SlashNext Phishing Incident Response


SlashNext Phishing Incident Response integration enables Cortex XSOAR users to fully automate analysis of suspicious URLs. For example, IR teams responsible for abuse inbox management can extract links or domains out of suspicious emails and automatically analyze them with the SlashNext SEER™ threat detection cloud to get definitive, binary verdicts (malicious or benign) along with IOCs, screenshots, and more. Automating URL analysis can save IR teams hundreds of hours versus manually triaging these emails or checking URLs and domains against less accurate phishing databases and domain reputation services.

This integration was integrated and tested with version v1.1 of SlashNext Phishing Incident Response APIs.

SlashNext Phishing Incident Response Playbook

SlashNext has developed two sample playbooks that demonstrate two of the major use cases.

  • SlashNext - Host Reputation Default v1
  • SlashNext - URL Scan Default v1

Use Cases

  • Abuse inbox management
  • Playbooks that mine and analyze network logs

Detailed Description

SlashNext Phishing Incident Response integration uses an API key to authenticate with SlashNext Cloud. If you don’t have a valid API key, contact the SlashNext team at support@slashnext.com

Fetch Incidents

Fetches any phishing incidents/events that contain suspicious URLs, domains, or IP addresses, whether reported through an Abuse Inbox or by manual reporting.

Configure SlashNext Phishing Incident Response on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for SlashNext Phishing Incident Response using the search box at the top of the page.
  3. Click Add instance to create and configure a new integration instance.
    • Name: A textual name for the integration instance.
    • SlashNext API Base URL: Use the default value unless a different one is specifically provided by SlashNext.
    • SlashNext API Key: If you don’t have a valid API key, please contact us at support@slashnext.com
  4. Click Test to validate the new instance.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. ip
  2. domain
  3. slashnext-host-reputation
  4. slashnext-host-report
  5. slashnext-host-urls
  6. slashnext-url-scan
  7. slashnext-url-scan-sync
  8. slashnext-scan-report
  9. slashnext-download-screenshot
  10. slashnext-download-html
  11. slashnext-download-text
  12. slashnext-api-quota

1. ip


Look up an IP address indicator in the SlashNext Threat Intelligence database.

Base Command

ip

Input
Argument Name Description Required
ip IPv4 address to be looked up in the SlashNext Threat Intelligence database. Required

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
IP.Address string IP address
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision
IP.Malicious.Description string For malicious IP addresses, the reason that the vendor made the decision
SlashNext.IP.Value string Value of the Indicator of Compromise (IoC)
SlashNext.IP.Type string Type of the Indicator of Compromise (IoC)
SlashNext.IP.Verdict string SlashNext Phishing Incident Response verdict on the IoC
SlashNext.IP.ThreatStatus string Threat status of the IoC
SlashNext.IP.ThreatName string Name of the threat posed by the IoC
SlashNext.IP.ThreatType string Type of the threat posed by the IoC
SlashNext.IP.FirstSeen date Time when the IoC was first observed
SlashNext.IP.LastSeen date Time when the IoC was last observed

Command Example

!ip ip=8.8.8.8

Context Example
{
    "DBotScore": {
        "Indicator": "8.8.8.8",
        "Score": 1,
        "Type": "ip",
        "Vendor": "SlashNext Phishing Incident Response"
    },
    "IP": {
        "Address": "8.8.8.8"
    },
    "SlashNext.IP": {
        "FirstSeen": "09-26-2019 07:46:25 UTC",
        "LastSeen": "09-26-2019 07:46:36 UTC",
        "ThreatName": "N/A",
        "ThreatStatus": "N/A",
        "ThreatType": "N/A",
        "Type": "IP",
        "Value": "8.8.8.8",
        "Verdict": "Benign"
    }
}
Human Readable Output

SlashNext Phishing Incident Response - IP Lookup

ip = 8.8.8.8
Value Type Verdict ThreatStatus ThreatName ThreatType FirstSeen LastSeen
8.8.8.8 IP Benign N/A N/A N/A 09-26-2019 07:46:25 UTC 09-26-2019 07:46:36 UTC

2. domain


Look up an FQDN indicator in the SlashNext Threat Intelligence database.

Base Command

domain

Input
Argument Name Description Required
domain FQDN to be looked up in the SlashNext Threat Intelligence database. Required

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
Domain.Name string Domain name
Domain.Malicious.Vendor string For malicious domain names, the vendor that made the decision
Domain.Malicious.Description string For malicious domain names, the reason that the vendor made the decision
SlashNext.Domain.Value string Value of the Indicator of Compromise (IoC)
SlashNext.Domain.Type string Type of the Indicator of Compromise (IoC)
SlashNext.Domain.Verdict string SlashNext Phishing Incident Response verdict on the IoC
SlashNext.Domain.ThreatStatus string Threat status of the IoC
SlashNext.Domain.ThreatName string Name of the threat posed by the IoC
SlashNext.Domain.ThreatType string Type of the threat posed by the IoC
SlashNext.Domain.FirstSeen date Time when the IoC was first observed
SlashNext.Domain.LastSeen date Time when the IoC was last observed

Command Example

!domain domain=www.google.com

Context Example
{
    "DBotScore": {
        "Indicator": "www.google.com",
        "Score": 1,
        "Type": "domain",
        "Vendor": "SlashNext Phishing Incident Response"
    },
    "Domain": {
        "Name": "www.google.com"
    },
    "SlashNext.Domain": {
        "FirstSeen": "12-10-2018 13:04:17 UTC",
        "LastSeen": "10-10-2019 11:26:43 UTC",
        "ThreatName": "N/A",
        "ThreatStatus": "N/A",
        "ThreatType": "N/A",
        "Type": "Domain",
        "Value": "www.google.com",
        "Verdict": "Benign"
    }
}
Human Readable Output

SlashNext Phishing Incident Response - Domain Lookup

domain = www.google.com
Value Type Verdict ThreatStatus ThreatName ThreatType FirstSeen LastSeen
www.google.com Domain Benign N/A N/A N/A 12-10-2018 13:04:17 UTC 10-10-2019 11:26:43 UTC

3. slashnext-host-reputation


Search the SlashNext Cloud database and retrieve the reputation of a host.

Base Command

slashnext-host-reputation

Input
Argument Name Description Required
host Host can be either a domain name or an IPv4 address. Required

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
IP.Address string IP address
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision
IP.Malicious.Description string For malicious IP addresses, the reason that the vendor made the decision
SlashNext.IP.Value string Value of the Indicator of Compromise (IoC)
SlashNext.IP.Type string Type of the Indicator of Compromise (IoC)
SlashNext.IP.Verdict string SlashNext Phishing Incident Response verdict on the IoC
SlashNext.IP.ThreatStatus string Threat status of the IoC
SlashNext.IP.ThreatName string Name of the threat posed by the IoC
SlashNext.IP.ThreatType string Type of the threat posed by the IoC
SlashNext.IP.FirstSeen date Time when the IoC was first observed
SlashNext.IP.LastSeen date Time when the IoC was last observed
Domain.Name string Domain name
Domain.Malicious.Vendor string For malicious domain names, the vendor that made the decision
Domain.Malicious.Description string For malicious domain names, the reason that the vendor made the decision
SlashNext.Domain.Value string Value of the Indicator of Compromise (IoC)
SlashNext.Domain.Type string Type of the Indicator of Compromise (IoC)
SlashNext.Domain.Verdict string SlashNext Phishing Incident Response verdict on the IoC
SlashNext.Domain.ThreatStatus string Threat status of the IoC
SlashNext.Domain.ThreatName string Name of the threat posed by the IoC
SlashNext.Domain.ThreatType string Type of the threat posed by the IoC
SlashNext.Domain.FirstSeen date Time when the IoC was first observed
SlashNext.Domain.LastSeen date Time when the IoC was last observed
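The three tables above (ip, domain, and slashnext-host-reputation) all describe the same mapping: a SlashNext verdict becomes a DBotScore, the standard IP or Domain object is created, and Malicious.Vendor/Malicious.Description are filled only when the verdict is bad. The following is an added example of that mapping and is not the integration's own code. It assumes the input record carries the same keys the page's context examples show; the verdict-to-score rows other than Benign → 1 (Suspicious → 2, Malicious → 3, anything else → 0 unknown) follow the Cortex XSOAR DBotScore convention and are this example's assumption, as are the constructed sample records.

```python
import ipaddress
from typing import Any, Dict

VENDOR = "SlashNext Phishing Incident Response"

# Cortex XSOAR DBotScore convention: 0 = unknown, 1 = good, 2 = suspicious, 3 = bad.
# The page only shows "Benign" -> 1; the other two rows are this example's assumption.
VERDICT_TO_SCORE = {"Benign": 1, "Suspicious": 2, "Malicious": 3}


def indicator_kind(host: str) -> str:
    """Return "ip" for a syntactically valid IPv4 address, otherwise "domain"."""
    try:
        ipaddress.IPv4Address(host)
        return "ip"
    except ValueError:
        return "domain"


def build_host_context(record: Dict[str, Any]) -> Dict[str, Any]:
    """Map one SlashNext-style host record onto the context paths documented above.

    `record` is assumed to carry the keys the page's context examples show
    (Value, Verdict, ThreatStatus, ThreatName, ThreatType, FirstSeen, LastSeen).
    """
    host = record["Value"]
    kind = indicator_kind(host)
    verdict = record.get("Verdict", "N/A")
    score = VERDICT_TO_SCORE.get(verdict, 0)  # unknown verdicts stay 0, never "good"

    std_key, std_field = ("IP", "Address") if kind == "ip" else ("Domain", "Name")
    standard: Dict[str, Any] = {std_field: host}
    if score == 3:
        # Malicious.* is populated only for bad verdicts, as the table describes.
        standard["Malicious"] = {
            "Vendor": VENDOR,
            "Description": f"{record.get('ThreatType', 'N/A')}: {record.get('ThreatName', 'N/A')}",
        }

    return {
        "DBotScore": {"Indicator": host, "Type": kind, "Vendor": VENDOR, "Score": score},
        std_key: standard,
        f"SlashNext.{std_key}": {
            "Value": host,
            "Type": std_key,
            "Verdict": verdict,
            "ThreatStatus": record.get("ThreatStatus", "N/A"),
            "ThreatName": record.get("ThreatName", "N/A"),
            "ThreatType": record.get("ThreatType", "N/A"),
            "FirstSeen": record.get("FirstSeen", "N/A"),
            "LastSeen": record.get("LastSeen", "N/A"),
        },
    }


# Constructed sample records: the first mirrors the page's 8.8.8.8 example,
# the second is an invented malicious domain used for illustration only.
BENIGN_IP = {
    "Value": "8.8.8.8", "Verdict": "Benign", "ThreatStatus": "N/A", "ThreatName": "N/A",
    "ThreatType": "N/A", "FirstSeen": "09-26-2019 07:46:25 UTC", "LastSeen": "09-26-2019 07:46:36 UTC",
}
MALICIOUS_DOMAIN = {
    "Value": "login-verify.example", "Verdict": "Malicious", "ThreatStatus": "Active",
    "ThreatName": "Fake Login Page", "ThreatType": "Phishing & Social Engineering",
    "FirstSeen": "01-01-2020 00:00:00 UTC", "LastSeen": "01-02-2020 00:00:00 UTC",
}

if __name__ == "__main__":
    import json
    for rec in (BENIGN_IP, MALICIOUS_DOMAIN):
        print(json.dumps(build_host_context(rec), indent=2))
```

Note the default of 0 for any verdict the map does not recognise (including "N/A"): a playbook that treats an unrecognised verdict as score 1 would silently whitelist indicators the service could not rate.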

Command Example

!slashnext-host-reputation host=www.google.com

Context Example
{
    "DBotScore": {
        "Indicator": "www.google.com",
        "Score": 1,
        "Type": "domain",
        "Vendor": "SlashNext Phishing Incident Response"
    },
    "Domain": {
        "Name": "www.google.com"
    },
    "SlashNext.Domain": {
        "FirstSeen": "12-10-2018 13:04:17 UTC",
        "LastSeen": "10-10-2019 11:26:43 UTC",
        "ThreatName": "N/A",
        "ThreatStatus": "N/A",
        "ThreatType": "N/A",
        "Type": "Domain",
        "Value": "www.google.com",
        "Verdict": "Benign"
    }
}
Human Readable Output

SlashNext Phishing Incident Response - Host Reputation

host = www.google.com
Value Type Verdict ThreatStatus ThreatName ThreatType FirstSeen LastSeen
www.google.com Domain Benign N/A N/A N/A 12-10-2018 13:04:17 UTC 10-10-2019 11:26:43 UTC

4. slashnext-host-report


Search the SlashNext Cloud database and retrieve a detailed report for a host and its associated URL.

Base Command

slashnext-host-report

Input
Argument Name Description Required
host Host can be either a domain name or an IPv4 address. Required

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
IP.Address string IP address
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision
IP.Malicious.Description string For malicious IP addresses, the reason that the vendor made the decision
SlashNext.IP.Value string Value of the Indicator of Compromise (IoC)
SlashNext.IP.Type string Type of the Indicator of Compromise (IoC)
SlashNext.IP.Verdict string SlashNext Phishing Incident Response verdict on the IoC
SlashNext.IP.ThreatStatus string Threat status of the IoC
SlashNext.IP.ThreatName string Name of the threat posed by the IoC
SlashNext.IP.ThreatType string Type of the threat posed by the IoC
SlashNext.IP.FirstSeen date Time when the IoC was first observed
SlashNext.IP.LastSeen date Time when the IoC was last observed
Domain.Name string Domain name
Domain.Malicious.Vendor string For malicious domain names, the vendor that made the decision
Domain.Malicious.Description string For malicious domain names, the reason that the vendor made the decision
SlashNext.Domain.Value string Value of the Indicator of Compromise (IoC)
SlashNext.Domain.Type string Type of the Indicator of Compromise (IoC)
SlashNext.Domain.Verdict string SlashNext Phishing Incident Response verdict on the IoC
SlashNext.Domain.ThreatStatus string Threat status of the IoC
SlashNext.Domain.ThreatName string Name of the threat posed by the IoC
SlashNext.Domain.ThreatType string Type of the threat posed by the IoC
SlashNext.Domain.FirstSeen date Time when the IoC was first observed
SlashNext.Domain.LastSeen date Time when the IoC was last observed

Command Example

!slashnext-host-report host=www.google.com

Context Example
{
    "DBotScore": {
        "Indicator": "www.google.com",
        "Score": 1,
        "Type": "domain",
        "Vendor": "SlashNext Phishing Incident Response"
    },
    "Domain": {
        "Name": "www.google.com"
    },
    "SlashNext.Domain": {
        "FirstSeen": "12-10-2018 13:04:17 UTC",
        "LastSeen": "10-10-2019 11:26:43 UTC",
        "ThreatName": "N/A",
        "ThreatStatus": "N/A",
        "ThreatType": "N/A",
        "Type": "Domain",
        "Value": "www.google.com",
        "Verdict": "Benign"
    }
}

{
    "DBotScore": [
        {
            "Indicator": "http://www.google.com/wasif",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        }
    ],
    "SlashNext.URL": {
        "FirstSeen": "10-03-2019 08:24:04 UTC",
        "LastSeen": "10-03-2019 08:24:14 UTC",
        "ScanID": "61fe7c96-88e3-440e-a56f-75834b734b06",
        "ThreatName": "N/A",
        "ThreatStatus": "N/A",
        "ThreatType": "N/A",
        "Type": "Scanned URL",
        "Value": "http://www.google.com/wasif",
        "Verdict": "Benign"
    },
    "URL": [
        {
            "Data": "http://www.google.com/wasif"
        }
    ]
}
Human Readable Output

SlashNext Phishing Incident Response - Host Report

host = www.google.com
Value Type Verdict ThreatStatus ThreatName ThreatType FirstSeen LastSeen
www.google.com Domain Benign N/A N/A N/A 12-10-2018 13:04:17 UTC 10-10-2019 11:26:43 UTC

SlashNext Phishing Incident Response - Latest Scanned URL

host = www.google.com
Value Type Verdict ScanID ThreatStatus ThreatName ThreatType FirstSeen LastSeen
http://www.google.com/wasif Scanned URL Benign 61fe7c96-88e3-440e-a56f-75834b734b06 N/A N/A N/A 10-03-2019 08:24:04 UTC 10-03-2019 08:24:14 UTC

Forensics: Webpage Screenshot for the Scanned URL = http://www.google.com/wasif
Forensics: Webpage HTML for the Scanned URL = http://www.google.com/wasif
Forensics: Webpage Rendered Text for the Scanned URL = http://www.google.com/wasif

5. slashnext-host-urls


Search the SlashNext Cloud database and retrieve a list of all URLs associated with the specified host.

Base Command

slashnext-host-urls

Input
Argument Name Description Required
host Host can be either a domain name or an IPv4 address. Required
limit Maximum number of URL records to fetch. This is an optional parameter with a default value of 10. Optional

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
URL.Data string URL reported
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision
URL.Malicious.Description string For malicious URLs, the reason that the vendor made the decision
SlashNext.URL.Value string Value of the Indicator of Compromise (IoC)
SlashNext.URL.Type string Type of the Indicator of Compromise (IoC)
SlashNext.URL.ScanID string Scan ID to be used to get the IoC forensics data for further investigation
SlashNext.URL.Verdict string SlashNext Phishing Incident Response verdict on the IoC
SlashNext.URL.ThreatStatus string Threat status of the IoC
SlashNext.URL.ThreatName string Name of the threat posed by the IoC
SlashNext.URL.ThreatType string Type of the threat posed by the IoC
SlashNext.URL.FirstSeen date Time when the IoC was first observed
SlashNext.URL.LastSeen date Time when the IoC was last observed
SlashNext.URL.Final.Value string Final IoC value in case original IoC is a redirector to same domain
SlashNext.URL.Final.Type string Type of the final IoC
SlashNext.URL.Final.Verdict string SlashNext Phishing Incident Response verdict on the final IoC
SlashNext.URL.Landing.Value string Landing IoC value in case original IoC is a redirector to different domain
SlashNext.URL.Landing.Type string Type of the landing IoC
SlashNext.URL.Landing.ScanID string Scan ID to be used to get the landing IoC forensics data for further investigation
SlashNext.URL.Landing.Verdict string SlashNext Phishing Incident Response verdict on the landing IoC
SlashNext.URL.Landing.ThreatStatus string Threat status of the landing IoC
SlashNext.URL.Landing.ThreatName string Name of the threat posed by the landing IoC
SlashNext.URL.Landing.ThreatType string Type of the threat posed by the landing IoC
SlashNext.URL.Landing.FirstSeen date Time when the landing IoC was first observed
SlashNext.URL.Landing.LastSeen date Time when the landing IoC was last observed

Command Example

!slashnext-host-urls host=www.google.com

Context Example
{
    "DBotScore": [
        {
            "Indicator": "http://www.google.com/wasif",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "http://www.google.com/abrar",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "http://www.google.com/saadat",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "https://www.google.com/",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "https://www.google.com/url?q=replacedlink/&source=gmail&...",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "http://www.google.com/",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "https://www.google.com/?gws_rd=ssl",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "http://www.google.com/maps/place/2307",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "https://www.google.com/maps/place/2307",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "http://www.google.com/maps/place/2307+Watterson+Trail",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "https://www.google.com/maps/place/2307+Watterson+Trail",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "http://www.google.com/maps/place/2307+Watterson+Trail",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "https://www.google.com/maps/place/2307+Watterson+Trail",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "http://www.google.com/maps/place/2307+Watterson+Trail,+Jeffersontown,+KY+40299/@38.2107207,-85.5607165,17z/data=!3m1!4b1!4m5!3m4!1s0x8869a1b57420f6d9:0xccc95b8f32dcfd4b!8m2!3d38.2107165!4d-85.5585225",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "https://www.google.com/maps/place/2307+Watterson+Trail,+Jeffersontown,+KY+40299/@38.2107207,-85.5607165,17z/data=!3m1!4b1!4m5!3m4!1s0x8869a1b57420f6d9:0xccc95b8f32dcfd4b!8m2!3d38.2107165!4d-85.5585225",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        }
    ],
    "SlashNext.URL": [
        {
            "FirstSeen": "10-03-2019 08:24:04 UTC",
            "LastSeen": "10-03-2019 08:24:14 UTC",
            "ScanID": "61fe7c96-88e3-440e-a56f-75834b734b06",
            "ThreatName": "N/A",
            "ThreatStatus": "N/A",
            "ThreatType": "N/A",
            "Type": "Scanned URL",
            "Value": "http://www.google.com/wasif",
            "Verdict": "Benign"
        },
        {
            "FirstSeen": "10-03-2019 08:22:36 UTC",
            "LastSeen": "10-03-2019 08:22:46 UTC",
            "ScanID": "820275cd-c6de-46e9-b3a3-7cb072179bb4",
            "ThreatName": "N/A",
            "ThreatStatus": "N/A",
            "ThreatType": "N/A",
            "Type": "Scanned URL",
            "Value": "http://www.google.com/abrar",
            "Verdict": "Benign"
        },
        {
            "FirstSeen": "10-03-2019 08:17:49 UTC",
            "LastSeen": "10-03-2019 08:18:00 UTC",
            "ScanID": "905cf63e-7761-4681-b314-4b8820f04c41",
            "ThreatName": "N/A",
            "ThreatStatus": "N/A",
            "ThreatType": "N/A",
            "Type": "Scanned URL",
            "Value": "http://www.google.com/saadat",
            "Verdict": "Benign"
        },
        {
            "FirstSeen": "08-27-2019 10:32:19 UTC",
            "LastSeen": "08-27-2019 12:34:52 UTC",
            "ScanID": "4f1540b9-3517-4e6c-bca8-923acc3eed43",
            "ThreatName": "N/A",
            "ThreatStatus": "N/A",
            "ThreatType": "N/A",
            "Type": "Scanned URL",
            "Value": "https://www.google.com/",
            "Verdict": "Benign"
        },
        {
            "FirstSeen": "08-30-2019 06:06:10 UTC",
            "LastSeen": "08-30-2019 06:06:21 UTC",
            "ScanID": "7277ea43-df3d-4692-8615-8c15485249c5",
            "ThreatName": "N/A",
            "ThreatStatus": "N/A",
            "ThreatType": "N/A",
            "Type": "Scanned URL",
            "Value": "https://www.google.com/url?q=replacedlink/&source=gmail&...",
            "Verdict": "Benign"
        },
        {
            "Final": {
                "Type": "Final URL",
                "Value": "https://www.google.com/?gws_rd=ssl",
                "Verdict": "Benign"
            },
            "FirstSeen": "08-26-2019 17:29:38 UTC",
            "LastSeen": "08-26-2019 19:41:19 UTC",
            "ScanID": "48ae7b06-5915-4633-bc51-2cfaa0036742",
            "ThreatName": "N/A",
            "ThreatStatus": "N/A",
            "ThreatType": "N/A",
            "Type": "Scanned URL",
            "Value": "http://www.google.com/",
            "Verdict": "Benign"
        },
        {
            "Final": {
                "Type": "Final URL",
                "Value": "https://www.google.com/maps/place/2307",
                "Verdict": "Benign"
            },
            "FirstSeen": "10-01-2019 12:50:34 UTC",
            "LastSeen": "10-01-2019 12:50:47 UTC",
            "ScanID": "N/A",
            "ThreatName": "N/A",
            "ThreatStatus": "N/A",
            "ThreatType": "N/A",
            "Type": "Scanned URL",
            "Value": "http://www.google.com/maps/place/2307",
            "Verdict": "Benign"
        },
        {
            "Final": {
                "Type": "Final URL",
                "Value": "https://www.google.com/maps/place/2307+Watterson+Trail",
                "Verdict": "Benign"
            },
            "FirstSeen": "10-01-2019 12:50:12 UTC",
            "LastSeen": "10-01-2019 12:50:26 UTC",
            "ScanID": "N/A",
            "ThreatName": "N/A",
            "ThreatStatus": "N/A",
            "ThreatType": "N/A",
            "Type": "Scanned URL",
            "Value": "http://www.google.com/maps/place/2307+Watterson+Trail",
            "Verdict": "Benign"
        },
        {
            "Final": {
                "Type": "Final URL",
                "Value": "https://www.google.com/maps/place/2307+Watterson+Trail",
                "Verdict": "Benign"
            },
            "FirstSeen": "10-01-2019 12:50:11 UTC",
            "LastSeen": "10-01-2019 12:50:24 UTC",
            "ScanID": "N/A",
            "ThreatName": "N/A",
            "ThreatStatus": "N/A",
            "ThreatType": "N/A",
            "Type": "Scanned URL",
            "Value": "http://www.google.com/maps/place/2307+Watterson+Trail",
            "Verdict": "Benign"
        },
        {
            "Final": {
                "Type": "Final URL",
                "Value": "https://www.google.com/maps/place/2307+Watterson+Trail,+Jeffersontown,+KY+40299/@38.2107207,-85.5607165,17z/data=!3m1!4b1!4m5!3m4!1s0x8869a1b57420f6d9:0xccc95b8f32dcfd4b!8m2!3d38.2107165!4d-85.5585225",
                "Verdict": "Benign"
            },
            "FirstSeen": "10-01-2019 12:49:44 UTC",
            "LastSeen": "10-01-2019 12:49:58 UTC",
            "ScanID": "N/A",
            "ThreatName": "N/A",
            "ThreatStatus": "N/A",
            "ThreatType": "N/A",
            "Type": "Scanned URL",
            "Value": "http://www.google.com/maps/place/2307+Watterson+Trail,+Jeffersontown,+KY+40299/@38.2107207,-85.5607165,17z/data=!3m1!4b1!4m5!3m4!1s0x8869a1b57420f6d9:0xccc95b8f32dcfd4b!8m2!3d38.2107165!4d-85.5585225",
            "Verdict": "Benign"
        }
    ],
    "URL": [
        {
            "Data": "http://www.google.com/wasif"
        },
        {
            "Data": "http://www.google.com/abrar"
        },
        {
            "Data": "http://www.google.com/saadat"
        },
        {
            "Data": "https://www.google.com/"
        },
        {
            "Data": "https://www.google.com/url?q=replacedlink/&source=gmail&..."
        },
        {
            "Data": "http://www.google.com/"
        },
        {
            "Data": "https://www.google.com/?gws_rd=ssl"
        },
        {
            "Data": "http://www.google.com/maps/place/2307"
        },
        {
            "Data": "https://www.google.com/maps/place/2307"
        },
        {
            "Data": "http://www.google.com/maps/place/2307+Watterson+Trail"
        },
        {
            "Data": "https://www.google.com/maps/place/2307+Watterson+Trail"
        },
        {
            "Data": "http://www.google.com/maps/place/2307+Watterson+Trail"
        },
        {
            "Data": "https://www.google.com/maps/place/2307+Watterson+Trail"
        },
        {
            "Data": "http://www.google.com/maps/place/2307+Watterson+Trail,+Jeffersontown,+KY+40299/@38.2107207,-85.5607165,17z/data=!3m1!4b1!4m5!3m4!1s0x8869a1b57420f6d9:0xccc95b8f32dcfd4b!8m2!3d38.2107165!4d-85.5585225"
        },
        {
            "Data": "https://www.google.com/maps/place/2307+Watterson+Trail,+Jeffersontown,+KY+40299/@38.2107207,-85.5607165,17z/data=!3m1!4b1!4m5!3m4!1s0x8869a1b57420f6d9:0xccc95b8f32dcfd4b!8m2!3d38.2107165!4d-85.5585225"
        }
    ]
}
Human Readable Output

SlashNext Phishing Incident Response - Host URLs

host = www.google.com
Value Type Verdict ScanID ThreatStatus ThreatName ThreatType FirstSeen LastSeen
http://www.google.com/wasif Scanned URL Benign 61fe7c96-88e3-440e-a56f-75834b734b06 N/A N/A N/A 10-03-2019 08:24:04 UTC 10-03-2019 08:24:14 UTC
http://www.google.com/abrar Scanned URL Benign 820275cd-c6de-46e9-b3a3-7cb072179bb4 N/A N/A N/A 10-03-2019 08:22:36 UTC 10-03-2019 08:22:46 UTC
http://www.google.com/saadat Scanned URL Benign 905cf63e-7761-4681-b314-4b8820f04c41 N/A N/A N/A 10-03-2019 08:17:49 UTC 10-03-2019 08:18:00 UTC
https://www.google.com/ Scanned URL Benign 4f1540b9-3517-4e6c-bca8-923acc3eed43 N/A N/A N/A 08-27-2019 10:32:19 UTC 08-27-2019 12:34:52 UTC
https://www.google.com/url?q=replacedlink/&source=gmail&... Scanned URL Benign 7277ea43-df3d-4692-8615-8c15485249c5 N/A N/A N/A 08-30-2019 06:06:10 UTC 08-30-2019 06:06:21 UTC
http://www.google.com/ Scanned URL Benign 48ae7b06-5915-4633-bc51-2cfaa0036742 N/A N/A N/A 08-26-2019 17:29:38 UTC 08-26-2019 19:41:19 UTC
--------> https://www.google.com/?gws_rd=ssl Final URL Benign
http://www.google.com/maps/place/2307 Scanned URL Benign N/A N/A N/A N/A 10-01-2019 12:50:34 UTC 10-01-2019 12:50:47 UTC
--------> https://www.google.com/maps/place/2307 Final URL Benign
http://www.google.com/maps/place/2307+Watterson+Trail Scanned URL Benign N/A N/A N/A N/A 10-01-2019 12:50:12 UTC 10-01-2019 12:50:26 UTC
--------> https://www.google.com/maps/place/2307+Watterson+Trail Final URL Benign
http://www.google.com/maps/place/2307+Watterson+Trail Scanned URL Benign N/A N/A N/A N/A 10-01-2019 12:50:11 UTC 10-01-2019 12:50:24 UTC
--------> https://www.google.com/maps/place/2307+Watterson+Trail Final URL Benign
http://www.google.com/maps/place/2307+Watterson+Trail,+Jeffersontown,+KY+40299/@38.2107207,-85.5607165,17z/data=!3m1!4b1!4m5!3m4!1s0x8869a1b57420f6d9:0xccc95b8f32dcfd4b!8m2!3d38.2107165!4d-85.5585225 Scanned URL Benign N/A N/A N/A N/A 10-01-2019 12:49:44 UTC 10-01-2019 12:49:58 UTC
--------> https://www.google.com/maps/place/2307+Watterson+Trail,+Jeffersontown,+KY+40299/@38.2107207,-85.5607165,17z/data=!3m1!4b1!4m5!3m4!1s0x8869a1b57420f6d9:0xccc95b8f32dcfd4b!8m2!3d38.2107165!4d-85.5585225 Final URL Benign

6. slashnext-url-scan


Perform a real-time URL scan with the SlashNext cloud-based SEER Engine. If the specified URL already exists in the cloud database, the scan results are returned immediately. If not, this command submits a URL scan request and returns a ‘check back later’ message along with a unique Scan ID. The user can check the results of this scan with the ‘slashnext-scan-report’ command after 60 seconds or later, using the returned Scan ID.

Base Command

slashnext-url-scan

Input
Argument Name Description Required
url The URL that needs to be scanned. Required
extended_info If extended_info is set to ‘true’, the system downloads forensics data (screenshot, HTML, and rendered text) along with the URL reputation. If this parameter is not provided, the system treats it as ‘false’. Optional

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
URL.Data string URL reported
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision
URL.Malicious.Description string For malicious URLs, the reason that the vendor made the decision
SlashNext.URL.Value string Value of the Indicator of Compromise (IoC)
SlashNext.URL.Type string Type of the Indicator of Compromise (IoC)
SlashNext.URL.ScanID string Scan ID to be used to get the IoC forensics data for further investigation
SlashNext.URL.Verdict string SlashNext Phishing Incident Response verdict on the IoC
SlashNext.URL.ThreatStatus string Threat status of the IoC
SlashNext.URL.ThreatName string Name of the threat posed by the IoC
SlashNext.URL.ThreatType string Type of the threat posed by the IoC
SlashNext.URL.FirstSeen date Time when the IoC was first observed
SlashNext.URL.LastSeen date Time when the IoC was last observed
SlashNext.URL.Final.Value string Final IoC value in case original IoC is a redirector to same domain
SlashNext.URL.Final.Type string Type of the final IoC
SlashNext.URL.Final.Verdict string SlashNext Phishing Incident Response verdict on the final IoC
SlashNext.URL.Landing.Value string Landing IoC value in case original IoC is a redirector to different domain
SlashNext.URL.Landing.Type string Type of the landing IoC
SlashNext.URL.Landing.ScanID string Scan ID to be used to get the landing IoC forensics data for further investigation
SlashNext.URL.Landing.Verdict string SlashNext Phishing Incident Response verdict on the landing IoC
SlashNext.URL.Landing.ThreatStatus string Threat status of the landing IoC
SlashNext.URL.Landing.ThreatName string Name of the threat posed by the landing IoC
SlashNext.URL.Landing.ThreatType string Type of the threat posed by the landing IoC
SlashNext.URL.Landing.FirstSeen date Time when the landing IoC was first observed
SlashNext.URL.Landing.LastSeen date Time when the landing IoC was last observed
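The URL context tables for slashnext-host-urls and slashnext-url-scan distinguish two redirect outcomes: Final (the redirector stays on the same domain, carried as Type/Value/Verdict only, as in the page's http://www.google.com/ → https://www.google.com/?gws_rd=ssl example) and Landing (the redirector leaves the domain, carried with its own ScanID and threat fields). The following is an added example of building that context, not the integration's own code. It assumes the raw scan and redirect records use the keys shown in the page's context examples; the "Landing URL" type label and the verdict-to-score rows beyond Benign → 1 are assumptions, and the cross-domain sample is constructed.

```python
from typing import Any, Dict, Optional
from urllib.parse import urlsplit

VENDOR = "SlashNext Phishing Incident Response"
VERDICT_TO_SCORE = {"Benign": 1, "Suspicious": 2, "Malicious": 3}  # assumption beyond Benign -> 1
SN_FIELDS = ("ScanID", "Verdict", "ThreatStatus", "ThreatName", "ThreatType", "FirstSeen", "LastSeen")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL (port and credentials stripped)."""
    return (urlsplit(url).hostname or "").lower()


def redirect_kind(original: str, target: str) -> str:
    """'Final' when the redirect stays on the original host, 'Landing' when it leaves it."""
    return "Final" if host_of(original) == host_of(target) else "Landing"


def dbot(url: str, verdict: str) -> Dict[str, Any]:
    return {"Indicator": url, "Type": "url", "Vendor": VENDOR, "Score": VERDICT_TO_SCORE.get(verdict, 0)}


def std_url(url: str, rec: Dict[str, Any]) -> Dict[str, Any]:
    """Standard URL object; Malicious.* only for a bad verdict, as the table describes."""
    entry: Dict[str, Any] = {"Data": url}
    if VERDICT_TO_SCORE.get(rec.get("Verdict", ""), 0) == 3:
        entry["Malicious"] = {
            "Vendor": VENDOR,
            "Description": f"{rec.get('ThreatType', 'N/A')}: {rec.get('ThreatName', 'N/A')}",
        }
    return entry


def build_url_context(scan: Dict[str, Any], redirect: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Build DBotScore / URL / SlashNext.URL for a scanned URL and its optional redirect target."""
    url = scan["Value"]
    sn: Dict[str, Any] = {"Value": url, "Type": "Scanned URL"}
    sn.update({k: scan.get(k, "N/A") for k in SN_FIELDS})
    ctx: Dict[str, Any] = {"DBotScore": [dbot(url, sn["Verdict"])], "URL": [std_url(url, scan)], "SlashNext.URL": sn}

    if redirect:
        target = redirect["Value"]
        verdict = redirect.get("Verdict", "N/A")
        # Both hops get their own DBotScore and URL entries, as in the page's url-scan example.
        ctx["DBotScore"].append(dbot(target, verdict))
        ctx["URL"].append(std_url(target, redirect))
        if redirect_kind(url, target) == "Final":
            sn["Final"] = {"Type": "Final URL", "Value": target, "Verdict": verdict}
        else:
            landing: Dict[str, Any] = {"Value": target, "Type": "Landing URL"}  # label assumed
            landing.update({k: redirect.get(k, "N/A") for k in SN_FIELDS})
            sn["Landing"] = landing
    return ctx


# Sample 1 mirrors the page's url-scan example (same-host redirect -> Final).
SAME_HOST_SCAN = {"Value": "http://www.google.com/", "ScanID": "48ae7b06-5915-4633-bc51-2cfaa0036742",
                  "Verdict": "Benign", "FirstSeen": "08-26-2019 17:29:38 UTC", "LastSeen": "08-26-2019 19:41:19 UTC"}
SAME_HOST_REDIRECT = {"Value": "https://www.google.com/?gws_rd=ssl", "Verdict": "Benign"}

# Sample 2 is constructed: a shortener hop that leaves the domain (-> Landing) for a bad page.
CROSS_HOST_SCAN = {"Value": "http://short-link.example/x1", "ScanID": "SCANID-ORIGINAL-PLACEHOLDER", "Verdict": "Benign"}
CROSS_HOST_REDIRECT = {"Value": "https://collect.example/login", "ScanID": "SCANID-LANDING-PLACEHOLDER",
                       "Verdict": "Malicious", "ThreatStatus": "Active",
                       "ThreatName": "Fake Login Page", "ThreatType": "Phishing & Social Engineering"}

if __name__ == "__main__":
    import json
    print(json.dumps(build_url_context(SAME_HOST_SCAN, SAME_HOST_REDIRECT), indent=2))
    print(json.dumps(build_url_context(CROSS_HOST_SCAN, CROSS_HOST_REDIRECT), indent=2))
```

The cross-domain case is the one that matters for triage: the first hop can be benign while the landing page is not, so a playbook should branch on the Landing verdict (and use Landing.ScanID for the forensics downloads) rather than on the original URL's verdict alone.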

Command Example

!slashnext-url-scan url=www.google.com extended_info=true

Context Example
{
    "DBotScore": [
        {
            "Indicator": "http://www.google.com/",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "https://www.google.com/?gws_rd=ssl",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        }
    ],
    "SlashNext.URL": {
        "Final": {
            "Type": "Final URL",
            "Value": "https://www.google.com/?gws_rd=ssl",
            "Verdict": "Benign"
        },
        "FirstSeen": "08-26-2019 17:29:38 UTC",
        "LastSeen": "08-26-2019 19:41:19 UTC",
        "ScanID": "48ae7b06-5915-4633-bc51-2cfaa0036742",
        "ThreatName": "N/A",
        "ThreatStatus": "N/A",
        "ThreatType": "N/A",
        "Type": "Scanned URL",
        "Value": "http://www.google.com/",
        "Verdict": "Benign"
    },
    "URL": [
        {
            "Data": "http://www.google.com/"
        },
        {
            "Data": "https://www.google.com/?gws_rd=ssl"
        }
    ]
}
Human Readable Output

SlashNext Phishing Incident Response - URL Scan

url = http://www.google.com/
Value Type Verdict ScanID ThreatStatus ThreatName ThreatType FirstSeen LastSeen
http://www.google.com/ Scanned URL Benign 48ae7b06-5915-4633-bc51-2cfaa0036742 N/A N/A N/A 08-26-2019 17:29:38 UTC 08-26-2019 19:41:19 UTC
--------> https://www.google.com/?gws_rd=ssl Final URL Benign

7. slashnext-url-scan-sync


Perform a real-time URL scan with the SlashNext cloud-based SEER Engine in blocking mode. If the specified URL already exists in the cloud database, the scan result is returned immediately. If not, this command submits a URL scan request and waits for the scan to finish, which may take up to 60 seconds.

Base Command

slashnext-url-scan-sync

Input
Argument Name Description Required
url The URL that needs to be scanned. Required
timeout A timeout value in seconds. If the system is unable to complete a scan within the specified timeout, a timeout error is returned, and the user may try again with a different timeout. If no timeout value is specified, a default value of 60 seconds is used. Optional
extended_info If extended_info is set to 'true', the system downloads forensics data (screenshot, HTML and rendered text) along with the URL reputation. If this parameter is not set, it is treated as 'false'. Optional

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
URL.Data string URL reported
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision
URL.Malicious.Description string For malicious URLs, the reason that the vendor made the decision
SlashNext.URL.Value string Value of the Indicator of Compromise (IoC)
SlashNext.URL.Type string Type of the Indicator of Compromise (IoC)
SlashNext.URL.ScanID string Scan ID to be used to get the IoC forensics data for further investigation
SlashNext.URL.Verdict string SlashNext Phishing Incident Response verdict on the IoC
SlashNext.URL.ThreatStatus string Threat status of the IoC
SlashNext.URL.ThreatName string Name of the threat posed by the IoC
SlashNext.URL.ThreatType string Type of the threat posed by the IoC
SlashNext.URL.FirstSeen date Time when the IoC was first observed
SlashNext.URL.LastSeen date Time when the IoC was last observed
SlashNext.URL.Final.Value string Final IoC value in case original IoC is a redirector to same domain
SlashNext.URL.Final.Type string Type of the final IoC
SlashNext.URL.Final.Verdict string SlashNext Phishing Incident Response verdict on the final IoC
SlashNext.URL.Landing.Value string Landing IoC value in case original IoC is a redirector to different domain
SlashNext.URL.Landing.Type string Type of the landing IoC
SlashNext.URL.Landing.ScanID string Scan ID to be used to get the landing IoC forensics data for further investigation
SlashNext.URL.Landing.Verdict string SlashNext Phishing Incident Response verdict on the landing IoC
SlashNext.URL.Landing.ThreatStatus string Threat status of the landing IoC
SlashNext.URL.Landing.ThreatName string Name of the threat posed by the landing IoC
SlashNext.URL.Landing.ThreatType string Type of the threat posed by the landing IoC
SlashNext.URL.Landing.FirstSeen date Time when the landing IoC was first observed
SlashNext.URL.Landing.LastSeen date Time when the landing IoC was last observed

Command Example

!slashnext-url-scan-sync url=www.google.com extended_info=true

Context Example
{
    "DBotScore": [
        {
            "Indicator": "http://www.google.com/",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "https://www.google.com/?gws_rd=ssl",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        }
    ],
    "SlashNext.URL": {
        "Final": {
            "Type": "Final URL",
            "Value": "https://www.google.com/?gws_rd=ssl",
            "Verdict": "Benign"
        },
        "FirstSeen": "08-26-2019 17:29:38 UTC",
        "LastSeen": "08-26-2019 19:41:19 UTC",
        "ScanID": "48ae7b06-5915-4633-bc51-2cfaa0036742",
        "ThreatName": "N/A",
        "ThreatStatus": "N/A",
        "ThreatType": "N/A",
        "Type": "Scanned URL",
        "Value": "http://www.google.com/",
        "Verdict": "Benign"
    },
    "URL": [
        {
            "Data": "http://www.google.com/"
        },
        {
            "Data": "https://www.google.com/?gws_rd=ssl"
        }
    ]
}
Human Readable Output

SlashNext Phishing Incident Response - URL Scan Sync

url = http://www.google.com/
Value Type Verdict ScanID ThreatStatus ThreatName ThreatType FirstSeen LastSeen
http://www.google.com/ Scanned URL Benign 48ae7b06-5915-4633-bc51-2cfaa0036742 N/A N/A N/A 08-26-2019 17:29:38 UTC 08-26-2019 19:41:19 UTC
--------> https://www.google.com/?gws_rd=ssl Final URL Benign

8. slashnext-scan-report


Retrieve URL scan results for a previous scan request. If the scan is finished, the result is returned immediately; otherwise a 'check back later' message is returned.
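The asynchronous scan-then-report pattern described for slashnext-url-scan-sync and slashnext-scan-report, as an added Python example that is not part of the integration's own code: it submits a scan, polls until the report stops saying 'check back later' or the timeout expires, and shapes the finished report into the context paths documented below, placing a redirect target under Final (same domain) or Landing (different domain). The stand-in cloud, the `Resolved` key and the registered-domain test are constructed assumptions, not SlashNext's API.

```python
import time
from urllib.parse import urlparse

VENDOR = "SlashNext Phishing Incident Response"
VERDICT_SCORE = {"Benign": 1, "Malicious": 3}  # Cortex XSOAR DBotScore: 0 unknown, 1 good, 3 bad

def scan_url_sync(url_scan, scan_report, url, timeout=60, interval=1.0):
    """Blocking scan built from the two async commands: submit, then poll until a Verdict or the deadline."""
    report = url_scan(url)                 # a URL already in the cloud database returns its Verdict at once
    deadline = time.monotonic() + timeout
    while "Verdict" not in report:         # 'check back later' reports carry no Verdict yet
        if time.monotonic() >= deadline:
            raise TimeoutError(f"scan {report['ScanID']} not finished within {timeout}s")
        time.sleep(interval)
        report = scan_report(report["ScanID"])
    return report

def registered_domain(url):
    # Crude same-domain test (last two host labels); an assumption, not SlashNext's rule
    return ".".join(urlparse(url).hostname.lower().split(".")[-2:])

def build_context(report):
    """Shape a finished report into the DBotScore / URL / SlashNext.URL context paths."""
    def dbot(value, verdict):
        return {"Indicator": value, "Type": "url", "Vendor": VENDOR, "Score": VERDICT_SCORE.get(verdict, 0)}
    scanned, verdict = report["Value"], report["Verdict"]
    ctx = {"SlashNext.URL": {k: report[k] for k in ("Value", "Type", "ScanID", "Verdict")},
           "DBotScore": [dbot(scanned, verdict)], "URL": [{"Data": scanned}]}
    if verdict == "Malicious":             # URL.Malicious.* is only populated for malicious verdicts
        ctx["URL"][0]["Malicious"] = {"Vendor": VENDOR, "Description": report.get("ThreatName", "")}
    resolved = report.get("Resolved")      # constructed key: where the redirect chain ended
    if resolved and resolved["Value"] != scanned:
        # Same registered domain -> Final; different domain -> Landing (which carries its own ScanID)
        same = registered_domain(resolved["Value"]) == registered_domain(scanned)
        ctx["SlashNext.URL"]["Final" if same else "Landing"] = resolved
        ctx["DBotScore"].append(dbot(resolved["Value"], resolved["Verdict"]))
        ctx["URL"].append({"Data": resolved["Value"]})
    return ctx

def demo(polls_before_ready=2):
    """Constructed cloud stand-in: 'check back later' for a few polls, then a finished report."""
    pending = {"left": polls_before_ready}
    done = {"ScanID": "scan-demo", "Value": "http://short.example/x", "Type": "Scanned URL", "Verdict": "Malicious",
            "ThreatName": "Fake Login Page", "Resolved": {"Type": "Landing URL", "Value": "https://login.evil.example/",
                                                          "Verdict": "Malicious", "ScanID": "scan-landing"}}
    def scan_report(scan_id):
        pending["left"] -= 1
        return done if pending["left"] < 0 else {"ScanID": scan_id, "Message": "check back later"}
    report = scan_url_sync(lambda u: {"ScanID": "scan-demo"}, scan_report, done["Value"], interval=0)
    return build_context(report)
```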

Base Command

slashnext-scan-report

Input
Argument Name Description Required
scanid Scan ID returned by an earlier call to the 'slashnext-url-scan' or 'slashnext-url-scan-sync' command. Required
extended_info If extended_info is set to 'true', the system downloads forensics data (screenshot, HTML and rendered text) along with the URL reputation. If this parameter is not set, it is treated as 'false'. Optional

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
URL.Data string URL reported
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision
URL.Malicious.Description string For malicious URLs, the reason that the vendor made the decision
SlashNext.URL.Value string Value of the Indicator of Compromise (IoC)
SlashNext.URL.Type string Type of the Indicator of Compromise (IoC)
SlashNext.URL.ScanID string Scan ID to be used to get the IoC forensics data for further investigation
SlashNext.URL.Verdict string SlashNext Phishing Incident Response verdict on the IoC
SlashNext.URL.ThreatStatus string Threat status of the IoC
SlashNext.URL.ThreatName string Name of the threat posed by the IoC
SlashNext.URL.ThreatType string Type of the threat posed by the IoC
SlashNext.URL.FirstSeen date Time when the IoC was first observed
SlashNext.URL.LastSeen date Time when the IoC was last observed
SlashNext.URL.Final.Value string Final IoC value in case original IoC is a redirector to same domain
SlashNext.URL.Final.Type string Type of the final IoC
SlashNext.URL.Final.Verdict string SlashNext Phishing Incident Response verdict on the final IoC
SlashNext.URL.Landing.Value string Landing IoC value in case original IoC is a redirector to different domain
SlashNext.URL.Landing.Type string Type of the landing IoC
SlashNext.URL.Landing.ScanID string Scan ID to be used to get the landing IoC forensics data for further investigation
SlashNext.URL.Landing.Verdict string SlashNext Phishing Incident Response verdict on the landing IoC
SlashNext.URL.Landing.ThreatStatus string Threat status of the landing IoC
SlashNext.URL.Landing.ThreatName string Name of the threat posed by the landing IoC
SlashNext.URL.Landing.ThreatType string Type of the threat posed by the landing IoC
SlashNext.URL.Landing.FirstSeen date Time when the landing IoC was first observed
SlashNext.URL.Landing.LastSeen date Time when the landing IoC was last observed

Command Example

!slashnext-scan-report scanid=48ae7b06-5915-4633-bc51-2cfaa0036742 extended_info=true

Context Example
{
    "DBotScore": [
        {
            "Indicator": "http://www.google.com/",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        },
        {
            "Indicator": "https://www.google.com/?gws_rd=ssl",
            "Score": 1,
            "Type": "url",
            "Vendor": "SlashNext Phishing Incident Response"
        }
    ],
    "SlashNext.URL": {
        "Final": {
            "Type": "Final URL",
            "Value": "https://www.google.com/?gws_rd=ssl",
            "Verdict": "Benign"
        },
        "FirstSeen": "08-26-2019 17:29:38 UTC",
        "LastSeen": "08-26-2019 19:41:19 UTC",
        "ScanID": "48ae7b06-5915-4633-bc51-2cfaa0036742",
        "ThreatName": "N/A",
        "ThreatStatus": "N/A",
        "ThreatType": "N/A",
        "Type": "Scanned URL",
        "Value": "http://www.google.com/",
        "Verdict": "Benign"
    },
    "URL": [
        {
            "Data": "http://www.google.com/"
        },
        {
            "Data": "https://www.google.com/?gws_rd=ssl"
        }
    ]
}
Human Readable Output

SlashNext Phishing Incident Response - Scan Report

url = http://www.google.com/
Value Type Verdict ScanID ThreatStatus ThreatName ThreatType FirstSeen LastSeen
http://www.google.com/ Scanned URL Benign 48ae7b06-5915-4633-bc51-2cfaa0036742 N/A N/A N/A 08-26-2019 17:29:38 UTC 08-26-2019 19:41:19 UTC
--------> https://www.google.com/?gws_rd=ssl Final URL Benign

9. slashnext-download-screenshot


Download the webpage screenshot captured for a previous URL scan request.

Base Command

slashnext-download-screenshot

Input
Argument Name Description Required
scanid Scan ID returned by an earlier call to ‘slashnext-url-scan’ or ‘slashnext-url-scan-sync’ command. Required
resolution Resolution of the webpage screenshot. Currently only 'high' and 'medium' resolutions are supported. Optional

Context Output
There is no context output for this command.

Command Example

!slashnext-download-screenshot scanid=48ae7b06-5915-4633-bc51-2cfaa0036742

Human Readable Output

Forensics: Webpage Screenshot for URL Scan ID = 48ae7b06-5915-4633-bc51-2cfaa0036742

10. slashnext-download-html


Download the webpage HTML captured for a previous URL scan request.

Base Command

slashnext-download-html

Input
Argument Name Description Required
scanid Scan ID returned by an earlier call to ‘slashnext-url-scan’ or ‘slashnext-url-scan-sync’ command. Required

Context Output
There is no context output for this command.

Command Example

!slashnext-download-html scanid=48ae7b06-5915-4633-bc51-2cfaa0036742

Human Readable Output

Forensics: Webpage HTML for URL Scan ID = 48ae7b06-5915-4633-bc51-2cfaa0036742

11. slashnext-download-text


Download the rendered webpage text captured for a previous URL scan request.

Base Command

slashnext-download-text

Input
Argument Name Description Required
scanid Scan ID returned by an earlier call to ‘slashnext-url-scan’ or ‘slashnext-url-scan-sync’ command. Required

Context Output
There is no context output for this command.

Command Example

!slashnext-download-text scanid=48ae7b06-5915-4633-bc51-2cfaa0036742

Human Readable Output

Forensics: Webpage Rendered Text for URL Scan ID = 48ae7b06-5915-4633-bc51-2cfaa0036742

12. slashnext-api-quota


Queries the SlashNext cloud database and retrieves the details of the API quota.

Base Command

slashnext-api-quota

Input
No input parameter is required.

Context Output
{
    "SlashNext.Quota": {
        "LicensedQuota": "Unlimited",
        "RemainingQuota": "Unlimited",
        "ExpirationDate": "2020-12-01",
        "IsExpired": false
    }
}

Command Example

!slashnext-api-quota

Human Readable Output

SlashNext Phishing Incident Response - API Quota

Note: Your annual API quota will be reset to zero, once either the limit is reached or upon quota expiration date indicated above.
LicensedQuota RemainingQuota ExpirationDate
Unlimited Unlimited 2020-12-01

Additional Information

Known Limitations

Troubleshooting