urlscan.io
This Integration is part of the URLScan.io Pack.
Use the urlscan.io integration to perform scans on suspected URLs and see their reputation.
Configure urlscan.io on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for urlscan.io.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g. https://urlscan.io/api/v1/)
- API Key (needed only for submitting URLs for scanning)
- Scan Visibility: Determines the visibility level of the scan. This will override the 'public submissions' setting.
- Source Reliability: Reliability of the source providing the intelligence data. (The default value is C - Fairly reliable)
- Scan Country: Specify which country the scan should be performed from. If you omit this value, urlscan will try to do automatic country detection based on the TLD of the URL, GeoIP information of the server and of the user.
- Trust any certificate (not secure)
- Use system proxy settings
- URL Threshold: Minimum number of positive results from urlscan.io to consider the URL malicious.
- User Agent: User Agent used during scans with this integration.
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Search for indicators: urlscan-search
- (Deprecated) Submit a URL: urlscan-submit
- Submit a URL (specify the "using" argument): url
1. Search for indicators
Search for an indicator that is related to previous urlscan.io scans.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
Base Command
urlscan-search
Input
Argument Name | Description | Required |
---|---|---|
searchParameter | Enter a parameter to search as a string (IP, File name, sha256, url, domain) | Required |
searchType | Allows querying multiple search parameters | Optional |
Context Output
Path | Description |
---|---|
URLScan.URL | Bad URLs found |
URLScan.Domain | Domain of the URL scanned |
URLScan.ASN | ASN of the URL scanned |
URLScan.IP | IP of the URL scanned |
URLScan.ScanID | Scan ID for the URL scanned |
URLScan.ScanDate | Latest scan date for the URL |
URLScan.Hash | SHA-256 of file scanned |
URLScan.FileName | Filename of the file scanned |
URLScan.FileSize | File size of the file scanned |
URLScan.FileType | File type of the file scanned |
Command Example
!urlscan-search searchParameter=8.8.8.8
!urlscan-search searchType=advanced searchParameter="filename:logo.png AND date:>now-24h"
2. (Deprecated) Submit a URL directly to urlscan.io
Submits a URL to urlscan.io.
This command is deprecated, but will still work if it is used in a playbook.
Base Command
urlscan-submit
Input
Argument Name | Description | Required |
---|---|---|
url | URL to scan | Required |
timeout | How many seconds to wait for the scan ID result. Default is 30 seconds. | Optional |
public | Whether the submission will be public or private | Optional |
useragent | User Agent used to perform scans | Optional |
scan_visibility | The submission visibility. If specified, overrides the 'public' parameter | Optional |
Context Output
Path | Description |
---|---|
URLScan.URLs | URLs related to the scanned URL |
URLScan.RelatedIPs | IPs related to the scanned URL |
URLScan.RelatedASNs | ASNs related to the scanned URL |
URLScan.Countries | Countries associated with the scanned URL |
URLScan.relatedhashes | IOCs found for the scanned URL |
URLScan.Subdomains | Associated subdomains for the scanned URL |
URLScan.ASN | ASN of the URL scanned |
URLScan.Data | URL of the file found |
URLScan.Malicious.Vendor | Vendor reporting the malicious indicator for the file |
URLScan.Malicious.Description | Description of the malicious indicator |
URLScan.File.Hash | SHA256 of file found |
URLScan.File.FileName | File name of file found |
URLScan.File.FileType | File type of the file found |
URLScan.File.Hostname | URL where the file was found |
URLScan.Certificates | Certificates found for the scanned URL |
Command Example
!urlscan-submit url=http://www.github.com/
3. Submit a URL (specify using urlscan.io)
Submit a URL to scan and specify the using argument as urlscan.io.
Base Command
url
Input
Argument Name | Description | Required |
---|---|---|
url | URL to scan | Required |
timeout | How many seconds to wait for the scan ID result. Default is 30 seconds. | Optional |
public | Whether the submission will be public or private | Optional |
retries | Number of retries if the API rate limit is reached. This argument is optional, but if you specify this argument, you need to specify the wait argument. | Optional |
wait | Time interval (in seconds) between retries, if the API rate limit is reached. This argument is optional, but if you specify the retries argument, you need to specify this argument. | Optional |
useragent | User Agent used to perform scans | Optional |
scan_visibility | The submission visibility. If specified, overrides the 'public' parameter | Optional |
use_url_as_name | Whether to use the URL as the screenshot name. Default is false, which sets the screenshot name to screenshot.png | Optional |
Context Output
Path | Description |
---|---|
URLScan.URLs | URLs related to the scanned URL |
URLScan.RelatedIPs | IPs related to the URL scanned |
URLScan.RelatedASNs | ASNs related to the scanned URL |
URLScan.Countries | Countries associated with the scanned URL |
URLScan.relatedhashes | IOCs found for the scanned URL |
URLScan.Subdomains | Associated sub-domains for the scanned URL |
URLScan.ASN | ASN of the scanned URL |
URLScan.Data | URL of the file found |
URLScan.Malicious.Vendor | Vendor reporting the malicious indicator for the file |
URLScan.Malicious.Description | Description of the malicious indicator |
URLScan.File.Hash | SHA-256 of file found |
URLScan.File.FileName | File name of file found |
URLScan.File.FileType | File type of the file found |
URLScan.File.Hostname | URL where the file was found |
URLScan.Certificates | Certificates found for the scanned URL |
URLScan.RedirectedURLS | Redirected URLs from the URL scanned |
URLScan.EffectiveURL | Effective URL of the original URL |
URL.ASN | The URL ASN. |
URL.FeedRelatedIndicators.value | Indicators that are associated with the URL. |
URL.FeedRelatedIndicators.type | The type of the indicators that are associated with the URL. |
URL.Geo.Country | The URL country. |
URL.ASOwner | The URL AS owner. |
URL.Tags | Tags that are associated with the URL. |
Command Example
!url url=http://www.github.com/ using="urlscan.io"
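The argument rules documented for the url command (scan_visibility overriding public, retries and wait required together) can be checked before anything is submitted. The following is an added example, not code from the integration: the function names are hypothetical, and the precedence of the command argument over the instance parameter, the "true"/"false" encoding of public, the private fallback, and the refusal of public scans for URLs with userinfo or a query string are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# urlscan.io Submission API visibility levels.
VISIBILITIES = ("public", "unlisted", "private")


def resolve_visibility(args, instance_visibility=None):
    """Visibility that applies to one submission, most specific setting first."""
    # Assumed precedence: command scan_visibility, then the instance's
    # Scan Visibility parameter, then the legacy 'public' argument.
    for candidate in (args.get("scan_visibility"), instance_visibility):
        if candidate:
            if candidate not in VISIBILITIES:
                raise ValueError(f"unknown visibility {candidate!r}")
            return candidate
    # Assumption: 'public' arrives as the string "true" or "false".
    # Local choice: fall back to private when nothing asks for public.
    return "public" if str(args.get("public", "")).lower() == "true" else "private"


def retry_plan(args):
    """Return (retries, wait_seconds); the page requires both or neither."""
    if ("retries" in args) != ("wait" in args):
        raise ValueError("retries and wait must be specified together")
    retries, wait = int(args.get("retries", 0)), int(args.get("wait", 0))
    if retries < 0 or wait < 0:
        raise ValueError("retries and wait must not be negative")
    return retries, wait


def preflight(args, instance_visibility=None):
    """Validate url-command arguments and describe the submission to be made."""
    visibility = resolve_visibility(args, instance_visibility)
    parts = urlsplit(args["url"])
    # Userinfo or a query string may carry credentials or tokens that a
    # public scan would expose to anyone searching urlscan.io.
    sensitive = bool(parts.username or parts.password or parts.query)
    if visibility == "public" and sensitive:
        raise ValueError("URL carries userinfo or a query string; use unlisted or private")
    retries, wait = retry_plan(args)
    return {"url": args["url"], "visibility": visibility,
            "retries": retries, "wait": wait}
```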