"identifier": "JJJ-302171",
"link": "https://www.phishportal.com/client/incident/JJJ-302171",
"reference_id": "malicious1",
"status": "monitor",
"type": "Brand Abuse",
"url": "http://malicious.com"
}
]
}
}

Human Readable Output#

FraudWatch Incidents#

identifierreference_idurlstatustypebrandclientcontent_ipcreated_bydiscovered_bycurrent_durationdate_openedadditional_urlslink
JJJ-595483abc1234http://www.malicious.commonitorVishingTesting Brand 2Palo AltoClientclient858822021-02-07T15:37:12.000Zhttp://www.malicious2.com,
http://www.malicious3.com,
http://www.malicious4.com,
http://www.malicious5.com
https://www.phishportal.com/client/incident/JJJ-595483
JJJ-992295abc1234http://www.malicious.commonitorVishingTesting Brand 2Palo AltoClientclient866492021-02-07T15:24:25.000Zhttp://www.malicious2.com,
http://www.malicious3.com,
http://www.malicious4.com,
http://www.malicious5.com
https://www.phishportal.com/client/incident/JJJ-992295
JJJ-302171malicious1http://malicious.commonitorBrand AbuseTesting Brand 2Palo Alto192.168.0.1Clientclient3407582021-02-04T16:49:16.000Zabuse.comhttps://www.phishportal.com/client/incident/JJJ-302171

fraudwatch-incident-report#


Report an incident to FraudWatch service.

Base Command#

fraudwatch-incident-report

Input#

Argument NameDescriptionRequired
brandThe brand associated with the reported incident. An error is encountered if the brand does not exist. A list of the existing brands can be retrieved by the 'fraudwatch-brands-list' command.Required
typeThe incident type to be associated with the reported incident. Possible values are: phishing, vishing, brand_abuse, malware, social_media_brand_abuse, mobile_app_unauthorized, pac_file, pharming, messaging, dmarc_email_server.Required
reference_idReference ID to be associated with the reported incident. Should be unique. Reference ID can be used later on to retrieve a specific incident by its reference ID.Optional
primary_urlPrimary URL of the reported incident.Required
urlsA Comma-separated list of additional URLs to be associated with the reported incident.Optional
evidenceEvidence to be added (such as logs, etc...) to the reported incident.Optional
instructionsAdditional instructions to be added for the FraudWatch security team.Optional

Context Output#

PathTypeDescription
FraudWatch.Incident.identifierStringIncident identifier.
FraudWatch.Incident.reference_idStringIncident reference ID.
FraudWatch.Incident.urlStringMain URL associated with the incident.
FraudWatch.Incident.statusStringIncident status.
FraudWatch.Incident.typeStringIncident type.
FraudWatch.Incident.brandStringIncident brand.
FraudWatch.Incident.clientStringIncident client.
FraudWatch.Incident.content_ipStringIncident content IP.
FraudWatch.Incident.hostStringIncident host.
FraudWatch.Incident.host_countryStringIncident host contry.
FraudWatch.Incident.host_timezoneStringIncident host timezone.
FraudWatch.Incident.created_byStringWho created the incident.
FraudWatch.Incident.discovered_byStringWho discovered the incident.
FraudWatch.Incident.current_durationStringCurrent duration of the incident.
FraudWatch.Incident.active_durationUnknownCurrent active duration of the incident.
FraudWatch.Incident.date_openedDateThe date in which the incident was opened.
FraudWatch.Incident.date_closedDateThe date in which the incident was closed. This field is expected to be empty because the incident was just created.
FraudWatch.Incident.additional_urlsStringAdditional URLs associated with the incident.
FraudWatch.Incident.linkStringLink to the incident page in the FraudWatch user interface.

Command Example#

!fraudwatch-incident-report brand="Testing Brand 1" primary_url="http://www.maliciousaddress.com" type="vishing" reference_id="abc123" urls="http://abuse.com"

Context Example#

{
"FraudWatch": {
"Incident": {
"active_duration": null,
"additional_urls": [
"http://abuse.com"
],
"brand": "Testing Brand 1",
"client": "Palo Alto",
"content_ip": null,
"created_by": "FraudWatch",
"current_duration": "0",
"date_closed": null,
"date_opened": "2021-02-08T15:28:37.000Z",
"discovered_by": "client",
"host": null,
"host_country": null,
"host_timezone": null,
"identifier": "JJJ-358877",
"link": "https://www.phishportal.com/client/incident/JJJ-358877",
"reference_id": "abc123",
"status": "monitor",
"type": "Vishing",
"url": "http://www.maliciousaddress.com"
}
}
}

Human Readable Output#

Created FraudWatch Incident#

additional_urlsbrandclientcreated_bycurrent_durationdate_openeddiscovered_byidentifierlinkreference_idstatustypeurl
http://abuse.comTesting Brand 1Palo AltoFraudWatch02021-02-08T15:28:37.000ZclientJJJ-358877https://www.phishportal.com/client/incident/JJJ-358877abc123monitorVishinghttp://www.maliciousaddress.com

fraudwatch-incident-update#


Updates the incident associated with the 'incident_id' with the specified argument values.

