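---
# Data-source definitions: one top-level entry per lookup service.
# Each entry declares a display `name`, the observable types it accepts
# (`otypes`), an optional `default` enable flag, and one transport block
# (`json`, `webscraper`, `dns` or `ipwhois`) holding the `request` to make
# and the `results` to extract from the response.
#
# Review notes (apply file-wide):
#   * No credentials live in this file. Empty `key:` / `api_key:` / `apikey:` /
#     `X-Api-Key:` values parse as YAML null and are expected to be supplied by
#     a local override. The VirusTotal key that was previously hard-coded in
#     the vt_* entries has been replaced with a placeholder; treat the original
#     as exposed and rotate it.
#   * Several services are still queried over plain http://; the indicator
#     being investigated travels in the clear to those hosts.
#   * Some regex patterns are marked GARBLED: the page this file was recovered
#     from dropped text between `<` and `>`, so those patterns are incomplete
#     and must be restored from the upstream copy before use.

ipwhois:
  name: IP Whois
  otypes:
    - ipv4
  ipwhois:
    results:
      - key: '@'
        multi_match:
          keys:
            - asn
            - asn_cidr
            - asn_date
            - asn_registry
            - asn_country_code
        pretty_name: ASN Information
      - key: nets
        multi_match:
          keys:
            - cidr
            - handle
            - name
            - range
        pretty_name: Network Information
      - key: nets
        multi_match:
          keys:
            - description
            - key: created
              regex: '(\d+-\d+-\d+)T'
            - key: updated
              regex: '(\d+-\d+-\d+)T'
        pretty_name: Registration Info
      - key: nets
        multi_match:
          keys:
            - city
            - state
            - postal_code
            - country
        pretty_name: Registration Locality
      # For when we use RWS
      - key: nets
        multi_match:
          keys:
            - key: abuse_emails
              split: "\n"
        pretty_name: Abuse Email
      - key: nets
        multi_match:
          keys:
            - key: tech_emails
              split: "\n"
        pretty_name: Tech Email
      # For when we fall back to regular whois
      - key: nets
        multi_match:
          keys:
            - key: emails
              split: "\n"
        pretty_name: Contacts

spamhaus_ip:
  name: Spamhaus Zen BL
  default: false
  otypes:
    - ipv4
  webscraper:
    request:
      url: 'http://www.spamhaus.org/query/ip/{target}'
      method: get
    strip_comments: true
    results:
      - regex: '\S+ is (listed in the \w+)'
        values:
          - spamhaus_zenbl
        pretty_name: Spamhaus Zen BL

spamhaus_domain:
  name: Spamhaus Domain BL
  default: false
  otypes:
    - fqdn
  webscraper:
    request:
      url: 'http://www.spamhaus.org/query/domain/{target}'
      method: get
    results:
      - regex: '\S+ is (listed in the \w+)'
        values:
          - spamhaus_dbl
        pretty_name: Spamhaus DBL

ipvoid:
  name: IPVoid
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://endpoint.apivoid.com/iprep/v1/pay-as-you-go/'
      params:
        key:
        ip: '{target}'
      method: get
    results:
      - key: data.report.blacklists.detections
        pretty_name: Number of detections
      - key: data.report.blacklists.detection_rate
        pretty_name: IP Void Detection Rate
      - key: data.report.blacklists.engines
        pretty_name: Engines
        multi_match:
          keys:
            - engine
            - reference
          onlyif: detected

urlvoid:
  name: URLVoid
  otypes:
    - fqdn
  webscraper:
    request:
      url: 'http://www.urlvoid.com/scan/{target}'
      method: get
    results:
      # NOTE(review): `values` is a bare scalar in this entry but a list in
      # every other entry; confirm the loader accepts both forms.
      - regex: 'Analysis Date<\/td>(.+?)<\/td>'
        values: urlvoid_analysis_date
        pretty_name: Last Analysis
      - regex: '(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}).{5,30}Find\swebsites\shosted\shere'
        values: urlvoid_ip
        pretty_name: IP from URLVoid
      - regex: '\/>(.+?)<\/td><\/i>'
        values: urlvoid_blacklist
        pretty_name: Blacklist from URL Void
      # NOTE(review): `\(.+)` escapes the opening parenthesis and leaves an
      # unbalanced `)` in the next two patterns; they probably fail to compile.
      - regex: 'Domain\s1st\sRegistered.+\(.+)\<\/td\>'
        values: urlvoid_domain_age
        pretty_name: Domain Age from URL Void
      - regex: 'latitude\s/\slongitude.+\(.+)\<\/td\>'
        values: urlvoid_location
        pretty_name: Geo Coordinates from URLVoid
      - regex: 'alt="flag"\s/>\s\(\w+\)\s+([\w\s]+)'
        values: urlvoid_country_code
        pretty_name: Country from URLVoid

unshorten:
  name: URL Unshorten
  otypes:
    - fqdn
    - url
  webscraper:
    request:
      url: http://www.toolsvoid.com/unshorten-url
      method: post
      data:
        urladdr: '{target}'
    results:
      # GARBLED: the tail of the unshorten regex, its values/pretty_name, and
      # the header of the following AbuseIPDB entry (name, otypes, request) were
      # lost; the two items below are the surviving AbuseIPDB result items.
      - regex: 'class="myarea">(.*?))\d{1,3})'
        values:
          - AbuseIPReports
        pretty_name: 'AbuseIPDB reports'
      - regex: '((?<=most\srecent\sreport\swas\s)\d{1,3}\s\w+\s\w+)'
        values:
          - Last_seen
        pretty_name: 'Last seen'

RansomwareTracker:
  name: RansomwareTracker
  otypes:
    - ipv4
  webscraper:
    request:
      url: 'https://ransomwaretracker.abuse.ch/host/{target}'
      method: get
    results:
      - regex: '((?<=Host\sStatus:)\w+)'
        values:
          - Active
        pretty_name: 'Host Status'
      - regex: '((?<=\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})'
        values:
          - Last_seen
        pretty_name: 'Last seen'
      - regex: '((?<=Malware:)\w+)'
        values:
          - ransomwareType
        pretty_name: 'Ransomware Type'

sans:
  name: SANS
  otypes:
    - ipv4
  webscraper:
    request:
      url: 'https://isc.sans.edu/api/ip/{target}'
      method: get
    results:
      - regex: 'attacks>(\d+)<'
        values:
          - sans_attacks
        pretty_name: SANS attacks
      # The `count>` item was listed twice (identical regex, value and
      # pretty_name), which reported the same field twice; one copy removed.
      - regex: 'count>(\d+)<'
        values:
          - sans_count
        pretty_name: SANS count
      - regex: 'maxdate>(\d{4}-\d{2}-\d{2})<'
        values:
          - sans_maxdate
        pretty_name: SANS maxdate
      - regex: 'mindate>(\d{4}-\d{2}-\d{2})<'
        values:
          - sans_mindate
        pretty_name: SANS mindate

telize:
  name: Telize GeoIP
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://telize-v1.p.rapidapi.com/location/{target}'
      method: get
      headers:
        x-rapidapi-host: telize-v1.p.rapidapi.com
        x-rapidapi-key:
        Accept: application/json
    results:
      - key: continent_code
        pretty_name: GeoIP Continent Code
      - key: country_code
        pretty_name: GeoIP Country Code
      - key: country
        pretty_name: GeoIP Country
      - key: region_code
        pretty_name: GeoIP Region Code
      - key: region
        pretty_name: GeoIP Region
      - key: city
        pretty_name: GeoIP City
      - key: postal_code
        pretty_name: GeoIP Zip Code
      - key: latitude
        pretty_name: GeoIP Latitude
      - key: longitude
        pretty_name: GeoIP Longitude
      - key: timezone
        pretty_name: GeoIP Timezone
      - key: offset
        pretty_name: GeoIP UTC Offset
      - key: asn
        pretty_name: GeoIP ASN
      - key: isp
        pretty_name: GeoIP ISP

maxmind:
  name: MaxMind GeoIP2 Precision
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://geoip.maxmind.com/geoip/v2.1/insights/{target}'
      auth: maxmind
    results:
      - key: country.iso_code
        pretty_name: MaxMind Country Code
      - key: country.names.en
        pretty_name: MaxMind Country
      - key: subdivisions
        multi_match:
          keys:
            - iso_code
        pretty_name: MaxMind Region Code
      - key: subdivisions
        multi_match:
          keys:
            - names.en
        pretty_name: MaxMind Region
      - key: city.names.en
        pretty_name: MaxMind City
      - key: postal.code
        pretty_name: MaxMind Zip Code
      - key: location.latitude
        pretty_name: MaxMind Latitude
      - key: location.longitude
        pretty_name: MaxMind Longitude
      - key: location.time_zone
        pretty_name: MaxMind Timezone

freegeoip:
  name: freegeoip.io
  # NOTE(review): enabled by default — confirm this endpoint is still served
  # before relying on it.
  default: true
  otypes:
    - ipv4
    # - fqdn
  json:
    request:
      url: 'https://freegeoip.io/json/{target}'
    results:
      - key: country_code
        pretty_name: GeoIP Country Code
      - key: country_name
        pretty_name: GeoIP Country
      # - key: region_code
      #   pretty_name: GeoIP Region Code
      # - key: region_name
      #   pretty_name: GeoIP Region
      - key: city
        pretty_name: GeoIP City
      # - key: zip_code
      #   pretty_name: GeoIP Zip Code
      # - key: latitude
      #   pretty_name: GeoIP Latitude
      # - key: longitude
      #   pretty_name: GeoIP Longitude
      # - key: time_zone
      #   pretty_name: GeoIP Timezone

fortinet_classify:
  name: Fortinet Category
  default: true
  otypes:
    - ipv4
    - fqdn
    - url
  webscraper:
    request:
      url: 'https://www.fortiguard.com/webfilter?q={target}'
      method: get
    results:
      - regex: 'Category:\s(.+)<\/h4>\s'
        values:
          - fortinet_category
        pretty_name: Fortinet URL Category

vt_ip:
  name: VirusTotal pDNS
  otypes:
    - ipv4
  json:
    request:
      url: 'https://www.virustotal.com/vtapi/v2/ip-address/report'
      params:
        ip: '{target}'
        # Placeholder; the key that was committed here must be rotated.
        apikey: '***YOUR_VT_APIKEY_HERE***'
      method: get
    results:
      - key: resolutions
        multi_match:
          keys:
            - key: last_resolved
              regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
            - hostname
          onlyif:
            key: last_resolved
            maxage: '-30d'
        pretty_name: pDNS data from VirusTotal
      - key: detected_urls
        multi_match:
          keys:
            - key: scan_date
              regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
            - key: url
              regex: '(http.{1,70}/)'
          onlyif:
            key: scan_date
            maxage: '-30d'
        pretty_name: pDNS malicious URLs from VirusTotal

# vt_ip:
#   name: VirusTotal pDNS
#   otypes:
#     - ip
#   webscraper:
#     request:
#       url: 'https://www.virustotal.com/en/ip-address/{target}/information/'
#       method: get
#       headers:
#         Accept: 'text/html, application/xhtml+xml, */*'
#         Accept-Language: 'en-US'
#         Accept-Encoding: 'gzip, deflate'
#         DNT: 1
#         Connection: 'Keep-Alive'
#     results:
#       - regex: '(\d{4}\-\d{1,2}\-\d{1,2})\s+<.{30,70}/en/domain/(.{1,80})/information'
#         values:
#           - vt_pdns_date
#           - vt_pdns_domain
#         pretty_name: 'pDNS data from VirtusTotal'
#       - regex: '(\d{4}\-\d{1,2}\-\d{1,2}).{1,20}\s+<.{10,80}/en/url/.{1,100}/analysis/.{1,5}\s+(http.{1,70}/)'
#         values:
#           - vt_pdns_date
#           - vt_pdns_url
#         pretty_name: 'pDNS malicious URLs from VirusTotal'

vt_domain:
  name: VirusTotal pDNS
  otypes:
    - fqdn
  json:
    request:
      url: 'https://www.virustotal.com/vtapi/v2/domain/report'
      params:
        domain: '{target}'
        # Placeholder; the key that was committed here must be rotated.
        apikey: '***YOUR_VT_APIKEY_HERE***'
      method: get
    results:
      - key: resolutions
        multi_match:
          keys:
            - key: last_resolved
              regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
            - ip_address
        pretty_name: pDNS data from VirusTotal
      - key: Websense ThreatSeeker category
        pretty_name: Websense ThreatSeeker category
      - key: Webutation domain info.Safety score
        pretty_name: Webutation Safety score

# vt_domain:
#   name: VirusTotal pDNS
#   otypes:
#     - fqdn
#   webscraper:
#     request:
#       url: 'https://www.virustotal.com/en/domain/{target}/information/'
#       method: get
#       headers:
#         Accept: 'text/html, application/xhtml+xml, */*'
#         Accept-Language: 'en-US'
#         Accept-Encoding: 'gzip, deflate'
#         DNT: 1
#         Connection: 'Keep-Alive'
#     results:
#       - regex: '(\d{4}\-\d{1,2}\-\d{1,2})\s+<.{30,70}/en/ip-address/(.{1,80})/information'
#         values:
#           - vt_pdns_date
#           - vt_pdns_ip
#         pretty_name: 'pDNS data from VirtusTotal'
#       - regex: '(\d{4}\-\d{1,2}\-\d{1,2}).{1,20}\s+<.{10,80}/en/url/.{1,100}/analysis/.{1,5}\s+(http.{1,70}/)'
#         values:
#           - vt_pdns_date
#           - vt_pdns_url
#         pretty_name: 'pDNS malicious URLs from VirusTotal'

vt_url:
  name: VirusTotal URL Report
  otypes:
    - url
  json:
    request:
      url: 'https://www.virustotal.com/vtapi/v2/url/report'
      method: get
      params:
        # Placeholder; the key that was committed here must be rotated.
        apikey: '***YOUR_VT_APIKEY_HERE***'
        resource: '{target}'
    results:
      - key: scan_date
        pretty_name: Date submitted
      - key: positives
        pretty_name: Detected scanners
      - key: total
        pretty_name: Total scanners
      - key: scans
        pretty_name: URL Scanner
        multi_match:
          keys:
            - '@'
            - result
          onlyif: detected

vt_hash:
  name: VirusTotal File Report
  otypes:
    - hash
    - hash.sha1
    - hash.sha256
  json:
    request:
      url: 'https://www.virustotal.com/vtapi/v2/file/report'
      method: get
      params:
        # Placeholder; the key that was committed here must be rotated.
        apikey: '***YOUR_VT_APIKEY_HERE***'
        resource: '{target}'
    results:
      - key: scan_date
        pretty_name: Date submitted
      - key: positives
        pretty_name: Detected engines
      - key: total
        pretty_name: Total engines
      - key: scans
        pretty_name: Scans
        multi_match:
          keys:
            - '@'
            - result
          onlyif: detected

reputation_authority:
  name: Reputation Authority
  otypes:
    - fqdn
    - ipv4
  webscraper:
    request:
      url: 'http://www.reputationauthority.org/lookup.php?ip={target}'
      method: get
    results:
      - regex: '>(\d{1,3}\/\d{1,3})'
        values:
          - ra_score
        pretty_name: Reputation Authority Score

threatexpert:
  name: ThreatExpert
  otypes:
    - hash
  webscraper:
    request:
      url: 'http://www.threatexpert.com/report.aspx?md5={target}'
      method: get
    results:
      - regex: 'Submission\sreceived.\s(.+)'
        values:
          - threatexpert_date
        pretty_name: Hash found at ThreatExpert
      # GARBLED from here: the rest of this ThreatExpert pattern, the VXVault
      # entry header and the ProjectHoneyPot entry header were lost. The items
      # below are what survived and are kept verbatim for restoration.
      - regex: '1">(.{5,100})\s*(\d+-\d+)\s*\[D\]\s*(.*?)\s*\s*(.*?)'
      - regex: '>(\d{2}\-\d{2})<'
        values:
          - vxvault_date
        pretty_name: Date found at VXVault
      - regex: '\[D\].{2,40}\Wphp\?id.{2,10}>(.{5,100})([a-zA-Z\s]+)'
        values:
          - php_activity_type
        pretty_name: ProjectHoneyPot activity type
      - regex: '>First Received From.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])[a-zA-Z0-9><"&:,()=;\s\t/]+Number Received'
        values:
          - php_first_mail
        pretty_name: ProjectHoneyPot first mail received
      - regex: '>Last Received From.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])[a-zA-Z0-9><":,()=;\s\t/]+Number Received'
        values:
          - php_last_mail
        pretty_name: ProjectHoneyPot last mail received
      - regex: '>Number Received.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)]+[a-zA-Z\)])'
        values:
          - php_total_mail
        pretty_name: ProjectHoneyPot total mail received
      - regex: '>Spider First Seen.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_first_spider
        pretty_name: ProjectHoneyPot spider first seen
      - regex: '>Spider Last Seen.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)]+[a-zA-Z])'
        values:
          - php_last_spider
        pretty_name: ProjectHoneyPot spider last seen
      - regex: '>Spider Sightings.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(]+[a-zA-Z\)])'
        values:
          - php_spider_sightings
        pretty_name: ProjectHoneyPot total spider sightings
      - regex: '>User-Agents.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9\-\(\),\s]+[a-zA-Z\)])'
        values:
          - php_user_agents
        pretty_name: ProjectHoneyPot user-agent sightings
      - regex: '>First Post On.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_first_post
        pretty_name: ProjectHoneyPot first form post
      - regex: '>Last Post On.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_last_post
        pretty_name: ProjectHoneyPot last form post
      - regex: '>Form Posts.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)]+[a-zA-Z\)])'
        values:
          - php_form_posts
        pretty_name: ProjectHoneyPot total form posts
      - regex: '>First Rule-Break On.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_first_rulebreak
        pretty_name: ProjectHoneyPot first rule break
      - regex: '>Last Rule-Break On.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_last_rulebreak
        pretty_name: ProjectHoneyPot last rule break
      - regex: '>Rule Breaks.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)]+[a-zA-Z\)])'
        values:
          - php_total_rulebreaks
        pretty_name: ProjectHoneyPot total rule breaks
      - regex: 'Dictionary Attacks[a-zA-Z0-9><":,()=;\s\t/]+>First Received From.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_first_dictionary_attack
        pretty_name: ProjectHoneyPot first dictionary attack
      - regex: 'Dictionary Attacks[a-zA-Z0-9><"&:,()=;\s\t/]+>Last Received From.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_last_dictionary_attack
        pretty_name: ProjectHoneyPot last dictionary attack
      - regex: '>Dictionary Attacks.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)]+[a-zA-Z\)])'
        values:
          - php_total_dictionary_attacks
        pretty_name: ProjectHoneyPot total dictionary attacks
      - regex: '>First Bad Host Appearance.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_first_bad_host
        pretty_name: ProjectHoneyPot first bad host
      - regex: '>Last Bad Host Appearance.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_last_bad_host
        pretty_name: ProjectHoneyPot last bad host
      - regex: '>Bad Host Appearances.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)\-]+[a-zA-Z\)])'
        values:
          - php_total_bad_host
        pretty_name: ProjectHoneyPot total bad hosts
      - regex: '>Harvester First Seen.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s]+[a-zA-Z])'
        values:
          - php_first_harvester
        pretty_name: ProjectHoneyPot harvester first seen
      - regex: '>Harvester Last Seen.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\s\(\)]+[a-zA-Z])'
        values:
          - php_last_harvester
        pretty_name: ProjectHoneyPot harvester last seen
      - regex: '>Harvester Sightings.+[\n\r\t\s]+.+[\n\r\t\s]+([a-zA-Z0-9,\(\s]+[a-zA-Z\)])'
        values:
          - php_total_harvester
        pretty_name: ProjectHoneyPot total harvester sightings
      - regex: '(?:>Harvester Results(?:.+[\n\s].+[\n\s]+)\s{2,}|(?:))(?!\s)([0-9a-zA-Z.\s:,()-]+)\s{2,}'
        values:
          - php_harvester_results
        pretty_name: ProjectHoneyPot harvester results

mcafee_threat_domain:
  name: McAfee Threat
  otypes:
    - fqdn
  webscraper:
    request:
      url: 'https://www.mcafee.com/threat-intelligence/domain/default.aspx?domain={target}'
      method: get
    results:
      - regex: 'ctl00_breadcrumbContent_imgRisk"[^\r\n]+title="([A-Za-z]+)"'
        values:
          - mcafee_risk
        pretty_name: McAfee Web Risk
      # GARBLED: the HTML tag literals in the next two patterns were rendered
      # as bullets ("•") when this file was extracted; restore from upstream.
      - regex: '• [\n\s]*Web\sCategory:[\n\s]*([A-Z][A-Za-z\s/,]+?)[\n\s]*• '
        values:
          - mcafee_category
        pretty_name: McAfee Web Category
      - regex: '• [\n\s]*Last\sSeen:[\n\s]*([0-9\-]+)[\n\s]*• '
        values:
          - mcafee_last_seen
        pretty_name: McAfee Last Seen

mcafee_threat_ip:
  name: McAfee Threat
  otypes:
    - ipv4
  webscraper:
    request:
      url: 'https://www.mcafee.com/threat-intelligence/ip/default.aspx?ip={target}'
      method: get
    results:
      - regex: 'ctl00_breadcrumbContent_imgRisk"[^\r\n]+src="/img/Threat_IP/rep_([a-z]+)\.png"'
        values:
          - mcafee_risk
        pretty_name: McAfee Web Risk
      - regex: 'ctl00_breadcrumbContent_imgRisk1"[^\r\n]+src="/img/Threat_IP/rep_([a-z]+)\.png"'
        values:
          - mcafee_risk
        pretty_name: McAfee Email Risk
      - regex: 'ctl00_breadcrumbContent_imgRisk2"[^\r\n]+src="/img/Threat_IP/rep_([a-z]+)\.png"'
        values:
          - mcafee_risk
        pretty_name: McAfee Network Risk
      # GARBLED: HTML tag literals rendered as bullets ("•"); restore upstream.
      - regex: '• [\n\s]*Web\sCategory:[\n\s]*([A-Z][A-Za-z\s/,]+?)[\n\s]*• '
        values:
          - mcafee_category
        pretty_name: McAfee Web Category

stopforumspam:
  name: StopForumSpam
  otypes:
    - email
  webscraper:
    request:
      url: 'http://www.stopforumspam.com/search/{target}'
      method: get
    results:
      - regex: '>Found (0*[1-9]\d*) entries'
        values:
          - sfs_spam_count
        pretty_name: Spam email count

cymru_mhr:
  name: Cymru MHR
  otypes:
    - hash
    - hash.sha1
  webscraper:
    request:
      url: 'https://hash.cymru.com/cgi-bin/bulkmhr.cgi'
      method: post
      data:
        action: do_whois
        bulk_paste: '{target}'
        submit_paste: Submit
    results:
      - regex: '[a-f0-9]+\s(\d+)\s(\d+)'
        values:
          - cymru_mhr_detect_time
          - cymru_mhr_detect_pct
        pretty_name: Cymru MHR Detection Percent

icsi_notary:
  name: ICSI Certificate Notary
  otypes:
    - sslfp
  dns:
    request:
      query: '{target_stripped}.notary.icsi.berkeley.edu'
      rrtype: txt
    results:
      - regex: 'version=1 first_seen=(\d+) last_seen=(\d+) times_seen=(\d+) validated=(\d+)'
        values:
          - icsi_first_seen
          - icsi_last_seen
          - icsi_times_seen
          - icsi_validated
        pretty_name: ICSI Notary Results

totalhash_ip:
  name: TotalHash
  default: false
  otypes:
    # NOTE(review): every other IP entry uses `ipv4`; confirm `ip` is a type
    # the loader recognizes, otherwise this entry never matches.
    - ip
  webscraper:
    request:
      url: 'https://totalhash.com/network/dnsrr:*{target}*%20or%20ip:{target}'
      method: get
    results:
      - regex: '/analysis/(\w{40}).+(\d{4}\-\d{1,2}\-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})'
        values:
          - thip_hash
          - thip_date
        pretty_name: Totalhash

domaintools_parsed_whois:
  name: DomainTools Whois
  default: false
  otypes:
    - fqdn
  json:
    request:
      url: 'https://api.domaintools.com/v1/{target}/whois/parsed'
      method: get
      params:
        api_username:
        api_key:
    results:
      - key: response.parsed_whois.contacts
        multi_match:
          keys:
            - '@'
            - name
            - country
            - email
          onlyif: name
        pretty_name: Whois Contacts
      - key: response.parsed_whois.created_date
        pretty_name: Domain registered
        regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
      - key: response.parsed_whois.updated_date
        pretty_name: Whois updated
        regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
      - key: response.parsed_whois.expired_date
        pretty_name: Domain expiration
        regex: '(\d{4}\-\d{1,2}\-\d{1,2})'
      - key: response.parsed_whois.name_servers
        pretty_name: Name Servers
        # match_all: true
      - key: response.parsed_whois.registrar
        pretty_name: Registrar Info
        multi_match:
          keys:
            - name
            - abuse_contact_phone
            - abuse_contact_email
            - url

domaintools_reverse_whois:
  name: DomainTools Reverse Whois
  default: false
  otypes:
    - email
  json:
    request:
      url: 'https://api.domaintools.com/v1/reverse-whois/'
      method: get
      params:
        terms: '{target}'
        # `purchase` mode is the billed form of this query; keep `default`
        # off unless the cost is intended.
        mode: purchase
        api_username:
        api_key:
    results:
      - key: response.domains
        match_all: true
        pretty_name: Registered domain
      # Was `reponse.domain_count.current` (typo), which could never match.
      - key: response.domain_count.current
        pretty_name: Currently active registered domains
      - key: response.domain_count.historic
        pretty_name: All registered domains

domaintools_reputation:
  name: DomainTools Reputation
  default: false
  otypes:
    - fqdn
  json:
    request:
      url: 'https://api.domaintools.com/v1/reputation/'
      method: get
      params:
        domain: '{target}'
        include_reasons: 'true'
        api_username:
        api_key:
    results:
      - key: response.risk_score
        pretty_name: Risk Score
      - key: response.reasons
        pretty_name: Reasons

dnsdb_ip:
  name: Farsight DNSDB
  default: false
  otypes:
    - ipv4
    - ipv6
  json:
    multi_json: true
    request:
      url: 'https://api.dnsdb.info/lookup/rdata/ip/{target}'
      method: get
      headers:
        Accept: application/json
        X-Api-Key:
    results:
      - key: '@'
        multi_match:
          keys:
            - rrname
            - rrtype
            - key: time_first
              format: as_time
            - key: time_last
              format: as_time
          labels:
            - Record Name
            - Record Type
            - First Seen
            - Last Seen

dnsdb_fqdn:
  name: Farsight DNSDB
  default: false
  otypes:
    - fqdn
  json:
    multi_json: true
    request:
      url: 'https://api.dnsdb.info/lookup/rrset/name/{target}'
      method: get
      ignored_status_codes:
        - 404
      params:
        time_last_after:
          relatime: '-7d'
          timezone: UTC
          format: as_epoch
      headers:
        Accept: application/json
        X-Api-Key:
    results:
      - key: '@'
        multi_match:
          keys:
            - rrtype
            - key: rdata
              # format: as_list
            - key: time_last
              format: as_time
          labels:
            - Record Type
            - Record Data
            - Last Seen
          onlyif:
            key: rrtype
            regex: "^(A|AAAA|MX|SPF|TXT)$"

cif:
  name: Collective Intelligence Framework
  default: false
  otypes:
    - ipv4
    - fqdn
    - email
    - hash
  json:
    request:
      # `cif` is a placeholder hostname for a local deployment.
      url: 'https://cif/observables'
      method: get
      params:
        nolog: 1
        confidence: 75
        observable: '{target}'
        reporttime:
          relatime: '-2d'
          timezone: UTC
        reporttimeend:
          relatime: 'now'
          timezone: UTC
      headers:
        Accept: application/vnd.cif.v2+json
        # Token value is supplied by a local override.
        Authorization: Token token=
      # NOTE(review): disabling certificate verification leaves the API token
      # and every queried indicator open to interception; prefer trusting the
      # deployment's CA instead of turning verification off.
      verify_ssl: false
    results:
      - key: '@'
        multi_match:
          keys:
            - asn
            - cc
          labels:
            - AS Number
            - Country Code
      - key: '@'
        multi_match:
          keys:
            - key: reporttime
              regex: '^(\d+-\d+-\d+)T'
            - confidence
            - key: tags
              format: as_list
            - provider
            - description
          labels:
            - Report Date
            - Confidence
            - Tags
            - Provider
            - Description

threatcrowd_ip_report:
  name: ThreatCrowd IP Report
  default: true
  otypes:
    - ipv4
  json:
    paginated: false
    request:
      url: 'https://www.threatcrowd.org/searchApi/v2/ip/report/?ip={target}'
      method: get
      ignored_status_codes:
        - 404
    results:
      - key: 'resolutions'
        pretty_name: Passive DNS
        multi_match:
          keys:
            - domain
            - last_resolved
          labels:
            - Domain
            - Last Resolved
          onlyif:
            key: last_resolved
            maxage: '-30d'
      - key: 'hashes'
        pretty_name: Known Malware Hash
        match_all: true

passivetotal_pdns:
  name: PassiveTotal Passive DNS
  default: false
  otypes:
    - fqdn
    - ipv4
  json:
    request:
      url: 'https://api.passivetotal.org/v2/dns/passive'
      auth: passivetotal
      params:
        query: '{target}'
      method: get
      headers:
        Accept: application/json
      ignored_status_codes:
        - 401
    results:
      - key: results
        format: as_list
        pretty_name: Results
        multi_match:
          keys:
            - key: resolve
      - key: queryValue
        pretty_name: Query Value

passivetotal_whois:
  name: PassiveTotal Whois
  default: false
  otypes:
    - fqdn
  json:
    request:
      url: 'https://api.passivetotal.org/v2/whois'
      auth: passivetotal
      params:
        query: '{target}'
      method: get
      headers:
        Accept: application/json
      ignored_status_codes:
        - 401
    results:
      - key: registryUpdatedAt
        pretty_name: Registry Updated At
      - key: domain
        pretty_name: Domain
      - key: billing
        pretty_name: Billing
      - key: zone
        pretty_name: Zone
      - key: nameServers
        pretty_name: Name Servers
      - key: registered
        pretty_name: Registered
      - key: lastLoadedAt
        pretty_name: Last Loaded At
      - key: whoisServer
        pretty_name: Whois Server
      - key: contactEmail
        pretty_name: Contact Email
      - key: admin
        pretty_name: Admin
      - key: expiresAt
        pretty_name: Expires At
      - key: registrar
        pretty_name: Registrar
      - key: tech
        pretty_name: Tech
      - key: registrant
        pretty_name: Registrant

passivetotal_sslcert:
  name: PassiveTotal SSL Certificate History
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://api.passivetotal.org/v2/ssl-certificate/history'
      auth: passivetotal
      params:
        query: '{target}'
      method: get
      headers:
        Accept: application/json
      ignored_status_codes:
        - 401
    results:
      - key: results
        multi_match:
          keys:
            - key: sha1
              pretty_name: Sha1
            - key: firstSeen
              pretty_name: First Seen
            - key: ipAddresses
              pretty_name: Ip Addresses
            - key: lastSeen
              pretty_name: Last Seen
        pretty_name: Results

passivetotal_components:
  name: PassiveTotal Components
  default: false
  otypes:
    - fqdn
  json:
    request:
      url: 'https://api.passivetotal.org/v2/host-attributes/components'
      auth: passivetotal
      params:
        query: '{target}'
      method: get
      headers:
        Accept: application/json
      ignored_status_codes:
        - 401
    results:
      - key: results
        multi_match:
          keys:
            - key: category
              pretty_name: Category
            - key: hostname
              pretty_name: Hostname
            - key: lastSeen
              pretty_name: Last Seen
            - key: firstSeen
              pretty_name: First Seen
            - key: label
              pretty_name: Label
        pretty_name: Results

passivetotal_trackers:
  name: PassiveTotal Trackers
  default: false
  otypes:
    - fqdn
  json:
    request:
      url: 'https://api.passivetotal.org/v2/host-attributes/trackers'
      auth: passivetotal
      params:
        query: '{target}'
      method: get
      headers:
        Accept: application/json
      ignored_status_codes:
        - 401
    results:
      - key: results
        multi_match:
          keys:
            - key: hostname
              pretty_name: Hostname
            - key: attributeType
              pretty_name: Type
            - key: attributeValue
              pretty_name: Value
            - key: lastSeen
              pretty_name: Last Seen
            - key: firstSeen
              pretty_name: First Seen
        pretty_name: Results

fraudguard:
  name: FraudGuard
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://api.fraudguard.io/ip/{target}'
      auth: fraudguard
    results:
      - key: isocode
        pretty_name: FraudGuard Country Code
      - key: country
        pretty_name: FraudGuard Country
      - key: state
        pretty_name: FraudGuard State
      - key: city
        pretty_name: FraudGuard City
      - key: discover_date
        pretty_name: FraudGuard Discovery Date
      - key: threat
        pretty_name: FraudGuard Threat Type
      - key: risk_level
        pretty_name: FraudGuard Risk Level

shodan:
  name: Shodan
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://api.shodan.io/shodan/host/{target}'
      params:
        key:
    results:
      - key: '@'
        multi_match:
          keys:
            - asn
            - org
            - city
            - region
            - country_code
            - postal_code
        pretty_name: Shodan Organization
      - key: hostnames
        match_all: true
        pretty_name: Shodan Hostnames
      - key: isp
        pretty_name: Shodan ISP
      - key: data
        multi_match:
          keys:
            - timestamp
            - transport
            - port
            - product
            - version
        pretty_name: Shodan Ports
      - key: data
        multi_match:
          keys:
            - transport
            - port
            - ssl.versions
          onlyif: ssl.versions
        pretty_name: Shodan SSL Versions
      - key: data
        multi_match:
          keys:
            - transport
            - port
            - ssl.cert.subject.CN
            - ssl.cert.fingerprint.sha256
          onlyif: ssl.cert.fingerprint.sha256
        pretty_name: Shodan SSL Certs

ipinfoio:
  name: ipinfo.io
  default: false
  otypes:
    - ipv4
    - ipv6
  json:
    request:
      url: 'https://ipinfo.io/{target}'
      headers:
        Accept: application/json
    results:
      - key: hostname
        pretty_name: ipinfo.io hostname
      - key: city
        pretty_name: ipinfo.io city
      - key: region
        pretty_name: ipinfo.io region
      - key: country
        pretty_name: ipinfo.io country
      - key: loc
        pretty_name: ipinfo.io geolocation
      - key: org
        pretty_name: ipinfo.io organization
      - key: postal
        pretty_name: ipinfo.io postal code

xforce-malware:
  name: IBM XForce Malware Report
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://api.xforce.ibmcloud.com/ipr/malware/{target}'
      auth: xforce
    results:
      - key: type
        pretty_name: malware type
      - key: md5
        pretty_name: md5
      - key: domain
        pretty_name: domain name
      - key: firstseen
        pretty_name: first seen
      - key: lastseen
        pretty_name: last seen

hackedip:
  name: Hacked IP
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'http://www.hackedip.com/api.php?ip={target}'
    results:
      - key: '@'
        format: as_list
        pretty_name: Hacked IP Threat List

metadefender_hash:
  name: MetaDefender File Report
  default: false
  otypes:
    - hash
    - hash.sha1
    - hash.sha256
  json:
    request:
      url: 'https://api.metadefender.com/v2/hash/{target}'
      method: get
      headers:
        apikey:
    results:
      - key: scan_results.start_time
        pretty_name: Date submitted
      - key: scan_results.total_detected_avs
        pretty_name: Detected engines
      - key: scan_results.total_avs
        pretty_name: Total engines
      - key: scan_results.scan_details
        pretty_name: Scans
        multi_match:
          keys:
            - '@'
            - threat_found
          onlyif: scan_result_i

# misp:
#   name: MISP
#   default: true
#   otypes:
#     - ipv4
#     - url
#     - email
#     - fqdn
#     - hash
#     - hash.sha1
#     - hash.sha256
#   json:
#     request:
#       url: https://***YOUR_MISP_HERE***/events/restSearch/download/{target}/null/null/null/null/7
#       method: get
#       headers:
#         Authorization: ***YOUR_APIKEY_HERE***
#     results:
#       - key: response
#         pretty_name: MISP Events
#         multi_match:
#           keys:
#             - Event.date
#             - Event.id
#             - Event.info

greynoise:
  # This entry is for the GreyNoise *community* API
  name: GreyNoise
  otypes:
    - ipv4
  json:
    request:
      url: 'https://api.greynoise.io/v3/community/{target}'
      # headers:
      #   key: ***YOUR_APIKEY_HERE***  # you can get this from https://viz.greynoise.io/account/
      ignored_status_codes:
        - 404
    results:
      - key: noise
        pretty_name: GreyNoise Known Scanner
      - key: riot
        pretty_name: GreyNoise Rule-It-OuT
      - key: classification
        pretty_name: GreyNoise Classification
      - key: name
        pretty_name: GreyNoise Name

greynoise_ent:
  # This entry is for the GreyNoise *enterprise* API
  name: GreyNoise
  default: false
  otypes:
    - ipv4
  json:
    request:
      url: 'https://enterprise.api.greynoise.io/v2/noise/context/{target}'
      headers:
        # Literal placeholder — replace via local override, never commit a key.
        key: YOUR_APIKEY_HERE
      ignored_status_codes:
        - 404
    results:
      - key: seen
        pretty_name: GreyNoise Known Scanner
      - key: actor
        pretty_name: GreyNoise Actor
      - key: tags
        pretty_name: GreyNoise Reason
      - key: metadata.category
        pretty_name: GreyNoise Category
      - key: first_seen
        pretty_name: GreyNoise First Seen
      - key: last_seen
        pretty_name: GreyNoise Last Seen
      - key: raw_data.web.useragents
        pretty_name: GreyNoise User-agent
      - key: raw_data.scan
        multi_match:
          keys:
            - port
            - protocol
        pretty_name: GreyNoise Observations

macvendors:
  name: MACVendors
  default: true
  otypes:
    - mac
  webscraper:
    request:
      url: 'https://api.macvendors.com/{target}'
      method: get
    results:
      - regex: '(.+)'
        values:
          - vendor
        pretty_name: Mac Address Vendor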