CheckPhish - Get URL reputation

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Content Index

This playbooks will be used to submit URL to CheckPhish and gets the repution of URL (Scan result)

Attribute Value
Type Playbook
Solution CheckPhish by Bolster
Source View on GitHub

Logic App Connectors

This playbook uses 2 Logic App connectors / built-in actions:

Connector / Action Type Connections Actions
azuresentinel Managed 1 2
CheckPhishbyBolsterCustomConnector Custom 1 2
Action parameters (URLs, paths, function IDs)

azuresentinel (Managed)

Action Method Endpoint Other
Add_comment_to_incident_(V3) post /Incidents/Comment
Entities_-_Get_URLs post /entities/url

CheckPhishbyBolsterCustomConnector (Custom)

Action Method Endpoint Other
Submit_URL post /api/neo/scan
Get_Scan_Result post /api/neo/scan/status

Additional Documentation

📄 Source: CheckPhishPlaybooks/CheckPhsh-Get-URLScanResult/readme.md

CheckPhish- Get Reputation of URL

Summary

Once a new sentinal incident is created, this playbook gets triggered and performs the following actions:

1. Gets Information from CheckPhish by URL, provided in the alert custom entities.
2. Enriches the incident with the obtained info.

Incident Comment

Playbook Designer view

Prerequisites

  1. CheckPhishbyBolsterCustomConnector Custom Connector needs to be deployed prior to the deployment of this playbook under the same subscription.
  2. API key. To get API Key, login into CheckPhish portal and select APIKey from the left side menu.

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.

Deploy to Azure Deploy to Azure Gov

  1. Fill in the required paramteres:
    • Playbook Name: Enter the playbook name here (Ex: CheckPhish-Get-URLScanResult)
    • Custom Connector Name: Enter the OpenCTI custom connector name here (Ex: CheckPhishbyBolsterCustomConnector)

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, you will need to authorize each connection.

  1. Click the Azure Sentinel connection resource
  2. Click edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for CheckPhishbyBolsterCustomConnector Connection (For authorizing the CheckPhish API connection, API Key needs to be provided)

b. Configurations in Sentinel

  1. None

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Playbooks · Back to CheckPhish by Bolster