Base Command#

fraudwatch-incident-update

Input#

Argument NameDescriptionRequired
incident_idThe ID of the incident to be updated. The incident ID is the 'identifier' field returned by the 'fraudwatch-incidents-list' command.Required
brandUpdates the incident associated with the 'incident_id' with the brand specified. An error is encountered if the brand does not exist. A list of the existing brands can be retrieved by the 'fraudwatch-brands-list' command.Optional
reference_idUpdates the incident associated with the 'incident_id' with the reference ID specified. Reference ID should be unique, and can be used by the 'fraudwatch-incident-get-by-identifier' command to retrieve a specific incident by its reference id.Optional
evidenceEvidence to be added (such as logs, etc...) to the incident.Optional
instructionsUpdates the incident associated with the 'incident_id' with additional instructions for the FraudWatch security team.Optional

Context Output#

There is no context output for this command.

Command Example#

!fraudwatch-incident-update incident_id=JJJ-504830 brand="Testing Brand 2" reference_id="reference123"

Human Readable Output#

Incident with ID JJJ-504830 was updated successfully#

fraudwatch-incident-get-by-identifier#


Gets an incident from FraudWatch service by its reference ID or incident ID. Single values of 'reference_id' and 'incident_id' should be specified.

Base Command#

fraudwatch-incident-get-by-identifier

Input#

Argument NameDescriptionRequired
incident_idThe ID of the incident to retrieve. Incident ID is the 'identifier' field returned by the 'fraudwatch-incidents-list' command.Optional
reference_idReference id of the incident to retrieve. If more than one incident is associated with 'reference_id' specified, returns the details of the incident with the latest 'date opened'. Reference ID is the 'reference_id' field returned by the 'fraudwatch-incidents-list' command.Optional

Context Output#

PathTypeDescription
FraudWatch.Incident.identifierStringIncident identifier.
FraudWatch.Incident.reference_idStringIncident reference ID.
FraudWatch.Incident.urlStringMain URL associated with the incident.
FraudWatch.Incident.statusStringIncident status.
FraudWatch.Incident.typeStringIncident type.
FraudWatch.Incident.brandStringIncident brand.
FraudWatch.Incident.clientStringIncident client.
FraudWatch.Incident.content_ipStringIncident content IP.
FraudWatch.Incident.hostStringIncident host.
FraudWatch.Incident.host_countryStringIncident host country.
FraudWatch.Incident.host_timezoneStringIncident host timezone.
FraudWatch.Incident.created_byStringWho created the incident.
FraudWatch.Incident.discovered_byStringWho discovered the incident.
FraudWatch.Incident.current_durationStringCurrent duration of the incident.
FraudWatch.Incident.active_durationUnknownCurrent active duration of the incident.
FraudWatch.Incident.date_openedDateThe date in which the incident was opened.
FraudWatch.Incident.date_closedDateThe date in which the incident was closed.
FraudWatch.Incident.additional_urlsStringAdditional URLs associated with the incident.
FraudWatch.Incident.linkStringLink to the incident page in the FraudWatch user interface.

Command Example#

!fraudwatch-incident-get-by-identifier incident_id=JJJ-168840

Context Example#

{
"FraudWatch": {
"Incident": {
"active_duration": null,
"additional_urls": [
"http://malicious1.com",
"http://malicious2.com"
],
"brand": "Testing Brand 1",
"client": "Palo Alto",
"content_ip": null,
"created_by": "Client",
"current_duration": "514313",
"date_closed": null,
"date_opened": "2021-02-02T16:36:50.000Z",
"discovered_by": "client",
"host": null,
"host_country": null,
"host_timezone": null,
"identifier": "JJJ-168840",
"link": "https://www.phishportal.com/client/incident/JJJ-168840",
"reference_id": null,
"status": "monitor",
"type": "Vishing",
"url": "test.com"
}
}
}

Human Readable Output#

FraudWatch Incident#

additional_urlsbrandclientcreated_bycurrent_durationdate_openeddiscovered_byidentifierlinkstatustypeurl
http://malicious1.com,
http://malicious2.com
Testing Brand 1Palo AltoClient5143132021-02-02T16:36:50.000ZclientJJJ-168840https://www.phishportal.com/client/incident/JJJ-168840monitorVishingtest.com

fraudwatch-incident-forensic-get#


Gets the forensic data of the incident associated with the specified incident ID.

