PhishLabs IOC

PhishLabs’ three 24/7 Security Operations Centers enables enterprise security teams to rapidly detect and respond to the email-based threats that reach the inboxes of end users.

In Demisto, PhishLabs IOC can be used to retrieve indicators from the global feed or fetch email based incidents from the user feed.

PhishLabs IOC Playbooks

image
image

Use Cases

  1. Retrieve and populate indicators from the PhishLabs IOC global feed
  2. Fetch and retrieve indicators for email based incidents in the PhishLabs IOC user feed

Configure PhishLabs IOC on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for PhishLabs IOC.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g., https://ioc.phishlabs.com)
    • Credentials
    • Trust any certificate (not secure)
    • Use system proxy settings
    • Fetch incidents
    • Fetch for this time period, e.g., “1d”, “1h”, “10m”. The default is 1h.
    • Number of incidents to fetch each time
    • Incident type
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Get the global IOC feed


Retrieves the global IOC feed from PhishLabs.

Base Command

phishlabs-global-feed

Input
Argument Name Description Required
since Duration (from now) for which to pull updated data, for example, “1d”, “1h” or “10m”. Optional
limit Maximum number of results to return. Optional
indicator_type Filter the data by indicator type. Optional
remove_protocol Removes the protocol part from indicators, when the rule can be applied. Optional
remove_query Removes the query string part from indicators, when the rules can be applied. Optional
false_positive Whether the indicator is a false positive. Optional

Context Output
Path Type Description
URL.Data String URL address.
URL.Malicious.Vendor String Vendor reporting the malicious status.
URL.Malicious.Description String Description of the malicious URL.
PhishLabs.URL.Data String URL address.
PhishLabs.URL.ID String URL PhishLabs ID.
PhishLabs.URL.CreatedAt Date URL creation time, in PhishLabs.
PhishLabs.URL.UpdatedAt Date URL update time, in PhishLabs.
PhishLabs.URL.Attribute.Name String URL attribute name.
PhishLabs.URL.Attribute.Value String URL attribute value.
PhishLabs.URL.Attribute.CreatedAt Date URL attribute creation time.
PhishLabs.URL.FalsePositive Boolean Whether this URL is a false positive.
Domain.Name String Domain name.
Domain.Malicious.Vendor String Vendor reporting the malicious status.
Domain.Malicious.Description String Description of the malicious domain.
PhishLabs.Domain.Name String Domain name.
PhishLabs.Domain.ID String Domain PhishLabs ID.
PhishLabs.Domain.CreatedAt Date Domain creation time, in PhishLabs.
PhishLabs.Domain.UpdatedAt Date Domain update time, in PhishLabs.
PhishLabs.Domain.Attribute.Name String Domain attribute name.
PhishLabs.Domain.Attribute.Value String Domain attribute value.
PhishLabs.Domain.Attribute.CreatedAt Date Domain attribute creation time.
PhishLabs.Domain.FalsePositive Boolean Whether this domain is a false positive.
File.Name String Full filename.
File.MD5 String MD5 hash of the file.
File.Type String File type.
PhishLabs.File.ID String File PhishLabs ID.
PhishLabs.File.Name String Full filename.
PhishLabs.File.MD5 String MD5 hash of the file.
PhishLabs.File.Type String File type.
PhishLabs.File.CreatedAt Date File creation time, in PhishLabs.
PhishLabs.File.UpdatedAt Date File update time, in PhishLabs.
PhishLabs.File.Attribute.Name String File attribute name.
PhishLabs.File.Attribute.Value String File attribute value.
PhishLabs.File.Attribute.CreatedAt Date File attribute creation time.
PhishLabs.File.FalsePositive Boolean Whether this file is a false positive.
DBotScore.Indicator string The indicator that was tested.
DBotScore.Type string Indicator type.
DBotScore.Vendor string Vendor used to calculate the score.
DBotScore.Score number The actual score.

