Enricher - Urlscan Enricher

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Specifications

Enricher name

Urlscan Enricher

Supported observable types

  • ipv4

  • hash-sha256

  • domain

  • asn

Output

Indicator entity with associated observables.

API endpoint

https://urlscan.io/api/v1/search/

Description

This enricher looks up Domain, IPv4, Hash-SHA256 and ASN observables using the Urlscan endpoint.
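The following added example is not the enricher's own code: it shows how each supported observable type can be expressed as a query against the search endpoint above, which is useful for checking an API key and API URL outside the platform. The `ip`, `hash`, `domain` and `asn` query fields, the `size` parameter and the `API-Key` header come from urlscan's public Search API; how the enricher itself maps observables to queries is an assumption, and the sample values are constructed.

```python
import ipaddress
import json
import re
import ssl
import urllib.parse
import urllib.request

API_URL = "https://urlscan.io/api/v1/search/"  # default API URL listed on this page
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}")

def build_query(obs_type, value):
    """Validate one observable and return a urlscan search query (assumed mapping)."""
    value = value.strip()
    if obs_type == "ipv4":
        ipaddress.IPv4Address(value)  # raises ValueError on a malformed address
        return f'ip:"{value}"'
    if obs_type == "hash-sha256":
        if not re.fullmatch(r"[0-9a-fA-F]{64}", value):
            raise ValueError("not a SHA-256 hex digest")
        return f"hash:{value.lower()}"
    if obs_type == "domain":
        if not DOMAIN_RE.fullmatch(value.lower()):
            raise ValueError("not a domain name")
        return f"domain:{value.lower()}"
    if obs_type == "asn":
        m = re.fullmatch(r"(?:AS)?(\d{1,10})", value, re.IGNORECASE)
        if not m:
            raise ValueError("not an AS number")
        return f"asn:AS{m.group(1)}"
    raise ValueError(f"unsupported observable type: {obs_type}")

def search_url(obs_type, value, api_url=API_URL, size=5):
    """Return the full GET URL for one lookup; nothing is sent."""
    params = {"q": build_query(obs_type, value), "size": size}
    return api_url + "?" + urllib.parse.urlencode(params)

def search(obs_type, value, api_key, ca_file=None):
    """Send the lookup with TLS verification on; ca_file is an optional custom CA bundle."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(search_url(obs_type, value), headers={"API-Key": api_key})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp).get("results", [])

if __name__ == "__main__":
    # Constructed sample values; URLs are printed without any network access.
    for t, v in [("ipv4", "198.51.100.7"), ("domain", "example.com"), ("asn", "AS64500")]:
        print(search_url(t, v))
```

Calling `search()` with a valid key returns the `results` list of the response; a rejected key surfaces as an `urllib.error.HTTPError`.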

Requirements

  • Urlscan API URL.

  • Urlscan API key.

Set up the enricher

Before using the enricher, configure it to add your Urlscan credentials:

  1. Go to Data configuration > Enrichers.

  2. Select the enricher from the displayed list.

  3. Edit the enricher by selecting More > Edit from the top right.

  4. In the Edit enricher task view, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    | Field | Description |
    |---|---|
    | API key* | Set this to your Urlscan API key. |
    | API URL* | Set this to the Urlscan API URL. |

  5. Click Save to store your changes.

Default configuration

These are the default configuration parameters for the Urlscan enricher:

Note

Required fields are marked with an asterisk (*).

| Field | Description |
|---|---|
| Name | Leave this as “Urlscan Enricher”. Set by default. |
| Override TLP | Forces all entities and observables produced by this extension to inherit this TLP value. |
| Description* | Enter a description for this enricher. |
| Cache validity (sec)* | Set to 2592000 seconds (30 days) by default. |
| Rate limit (per sec)* | Set to 1000 seconds by default. |
| Monthly execution cap (runs)* | Set to 1000000 runs by default. |
| Source reliability* | Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System. |
| Observable types* | Observable types to enrich. By default, this is set to the observables supported by the Urlscan enricher: ipv4, domain, asn and hash-sha256. |
| Enabled | Select to enable this enricher. |
| API URL* | Set to https://urlscan.io/api/v1/search/ by default. |
| API key* | Set this to your Urlscan API key. |
| SSL verification | Selected by default. Select to enable SSL verification. |
| Path to SSL certificate file | Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. |

Enrichment result

When the Urlscan enricher is applied to an observable, it attaches an Indicator entity to the enriched observable.

Attached to the Indicator entity are associated observables.