PhishLabs IOC DRP

This Integration is part of the PhishLabs Pack.#

This integration was integrated and tested with V1.0 of PhishLabs IOC DRP

Use Cases

Get cases by filters from PhishLabs DRP service
Get live incidents from PhishLabs DRP service

Detailed Description

PhishLabs Digital Risk Protection (DRP) is a solution that provides proactive detection and rapid mitigation of digital risks across:

email
domain
social media
mobile
dark
deep
open web vectors

Configure PhishLabs IOC DRP on Cortex XSOAR

Navigate to Settings > Integrations > Servers & Services .
Search for PhishLabs IOC DRP.
Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g. https://example.net)
- User
- Fetch incidents
- Incident type
- First fetch timestamp ( , e.g., 12 hours, 7 days)
- Fetch by date field
- Fetch limit (min 20)
- Trust any certificate (not secure)
- Use system proxy settings
Click Test to validate the new instance.

Fetch Incidents

Fetch incidents done by the following configuration:

Limit - limit amount of incidents by fetch
Date field - Date field to fetch incidents by - created/modified/closed
Time to fetch - date for starting collecting incidents (1 days ago, 1 hours ago etc)
Incident type

Incident data example:

  [
  {
    "name": "PhishLabs IOC - DRP: 12d329b7-13db-11ea-94e8-0ee0a3f3cb1c",
    "occurred": "2019-12-01T01:40:36Z",
    "rawJSON": {
      "caseId": "12d329b7-13db-11ea-94e8-0ee0a3f3cb1c",
      "title": "=? =?gb2312?Q?ted:_www.icloud.com.agona.cn?=",
      "description": "From: PhishLabs Security Operations \nSubject: =? =?gb2312?Q?ted:_www.icloud.com.agona.cn?=\n\n\r\n________________________________\r\nFrom: west263\r\nSent: Saturday, November 30, 2019 8:36:41 PM (UTC-05:00) Eastern Time (US & Canada)\r\nTo: PhishLabs Security Operations; not@domain.com; not@domain.com\r\nSubject: 回复：[PL-1405082] Malicious domain detected: www.icloud.com.agona.cn\r\n\r\n-- External email--\r\n\r\n\r\nThank you for allowing us an opportunity to assist you.\r\n\r\nWe have suspended our customer to use this domain. You can check it later.\r\n\r\nIf you have any questions, please do not hesitate to contact us. We look forward to assisting you.\r\n\r\nHave a wonderful day!\r\n\r\n\r\n\r\n------------------\r\n\r\nBest regards,\r\n\r\nLillian\r\n\r\n\r\n------------------ 原始邮件 ------------------\r\n\r\n发件人:  PhishLabs Security Operations;\r\n日  期:  2019-11-30 (星期六) 08:37:19\r\n收件人:  not@domain.com;not@domain.com;not@domain.com;\r\n主  题:  [PL-1405082] Malicious domain detected: www.icloud.com.agona.cn\r\n\r\n\r\nDuring an investigation of fraud, we discovered a domain(s) registered for the sole intent of malicious activity, which is being used to attack our client and their customers.\r\n\r\nWe have addressed this report to the responsible authoritative providers over this website who have the ability to disable the malicious content in question. This includes but is not limited to the hosting provider(s), nameserver, registrar and if applicable, the registry.  Based on your relationship to the content in question or services provided, please see our specific request below.\r\n\r\nThis threat has been active for at least 2.1 hours.\r\n\r\nhXXp www[.]icloud[.]com[.]agona[.]cn/ios/uy930glgr8yx54n4zkcw[.]asp?uy930glgr8yx54n4zkcw=\r\nhXXp www[.]icloud[.]com[.]agona[.]cn/ios/upvf7o4kon1kpt4vfy18[.]asp?upvf7o4kon1kpt4vfy18=\r\nhXXp www[.]icloud[.]com[.]agona[.]cn/ios/vweixhklbjw1t1ve3b4n[.]asp?vweixhklbjw1t1ve3b4n=\r\nhXXp www[.]icloud[.]com[.]agona[.]cn/an3n3abqqtkpuok9vw9c[.]asp?an3n3abqqtkpuok9vw9c\r\n\r\nFirst detection of malicious activity: 11-29-2019 22:26:17 UTC\r\nMost recent observation of malicious activity: 11-30-2019 00:35:06 UTC\r\nAssociated IP Addresses: 8.8.8.8\r\n\r\nEvidence of malicious content is provided below my signature.\r\n\r\n===   HOSTING  PROVIDER AND/OR WEBSITE OWNER    ===\r\nIf you agree that this is malicious, we kindly request that you take steps to have the content removed as soon as possible.  It is highly likely that the intruder who set up this phishing content has also left additional fraudulent material on this server such as illegitimate access points.\r\n\r\n===   REGISTRAR / REGISTRY   ===\r\nWe kindly request that this domain is placed on hold as soon as possible and all client related information sink holed. It is also very likely the registrant in question has registered various other domains through your service and it is suggested you investigate as you see fit.\r\n\r\n===   NAMESERVER, SOA   ===\r\nIf it is within your power, please consider disabling the routing to this domain to prevent further abuse to the public.\r\n\r\n===   CERT/CIRT, ETC.   ===\r\nIf you're able to assist in any means possible to see to the termination of this content, please do so.  Your local expertise and influence on this matter is critical to this effort.\r\n\r\nIf we have contacted you in error, or if there is a better way for us to report this incident, please let us know so that we may continue our investigation.\r\n\r\nWe are extremely grateful for your assistance.\r\n\r\nKind regards,\r\n\r\nYogender Chauhan\r\nPhishLabs Security Operations\r\n12023866001\r\nAvailable 24/7\r\n\r\n\r\nEvidence:\r\nPlease see attached screenshot.\r\n.\r\n\r\n[PL-1405082]\r\n\r\n\r\n ",
      "caseNumber": 1406220,
      "createdBy": {
        "id": "30c2e916-c72d-11e3-860e-002590387e36",
        "name": "soc.phishlabs",
        "displayName": "SOC PhishLabs"
      },
      "brand": "",
      "caseType": "Other",
      "resolutionStatus": "Accidental creation",
      "caseStatus": "Rejected",
      "dateCreated": "2019-12-01T01:37:02Z",
      "dateClosed": "2019-12-01T01:40:36Z",
      "dateModified": "2019-12-01T01:40:36Z",
      "customer": "PhishLabs",
      "attachments": [
        {
          "id": "12e5eeaa-13db-11ea-8247-0ad24386a0d6",
          "type": "Email",
          "description": "Source Email for case creation",
          "dateAdded": "2019-12-01T01:37:02Z",
          "fileName": "msg.oFAH.eml",
          "fileURL": "https://caseapi.phishlabs.com/v1/data/attachment/12e5eeaa-13db-11ea-8247-0ad24386a0d6"
        }
      ],
      "formReceiver": false,
      "brandAbuseFlag": false,
      "appDate": "0001-01-01T00:00:00Z",
      "primaryMarketplace": false
    }
  }
]