Command Example
phishlabs-global-feed since=30d indicator_type=Domain remove_protocol=true limit=10
Context Example
{
    "Domain": [
        {
            "Malicious": {
                "Vendor": "PhishLabs", 
                "Description": "Domain in PhishLabs feed"
            }, 
            "Name": "malicious1.tk/"
        }, 
        {
            "Malicious": {
                "Vendor": "PhishLabs", 
                "Description": "Domain in PhishLabs feed"
            }, 
            "Name": "malicious2.tk/"
        }, 
        {
            "Malicious": {
                "Vendor": "PhishLabs", 
                "Description": "Domain in PhishLabs feed"
            }, 
            "Name": "malicious3.tk/"
        }, 
        {
            "Malicious": {
                "Vendor": "PhishLabs", 
                "Description": "Domain in PhishLabs feed"
            }, 
            "Name": "malicious4.com/"
        }
    ], 
    "DBotScore": [
        {
            "type": "domain", 
            "Indicator": "malicious1.tk/", 
            "Score": 3, 
            "Vendor": "PhishLabs"
        }, 
        {
            "type": "domain", 
            "Indicator": "malicious2.tk/", 
            "Score": 3, 
            "Vendor": "PhishLabs"
        }, 
        {
            "type": "domain", 
            "Indicator": "malicious3.tk/", 
            "Score": 3, 
            "Vendor": "PhishLabs"
        }, 
        {
            "type": "domain", 
            "Indicator": "malicious4.com/", 
            "Score": 3, 
            "Vendor": "PhishLabs"
        }
    ], 
    "PhishLabs.Domain": [
        {
            "ID": "009d2062-bc79-4836-a649-80286612199e", 
            "CreatedAt": "2019-05-17T03:29:54Z", 
            "Name": "malicious1.tk/"
        }, 
        {
            "ID": "80c16ebb-afe1-4898-91a6-c4b39d50a14f", 
            "CreatedAt": "2019-05-17T03:29:54Z", 
            "Name": "malicious2.tk/"
        }, 
        {
            "ID": "a435f1e4-1e92-4921-8a5f-12bc1a7a67ce", 
            "CreatedAt": "2019-05-17T03:29:54Z", 
            "Name": "malicious3.tk/"
        }, 
        {
            "ID": "f3923b6c-0445-40ef-998c-8cf57adb391d", 
            "CreatedAt": "2019-05-15T19:57:43Z", 
            "Name": "malicious4.com/"
        }
    ]
}
Human Readable Output

PhishLabs Global Feed

Indicator Type Created At False Positive
malicious1.tk/ Domain 2019-05-17T03:29:54Z false
malicious2.tk/ Domain 2019-05-17T03:29:54Z false
malicious3.tk/ Domain 2019-05-17T03:29:54Z false
malicious4.com/ Domain 2019-05-15T19:57:43Z false

2. Get indicators for an incident


Retrieves indicators from a specified PhishLabs incident. To fetch incidents to Demisto, enable fetching incidents.

Base Command

phishlabs-get-incident-indicators

Input
Argument Name Description Required
incident_id PhishLabs incident reference ID, for example, “INC123456”. Required
since Duration (from now) for which to pull updated data, for example, “1d”, “1h” or “10m”. Optional
limit Maximum number of results to return. Optional
indicator_type Filter the data by indicator type. Optional
indicators_classification How to classify indicators from the feed. Optional
remove_protocol Removes the protocol part from indicators, when the rule can be applied. Optional
remove_query Removes the query string part from indicators, when the rules can be applied. Optional

