
Netcraft

This integration is part of the Netcraft Pack.

An integration for Netcraft, allowing you to open and handle takedown requests.

Configure Netcraft on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Netcraft.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Credentials | True |
    | Password | True |
    | The maximum number of entries (takedowns/notes) to return. Default is 100. | False |
    | Use system proxy settings | False |
    | Trust any certificate (not secure) | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

netcraft-report-attack


Reports an attack to Netcraft.

Base Command

netcraft-report-attack

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| attack | The attack location you want taken down. For example, a phishing URL or fraudulent email address. | Required |
| comment | The reason for submitting the attack, such as a description of the attack. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Netcraft.Takedown.DateSubmitted | String | The date and time of reporting. |
| Netcraft.Takedown.LastUpdated | String | The date and time of the last action taken on the takedown. |
| Netcraft.Takedown.EvidenceURL | String | The URL of the evidence page on incident.netcraft.com. |
| Netcraft.Takedown.Reporter | String | The person/account that submitted the takedown. |
| Netcraft.Takedown.Domain | String | The domain of the URL or email address being taken down. This will be blank for attacks without a domain name. |
| Netcraft.Takedown.Hostname | String | The full hostname of the URL or email address being taken down. This will be blank for attacks without a hostname. |
| Netcraft.Takedown.CountryCode | String | ISO country code of the hosting country. |
| Netcraft.Takedown.DomainAttack | String | Whether the domain is thought to be fraudulent. |
| Netcraft.Takedown.TargetedURL | String | The URL that this attack is masquerading as. For example, the URL of the legitimate login form that the attack targets. |
| Netcraft.Takedown.Certificate | Unknown | HTTPS certificate details for the hostname, or null if no certificate was found. The value returned is the output of PHP's openssl_x509_parse function. |
| Netcraft.Takedown.ID | Number | The ID of the takedown. |
| Netcraft.Takedown.GroupID | Number | The group ID of the takedown, can potentially be the same as ID, or empty if there is no group. |
| Netcraft.Takedown.Status | String | The status of the takedown. |
| Netcraft.Takedown.AttackType | String | The type of takedown. |
| Netcraft.Takedown.AttackURL | String | The location of the attack being taken down. |
| Netcraft.Takedown.Region | String | The customer area in which the attack resides. |
| Netcraft.Takedown.IP | String | The IPv4 address of the attack. |

netcraft-get-takedown-info


Returns information on existing takedowns. You can retrieve the takedown ID when you report the malicious URL and open the takedown, using the netcraft-report-attack command.

Base Command

netcraft-get-takedown-info

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the takedowns for which to get information. | Optional |
| date_from | Retrieve information for takedowns submitted after this date. Format: YYYY-MM-DD HH:MM:SS. | Optional |
| updated_since | Retrieve information for takedowns updated after this date. Format: YYYY-MM-DD HH:MM:SS. | Optional |
| url | The URL by which to filter. | Optional |
| ip | The IP by which to filter. | Optional |
| region | The region by which to filter. If the region is invalid or not specified, all regions are returned. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Netcraft.Takedown.ID | number | The ID of the takedown. |
| Netcraft.Takedown.GroupID | number | The group ID of the takedown, can potentially be the same as ID or empty if there is no group. |
| Netcraft.Takedown.Status | string | The status of the takedown. |
| Netcraft.Takedown.AttackType | string | The type of takedown. |
| Netcraft.Takedown.AttackURL | string | The location of the attack being taken down. |
| Netcraft.Takedown.Region | string | The customer area in which the attack resides. |
| Netcraft.Takedown.DateSubmitted | string | The date and time of reporting. |
| Netcraft.Takedown.LastUpdated | string | The date and time of the last action taken on the takedown. |
| Netcraft.Takedown.EvidenceURL | string | The URL of the evidence page on incident.netcraft.com. |
| Netcraft.Takedown.Reporter | string | The person/account that submitted the takedown. |
| Netcraft.Takedown.IP | Unknown | The IPv4 address of the attack. |
| Netcraft.Takedown.Domain | Unknown | The domain of the URL or email address being taken down. This will be blank for attacks without a domain name. |
| Netcraft.Takedown.Hostname | Unknown | The full hostname of the URL or email address being taken down. This will be blank for attacks without a hostname. |
| Netcraft.Takedown.CountryCode | Unknown | ISO country code of the hosting country. |
| Netcraft.Takedown.DomainAttack | Unknown | Whether the domain is thought to be fraudulent. |
| Netcraft.Takedown.TargetedURL | Unknown | The URL which this attack is masquerading as. For example, the URL of the legitimate login form that the attack targets. |
| Netcraft.Takedown.Certificate | Unknown | HTTPS certificate details for the hostname, or null if no certificate was found. The value returned is the output of PHP's openssl_x509_parse function. |

netcraft-get-takedown-notes


Returns notes for takedowns.

Base Command

netcraft-get-takedown-notes

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| takedown_id | The takedown to get notes for. | Optional |
| group_id | A takedown group to get notes for. | Optional |
| date_from | Retrieve notes created after this date. | Optional |
| date_to | Retrieve notes created before this date. | Optional |
| author | A specific user to get notes for. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Netcraft.Takedown.Note.TakedownID | number | The ID of the takedown to which the note belongs. |
| Netcraft.Takedown.Note.NoteID | number | The ID of the note. |
| Netcraft.Takedown.Note.GroupID | number | If this note is attached to all takedowns in a group, group_id is the ID of that group. Otherwise, the value 0 means the note is sent to a single takedown. |
| Netcraft.Takedown.Note.Author | string | The author of the note. "Netcraft" denotes a Netcraft authored note. |
| Netcraft.Takedown.Note.Note | string | The content (text) of the note. |
| Netcraft.Takedown.Note.Time | string | The date/time the note was created. Format (UTC): YYYY-MM-DD HH:MM:SS. |
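
The GroupID, Author and Time fields above decide which notes apply to which takedown and who wrote them. The following is an added example, not part of the integration's code: it joins note entries to takedown entries and lists takedowns that have no recent Netcraft-authored note, a check an analyst might run before considering netcraft-escalate-takedown. The function names, the 48-hour threshold and the sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # documented format of Note.Time (UTC)


def parse_utc(value):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a timezone-aware UTC datetime."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def notes_by_takedown(takedowns, notes):
    """Map each takedown ID to the notes that apply to it."""
    result = {int(t["ID"]): [] for t in takedowns}
    for note in notes:
        group = int(note.get("GroupID") or 0)  # 0 means a single-takedown note
        for t in takedowns:
            # A non-zero GroupID attaches the note to every takedown in that group.
            in_group = group != 0 and int(t.get("GroupID") or 0) == group
            if in_group or int(note["TakedownID"]) == int(t["ID"]):
                result[int(t["ID"])].append(note)
    return result


def without_recent_netcraft_note(takedowns, notes, now, max_age_hours=48):
    """IDs of takedowns with no Netcraft-authored note newer than the cutoff."""
    cutoff = now - timedelta(hours=max_age_hours)  # threshold is an assumption
    quiet = []
    for tid, attached in notes_by_takedown(takedowns, notes).items():
        times = [parse_utc(n["Time"]) for n in attached if n["Author"] == "Netcraft"]
        if not times or max(times) < cutoff:
            quiet.append(tid)
    return sorted(quiet)


# Constructed sample records using the context field names documented on this page.
TAKEDOWNS = [{"ID": 1001, "GroupID": 1001}, {"ID": 1002, "GroupID": 1001},
             {"ID": 1003, "GroupID": ""}, {"ID": 1004, "GroupID": ""}]
NOTES = [
    {"TakedownID": 1001, "NoteID": 1, "GroupID": 1001, "Author": "Netcraft",
     "Note": "Hosting provider contacted.", "Time": "2024-05-02 09:00:00"},
    {"TakedownID": 1003, "NoteID": 2, "GroupID": 0, "Author": "analyst@example.com",
     "Note": "Still live.", "Time": "2024-05-02 10:00:00"},
    {"TakedownID": 1004, "NoteID": 3, "GroupID": 0, "Author": "Netcraft",
     "Note": "Registrar contacted.", "Time": "2024-04-28 08:00:00"},
]
NOW = datetime(2024, 5, 3, 12, 0, 0, tzinfo=timezone.utc)
```

With the sample data, takedown 1002 inherits the group note written against 1001, so only 1003 and 1004 are returned by `without_recent_netcraft_note(TAKEDOWNS, NOTES, NOW)`.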

netcraft-add-notes-to-takedown


Adds notes to an existing takedown.

Base Command

netcraft-add-notes-to-takedown

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| takedown_id | A valid takedown ID to add the note to. | Required |
| note | The text to add to the takedown. | Required |
| notify | Whether to notify Netcraft. Default is "true". Possible values are: True, False. | Optional |

Context Output

There is no context output for this command.

netcraft-escalate-takedown


Escalates a takedown.

Base Command

netcraft-escalate-takedown

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| takedown_id | The ID of the takedown to escalate. | Required |

Context Output

There is no context output for this command.