urlscan.io
This Integration is part of the URLScan.io Pack.#
Use urlscan.io integration to perform scans on suspected urls and see their reputation.
Configure urlscan.io on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services .
- Search for urlscan.io.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g. https://urlscan.io/api/v1/ )
- API Key (needed only for submitting URLs for scanning)
- Scan Visibility : Determines the visibility level of the scan. This will override the 'public submissions' setting.
- Source Reliability. Reliability of the source providing the intelligence data. (The default value is C - Fairly reliable)
- Trust any certificate (not secure)
- Use system proxy settings
- URL Threshold. Minimum number of positive results from urlscan.io to consider the URL malicious.
- User Agent : User Agent used during scans with this integration.
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Search for indicators: urlscan-search
- (Deprecated) Submit a URL: urlscan-submit
- Submit a URL (specify the "using" argument): url
1. Search for indicators
Search for an indicator that is related to previous urlscan.io scans.
Base Command
urlscan-search
Input
| Argument Name | Description | Required |
|---|---|---|
| searchParameter | Enter a parameter to search as a string (IP, File name, sha256, url, domain) | Required |
| searchType | Allows querying multiple search parameters | Optional |
Context Output
| Path | Description |
|---|---|
| URLScan.URL | Bad URLs found |
| URLScan.Domain | Domain of the URL scanned |
| URLScan.ASN | ASN of the URL scanned |
| URLScan.IP | IP of the url scanned |
| URLScan.ScanID | Scan ID for the URL scanned |
| URLScan.ScanDate | Latest scan date for the URL |
| URLScan.Hash | SHA-256 of file scanned |
| URLScan.FileName | Filename of the file scanned |
| URLScan.FileSize | File size of the file scanned |
| URLScan.FileType | File type of the file scanned |
Command Example
!urlscan-search searchParameter=8.8.8.8
!urlscan-search searchType=advanced searchParameter="filename:logo.png AND date:>now-24h"
2. (Deprecated) Submit a URL directly to urlscan.io
Submits a URL to urlscan.io.
This command is deprecated, but will still work if it is used in a playbook.
Base Command
urlscan-submit
Input
| Argument Name | Description | Required |
|---|---|---|
| url | URL to scan | Required |
| timeout | How many seconds to wait to the scan id result. Default is 30 seconds. | Optional |
| public | Will the submission be public or private | Optional |
| useragent | User Agent used to perform scans | Optional |
| scan_visibility | The submission visibility. If specified, overrides the 'public' parameter | Optional |
Context Output
| Path | Description |
|---|---|
| URLScan.URLs | URLs related to the scanned URL |
| URLScan.RelatedIPs | IPs related to the scanned URL |
| URLScan.RelatedASNs | ASNs related to the scanned URL |
| URLScan.Countries | Countries associated with the scanned URL |
| URLScan.relatedhashes | IOCs found for the scanned URL |
| URLScan.Subdomains | Associated subdomains for the url scanned |
| URLScan.ASN | ASN of the URL scanned |
| URLScan.Data | URL of the file found |
| URLScan.Malicious.Vendor | Vendor reporting the malicious indicator for the file |
| URLScan.Malicious.Description | Description of the malicious indicator |
| URLScan.File.Hash | SHA256 of file found |
| URLScan.File.FileName | File name of file found |
| URLScan.File.FileType | File type of the file found |
| URLScan.File.Hostname | URL where the file was found |
| URLScan.Certificates | Certificates found for the scanned URL |
Command Example
!urlscan-submit url=http://www.github.com/
3. Submit a URL (specify using urlscan.io)
Submit a URL to scan and specify the using argument as urlscan.io.
Base Command
url
Input
| Argument Name | Description | Required |
|---|---|---|
| url | URL to scan | Required |
| timeout | How many seconds to wait for the scan ID result. Default is 30 seconds. | Optional |
| public | Whether the submission will be public or private | Optional |
| retries | Number of retries if the API rate limit is reached. This argument is optional, but if you specify this argument, you need to specify the wait argument. | Optional |
| wait | Time interval (in seconds) between retries, if the API rate limit is reached. This argument is optional, but if you specify the retries argument, you need to specify this argument. | Optional |
| useragent | User Agent used to perform scans | Optional |
| scan_visibility | The submission visibility. If specified, overrides the 'public' parameter | Optional |
| use_url_as_name | Whether to use the URL as the screenshot name. Default is false which sets screenshot name to screenshot.png | Optional |
Context Output
| Path | Description |
|---|---|
| URLScan.URLs | URLs related to the scanned URL |
| URLScan.RelatedIPs | IPs related to the URL scanned |
| URLScan.RelatedASNs | ASNs related to the scanned URL |
| URLScan.Countries | Countries associated with the scanned URL |
| URLScan.relatedhashes | IOCs found for the scanned URL |
| URLScan.Subdomains | Associated sub-domains for the scanned URL |
| URLScan.ASN | ASN of the scanned URL |
| URLScan.Data | URL of the file found |
| URLScan.Malicious.Vendor | Vendor reporting the malicious indicator for the file |
| URLScan.Malicious.Description | Description of the malicious indicator |
| URLScan.File.Hash | SHA-256 of file found |
| URLScan.File.FileName | File name of file found |
| URLScan.File.FileType | File type of the file found |
| URLScan.File.Hostname | URL where the file was found |
| URLScan.Certificates | Certificates found for the scanned URL |
| URLScan.RedirectedURLS | Redirected URLs from the URL scanned |
| URLScan.EffectiveURL | Effective URL of the original URL |
| URL.ASN | The URL ASN. |
| URL.FeedRelatedIndicators.value | Indicators that are associated with the URL. |
| URL.FeedRelatedIndicators.type | The type of the indicators that are associated with the URL. |
| URL.Geo.Country | The URL country. |
| URL.ASOwner | The URL AS owner. |
| URL.Tags | Tags that are associated with the URL. |
Command Example
!url url=http://www.github.com/Â using="urlscan.io"