Base Command#

fraudwatch-incident-forensic-get

Input#

Argument NameDescriptionRequired
incident_idThe ID of the incident for which to retrieve the forensic data. Incident ID is the 'identifier' field returned by the 'fraudwatch-incidents-list' command.Required

Context Output#

PathTypeDescription
FraudWatch.IncidentForensicData.host_provider.nameStringName of the host provider.
FraudWatch.IncidentForensicData.host_provider.countryStringCountry of the host provider.
FraudWatch.IncidentForensicData.host_nameserversStringNames of the host servers.
FraudWatch.IncidentForensicData.host_domain_registrar.nameStringHost domain registrar name.
FraudWatch.IncidentForensicData.host_domain_registrar.emailStringHost domain registrar email.
FraudWatch.IncidentForensicData.host_domain_registrar.countryStringHost domain registrar country.
FraudWatch.IncidentForensicData.host_site_ownerUnknownHost site owner.
FraudWatch.IncidentForensicData.host_site_adminUnknownHost site admin.
FraudWatch.IncidentForensicData.host_domain_adminUnknownHost domain admin.
FraudWatch.IncidentForensicData.host_ip_providierUnknownHost IP provider.
FraudWatch.IncidentForensicData.identifierStringIdentifier of the incident.

Command Example#

!fraudwatch-incident-forensic-get incident_id=JJJ-397266

Context Example#

{
"FraudWatch": {
"IncidentForensicData": {
"host_domain_registrar": {
"country": "abuse@address.com",
"email": "http://www.abuseaddress.com",
"name": "Moniker Online Services LLC"
},
"host_nameservers": [
"NS1.IRAN.COM",
"NS2.IRAN.COM"
],
"identifier": "JJJ-397266"
}
}
}

Human Readable Output#

FraudWatch Incident Forensic Data#

host_domain_registrarhost_nameserversidentifier
name: Moniker Online Services LLC
email: http://www.abuseaddress.com
country: abuse@address.com
NS1.IRAN.COM,
NS2.IRAN.COM
JJJ-397266

fraudwatch-incident-contact-emails-list#


Provides a list of the messages related to the incident associated with the specified incident ID.

Base Command#

fraudwatch-incident-contact-emails-list

Input#

Argument NameDescriptionRequired
incident_idThe ID of the incident for which to retrieve the related messages. Incident ID is the 'identifier' field returned by the 'fraudwatch-incidents-list' command.Required
limitNumber of related messages to retrieve.Optional
page_sizeMaximum number of related messages in a page. Maximum value is 200.Optional
pageRetrieve related messages by the specified page number.Optional

Context Output#

PathTypeDescription
FraudWatch.IncidentContacts.noteIdStringNote ID of the related message.
FraudWatch.IncidentContacts.subjectStringSubject of the related message.
FraudWatch.IncidentContacts.creatorStringThe creator of the related message.
FraudWatch.IncidentContacts.contentStringThe content of the related message.
FraudWatch.IncidentContacts.dateDateThe date of the related message.

Command Example#

!fraudwatch-incident-contact-emails-list incident_id=JJJ-898410 limit=2

Context Example#

{
"FraudWatch": {
"IncidentContacts": [
{
"content": "This incident is very malicious, please monitor it\r\n",
"creator": "Client",
"date": "2021-02-08T15:26:19.000Z",
"noteId": "11081853",
"subject": "Client Reply"
},
{
"content": "This incident is very malicious, please monitor it\r\n",
"creator": "Client",
"date": "2021-02-08T15:21:58.000Z",
"noteId": "11081828",
"subject": "Client Reply"
}
]
}
}

Human Readable Output#

FraudWatch Incident Contacts Data#

noteIdsubjectcreatorcontentdate
11081853Client ReplyClientThis incident is very malicious, please monitor it
2021-02-08T15:26:19.000Z
11081828Client ReplyClientThis incident is very malicious, please monitor it
2021-02-08T15:21:58.000Z

fraudwatch-incident-messages-add#


Add a new related message to the incident associated with the specified incident ID.

Base Command#

fraudwatch-incident-messages-add

Input#

Argument NameDescriptionRequired
incident_idAdd a related message to the incident with the specified incident ID. Incident ID is the 'identifier' field returned by the 'fraudwatch-incidents-list' command.Required
message_contentContent of the related message.Required

Context Output#

There is no context output for this command.

