Use the CheckPhish integration to check URLs for threats.

Configure CheckPhish on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for CheckPhish.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • CheckPhish API URL
    • API Token
    • Good Dispositions (CheckPhish labels for non-phishing URLs. Default is "clean")
    • Suspicious dispositions (CheckPhish labels for suspicious phishing URLs). Default is "drug_spam", "gambling", "hacked_website", "streaming", "suspicious"
    • Bad dispositions (CheckPhish labels for phishing URLs). Defaults are "cryptojacking", "phish", "likely_phish", "scam".
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. CheckPhish-check-urls

1. CheckPhish-check-urls

Checks URLs against the CheckPhish database and returns the results.

Base Command


Argument Name Description Required
url A CSV list of URLs to check. Required

Context Output
Path Type Description
CheckPhish.URL.url String URL that was submitted.
CheckPhish.URL.status String CheckPhish job status of the URL.
CheckPhish.URL.jobID String CheckPhish jobID that was assigned to the URL when it was submitted.
CheckPhish.URL.disposition String The CheckPhish category (disposition) of the URL.
CheckPhish.URL.brand String The brand (attack target) countered by the URL.
DBotScore.Score Number DBot score.
DBotScore.Type String Indicator type that was tested.
DBotScore.Vendor String Vendor that provided the DBot score.
DBotScore.Indicator String Indicator that CheckPhish tested.
URL.Data String URL that was submitted.
URL.Malicious.Vendor String CheckPhish.
URL.Malicious.Description String The brand (attack target) countered by the URL.

Command Example
Context Example
  "CheckPhish.URL(val.Data && val.Data == obj.Data)": {
    "brand": "unknown",
    "disposition": "clean",
    "jobID": "6d7e9671-29a9-4012-9700-8866f4887f92",
    "status": "DONE",
    "url": ""
  "DBotScore": {
    "Indicator": "",
    "Score": 1,
    "Type": "url",
    "Vendor": "CheckPhish"
  "URL(val.Data \u0026\u0026 val.Data == obj.Data)": {
    "Data": ""
Human Readable Output

CheckPhish reputation for

url disposition brand status jobID clean unknown DONE 6d7e9671-29a9-4012-9700-8866f4887f92