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Get cases by filters: phishlabs-ioc-drp-get-cases
Get case by ID: phishlabs-ioc-drp-get-case-by-id
Get open cases filters: phishlabs-ioc-drp-get-open-cases
Get closed cases by filters: phishlabs-ioc-drp-get-closed-cases

1. phishlabs-ioc-drp-get-cases

Get cases by filters

Base Command

phishlabs-ioc-drp-get-cases

Input

Argument Name	Description	Required
status	Filter cases based on the case status	Optional
case_type	Filter cases by case type	Optional
max_records	Maximum number of cases to return, default is 20, maximum is 200	Optional
offset	Paginate results used in conjunction with maxRecords.	Optional
date_field	Field to use to query using dateBegin and dateEnd parameters.	Optional
begin_date	Date query beginning date	Optional
end_date	Date query endining date	Optional
period	timestamp ( , e.g., 12 hours, 7 days)	Optional

Context Output

Path	Type	Description
PhishlabsIOC.DRP.CaseID	String	Case ID
PhishlabsIOC.DRP.Title	String	Case title
PhishlabsIOC.DRP.Description	String	Case description
PhishlabsIOC.DRP.CaseNumber	String	Case number
PhishlabsIOC.DRP.Resolution	String	Resolution
PhishlabsIOC.DRP.ResolutionStatus	String	Resolution status
PhishlabsIOC.DRP.CreatedBy.ID	String	Case creator ID
PhishlabsIOC.DRP.CreatedBy.Name	String	Case creator name
PhishlabsIOC.DRP.CreatedBy.DisplayName	String	Case creator display name
PhishlabsIOC.DRP.Brand	String	Brand reported in case
PhishlabsIOC.DRP.Email	String	Email of case creator
PhishlabsIOC.DRP.CaseType	String	Type of the case
PhishlabsIOC.DRP.CaseStatus	String	Status of the case
PhishlabsIOC.DRP.DateCreated	String	Case creation date
PhishlabsIOC.DRP.DateClosed	String	Case closing date
PhishlabsIOC.DRP.DateModified	String	Case modification date
PhishlabsIOC.DRP.Customer	String	Customer reporting the case
PhishlabsIOC.DRP.AttackSources.URL	String	URL of the attack source
PhishlabsIOC.DRP.AttackSources.UrlType	String	URL type of the attack source
PhishlabsIOC.DRP.AttackSources.IP	String	IP of the attack source
PhishlabsIOC.DRP.AttackSources.ISP	String	ISP of the attack source
PhishlabsIOC.DRP.AttackSources.Country	String	ISP of the attack source
PhishlabsIOC.DRP.AttackSources.TargetedBrands	String	Target brands of the attack source
PhishlabsIOC.DRP.AttackSources.FQDN	String	FQDN of the attack source
PhishlabsIOC.DRP.AttackSources.Domain	String	Domain of the attack source
PhishlabsIOC.DRP.AttackSources.IsMaliciousDomain	Boolean	Detect if domain of attack source is malicious
PhishlabsIOC.DRP.AttackSources.WhoIs.Registrant	String	URL of the registrant
PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Created	String	Creation date of the registration
PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Expires	String	Expiriation date of the registration
PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Updated	String	Update date of the registration
PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Registrar	String	Registrar of the URL
PhishlabsIOC.DRP.AttackSources.WhoIs.NameServers	String	Name servers of the URL
PhishlabsIOC.DRP.Attachments.ID	String	ID of case attachment
PhishlabsIOC.DRP.Attachments.Type	String	Type of case attachment
PhishlabsIOC.DRP.Attachments.Description	String	Description of case attachment
PhishlabsIOC.DRP.Attachments.DateAdded	String	Date adding of case attachment
PhishlabsIOC.DRP.Attachments.FileName	String	File name of case attachment
PhishlabsIOC.DRP.Attachments.FileURL	String	File URL of case attachment
PhishlabsIOC.DRP.ApplicationName	String	Application reported in the case
PhishlabsIOC.DRP.Platform	String	Platform reported in the case
PhishlabsIOC.DRP.Severity	String	Sevirity of DRP
PhishlabsIOC.DRP.Developer	String	Developer of the application reported
