urlscan.io

Use the urlscan.io integration to scan suspected URLs and see their reputation.

This integration was integrated and tested with version xx of urlscan.io.

Configure urlscan.io on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for urlscan.io.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g. https://urlscan.io/api/v1/)
    • API Key (needed only for submitting URLs for scanning)
    • Trust any certificate (not secure)
    • Use system proxy settings
    • URL Threshold. Minimum number of positive results from urlscan.io to consider the URL malicious.
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Search for indicators: urlscan-search
  2. (Deprecated) Submit a URL: urlscan-submit
  3. Submit a URL (specify the "using" argument): url

1. Search for indicators


Search for an indicator that is related to previous urlscan.io scans.

Base Command

urlscan-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| searchParameter | Enter a parameter to search as a string (IP, File name, sha256, url, domain) | Required |

Context Output

| Path | Description |
| --- | --- |
| URLScan.URL | Bad URLs found |
| URLScan.Domain | Domain of the URL scanned |
| URLScan.ASN | ASN of the URL scanned |
| URLScan.IP | IP of the URL scanned |
| URLScan.ScanID | Scan ID for the URL scanned |
| URLScan.ScanDate | Latest scan date for the URL |
| URLScan.Hash | SHA-256 of file scanned |
| URLScan.FileName | Filename of the file scanned |
| URLScan.FileSize | File size of the file scanned |
| URLScan.FileType | File type of the file scanned |

Command Example

!urlscan-search searchParameter=8.8.8.8

2. (Deprecated) Submit a URL directly to urlscan.io


Submits a URL to urlscan.io.

This command is deprecated, but will still work if it is used in a playbook.

Base Command

urlscan-submit

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | URL to scan | Required |
| timeout | How many seconds to wait for the scan ID result. Default is 30 seconds. | Optional |
| public | Whether the submission will be public or private | Optional |

Context Output

| Path | Description |
| --- | --- |
| URLScan.URLs | URLs related to the scanned URL |
| URLScan.RelatedIPs | IPs related to the scanned URL |
| URLScan.RelatedASNs | ASNs related to the scanned URL |
| URLScan.Countries | Countries associated with the scanned URL |
| URLScan.relatedhashes | IOCs found for the scanned URL |
| URLScan.Subdomains | Associated subdomains for the URL scanned |
| URLScan.ASN | ASN of the URL scanned |
| URLScan.Data | URL of the file found |
| URLScan.Malicious.Vendor | Vendor reporting the malicious indicator for the file |
| URLScan.Malicious.Description | Description of the malicious indicator |
| URLScan.File.Hash | SHA256 of file found |
| URLScan.File.FileName | File name of file found |
| URLScan.File.FileType | File type of the file found |
| URLScan.File.Hostname | URL where the file was found |
| URLScan.Certificates | Certificates found for the scanned URL |

Command Example

!urlscan-submit url=http://www.github.com

3. Submit a URL (specify using urlscan.io)


Submit a URL to scan and specify the using argument as urlscan.io.

Base Command

url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| url | URL to scan | Required |
| timeout | How many seconds to wait for the scan ID result. Default is 30 seconds. | Optional |
| public | Whether the submission will be public or private | Optional |
| retries | Number of retries if the API rate limit is reached. This argument is optional, but if you specify this argument, you need to specify the wait argument. | Optional |
| wait | Time interval (in seconds) between retries, if the API rate limit is reached. This argument is optional, but if you specify the retries argument, you need to specify this argument. | Optional |

Context Output

| Path | Description |
| --- | --- |
| URLScan.URLs | URLs related to the scanned URL |
| URLScan.RelatedIPs | IPs related to the URL scanned |
| URLScan.RelatedASNs | ASNs related to the scanned URL |
| URLScan.Countries | Countries associated with the scanned URL |
| URLScan.relatedhashes | IOCs found for the scanned URL |
| URLScan.Subdomains | Associated sub-domains for the scanned URL |
| URLScan.ASN | ASN of the scanned URL |
| URLScan.Data | URL of the file found |
| URLScan.Malicious.Vendor | Vendor reporting the malicious indicator for the file |
| URLScan.Malicious.Description | Description of the malicious indicator |
| URLScan.File.Hash | SHA-256 of file found |
| URLScan.File.FileName | File name of file found |
| URLScan.File.FileType | File type of the file found |
| URLScan.File.Hostname | URL where the file was found |
| URLScan.Certificates | Certificates found for the scanned URL |
| URLScan.RedirectedURLS | Redirected URLs from the URL scanned |
| URLScan.EffectiveURL | Effective URL of the original URL |

Command Example

!url url=http://www.github.com using="urlscan.io"
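
The context outputs of the url command can be checked in an automation after the scan returns. The following is an added example, not part of the integration's own code: it applies the URL Threshold idea to the URLScan.Malicious entries and compares URLScan.EffectiveURL and URLScan.RedirectedURLS against the submitted host. The dictionary shape, the triage function, and counting one positive per Malicious entry are assumptions; the sample data is constructed.

```python
from urllib.parse import urlsplit


def host(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def triage(submitted_url, ctx, threshold=1):
    """Summarise one URLScan context entry (shape assumed, see SAMPLE)."""
    malicious = ctx.get("Malicious") or []
    if isinstance(malicious, dict):  # a single finding may arrive un-listed
        malicious = [malicious]
    redirects = ctx.get("RedirectedURLS") or []
    if isinstance(redirects, str):
        redirects = [redirects]
    # Fall back to the submitted URL when no effective URL was recorded.
    effective = ctx.get("EffectiveURL") or submitted_url
    start = host(submitted_url)
    # Hosts seen during the scan that differ from the submitted host.
    # Exact host comparison: www.example.com vs example.com counts as different.
    foreign = sorted({host(u) for u in redirects + [effective]} - {start, ""})
    return {
        "positives": len(malicious),
        "vendors": sorted({m.get("Vendor", "unknown") for m in malicious}),
        # Assumption: each Malicious entry is one positive result.
        "malicious": len(malicious) >= threshold,
        "effective_host": host(effective),
        "cross_host_redirect": host(effective) != start,
        "foreign_hosts": foreign,
    }


# Constructed sample, not real scan output.
SAMPLE = {
    "EffectiveURL": "https://login.example.net/session",
    "RedirectedURLS": [
        "http://short.example.com/a1",
        "https://login.example.net/session",
    ],
    "Malicious": [{"Vendor": "urlscan.io", "Description": "constructed finding"}],
}

if __name__ == "__main__":
    print(triage("http://short.example.com/a1", SAMPLE, threshold=1))
```

A cross-host redirect is not a verdict on its own; it tells the analyst that the reputation belongs to the effective host rather than the one that was submitted.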