# url-enrichment

This script is part of the Aggregated Scripts Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

This script gathers URL reputation data from multiple integrations and returns a "URLEnrichment" object with consolidated information in the context output.

## Script Data

| Name | Description |
| --- | --- |
| Script Type | python3 |
| Tags | basescript |
| Cortex XSOAR Version | 6.10.0 |

## Inputs

| Argument Name | Description |
| --- | --- |
| `url_list` | Accepts a list of URLs to enrich.<br>- From CLI: provide a comma-separated list. If a URL itself contains a comma, wrap the URLs in a JSON array, for example: `["https://example.com/search?tags=red,yellow,green", "https://example2.com"]`.<br>- From Context: pass JSON arrays directly, without modification. |
| `external_enrichment` | Whether to call external integrations for enrichment.<br>- `true`: enrich using enabled external integrations (e.g., VirusTotal (API v3), AlienVault OTX v2).<br>- `false`: use only existing TIM data; skip external integrations.<br>If the `brands` argument is provided, this flag is ignored and enrichment runs only on the brands provided. |
| `verbose` | Retrieve a human-readable entry for each command. If `false`, only the final result is summarized and errors are suppressed. |
| `brands` | A list of integration brands to run enrichment against. Example: `"VirusTotal (API v3), AlienVault OTX v2"`.<br>- If provided, only the selected brands are used.<br>- If left empty, the script runs enrichment on all enabled integrations, depending on the `external_enrichment` flag.<br>To see the available brands for the `url` command, run: `!ProvidesCommand command=url`. |
| `additional_fields` | When set to `true`, the output includes an `AdditionalFields` object for each indicator result. `AdditionalFields` contains all fields returned by TIM or the integrations that are not part of the standard output keys: `Data`, `DetectionEngines`, `PositiveDetections`, `Score`, and `Brand`. When set to `false`, only the standard keys are returned. |

## Outputs

| Path | Description | Type |
| --- | --- | --- |
| URLEnrichment.Value | The URL. | string |
| URLEnrichment.MaxScore | The maximum score across all indicators found. | number |
| URLEnrichment.MaxVerdict | The verdict corresponding to the maximum score across all indicators found. | string |
| URLEnrichment.Results | List of all indicators found for the URL. | array |
| URLEnrichment.TIMScore | The TIM score of the URL. | number |
| URLEnrichment.Status | The status of the indicator: "Manual" if the score was changed manually, "Fresh" if modified within the last week, "Stale" if modified more than a week ago, and "None" if never modified. | string |
| URLEnrichment.ModifiedTime | The time the indicator was last modified. | date |
| URLEnrichment.Results.Brand | The brand of the indicator. | string |
| URLEnrichment.Results.Score | The score of the indicator. | number |
| URLEnrichment.Results.Verdict | The verdict of the indicator. | string |
| URLEnrichment.Results.DetectionEngines | The number of detection engines that scanned the indicator. | number |
| URLEnrichment.Results.PositiveDetections | The number of positive detections for the indicator. | number |
| URLEnrichment.Results.Data | The URL itself. | string |
| URLEnrichment.Results.AdditionalFields | All fields extracted from the indicator other than the main keys ("Brand", "Score", "Verdict", "DetectionEngines", "PositiveDetections", "Data"). | object |
| URLEnrichment.Results.AdditionalFields.Relationships.EntityA | The source of the relationship. | string |
| URLEnrichment.Results.AdditionalFields.Relationships.EntityB | The destination of the relationship. | string |
| URLEnrichment.Results.AdditionalFields.Relationships.Relationship | The name of the relationship. | string |
| URLEnrichment.Results.AdditionalFields.Relationships.EntityAType | The type of the source of the relationship. | string |
| URLEnrichment.Results.AdditionalFields.Relationships.EntityBType | The type of the destination of the relationship. | string |
| URLEnrichment.Results.AdditionalFields.Category | The category associated with the indicator. | string |
| URLEnrichment.Results.AdditionalFields.Malicious.Vendor | The vendor reporting the URL as malicious. | string |
| URLEnrichment.Results.AdditionalFields.Malicious.Description | A description of the malicious URL. | string |
| URLEnrichment.Results.AdditionalFields.Tags | (List) Tags of the URL. | unknown |
| URLEnrichment.Results.AdditionalFields.FeedRelatedIndicators.value | Indicators that are associated with the URL. | string |
| URLEnrichment.Results.AdditionalFields.FeedRelatedIndicators.type | The type of the indicators that are associated with the URL. | string |
| URLEnrichment.Results.AdditionalFields.FeedRelatedIndicators.description | The description of the indicators that are associated with the URL. | string |
| URLEnrichment.Results.AdditionalFields.MalwareFamily | The malware family associated with the URL. | string |
| URLEnrichment.Results.AdditionalFields.Port | Ports that are associated with the URL. | string |
| URLEnrichment.Results.AdditionalFields.Internal | Whether the URL is internal or external. | bool |
| URLEnrichment.Results.AdditionalFields.Campaign | The campaign associated with the URL. | string |
| URLEnrichment.Results.AdditionalFields.TrafficLightProtocol | The Traffic Light Protocol (TLP) color that is suitable for the URL. | string |
| URLEnrichment.Results.AdditionalFields.ThreatTypes.threatcategory | The threat category assigned to this indicator by the source vendor, for example Phishing, Control, or TOR. | string |
| URLEnrichment.Results.AdditionalFields.ThreatTypes.threatcategoryconfidence | The confidence level provided by the vendor for the threat category. For example, a confidence of 90 for the threat category 'malware' means the vendor rates it as 90% likely to be malware. | string |
| URLEnrichment.Results.AdditionalFields.ASN | The autonomous system number for the URL, for example 'AS8948'. | string |
| URLEnrichment.Results.AdditionalFields.ASOwner | The autonomous system owner of the URL. | string |
| URLEnrichment.Results.AdditionalFields.GeoCountry | The country in which the URL is located. | string |
| URLEnrichment.Results.AdditionalFields.Organization | The organization of the URL. | string |
| URLEnrichment.Results.AdditionalFields.CommunityNotes.note | Notes on the URL that were given by the community. | string |
| URLEnrichment.Results.AdditionalFields.CommunityNotes.timestamp | The time at which the note was published. | date |
| URLEnrichment.Results.AdditionalFields.Publications.source | The source in which the article was published. | string |
| URLEnrichment.Results.AdditionalFields.Publications.title | The name of the article. | string |
| URLEnrichment.Results.AdditionalFields.Publications.link | A link to the original article. | string |
| URLEnrichment.Results.AdditionalFields.Publications.timestamp | The time at which the article was published. | date |
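As an added illustration (not the script's own code) of how the inputs and outputs above fit together, the following Python shows the `url_list` parsing rules, the `Status` rule from the Outputs table, and how per-brand results roll up into `MaxScore` and `MaxVerdict`. The score-to-verdict labels and the sample brand results are assumptions constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed score-to-verdict labels (DBotScore scale 0-3); the page does not
# list the verdict strings, so these names are illustrative only.
VERDICTS = {0: "Unknown", 1: "Benign", 2: "Suspicious", 3: "Malicious"}

# Constructed sample input: two brand results for one URL (not real vendor output).
SAMPLE_RESULTS = [
    {"Brand": "VirusTotal (API v3)", "Score": 3, "DetectionEngines": 90,
     "PositiveDetections": 12, "Data": "https://example.com/x"},
    {"Brand": "AlienVault OTX v2", "Score": 1, "DetectionEngines": 1,
     "PositiveDetections": 0, "Data": "https://example.com/x"},
]

def parse_url_list(arg):
    """url_list as the page describes it: a ready list (from context), a JSON
    array string (needed when a URL itself contains commas), or a CLI
    comma-separated string."""
    if isinstance(arg, list):
        return [str(u).strip() for u in arg]
    text = arg.strip()
    if text.startswith("["):
        return [str(u).strip() for u in json.loads(text)]
    return [u.strip() for u in text.split(",") if u.strip()]

def indicator_status(modified_time, manually_set, now=None):
    """Status rule from the Outputs table: Manual, else Fresh (modified within
    the last week), Stale (older), or None (never modified)."""
    if manually_set:
        return "Manual"
    if modified_time is None:
        return "None"
    now = now or datetime.now(timezone.utc)
    return "Fresh" if now - modified_time <= timedelta(days=7) else "Stale"

def consolidate(url, results, tim_score=None, modified_time=None,
                manually_set=False, now=None):
    """Assemble the URLEnrichment object: per-brand Results plus the max score/verdict."""
    max_score = max((r["Score"] for r in results), default=0)
    return {
        "Value": url,
        "MaxScore": max_score,
        "MaxVerdict": VERDICTS.get(max_score, "Unknown"),
        "TIMScore": tim_score,
        "Status": indicator_status(modified_time, manually_set, now),
        "ModifiedTime": modified_time.isoformat() if modified_time else None,
        "Results": [dict(r, Verdict=VERDICTS.get(r["Score"], "Unknown")) for r in results],
    }
```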