Context Output
Path Type Description
URL.Data String URL address.
URL.Malicious.Vendor String Vendor reporting the malicious status.
URL.Malicious.Description String Description of the malicious URL.
PhishLabs.URL.Data String URL address.
PhishLabs.URL.CreatedAt Date URL creation time, in PhishLabs
PhishLabs.URL.UpdatedAt Date URL update time, in PhishLabs.
PhishLabs.URL.Attribute.Name String URL attribute name.
PhishLabs.URL.Attribute.Value String URL attribute value.
PhishLabs.URL.Attribute.CreatedAt Date URL attribute creation time.
PhishLabs.URL.FalsePositive Boolean Whether this URL is a false positive.
Domain.Name String Domain name.
Domain.Malicious.Vendor String Vendor reporting the malicious status.
Domain.Malicious.Description String Description of the malicious domain.
PhishLabs.Domain.Name String Domain name
PhishLabs.Domain.CreatedAt Date Domain creation time, in PhishLabs.
PhishLabs.Domain.UpdatedAt Date Domain update time, in PhishLabs.
PhishLabs.Domain.Attribute.Name String Domain attribute name.
PhishLabs.Domain.Attribute.Value String Domain attribute value.
PhishLabs.Domain.Attribute.CreatedAt Date Domain attribute creation time.
PhishLabs.Domain.FalsePositive Boolean Whether this domain is a false positive.
Email.To String Recipient of the email.
Email.From String Sender of the email.
Email.Body String Body of the email.
Email.Subject String Subject of the email.
PhishLabs.Email.ID String Email PhishLabs ID.
PhishLabs.Email.To String Recipient of the email.
PhishLabs.Email.From String Sender of the email.
PhishLabs.Email.Body String Body of the email.
PhishLabs.Email.Subject String Subject of the email.
PhishLabs.Email.CreatedAt Date Email creation time, in PhishLabs.
PhishLabs.Email.UpdatedAt Date Email update time, in PhishLabs.
PhishLabs.Email.Attribute.Name String Email attribute name.
PhishLabs.Email.Attribute.Value String Email attribute value.
PhishLabs.Email.Attribute.CreatedAt Date Email attribute creation time.
File.Name String Full filename.
File.MD5 String MD5 hash of the file.
File.Type String File type.
PhishLabs.File.ID String File PhishLabs ID.
PhishLabs.File.Name String Full filename.
PhishLabs.File.MD5 String MD5 hash of the file.
PhishLabs.File.Type String File type.
PhishLabs.File.CreatedAt Date File creation time, in PhishLabs.
PhishLabs.File.UpdatedAt Date File update time, in PhishLabs.
PhishLabs.File.Attribute.Name String File attribute name.
PhishLabs.File.Attribute.Value String File attribute value.
PhishLabs.File.Attribute.CreatedAt Date File attribute creation time.
PhishLabs.File.FalsePositive Boolean Whether this file is a false positive.
DBotScore.Indicator string The indicator that was tested.
DBotScore.Type string Indicator type.
DBotScore.Vendor string Vendor used to calculate the score.
DBotScore.Score number The actual score.

