Enricher - PhishTank
Configure PhishTank to submit domains and URIs to PhishTank, and to verify if they are potentially malicious phishing sites.
This article describes the specific configuration options to set up the enricher.
To configure the general options for the enricher, see Configure the general options.
|
Specifications |
Enricher name |
PhishTank |
Input |
domain, uri |
Output |
Indicator and enrichment observables with information retrieved from the PhishTank database to assess if the submitted domains and URIs are flagged as potentially malicious phishing sites. |
API endpoint |
https://checkurl.phishtank.com/checkurl |
Description |
The PhishTank enricher checks if the submitted domains and URIs yield matches in the PhishTank database. Returned information submitted domains and URIs can be:
Enriched domain names and URIs are stored as indicators. |
Requirements
Contact PhishTank to create a PhishTank account granting you an API key to set up this configuration.
If necessary, contact the intelligence provider to subscribe to the service and to obtain this information, along with any required authentication and authorization credentials.
Configure the enricher parameters
Edit the enricher.
In the edit view, from the Observable types drop-down menu, select one or more observable types you want to enrich with related data retrieved through the PhishTank enricher.
Supported observable types:domain
uri
The API URL field is automatically populated with the default domain for the endpoint.
If necessary, you can add a proxy or port configuration.
Default value: https://checkurl.phishtank.com/In the API key field, enter your PhishTank API key.
To check the validity of the server-side SSL certificate when sending requests, select SSL verification.
To validate a self-signed or a privately signed certificate, enter the full path to the CA bundle in Path to SSL certificate file.
Allowed formats:.ca-bundle
.pem
To store your changes, click Save; to discard them, click Cancel.
Enrichment and processing
Based on the input observables, the enricher searches the source database for matches.
Retrieved matches are stored in the platform as indicators and enrichment observables related to the corresponding input domains and URIs.
Input observable |
Enrichment results |
|
|
If the submitted domain or URI exists in the PhishTank database, and if it is flagged as a phishing site:
Confidence is set to High.
The indicator is automatically tagged with Kill chain phase – Delivery.
Analysis is populated with This is a known phishing site that has been validated by PhishTank.
If the submitted domain or URI exists in the PhishTank database, and if it is not flagged as a phishing site:
Confidence is set to High.
The indicator is not automatically tagged .
Analysis is populated with PhishTank has determined that this is not a phishing site.
If the submitted domain or URI has not yet been validated by the PhishTank community:
Confidence is set to Unknown.
The indicator is not automatically tagged .
Analysis is populated with This site has not yet been validated by PhishTank.
The Producer section of the resulting indicator is prepopulated with the following values:
Identity is set to PhishTank.
Roles is set to Initial Author.
References is populated with http://www.phishtank.com/phish_detail.php?phish_id=${PhishTank_submission_ID}
Moreover, the following indicator fields are prepopulated with retrieved enrichment data:
Title takes the input domain name value.
Types is set to URL Watchlist.
Likely impact is set to Unknown.
The Estimated observed time of the resulting indicator is set to the time when the PhishTank community verified the submitted domain or the URI.
The Estimated threat start time of the resulting indicator is set to the time when the PhishTank community verified the submitted domain or the URI.
Before being enriched, an input domain observable in the graph can look like in the following example:
After being enriched through PhishTank, the input domain observable can become related to the indicator and the enrichment observables resulting from the operation:
By default, the enricher timeout value is set to 2 minutes.