PhishLabs IOC DRP

This integration was integrated and tested with V1.0 of PhishLabs IOC DRP

Use Cases

  • Get cases by filters from PhishLabs DRP service
  • Get live incidents from PhishLabs DRP service

Detailed Description

PhishLabs Digital Risk Protection (DRP) is a solution that provides proactive detection and rapid mitigation of digital risks across the following vectors:

  • email
  • domain
  • social media
  • mobile
  • dark web
  • deep web
  • open web

Configure PhishLabs IOC DRP on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for PhishLabs IOC DRP.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g. https://example.net)
    • User
    • Fetch incidents
    • Incident type
    • First fetch timestamp (
    • Fetch by date field
    • Fetch limit (min 20)
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the new instance.

Fetch Incidents

Incident fetching is controlled by the following configuration:

  • Limit - maximum number of incidents per fetch
  • Date field - the date field used to select incidents: created, modified or closed
  • Time to fetch - the point in time from which to start collecting incidents (for example, 1 day ago or 1 hour ago)
  • Incident type

Incident data example:

[
  {
    "name": "PhishLabs IOC - DRP: 12d329b7-13db-11ea-94e8-0ee0a3f3cb1c",
    "occurred": "2019-12-01T01:40:36Z",
    "rawJSON": {
      "caseId": "12d329b7-13db-11ea-94e8-0ee0a3f3cb1c",
      "title": "=? =?gb2312?Q?ted:_www.icloud.com.agona.cn?=",
      "description": "From: PhishLabs Security Operations \nSubject: =? =?gb2312?Q?ted:_www.icloud.com.agona.cn?=\n\n\r\n________________________________\r\nFrom: west263\r\nSent: Saturday, November 30, 2019 8:36:41 PM (UTC-05:00) Eastern Time (US & Canada)\r\nTo: PhishLabs Security Operations; not@domain.com; not@domain.com\r\nSubject: 回复:[PL-1405082] Malicious domain detected: www.icloud.com.agona.cn\r\n\r\n-- External email--\r\n\r\n\r\nThank you for allowing us an opportunity to assist you.\r\n\r\nWe have suspended our customer to use this domain. You can check it later.\r\n\r\nIf you have any questions, please do not hesitate to contact us. We look forward to assisting you.\r\n\r\nHave a wonderful day!\r\n\r\n\r\n\r\n------------------\r\n\r\nBest regards,\r\n\r\nLillian\r\n\r\n\r\n------------------ 原始邮件 ------------------\r\n\r\n发件人:  PhishLabs Security Operations;\r\n日  期:  2019-11-30 (星期六) 08:37:19\r\n收件人:  not@domain.com;not@domain.com;not@domain.com;\r\n主  题:  [PL-1405082] Malicious domain detected: www.icloud.com.agona.cn\r\n\r\n\r\nDuring an investigation of fraud, we discovered a domain(s) registered for the sole intent of malicious activity, which is being used to attack our client and their customers.\r\n\r\nWe have addressed this report to the responsible authoritative providers over this website who have the ability to disable the malicious content in question. This includes but is not limited to the hosting provider(s), nameserver, registrar and if applicable, the registry.  Based on your relationship to the content in question or services provided, please see our specific request below.\r\n\r\nThis threat has been active for at least 2.1 hours.\r\n\r\nhXXp www[.]icloud[.]com[.]agona[.]cn/ios/uy930glgr8yx54n4zkcw[.]asp?uy930glgr8yx54n4zkcw=\r\nhXXp www[.]icloud[.]com[.]agona[.]cn/ios/upvf7o4kon1kpt4vfy18[.]asp?upvf7o4kon1kpt4vfy18=\r\nhXXp www[.]icloud[.]com[.]agona[.]cn/ios/vweixhklbjw1t1ve3b4n[.]asp?vweixhklbjw1t1ve3b4n=\r\nhXXp www[.]icloud[.]com[.]agona[.]cn/an3n3abqqtkpuok9vw9c[.]asp?an3n3abqqtkpuok9vw9c\r\n\r\nFirst detection of malicious activity: 11-29-2019 22:26:17 UTC\r\nMost recent observation of malicious activity: 11-30-2019 00:35:06 UTC\r\nAssociated IP Addresses: 8.8.8.8\r\n\r\nEvidence of malicious content is provided below my signature.\r\n\r\n===   HOSTING  PROVIDER AND/OR WEBSITE OWNER    ===\r\nIf you agree that this is malicious, we kindly request that you take steps to have the content removed as soon as possible.  It is highly likely that the intruder who set up this phishing content has also left additional fraudulent material on this server such as illegitimate access points.\r\n\r\n===   REGISTRAR / REGISTRY   ===\r\nWe kindly request that this domain is placed on hold as soon as possible and all client related information sink holed. It is also very likely the registrant in question has registered various other domains through your service and it is suggested you investigate as you see fit.\r\n\r\n===   NAMESERVER, SOA   ===\r\nIf it is within your power, please consider disabling the routing to this domain to prevent further abuse to the public.\r\n\r\n===   CERT/CIRT, ETC.   ===\r\nIf you're able to assist in any means possible to see to the termination of this content, please do so.  Your local expertise and influence on this matter is critical to this effort.\r\n\r\nIf we have contacted you in error, or if there is a better way for us to report this incident, please let us know so that we may continue our investigation.\r\n\r\nWe are extremely grateful for your assistance.\r\n\r\nKind regards,\r\n\r\nYogender Chauhan\r\nPhishLabs Security Operations\r\n12023866001\r\nAvailable 24/7\r\n\r\n\r\nEvidence:\r\nPlease see attached screenshot.\r\n.\r\n\r\n[PL-1405082]\r\n\r\n\r\n ",
      "caseNumber": 1406220,
      "createdBy": {
        "id": "30c2e916-c72d-11e3-860e-002590387e36",
        "name": "soc.phishlabs",
        "displayName": "SOC PhishLabs"
      },
      "brand": "",
      "caseType": "Other",
      "resolutionStatus": "Accidental creation",
      "caseStatus": "Rejected",
      "dateCreated": "2019-12-01T01:37:02Z",
      "dateClosed": "2019-12-01T01:40:36Z",
      "dateModified": "2019-12-01T01:40:36Z",
      "customer": "PhishLabs",
      "attachments": [
        {
          "id": "12e5eeaa-13db-11ea-8247-0ad24386a0d6",
          "type": "Email",
          "description": "Source Email for case creation",
          "dateAdded": "2019-12-01T01:37:02Z",
          "fileName": "msg.oFAH.eml",
          "fileURL": "https://caseapi.phishlabs.com/v1/data/attachment/12e5eeaa-13db-11ea-8247-0ad24386a0d6"
        }
      ],
      "formReceiver": false,
      "brandAbuseFlag": false,
      "appDate": "0001-01-01T00:00:00Z",
      "primaryMarketplace": false
    }
  }
]
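The selection described in this section, as an added Python example (not the integration's own code): it turns a "Time to fetch" value into a start timestamp, picks cases by the configured date field and limit, and builds incidents in the shape of the example above. The cases, IDs and dates are constructed placeholders, and taking the incident's occurred time from the configured date field is an assumption drawn from the example, where occurred equals dateModified rather than dateCreated.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Mapping from the "Date field" setting to the key it selects in a raw case.
DATE_FIELDS = {"created": "dateCreated", "modified": "dateModified", "closed": "dateClosed"}

# Value the API returns for a date that is not set; the open case example on
# this page shows it as DateClosed.  Such cases are never "new" for that field.
UNSET_DATE = "0001-01-01T00:00:00Z"

# Constructed sample cases, shaped like the incident data example above; the
# IDs are placeholders and only the keys used by the fetch are present.
SAMPLE_CASES = [
    {"caseId": "case-a", "caseStatus": "Rejected",
     "dateCreated": "2019-12-01T01:37:02Z", "dateModified": "2019-12-01T01:40:36Z",
     "dateClosed": "2019-12-01T01:40:36Z"},
    {"caseId": "case-b", "caseStatus": "Rejected",
     "dateCreated": "2019-12-09T07:46:01Z", "dateModified": "2019-12-09T07:49:11Z",
     "dateClosed": "2019-12-09T07:49:11Z"},
    {"caseId": "case-c", "caseStatus": "Assigned",          # still open
     "dateCreated": "2019-08-09T21:20:18Z", "dateModified": "2019-11-01T18:13:21Z",
     "dateClosed": UNSET_DATE},
]


def parse_ts(value):
    """Parse the API's ISO 8601 UTC timestamps into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def first_fetch_start(spec, now):
    """Turn a 'Time to fetch' value such as '1 days ago' or '3 hours ago'
    into the timestamp from which the first fetch collects cases."""
    m = re.fullmatch(r"\s*(\d+)\s+(day|hour|minute)s?\s+ago\s*", spec)
    if not m:
        raise ValueError(f"unsupported time spec: {spec!r}")
    amount, unit = int(m.group(1)), m.group(2)
    return now - timedelta(**{unit + "s": amount})


def fetch_incidents(cases, date_field, last_fetch, limit):
    """Select cases whose configured date field is after last_fetch, oldest
    first, capped at limit, and build incidents in the shape shown above.
    Returns (incidents, new_last_fetch) so the caller can persist the cursor."""
    key = DATE_FIELDS[date_field]
    # Cases with an unset date (open cases when fetching by "closed") are skipped.
    fresh = [c for c in cases
             if c.get(key, UNSET_DATE) != UNSET_DATE and parse_ts(c[key]) > last_fetch]
    fresh.sort(key=lambda c: parse_ts(c[key]))
    fresh = fresh[:limit]
    incidents = [
        {
            "name": f"PhishLabs IOC - DRP: {c['caseId']}",
            # Assumption: occurred is taken from the configured date field; in the
            # example above it equals dateModified/dateClosed, not dateCreated.
            "occurred": c[key],
            "rawJSON": json.dumps(c),
        }
        for c in fresh
    ]
    # The cursor moves to the newest case actually returned, so cases cut off by
    # the limit are picked up on the next run rather than lost.  Cases sharing
    # that exact timestamp but excluded by the limit would be skipped, the usual
    # trade-off of a strict "after" comparison.
    new_last_fetch = parse_ts(fresh[-1][key]) if fresh else last_fetch
    return incidents, new_last_fetch
```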

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get cases by filters: phishlabs-ioc-drp-get-cases
  2. Get case by ID: phishlabs-ioc-drp-get-case-by-id
  3. Get open cases by filters: phishlabs-ioc-drp-get-open-cases
  4. Get closed cases by filters: phishlabs-ioc-drp-get-closed-cases

1. phishlabs-ioc-drp-get-cases

Get cases by filters

Base Command

phishlabs-ioc-drp-get-cases

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| status | Filter cases by case status. | Optional |
| case_type | Filter cases by case type. | Optional |
| max_records | Maximum number of cases to return. Default is 20, maximum is 200. | Optional |
| offset | Pagination offset, used together with max_records (API parameter maxRecords). | Optional |
| date_field | Date field to which the begin_date and end_date filters (API parameters dateBegin and dateEnd) apply. | Optional |
| begin_date | Start of the date range. | Optional |
| end_date | End of the date range. | Optional |
| period | timestamp ( | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PhishlabsIOC.DRP.CaseID | String | Case ID |
| PhishlabsIOC.DRP.Title | String | Case title |
| PhishlabsIOC.DRP.Description | String | Case description |
| PhishlabsIOC.DRP.CaseNumber | String | Case number |
| PhishlabsIOC.DRP.Resolution | String | Resolution |
| PhishlabsIOC.DRP.ResolutionStatus | String | Resolution status |
| PhishlabsIOC.DRP.CreatedBy.ID | String | Case creator ID |
| PhishlabsIOC.DRP.CreatedBy.Name | String | Case creator name |
| PhishlabsIOC.DRP.CreatedBy.DisplayName | String | Case creator display name |
| PhishlabsIOC.DRP.Brand | String | Brand reported in the case |
| PhishlabsIOC.DRP.Email | String | Email of the case creator |
| PhishlabsIOC.DRP.CaseType | String | Type of the case |
| PhishlabsIOC.DRP.CaseStatus | String | Status of the case |
| PhishlabsIOC.DRP.DateCreated | String | Case creation date |
| PhishlabsIOC.DRP.DateClosed | String | Case closing date |
| PhishlabsIOC.DRP.DateModified | String | Case modification date |
| PhishlabsIOC.DRP.Customer | String | Customer reporting the case |
| PhishlabsIOC.DRP.AttackSources.URL | String | URL of the attack source |
| PhishlabsIOC.DRP.AttackSources.UrlType | String | URL type of the attack source |
| PhishlabsIOC.DRP.AttackSources.IP | String | IP of the attack source |
| PhishlabsIOC.DRP.AttackSources.ISP | String | ISP of the attack source |
| PhishlabsIOC.DRP.AttackSources.Country | String | Country of the attack source |
| PhishlabsIOC.DRP.AttackSources.TargetedBrands | String | Brands targeted by the attack source |
| PhishlabsIOC.DRP.AttackSources.FQDN | String | FQDN of the attack source |
| PhishlabsIOC.DRP.AttackSources.Domain | String | Domain of the attack source |
| PhishlabsIOC.DRP.AttackSources.IsMaliciousDomain | Boolean | Whether the domain of the attack source is malicious |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registrant | String | Registrant of the URL |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Created | String | Creation date of the registration |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Expires | String | Expiration date of the registration |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Updated | String | Update date of the registration |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Registrar | String | Registrar of the URL |
| PhishlabsIOC.DRP.AttackSources.WhoIs.NameServers | String | Name servers of the URL |
| PhishlabsIOC.DRP.Attachments.ID | String | ID of the case attachment |
| PhishlabsIOC.DRP.Attachments.Type | String | Type of the case attachment |
| PhishlabsIOC.DRP.Attachments.Description | String | Description of the case attachment |
| PhishlabsIOC.DRP.Attachments.DateAdded | String | Date the case attachment was added |
| PhishlabsIOC.DRP.Attachments.FileName | String | File name of the case attachment |
| PhishlabsIOC.DRP.Attachments.FileURL | String | File URL of the case attachment |
| PhishlabsIOC.DRP.ApplicationName | String | Application reported in the case |
| PhishlabsIOC.DRP.Platform | String | Platform reported in the case |
| PhishlabsIOC.DRP.Severity | String | Severity of the DRP case |
| PhishlabsIOC.DRP.Developer | String | Developer of the reported application |
| PhishlabsIOC.DRP.DeveloperWebsite | String | Developer website of the reported application |
| PhishlabsIOC.DRP.ApplicationDescription | String | Description of the reported application |
| PhishlabsIOC.DRP.Language | String | Language of the reported application |
| PhishlabsIOC.DRP.Phone | String | Phone number of the case creator |
| PhishlabsIOC.DRP.Hardware | String | Hardware used by the application |
| PhishlabsIOC.DRP.AssociatedURLs.URL | String | Associated URL |
| PhishlabsIOC.DRP.AssociatedURLs.UrlType | String | URL type of the associated URL |
| PhishlabsIOC.DRP.AssociatedURLs.TargetedBrands | String | Brands targeted by the associated URL |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registrant | String | Registrant of the URL |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Created | String | Creation date of the registration |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Expires | String | Expiration date of the registration |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Updated | String | Update date of the registration |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Registrar | String | Registrar of the URL |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.NameServers | String | Name servers of the URL |
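An added Python example, not the integration's own code, showing how a raw case in the shape of the incident data example maps onto the PhishlabsIOC.DRP context entry above, how to decode the RFC 2047 encoded-word titles the examples show (the "=?gb2312?Q?...?=" strings), and how to page through results with max_records and offset. The sample case and the fetch_page callable that stands in for the API call are assumptions.

```python
from email.header import decode_header, make_header

MAX_RECORDS = 200  # documented maximum for max_records

# Constructed raw case in the shape of the incident data example above;
# IDs, names, URLs and dates are placeholders.
SAMPLE_RAW_CASE = {
    "caseId": "00000000-0000-0000-0000-000000000001",
    "title": "=?utf-8?Q?Malicious_domain_detected:_www[.]example[.]test?=",
    "description": "From: PhishLabs Security Operations",
    "caseNumber": 1000001,
    "createdBy": {"id": "user-1", "name": "soc.example", "displayName": "SOC Example"},
    "brand": "",
    "caseType": "Other",
    "resolutionStatus": "Accidental creation",
    "caseStatus": "Rejected",
    "dateCreated": "2019-12-01T01:37:02Z",
    "dateClosed": "2019-12-01T01:40:36Z",
    "dateModified": "2019-12-01T01:40:36Z",
    "customer": "Example",
    "attachments": [{"id": "att-1", "type": "Email",
                     "description": "Source Email for case creation",
                     "dateAdded": "2019-12-01T01:37:02Z", "fileName": "msg.eml",
                     "fileURL": "https://caseapi.example.test/v1/data/attachment/att-1"}],
    "formReceiver": False,
    "brandAbuseFlag": False,
}


def _prune(d):
    """Drop empty values so the context only carries populated fields (Brand is
    "" in the raw example above and is absent from the context example)."""
    return {k: v for k, v in d.items() if v not in (None, "", [], {})}


def case_to_context(raw):
    """Map a raw case onto a PhishlabsIOC.DRP context entry (raw key -> Path)."""
    created_by = raw.get("createdBy") or {}
    entry = {
        "CaseID": raw.get("caseId"),
        "Title": raw.get("title"),
        "Description": raw.get("description"),
        "CaseNumber": raw.get("caseNumber"),
        "ResolutionStatus": raw.get("resolutionStatus"),
        "CreatedBy": _prune({"ID": created_by.get("id"),
                             "Name": created_by.get("name"),
                             "DisplayName": created_by.get("displayName")}),
        "Brand": raw.get("brand"),
        "CaseType": raw.get("caseType"),
        "CaseStatus": raw.get("caseStatus"),
        "DateCreated": raw.get("dateCreated"),
        "DateClosed": raw.get("dateClosed"),
        "DateModified": raw.get("dateModified"),
        "Customer": raw.get("customer"),
        "Attachments": [_prune({"ID": a.get("id"), "Type": a.get("type"),
                                "Description": a.get("description"),
                                "DateAdded": a.get("dateAdded"),
                                "FileName": a.get("fileName"),
                                "FileURL": a.get("fileURL")})
                        for a in raw.get("attachments") or []],
    }
    return _prune(entry)


def decode_title(title):
    """Titles arrive as RFC 2047 encoded words.  Decode them for display and
    fall back to the raw string when the charset is unknown or the bytes are
    invalid, so a malformed title never breaks the command."""
    try:
        return str(make_header(decode_header(title)))
    except (UnicodeDecodeError, LookupError, ValueError):
        return title


def list_pager(items, log=None):
    """Assumed stand-in for the API call: pages over an in-memory list and
    records each (max_records, offset) pair in log when one is given."""
    def fetch_page(max_records, offset):
        if log is not None:
            log.append((max_records, offset))
        return items[offset:offset + max_records]
    return fetch_page


def iter_cases(fetch_page, page_size=MAX_RECORDS):
    """Walk every page of a get-cases style query.  Paging stops at the first
    short page, and page_size is clamped to the documented maximum of 200."""
    page_size = max(1, min(page_size, MAX_RECORDS))
    offset = 0
    while True:
        page = fetch_page(page_size, offset)
        yield from page
        if len(page) < page_size:
            return
        offset += page_size
```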

Command Example

!phishlabs-ioc-drp-get-cases max_records=2

Context Example
{
    "PhishLabsIOC": {
        "DRP": [
            {
                "Attachments": [
                    {
                        "DateAdded": "2019-12-09T07:56:02Z",
                        "Description": "Source Email for case creation",
                        "FileName": "msg.mFAH.eml",
                        "FileURL": "https://caseapi.phishlabs.com/v1/data/attachment/",
                        "ID": "581ba28d-1a59-11ea-8247-0ad24386a0d6",
                        "Type": "Email"
                    }
                ],
                "CaseID": "5808ec5a-1a59-11ea-94e8-0ee0a3f3cb1c",
                "CaseNumber": 1417871,
                "CaseStatus": "Rejected",
                "CaseType": "Other",
                "CreatedBy": {
                    "DisplayName": "SOC PhishLabs",
                    "ID": "30c2e916",
                    "Name": "soc.phishlabs"
                },
                "Customer": "PhishLabs",
                "DateClosed": "2019-12-09T08:01:34Z",
                "DateCreated": "2019-12-09T07:56:01Z",
                "DateModified": "2019-12-09T08:01:34Z",
                "Description": "From: ",
                "ResolutionStatus": "Accidental creation",
                "Title": "=?gb2312?B?"
            },
            {
                "Attachments": [
                    {
                        "DateAdded": "2019-12-09T07:46:02Z",
                        "Description": "Source Email for case creation",
                        "FileName": "msg.fKAH.eml",
                        "FileURL": "https://caseapi.phishlabs.com/v1/data/",
                        "ID": "f24c36a6",
                        "Type": "Email"
                    }
                ],
                "CaseID": "f239fe62",
                "CaseNumber": 1417866,
                "CaseStatus": "Rejected",
                "CaseType": "Other",
                "CreatedBy": {
                    "DisplayName": "SOC PhishLabs",
                    "ID": "30c2e916",
                    "Name": "soc.phishlabs"
                },
                "Customer": "PhishLabs",
                "DateClosed": "2019-12-09T07:49:11Z",
                "DateCreated": "2019-12-09T07:46:01Z",
                "DateModified": "2019-12-09T07:49:11Z",
                "Description": "From: ",
                "ResolutionStatus": "Accidental creation",
                "Title": "=?gb231"
            }
        ]
    }
}
Human Readable Output

PhishLabs IOC - DRP - cases

| CaseID | Title | CaseStatus | DateCreated | ResolutionStatus | CreatedBy |
| --- | --- | --- | --- | --- | --- |
| 5808ec5a-1a59-11ea-94e8-0ee0a3f3cb1c | ?Q?idenform[.]top?= | Rejected | 2019-12-09T07:56:01Z | Accidental creation | ID: 30c2e916; Name: soc.phishlabs; DisplayName: SOC PhishLabs |
| f239fe62-1a57-11ea-94e8-0ee0a3f3cb1c | =?gb2312?B?R | Rejected | 2019-12-09T07:46:01Z | Accidental creation | ID: 30c2e916; Name: soc.phishlabs; DisplayName: SOC PhishLabs |

2. phishlabs-ioc-drp-get-case-by-id

Get a case by ID from the PhishLabs DRP service

Base Command

phishlabs-ioc-drp-get-case-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_id | ID of the case, for example an ID returned by phishlabs-ioc-drp-get-cases. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PhishlabsIOC.DRP.CaseID | String | Case ID |
| PhishlabsIOC.DRP.Title | String | Case title |
| PhishlabsIOC.DRP.Description | String | Case description |
| PhishlabsIOC.DRP.CaseNumber | String | Case number |
| PhishlabsIOC.DRP.Resolution | String | Resolution |
| PhishlabsIOC.DRP.ResolutionStatus | String | Resolution status |
| PhishlabsIOC.DRP.CreatedBy.ID | String | Case creator ID |
| PhishlabsIOC.DRP.CreatedBy.Name | String | Case creator name |
| PhishlabsIOC.DRP.CreatedBy.DisplayName | String | Case creator display name |
| PhishlabsIOC.DRP.Brand | String | Brand reported in the case |
| PhishlabsIOC.DRP.Email | String | Email of the case creator |
| PhishlabsIOC.DRP.CaseType | String | Type of the case |
| PhishlabsIOC.DRP.CaseStatus | String | Status of the case |
| PhishlabsIOC.DRP.DateCreated | String | Case creation date |
| PhishlabsIOC.DRP.DateClosed | String | Case closing date |
| PhishlabsIOC.DRP.DateModified | String | Case modification date |
| PhishlabsIOC.DRP.Customer | String | Customer reporting the case |
| PhishlabsIOC.DRP.AttackSources.URL | String | URL of the attack source |
| PhishlabsIOC.DRP.AttackSources.UrlType | String | URL type of the attack source |
| PhishlabsIOC.DRP.AttackSources.IP | String | IP of the attack source |
| PhishlabsIOC.DRP.AttackSources.ISP | String | ISP of the attack source |
| PhishlabsIOC.DRP.AttackSources.Country | String | Country of the attack source |
| PhishlabsIOC.DRP.AttackSources.TargetedBrands | String | Brands targeted by the attack source |
| PhishlabsIOC.DRP.AttackSources.FQDN | String | FQDN of the attack source |
| PhishlabsIOC.DRP.AttackSources.Domain | String | Domain of the attack source |
| PhishlabsIOC.DRP.AttackSources.IsMaliciousDomain | Boolean | Whether the domain of the attack source is malicious |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registrant | String | Registrant of the URL |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Created | String | Creation date of the registration |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Expires | String | Expiration date of the registration |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Updated | String | Update date of the registration |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Registrar | String | Registrar of the URL |
| PhishlabsIOC.DRP.AttackSources.WhoIs.NameServers | String | Name servers of the URL |
| PhishlabsIOC.DRP.Attachments.ID | String | ID of the case attachment |
| PhishlabsIOC.DRP.Attachments.Type | String | Type of the case attachment |
| PhishlabsIOC.DRP.Attachments.Description | String | Description of the case attachment |
| PhishlabsIOC.DRP.Attachments.DateAdded | String | Date the case attachment was added |
| PhishlabsIOC.DRP.Attachments.FileName | String | File name of the case attachment |
| PhishlabsIOC.DRP.Attachments.FileURL | String | File URL of the case attachment |
| PhishlabsIOC.DRP.ApplicationName | String | Application reported in the case |
| PhishlabsIOC.DRP.Platform | String | Platform reported in the case |
| PhishlabsIOC.DRP.Severity | String | Severity of the DRP case |
| PhishlabsIOC.DRP.Developer | String | Developer of the reported application |
| PhishlabsIOC.DRP.DeveloperWebsite | String | Developer website of the reported application |
| PhishlabsIOC.DRP.ApplicationDescription | String | Description of the reported application |
| PhishlabsIOC.DRP.Language | String | Language of the reported application |
| PhishlabsIOC.DRP.Phone | String | Phone number of the case creator |
| PhishlabsIOC.DRP.Hardware | String | Hardware used by the application |
| PhishlabsIOC.DRP.AssociatedURLs.URL | String | Associated URL |
| PhishlabsIOC.DRP.AssociatedURLs.UrlType | String | URL type of the associated URL |
| PhishlabsIOC.DRP.AssociatedURLs.TargetedBrands | String | Brands targeted by the associated URL |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registrant | String | Registrant of the URL |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Created | String | Creation date of the registration |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Expires | String | Expiration date of the registration |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Updated | String | Update date of the registration |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Registrar | String | Registrar of the URL |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.NameServers | String | Name servers of the URL |

Command Example

!phishlabs-ioc-drp-get-case-by-id case_id=08baa0d0-1a54-11ea-94e8-0ee0a3f3cb1c

Context Example
{
    "PhishLabsIOC": {
        "DRP": [
            {
                "Attachments": [
                    {
                        "DateAdded": "2019-12-09T07:18:01Z",
                        "Description": "Source Email for case creation",
                        "FileName": "msg.nFAH.eml",
                        "FileURL": "https://caseapi.phishlabs.com/v1/data/attachment/08d0611d",
                        "ID": "08d0611d",
                        "Type": "Email"
                    }
                ],
                "CaseID": "08baa0d0",
                "CaseNumber": 1417854,
                "CaseStatus": "Rejected",
                "CaseType": "Other",
                "CreatedBy": {
                    "DisplayName": "SOC PhishLabs",
                    "ID": "30c2e916",
                    "Name": "soc.phishlabs"
                },
                "Customer": "PhishLabs",
                "DateClosed": "2019-12-09T07:18:46Z",
                "DateCreated": "2019-12-09T07:18:01Z",
                "DateModified": "2019-12-09T07:18:46Z",
                "Description": "From: PhishLabs Security Operations ",
                "ResolutionStatus": "Accidental creation",
                "Title": "=?gb2312?"
            }
        ]
    }
}
Human Readable Output

PhishLabs IOC - DRP - case ID None

| CaseID | Title | CaseStatus | DateCreated | ResolutionStatus | CreatedBy |
| --- | --- | --- | --- | --- | --- |
| 08baa0d0-1a54-11ea-94e8-0ee0a3f3cb1c | =?gb2312?B? | Rejected | 2019-12-09T07:18:01Z | Accidental creation | ID: 30c2e916; Name: soc.phishlabs; DisplayName: SOC PhishLabs |

3. phishlabs-ioc-drp-get-open-cases

Get open cases from the PhishLabs DRP service by filters

Base Command

phishlabs-ioc-drp-get-open-cases

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_type | Filter cases by case type. | Optional |
| max_records | Maximum number of cases to return. Default is 20, maximum is 200. | Optional |
| offset | Pagination offset, used together with max_records (API parameter maxRecords): maxRecords=200&offset=0 returns the first 200 records and maxRecords=200&offset=200 the next 200. | Optional |
| date_field | Date field to which the begin_date and end_date filters (API parameters dateBegin and dateEnd) apply. | Optional |
| begin_date | Start of the date range. | Optional |
| end_date | End of the date range. | Optional |
| period | timestamp ( | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PhishlabsIOC.DRP.CaseID | String | Case ID |
| PhishlabsIOC.DRP.Title | String | Case title |
| PhishlabsIOC.DRP.Description | String | Case description |
| PhishlabsIOC.DRP.CaseNumber | String | Case number |
| PhishlabsIOC.DRP.Resolution | String | Resolution |
| PhishlabsIOC.DRP.ResolutionStatus | String | Resolution status |
| PhishlabsIOC.DRP.CreatedBy.ID | String | Case creator ID |
| PhishlabsIOC.DRP.CreatedBy.Name | String | Case creator name |
| PhishlabsIOC.DRP.CreatedBy.DisplayName | String | Case creator display name |
| PhishlabsIOC.DRP.Brand | String | Brand reported in the case |
| PhishlabsIOC.DRP.Email | String | Email of the case creator |
| PhishlabsIOC.DRP.CaseType | String | Type of the case |
| PhishlabsIOC.DRP.CaseStatus | String | Status of the case |
| PhishlabsIOC.DRP.DateCreated | String | Case creation date |
| PhishlabsIOC.DRP.DateClosed | String | Case closing date |
| PhishlabsIOC.DRP.DateModified | String | Case modification date |
| PhishlabsIOC.DRP.Customer | String | Customer reporting the case |
| PhishlabsIOC.DRP.AttackSources.URL | String | URL of the attack source |
| PhishlabsIOC.DRP.AttackSources.UrlType | String | URL type of the attack source |
| PhishlabsIOC.DRP.AttackSources.IP | String | IP of the attack source |
| PhishlabsIOC.DRP.AttackSources.ISP | String | ISP of the attack source |
| PhishlabsIOC.DRP.AttackSources.Country | String | Country of the attack source |
| PhishlabsIOC.DRP.AttackSources.TargetedBrands | String | Brands targeted by the attack source |
| PhishlabsIOC.DRP.AttackSources.FQDN | String | FQDN of the attack source |
| PhishlabsIOC.DRP.AttackSources.Domain | String | Domain of the attack source |
| PhishlabsIOC.DRP.AttackSources.IsMaliciousDomain | Boolean | Whether the domain of the attack source is malicious |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registrant | String | Registrant of the URL |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Created | String | Creation date of the registration |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Expires | String | Expiration date of the registration |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Updated | String | Update date of the registration |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Registrar | String | Registrar of the URL |
| PhishlabsIOC.DRP.AttackSources.WhoIs.NameServers | String | Name servers of the URL |
| PhishlabsIOC.DRP.Attachments.ID | String | ID of the case attachment |
| PhishlabsIOC.DRP.Attachments.Type | String | Type of the case attachment |
| PhishlabsIOC.DRP.Attachments.Description | String | Description of the case attachment |
| PhishlabsIOC.DRP.Attachments.DateAdded | String | Date the case attachment was added |
| PhishlabsIOC.DRP.Attachments.FileName | String | File name of the case attachment |
| PhishlabsIOC.DRP.Attachments.FileURL | String | File URL of the case attachment |
| PhishlabsIOC.DRP.ApplicationName | String | Application reported in the case |
| PhishlabsIOC.DRP.Platform | String | Platform reported in the case |
| PhishlabsIOC.DRP.Severity | String | Severity of the DRP case |
| PhishlabsIOC.DRP.Developer | String | Developer of the reported application |
| PhishlabsIOC.DRP.DeveloperWebsite | String | Developer website of the reported application |
| PhishlabsIOC.DRP.ApplicationDescription | String | Description of the reported application |
| PhishlabsIOC.DRP.Language | String | Language of the reported application |
| PhishlabsIOC.DRP.Phone | String | Phone number of the case creator |
| PhishlabsIOC.DRP.Hardware | String | Hardware used by the application |
| PhishlabsIOC.DRP.AssociatedURLs.URL | String | Associated URL |
| PhishlabsIOC.DRP.AssociatedURLs.UrlType | String | URL type of the associated URL |
| PhishlabsIOC.DRP.AssociatedURLs.TargetedBrands | String | Brands targeted by the associated URL |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registrant | String | Registrant of the URL |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Created | String | Creation date of the registration |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Expires | String | Expiration date of the registration |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Updated | String | Update date of the registration |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Registrar | String | Registrar of the URL |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.NameServers | String | Name servers of the URL |

Command Example

!phishlabs-ioc-drp-get-open-cases max_records=2

Context Example
{
    "PhishLabsIOC": {
        "DRP": [
            {
                "Attachments": [
                    {
                        "DateAdded": "2019-08-16T18:10:53Z",
                        "Description": "Proof CBS owns Maxpreps brand. Requesting take down of maxpreps.us",
                        "FileName": "CBS Maxpreps.png",
                        "FileURL": "https://caseapi.phishlabs.com/v1/data/attachment/2fca6455",
                        "ID": "2fca6455",
                        "Type": "Email"
                    }
                ],
                "CaseID": "7cc6d097",
                "CaseNumber": 1254167,
                "CaseStatus": "Assigned",
                "CaseType": "Other",
                "CreatedBy": {
                    "DisplayName": "Matt T.",
                    "ID": "1e59f06d",
                    "Name": "mtwitty"
                },
                "Customer": "PhishLabs",
                "DateClosed": "0001-01-01T00:00:00Z",
                "DateCreated": "2019-08-09T21:20:18Z",
                "DateModified": "2019-11-01T18:13:21Z",
                "Description": "Courtesy case for CBS ",
                "Title": " Brand Abuse"
            }
        ]
    }
}
Human Readable Output

PhishLabs IOC - DRP - open cases

| CaseID | Title | CaseStatus | DateCreated | CreatedBy |
| --- | --- | --- | --- | --- |
| 7cc6d097-baeb-11e9-94e8-0ee0a3f3cb1c | Brand Abuse | Assigned | 2019-08-09T21:20:18Z | ID: 1e59f06d-7b03-11e4-b9b0-0025902add30; Name: mtwitty; DisplayName: Matt T. |

4. phishlabs-ioc-drp-get-closed-cases

Get closed cases from the PhishLabs DRP service by filters

Base Command

phishlabs-ioc-drp-get-closed-cases

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| case_type | Filter cases by case type. | Optional |
| max_records | Maximum number of cases to return. Default is 20, maximum is 200. | Optional |
| offset | Pagination offset, used together with max_records (API parameter maxRecords): maxRecords=200&offset=0 returns the first 200 records and maxRecords=200&offset=200 the next 200. | Optional |
| date_field | Date field to which the begin_date and end_date filters (API parameters dateBegin and dateEnd) apply. | Optional |
| begin_date | Start of the date range. | Optional |
| end_date | End of the date range. | Optional |
| period | timestamp ( | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| PhishlabsIOC.DRP.CaseID | String | Case ID |
| PhishlabsIOC.DRP.Title | String | Case title |
| PhishlabsIOC.DRP.Description | String | Case description |
| PhishlabsIOC.DRP.CaseNumber | String | Case number |
| PhishlabsIOC.DRP.Resolution | String | Resolution |
| PhishlabsIOC.DRP.ResolutionStatus | String | Resolution status |
| PhishlabsIOC.DRP.CreatedBy.ID | String | Case creator ID |
| PhishlabsIOC.DRP.CreatedBy.Name | String | Case creator name |
| PhishlabsIOC.DRP.CreatedBy.DisplayName | String | Case creator display name |
| PhishlabsIOC.DRP.Brand | String | Brand reported in the case |
| PhishlabsIOC.DRP.Email | String | Email of the case creator |
| PhishlabsIOC.DRP.CaseType | String | Type of the case |
| PhishlabsIOC.DRP.CaseStatus | String | Status of the case |
| PhishlabsIOC.DRP.DateCreated | String | Case creation date |
| PhishlabsIOC.DRP.DateClosed | String | Case closing date |
| PhishlabsIOC.DRP.DateModified | String | Case modification date |
| PhishlabsIOC.DRP.Customer | String | Customer reporting the case |
| PhishlabsIOC.DRP.AttackSources.URL | String | URL of the attack source |
| PhishlabsIOC.DRP.AttackSources.UrlType | String | URL type of the attack source |
| PhishlabsIOC.DRP.AttackSources.IP | String | IP of the attack source |
| PhishlabsIOC.DRP.AttackSources.ISP | String | ISP of the attack source |
| PhishlabsIOC.DRP.AttackSources.Country | String | Country of the attack source |
| PhishlabsIOC.DRP.AttackSources.TargetedBrands | String | Brands targeted by the attack source |
| PhishlabsIOC.DRP.AttackSources.FQDN | String | FQDN of the attack source |
| PhishlabsIOC.DRP.AttackSources.Domain | String | Domain of the attack source |
| PhishlabsIOC.DRP.AttackSources.IsMaliciousDomain | Boolean | Whether the domain of the attack source is malicious |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registrant | String | Registrant of the URL |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Created | String | Creation date of the registration |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Expires | String | Expiration date of the registration |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Updated | String | Update date of the registration |
| PhishlabsIOC.DRP.AttackSources.WhoIs.Registration.Registrar | String | Registrar of the URL |
| PhishlabsIOC.DRP.AttackSources.WhoIs.NameServers | String | Name servers of the URL |
| PhishlabsIOC.DRP.Attachments.ID | String | ID of the case attachment |
| PhishlabsIOC.DRP.Attachments.Type | String | Type of the case attachment |
| PhishlabsIOC.DRP.Attachments.Description | String | Description of the case attachment |
| PhishlabsIOC.DRP.Attachments.DateAdded | String | Date the case attachment was added |
| PhishlabsIOC.DRP.Attachments.FileName | String | File name of the case attachment |
| PhishlabsIOC.DRP.Attachments.FileURL | String | File URL of the case attachment |
| PhishlabsIOC.DRP.ApplicationName | String | Application reported in the case |
| PhishlabsIOC.DRP.Platform | String | Platform reported in the case |
| PhishlabsIOC.DRP.Severity | String | Severity of the DRP case |
| PhishlabsIOC.DRP.Developer | String | Developer of the reported application |
| PhishlabsIOC.DRP.DeveloperWebsite | String | Developer website of the reported application |
| PhishlabsIOC.DRP.ApplicationDescription | String | Description of the reported application |
| PhishlabsIOC.DRP.Language | String | Language of the reported application |
| PhishlabsIOC.DRP.Phone | String | Phone number of the case creator |
| PhishlabsIOC.DRP.Hardware | String | Hardware used by the application |
| PhishlabsIOC.DRP.AssociatedURLs.URL | String | Associated URL |
| PhishlabsIOC.DRP.AssociatedURLs.UrlType | String | URL type of the associated URL |
| PhishlabsIOC.DRP.AssociatedURLs.TargetedBrands | String | Brands targeted by the associated URL |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registrant | String | Registrant of the URL |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Created | String | Creation date of the registration |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Expires | String | Expiration date of the registration |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Updated | String | Update date of the registration |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.Registration.Registrar | String | Registrar of the URL |
| PhishlabsIOC.DRP.AssociatedURLs.WhoIs.NameServers | String | Name servers of the URL |

Command Example

!phishlabs-ioc-drp-get-closed-cases max_records=2

Context Example
{
    "PhishLabsIOC": {
        "DRP": [
            {
                "Attachments": [
                    {
                        "DateAdded": "2019-12-09T07:56:02Z",
                        "Description": "Source Email for case creation",
                        "FileName": "msg.mFAH.eml",
                        "FileURL": "https://caseapi.phishlabs.com/v1/data/attachment/581ba28d",
                        "ID": "581ba28d-1a59-11ea-8247-0ad24386a0d6",
                        "Type": "Email"
                    }
                ],
                "CaseID": "5808ec5a",
                "CaseNumber": 1417871,
                "CaseStatus": "Rejected",
                "CaseType": "Other",
                "CreatedBy": {
                    "DisplayName": "SOC PhishLabs",
                    "ID": "30c2e916",
                    "Name": "soc.phishlabs"
                },
                "Customer": "PhishLabs",
                "DateClosed": "2019-12-09T08:01:34Z",
                "DateCreated": "2019-12-09T07:56:01Z",
                "DateModified": "2019-12-09T08:01:34Z",
                "Description": "From: PhishLabs Security Operations \nSubject:",
                "ResolutionStatus": "Accidental creation",
                "Title": "=?gb2312?B?Rlc6I"
            },
            {
                "Attachments": [
                    {
                        "DateAdded": "2019-12-09T07:46:02Z",
                        "Description": "Source Email for case creation",
                        "FileName": "msg.fKAH.eml",
                        "FileURL": "https://caseapi.phishlabs.com/v1/data/attachment/f24c36a3",
                        "ID": "f24c36a3",
                        "Type": "Email"
                    }
                ],
                "CaseID": "f239fe62",
                "CaseNumber": 1417866,
                "CaseStatus": "Rejected",
                "CaseType": "Other",
                "CreatedBy": {
                    "DisplayName": "SOC PhishLabs",
                    "ID": "30c2e916",
                    "Name": "soc.phishlabs"
                },
                "Customer": "PhishLabs",
                "DateClosed": "2019-12-09T07:49:11Z",
                "DateCreated": "2019-12-09T07:46:01Z",
                "DateModified": "2019-12-09T07:49:11Z",
                "Description": "From: PhishLabs Security ",
                "ResolutionStatus": "Accidental creation",
                "Title": "?="
            }
        ]
    }
}
Human Readable Output

PhishLabs IOC - DRP - Closed cases

| CaseID | Title | CaseStatus | DateCreated | ResolutionStatus | CreatedBy |
| --- | --- | --- | --- | --- | --- |
| 5808ec5a | ?= | Rejected | 2019-12-09T07:56:01Z | Accidental creation | ID: 30c2e916 SOC PhishLabs |
| f239fe62c | =1?= | Rejected | 2019-12-09T07:46:01Z | Accidental creation | ID: 30c2e916; Name: soc.phishlabs; DisplayName: SOC PhishLabs |