Command Example
phishlabs-get-incident-indicators incident_id=INC0037375 indicators_classification=Suspicious since=7d
Context Example
{
    "URL": [
        {
            "Data": "https://malicious1?email=dbot@demisto.com"
        }, 
        {
            "Data": "http://malicious2/index.html?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418&fid.13InboxLight.aspxn.1774256418&fid.125289964252813InboxLight99642_Product-user&user=#dbot@demisto.com"
        }
    ], 
    "PhishLabs.Email": [
        {
            "Body": "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"><table border=\"0\" style=\"font-family: calibri; font-size: 16px; background-color: rgb(255, 255, 255);\" width=\"100%\">\n\t      <tbody><tr><td align=\"center\">\n\t      <table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" height=\"100%\" style=\"min-width: 600px;\" width=\"100%\">\n\t      <tbody><tr align=\"center\"><td>\n\t      <table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"max-width: 600px;\">\n\t      <tbody><tr><td>\n              <tbody></tbody></table></td></tr><tr height=\"16\"></tr><tr><td>\n              <tbody><tr><td colspan=\"3\" height=\"69px\">&nbsp;</td></tr><tr><td width=\"28px\">&nbsp;</td>\n\t      <td style=\"font-family: Roboto-Regular, Helvetica, Arial, sans-serif; font-size: 57px; color: rgb(255, 255, 255); line-height: 0.25;\">\n              <span style=\"color:#f95316;\">Office-365 Password</span></a></td><td width=\"32px\">&nbsp;</td></tr>\n              <tr><td colspan=\"3\" height=\"18px\">&nbsp;</td></tr></tbody></table></td></tr>\n              <table bgcolor=\"#fff\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"min-width: 600px; max-width: 900px; border-width: 0px 1px 1px; border-right-style: solid; border-left-style: solid; border-right-color: rgb(240, 240, 240); border-left-color: rgb(240, 240, 240); border-bottom-style: solid; border-bottom-color: rgb(192, 192, 192); border-bottom-left-radius: 3px; border-bottom-right-radius: 3px;\" width=\"100%\">\n\t      \n\n\t      <tbody><tr height=\"16px\"><td rowspan=\"3\" width=\"32px\">&nbsp;</td><td>&nbsp;</td>\n\t      <td rowspan=\"3\" width=\"32px\">&nbsp;</td></tr><tr><td><table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"min-width: 300px;\">\n\t      <tbody><tr><td style=\"font-family: Roboto-Regular, Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(32, 32, 32); line-height: 1.5;\">\n              <a href=\"https://bestiankelly.com/kp/index.php?email=dbot@demisto.com\" style=\"text-decoration: none;\">\n                 <span style=\"color:#f95316;\">  </span> .\n<br> <br>\n\n <a href=\"https://bestiankelly.com/kp/index.php?email=dbot@demisto.com\" style=\"text-decoration: none;\">\n              <span style=\"color:#000000;\">\n              Dear <b>dbot</b><div>&nbsp;</div>\n\n\n\t      Your account password is due for expiration today\n<br><br>\t\n<body> Please kindly use the below to continue with same password.\n\n<body> \n<br>\n</head>\n<body style=\"margin: 0.4em;\">\n<p><font color=\"#ffffff\" size=\"4\" style=\"background-color: rgb(38, 136, 217);\"><u><strong>Keep &nbsp; Same password </strong></u></font></p>\n\n\n\n<br>\n \n<br>\n\t      <p>Security Team <br></span></a><br>&nbsp;</p></td>\n\n              </tr></tbody></table></td></tr></tbody></table></td></tr>\n\t      <tr height=\"16\"></tr><tr><td style=\"max-width: 900px; font-family: Roboto-Regular, Helvetica, Arial, sans-serif; font-size: 10px; color: rgb(188, 188, 188); line-height: 1.5;\">&nbsp;</td></tr><tr><td>\n              <table style=\"font-family: Roboto-Regular, Helvetica, Arial, sans-serif; font-size: 10px; color: rgb(102, 102, 102); line-height: 18px; padding-bottom: 10px;\">\n\t      <tbody><tr><td><span style=\"color:#424242;\">This notification was sent to <b>dbot@demisto.com</b> of Microsoft.com.</span></a></td></tr></tbody></table></td></tr></tbody></table></td>\n\t      <td width=\"32px\">&nbsp;</td></tr></tbody></table></td></tr></tbody>\n</table>", 
            "From": [
                "Microsoft update <onme@www1079.sakura.ne.jp>"
            ], 
            "Attribute": [
                {
                    "Value": "Microsoft update <onme@www1079.sakura.ne.jp>", 
                    "Type": null, 
                    "Name": "from", 
                    "CreatedAt": "2019-05-23T16:56:59Z"
                }, 
                {
                    "Value": "<dbot@demisto.com>", 
                    "Type": null, 
                    "Name": "to", 
                    "CreatedAt": "2019-05-23T16:56:59Z"
                }, 
                {
                    "Value": "<tbody><tr><td><span style=\"color:#424242;\">This notification was sent to <b>dbot@demisto.com</b> of Microsoft.com.</span></a></td></tr></tbody></table></td></tr></tbody></table></td>\n\t      <td width=\"32px\">&nbsp;</td></tr></tbody></table></td></tr></tbody>\n</table>", 
                    "Type": null, 
                    "Name": "email-body", 
                    "CreatedAt": "2019-05-23T16:56:59Z"
                }
            ], 
            "To": [
                "<dbot@demisto.com>"
            ], 
            "ID": "cdb80cf5-d012-4b8d-86a7-7956ed026835", 
            "CreatedAt": "2019-05-23T16:56:59Z", 
            "Subject": "[[ Account Password Reset]]"
        }
    ], 
    "DBotScore": [
        {
            "type": "url", 
            "Indicator": "malicious1?email=dbot@demisto.com", 
            "Score": 2, 
            "Vendor": "PhishLabs"
        }, 
        {
            "type": "url", 
            "Indicator": "http://malicious2/index.html?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418&fid.13InboxLight.aspxn.1774256418&fid.125289964252813InboxLight99642_Product-user&user=#dbot@demisto.com", 
            "Score": 2, 
            "Vendor": "PhishLabs"
        }
    ], 
    "Email": [
        {
            "Body": "     <tbody><tr><td><span style=\"color:#424242;\">This notification was sent to <b>dbot@demisto.com</b> of Microsoft.com.</span></a></td></tr></tbody></table></td></tr></tbody></table></td>\n\t      <td width=\"32px\">&nbsp;</td></tr></tbody></table></td></tr></tbody>\n</table>", 
            "To": "<dbot@demisto.com>", 
            "From": "Microsoft update <onme@www1079.sakura.ne.jp>", 
            "Subject": "[[ Account Password Reset]]"
        }
    ], 
    "PhishLabs.URL": [
        {
            "Data": "https://malicious1/index.php?email=dbot@demisto.com", 
            "ID": "04e38909-53d8-4e4a-8593-8d1fd5a10261", 
            "CreatedAt": "2019-05-23T16:56:59Z"
        }, 
        {
            "Data": "http://malicious2/index.html?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418&fid.13InboxLight.aspxn.1774256418&fid.125289964252813InboxLight99642_Product-user&user=#dbot@demisto.com", 
            "ID": "354bbeb8-9fea-4ccd-85bb-ce68cd364113", 
            "CreatedAt": "2019-05-23T16:56:59Z"
        }
    ]
}
Human Readable Output