PhishlabsIOC.DRP.DeveloperWebsite	String	Developer website of the application reported
PhishlabsIOC.DRP.ApplicationDescription	String	Descripion of the application reported
PhishlabsIOC.DRP.Language	String	Language of the application reported
PhishlabsIOC.DRP.Phone	String	Phone number of case creator
PhishlabsIOC.DRP.Hardware	String	Hardware used by the application
PhishlabsIOC.DRP.AssociatedURLs.URL	String	URL of the attack source
PhishlabsIOC.DRP.AssociatedURLs.UrlType	String	URL type of the attack source
PhishlabsIOC.DRP.AssociatedURLs.TargetedBrands	String	Target brands of the attack source
PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registrant	String	URL of the registrant
PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Created	String	Creation date of the registration
PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Expires	String	Expiriation date of the registration
PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Updated	String	Update date of the registration
PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Registrar	String	Registrar of the URL
PhishlabsIOC.DRP.AssociatedURLs.WhoIs.NameServers	String	Name servers of the URL

Command Example

!phishlabs-ioc-drp-get-cases max_records=2

Context Example

{
    "PhishLabsIOC": {
        "DRP": [
            {
                "Attachments": [
                    {
                        "DateAdded": "2019-12-09T07:56:02Z",
                        "Description": "Source Email for case creation",
                        "FileName": "msg.mFAH.eml",
                        "FileURL": "https://caseapi.phishlabs.com/v1/data/attachment/",
                        "ID": "581ba28d-1a59-11ea-8247-0ad24386a0d6",
                        "Type": "Email"
                    }
                ],
                "CaseID": "5808ec5a-1a59-11ea-94e8-0ee0a3f3cb1c",
                "CaseNumber": 1417871,
                "CaseStatus": "Rejected",
                "CaseType": "Other",
                "CreatedBy": {
                    "DisplayName": "SOC PhishLabs",
                    "ID": "30c2e916",
                    "Name": "soc.phishlabs"
                },
                "Customer": "PhishLabs",
                "DateClosed": "2019-12-09T08:01:34Z",
                "DateCreated": "2019-12-09T07:56:01Z",
                "DateModified": "2019-12-09T08:01:34Z",
                "Description": "From: ",
                "ResolutionStatus": "Accidental creation",
                "Title": "=?gb2312?B?"
            },
            {
                "Attachments": [
                    {
                        "DateAdded": "2019-12-09T07:46:02Z",
                        "Description": "Source Email for case creation",
                        "FileName": "msg.fKAH.eml",
                        "FileURL": "https://caseapi.phishlabs.com/v1/data/",
                        "ID": "f24c36a6",
                        "Type": "Email"
                    }
                ],
                "CaseID": "f239fe62",
                "CaseNumber": 1417866,
                "CaseStatus": "Rejected",
                "CaseType": "Other",
                "CreatedBy": {
                    "DisplayName": "SOC PhishLabs",
                    "ID": "30c2e916",
                    "Name": "soc.phishlabs"
                },
                "Customer": "PhishLabs",
                "DateClosed": "2019-12-09T07:49:11Z",
                "DateCreated": "2019-12-09T07:46:01Z",
                "DateModified": "2019-12-09T07:49:11Z",
                "Description": "From: ",
                "ResolutionStatus": "Accidental creation",
                "Title": "=?gb231"
            }
        ]
    }
}

Human Readable Output