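# Integration manifest for CheckPhish: instance parameters, the two URL
# commands and the context outputs they document. The Python code is not in
# this file (`script: '-'` below is a placeholder).
category: Data Enrichment & Threat Intelligence
commonfields:
  id: CheckPhish
  version: -1
configuration:
# Scan endpoint. URLs passed to the commands are presumably submitted to this
# third-party service, so query strings that carry session tokens or personal
# data would leave the environment with them - confirm against the code.
- defaultvalue: https://developers.checkphish.ai/api/neo/scan
  display: CheckPhish API URL
  name: url
  required: false
  type: 0
# Legacy encrypted token field (type 4), hidden from the instance form.
- display: API Token
  name: token
  required: false
  type: 4
  hidden: true
# Credentials field (type 9) with the username hidden, so only the API token
# is entered. Neither token parameter is required; what happens when both are
# empty is decided by the integration code, which is not shown here.
- displaypassword: API Token
  name: credentials_api_token
  required: false
  hiddenusername: true
  type: 9
# The three disposition lists below map CheckPhish labels to verdicts. Every
# list offers the same ten labels, so "phish", "likely_phish" and "scam" can
# be selected as Good, and "clean" (the stated default) is not an option.
# Nothing in this file stops one label being chosen in more than one list;
# precedence is decided in the integration code. Review these selections
# after any change so a phishing label is not mapped to a benign verdict.
- display: 'Good Dispositions (CheckPhish labels for non-phishing URLs. Default is "clean")'
  name: good_disp
  options:
  - adult
  - cryptojacking
  - drug_spam
  - gambling
  - hacked_website
  - likely_phish
  - phish
  - scam
  - streaming
  - suspicious
  required: false
  type: 16
- display: 'Suspicious dispositions (CheckPhish labels for suspicious phishing URLs). Default is "drug_spam", "gambling", "hacked_website", "streaming", "suspicious"'
  name: susp_disp
  options:
  - adult
  - cryptojacking
  - drug_spam
  - gambling
  - hacked_website
  - likely_phish
  - phish
  - scam
  - streaming
  - suspicious
  required: false
  type: 16
- display: 'Bad dispositions (CheckPhish labels for phishing URLs). Defaults are "cryptojacking", "phish", "likely_phish", "scam".'
  name: bad_disp
  options:
  - adult
  - cryptojacking
  - drug_spam
  - gambling
  - hacked_website
  - likely_phish
  - phish
  - scam
  - streaming
  - suspicious
  required: false
  type: 16
# Reliability rating attached to the verdicts (see DBotScore.Reliability).
- additionalinfo: Reliability of the source providing the intelligence data.
  defaultvalue: B - Usually reliable
  display: Source Reliability
  name: integrationReliability
  options:
  - A+ - 3rd party enrichment
  - A - Completely reliable
  - B - Usually reliable
  - C - Fairly reliable
  - D - Not usually reliable
  - E - Unreliable
  - F - Reliability cannot be judged
  required: true
  type: 15
# Turns off TLS certificate validation for calls to the API. With it enabled,
# an on-path party could read the API token and alter the returned
# dispositions; leave it unchecked outside of testing.
- display: Trust any certificate (not secure)
  name: insecure
  required: false
  type: 8
- display: Use system proxy settings
  name: proxy
  required: false
  type: 8
description: Check any URL to detect suspicious behavior.
display: CheckPhish
name: CheckPhish
script:
  commands:
  # Vendor-specific command: takes a CSV list of URLs.
  - arguments:
    - default: false
      description: A CSV list of URLs to check.
      isArray: true
      name: url
      required: true
      secret: false
    deprecated: false
    description: Checks URLs against the CheckPhish database and returns the results.
    execution: false
    name: CheckPhish-check-urls
    outputs:
    - contextPath: CheckPhish.URL.url
      description: URL that was submitted.
      type: String
    - contextPath: CheckPhish.URL.status
      description: CheckPhish job status of the URL.
      type: String
    - contextPath: CheckPhish.URL.jobID
      description: CheckPhish jobID that was assigned to the URL when it was submitted.
      type: String
    - contextPath: CheckPhish.URL.disposition
      description: The CheckPhish category (disposition) of the URL.
      type: String
    - contextPath: CheckPhish.URL.brand
      description: The brand (attack target) countered by the URL.
      type: String
    - contextPath: DBotScore.Indicator
      description: The indicator that was tested.
      type: String
    - contextPath: DBotScore.Type
      description: The indicator type.
      type: String
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the score.
      type: String
    - contextPath: DBotScore.Score
      description: The actual score.
      type: Number
    - contextPath: DBotScore.Reliability
      description: Reliability of the source providing the intelligence data.
      type: String
    - contextPath: URL.Data
      description: URL that was submitted.
      type: String
    - contextPath: URL.Malicious.Vendor
      description: CheckPhish.
      type: String
    - contextPath: URL.Malicious.Description
      description: The brand (attack target) countered by the URL.
      type: String
  # Generic `url` command; it documents the same context outputs as
  # CheckPhish-check-urls, and `url` is its default argument.
  - arguments:
    - default: true
      description: URL to query.
      isArray: true
      name: url
      required: true
      secret: false
    deprecated: false
    description: Retrieves URL information from CheckPhish.
    execution: false
    name: url
    outputs:
    - contextPath: CheckPhish.URL.url
      description: URL that was submitted.
      type: String
    - contextPath: CheckPhish.URL.status
      description: CheckPhish job status of the URL.
      type: String
    - contextPath: CheckPhish.URL.jobID
      description: CheckPhish jobID that was assigned to the URL when it was submitted.
      type: String
    - contextPath: CheckPhish.URL.disposition
      description: The CheckPhish category (disposition) of the URL.
      type: String
    - contextPath: CheckPhish.URL.brand
      description: The brand (attack target) countered by the URL.
      type: String
    - contextPath: DBotScore.Indicator
      description: The indicator that was tested.
      type: String
    - contextPath: DBotScore.Type
      description: The indicator type.
      type: String
    - contextPath: DBotScore.Vendor
      description: The vendor used to calculate the score.
      type: String
    - contextPath: DBotScore.Score
      description: The actual score.
      type: Number
    - contextPath: DBotScore.Reliability
      description: Reliability of the source providing the intelligence data.
      type: String
    - contextPath: URL.Data
      description: URL that was submitted.
      type: String
    - contextPath: URL.Malicious.Vendor
      description: CheckPhish.
      type: String
    - contextPath: URL.Malicious.Description
      description: The brand (attack target) countered by the URL.
      type: String
  isfetch: false
  runonce: false
  # Placeholder: the integration code is kept outside this manifest.
  script: '-'
  type: python
  subtype: python3
  # Image is pinned by tag rather than digest; it does not pick up later
  # base-image fixes until the tag is bumped.
  dockerimage: demisto/python3:3.10.12.63474
fromversion: 5.0.0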