Indicators for incident INC0037375

Indicator

Indicator Type Created At False Positive
malicious1/index.php?email=dbot@demisto.com URL 2019-05-23T16:56:59Z false

No attributes for this indicator

Indicator

Indicator Type Created At False Positive
malicious2/index.html?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418&fid.13InboxLight.aspxn.1774256418&fid.125289964252813InboxLight99642_Product-user&user=#dbot@demisto.com URL 2019-05-23T16:56:59Z false

No attributes for this indicator

Indicator

Indicator Type Created At False Positive
[[ Account Password Reset]] E-mail 2019-05-23T16:56:59Z false

Attributes

Name Value Created At
from Microsoft update onme@www1079.sakura.ne.jp 2019-05-23T16:56:59Z
to dbot@demisto.com 2019-05-23T16:56:59Z
email-body
This notification was sent to dbot@demisto.com of Microsoft.com.


2019-05-23T16:56:59Z

Additional Information

The IOC feed in PhishLabs is divided into two endpoints:

Global Feed

This is the PhishLabs global database for malicious indicators.
This feed consists of indicators that are classified as malicious by PhishLabs -
URLs, domains, and attachments (MD5 hashes). All the indicators from this feed are classified as malicious in Demisto.
To populate indicators from PhishLabs in Demisto, use the PhishLabsPopulateIndicators script/playbooks.

User Feed

This feed is exclusive for the user and consists of emails that were sent to PhishLabs and were classified as malicious emails. For each malicious email, an incident is created that contains the email details and the extracted indicators. These indicators are not necessarily malicious though. In Demisto,
the user can choose whether to classify those indicators as malicious or suspicious. Incidents can be fetched by enabling fetch incidents in the integration configuration.

Known Limitations

The PhishLabs IOC API is on version 0.1.0, it may be subject to change.

Troubleshooting

Retrieving indicators for an incident - if the incident was fetched to Demisto but wasn’t found by the command, try running it with a longer duration, for example, since=30d .
Possible error codes from the API:
400 Bad Request - Unsupported request format
401 Unauthorized - Incorrect credentials provided
403 Forbidden - Insufficient permissions
404 Not Found - Requested resource was not found
For further assistance, contact Demisto Customer Success: support@demisto.com .