Command Example#

!fraudwatch-incident-messages-add incident_id=JJJ-898410 message_content="This incident is very malicious, please monitor it"

Human Readable Output#

Message for incident id JJJ-898410 was added successfully.#

fraudwatch-incident-urls-add#


Adds additional URLs to the incident associated with the specified incident ID. Fails if one of the new urls already exists.

Base Command#

fraudwatch-incident-urls-add

Input#

Argument NameDescriptionRequired
incident_idThe ID of the incident to add additional urls to. Incident ID is the 'identifier' field returned by the 'fraudwatch-incidents-list' command.Required
urlsA comma-separated list of additional URLs to be added to the incident associated with the 'incident_id'.Required

Context Output#

PathTypeDescription
FraudWatch.IncidentUrls.successStringWhether the URLs were added successfully.
FraudWatch.IncidentUrls.new_urlsStringThe new URLs that were added.

Command Example#

!fraudwatch-incident-urls-add incident_id=JJJ-162968 urls=http://www.malicious1.com,http://www.malicious2.com

Context Example#

{
"FraudWatch": {
"IncidentUrls": {
"new_urls": [
"http://www.malicious1.com",
"http://www.malicious2.com"
],
"success": "Add additional urls successfully"
}
}
}

Human Readable Output#

FraudWatch Incident Urls#

new_urlssuccess
http://www.malicious1.com,
http://www.malicious2.com
Add additional urls successfully

fraudwatch-incident-attachment-upload#


Adds a new file attachment to the incident associated with the specified incident ID.

Base Command#

fraudwatch-incident-attachment-upload

Input#

Argument NameDescriptionRequired
incident_idThe ID of the incident to add a file attachment to. Incident ID is the 'identifier' field returned by the 'fraudwatch-incidents-list' command.Required
entry_idThe entry id in Cortex XSOAR of the attachment to be added to the incident.Required

Context Output#

There is no context output for this command.

Command Example#

!fraudwatch-incident-attachment-upload entry_id=fmSNZSY2fSCA2WptU8rddf@d382f488-92db-400c-87ff-fdd71f3b7408 incident_id=JJJ-604206

Human Readable Output#

File fraud_test.txt was uploaded successfully to incident with an incident id JJJ-604206#

fraudwatch-brands-list#


Gets a list of brands from FraudWatch service.

Base Command#

fraudwatch-brands-list

Input#

Argument NameDescriptionRequired
limitNumber of brands to retrieve.Optional
page_sizeTotal number of brands in a page. Values range: 20-100.Optional
pageRetrieve brands by the specified page number.Optional

Context Output#

PathTypeDescription
FraudWatch.Brand.clientStringBrand client.
FraudWatch.Brand.alternate business nameStringBrand alternative business name.
FraudWatch.Brand.nameStringBrand name.
FraudWatch.Brand.activeBooleanWether the brand is active or not.
FraudWatch.Brand.services.nameStringBrand service name.
FraudWatch.Brand.services.actionStringBrand service action.

Command Example#

!fraudwatch-brands-list

Context Example#

{
"FraudWatch": {
"Brand": [
{
"active": true,
"alternate business name": "",
"client": "Palo Alto",
"name": "Testing Brand 1",
"services": [
{
"action": "takedown",
"name": "Phishing"
},
{
"action": "monitor",
"name": "Vishing"
},
{
"action": "monitor",
"name": "Brand Abuse"
},
{
"action": "monitor",
"name": "Malware"
},
{
"action": "monitor",
"name": "Social Media Brand Abuse"
},
{
"action": "monitor",
"name": "Mobile App (Unauthorized)"
},
{
"action": "monitor",
"name": "PAC File"
},
{
"action": "monitor",
"name": "Messaging"
},
{
"action": "monitor",
"name": "DMARC Email Server"
}
]
},
{
"active": true,
"alternate business name": "",
"client": "Palo Alto",
"name": "Testing Brand 2",
"services": [
{
"action": "takedown",
"name": "Phishing"
},
{
"action": "monitor",
"name": "Vishing"
},
{
"action": "monitor",
"name": "Brand Abuse"
},
{
"action": "monitor",
"name": "Malware"
},
{
"action": "monitor",
"name": "Social Media Brand Abuse"
},
{
"action": "monitor",
"name": "Mobile App (Unauthorized)"
},
{
"action": "monitor",
"name": "PAC File"
},
{
"action": "monitor",
"name": "Messaging"
},
{
"action": "monitor",
"name": "DMARC Email Server"
}
]
}
]
}
}

Human Readable Output#

FraudWatch Brands#

nameactiveclient
Testing Brand 1truePalo Alto
Testing Brand 2truePalo Alto