APIVoid
Integration version: 9.0
Configure APIVoid to work with Google Security Operations SOAR
How to get API key
To obtain your personal API Key, sign in to your APIVoid account.
Click My API keys to navigate to the page where your API key is stored.
Click Copy to copy over the API key to your clipboard. This will be used later on when configuring this integration in the Google Security Operations SOAR platform.
Network
| Function | Default port | Direction | Protocol |
|---|---|---|---|
| API | Multivalues | Outbound | apikey |
Configure APIVoid integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| Api Root | String | https://endpoint.apivoid.com | Yes | Address of the APIVoid instance. |
| Api Key | Password | N/A | Yes | API key generated in APIVoid's console. |
| Verify SSL | Checkbox | Unchecked | No | Use this checkbox, if your APIVoid connection requires an SSL verification. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Get Domain Reputation
Description
Get domain reputation checks if a domain is blacklisted by a popular and trusted domain blacklist services such as URLVir, ThreatLog, OpenPhish, Spam404, PhishTank, ZeuS Tracker, and more. The multiple domain blacklist services identify potentially malicious and fraudulent websites involved in malware distribution, phishing incidents, and fake online shops.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Threshold | String | 0 | Yes | Domain risk threshold. The threshold must be a numeric value. Example: 3 |
| Create Insights | Checkbox | Checked | Yes | Specify whether the action should create insights or not. |
Use cases
One of the use cases of Domain Reputation API is to check if the client's websites are blacklisted, check URLs submitted by users on your application, or to identify potentially malicious and unsafe websites.
Run on
This action runs on the following entities:
- Hostname
- URL
Action results
Entity enrichment
Mark entity as suspicious if the number of negative engines is equal or above the given threshold.
| Enrichment field name | Logic - When to apply |
|---|---|
| alexa_top_100k | Returns if it exists in JSON result |
| domain_length | Returns if it exists in JSON result |
| alexa_top_10k | Returns if it exists in JSON result |
| blacklists | Returns if it exists in JSON result |
| server | Returns if it exists in JSON result |
| host | Returns if it exists in JSON result |
| most_abused_tld | Returns if it exists in JSON result |
| alexa_top_250k | Returns if it exists in JSON result |
Insights
| Severity | Description |
|---|---|
| Warn | A warning insight shall be created to inform on the malicious status of the enriched entity. The insight will be created when the number of detected engines equals or exceeds the minimum suspicious Threshold set before scan. |
Script result
| Script result name | Value options | Example |
|---|---|---|
| success | True/False | success:False |
JSON result
[
{
"EntityResult": {
"alexa_top_100k": false,
"domain_length": 17,
"alexa_top_10k": false,
"blacklists": {
"scantime": "0.07",
"detection_rate": "0%",
"detections": 0,
"engines_count": 29,
"engines": [{
"engine": "ThreatLog",
"detected": false,
"confidence": "high",
"reference": "http://www.threatlog.com/"
}, {
"engine": "Threat Sourcing",
"detected": false,
"confidence": "high",
"reference": "https://www.threatsourcing.com/"
}, {
"engine": "URLVir",
"detected": false,
"confidence": "high",
"reference": "http://www.urlvir.com/"
}]},
"server": {
"region_name": null,
"reverse_dns": " ",
"ip": " ",
"isp": null,
"continent_code": null,
"latitude": null,
"city_name": null,
"longitude": null,
"country_code": null,
"country_name": null,
"continent_name": null
},
"host": "qotaerltozres.com",
"most_abused_tld": false,
"alexa_top_250k": false
},
"Entity": "qotaerltozres.com"
}, {
"EntityResult": {
"alexa_top_100k": false,
"domain_length": 9,
"alexa_top_10k": false,
"blacklists": {
"scantime": "0.03",
"detection_rate": "0%",
"detections": 0,
"engines_count": 29,
"engines": [{
"engine": "ThreatLog",
"detected": false,
"confidence": "high",
"reference": "http://www.threatlog.com/"
}, {
"engine": "Threat Sourcing",
"detected": false,
"confidence": "high",
"reference": "https://www.threatsourcing.com/"
}, {
"engine": "URLVir",
"detected": false,
"confidence": "high",
"reference": "http://www.urlvir.com/"
}]},
"server": {
"region_name": null,
"reverse_dns": " ",
"ip": " ",
"isp": null,
"continent_code": null,
"latitude": null,
"city_name": null,
"longitude": null,
"country_code": null,
"country_name": null,
"continent_name": null
},
"host": "1.1.1.1",
"most_abused_tld": false,
"alexa_top_250k": false
},
"Entity": "1.1.1.1"
}
]
Get Ip Reputation
Description
IP Reputation API detects potentially malicious IP addresses which are commonly used for spam, website attacks or fraudulent activity.
Parameters
| Parameter | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Threshold | String | N/A | Yes | IP risk threshold. The threshold must be a numeric value. Example: 3. |
| Create Insights | Checkbox | Checked | Yes | Specify whether the action should create insights or not. |
Run on
This action runs on the IP Address entity.
Action results
Entity enrichment
Mark entity as suspicious if the number of negative engines is equal or above the given threshold.
| Enrichment field name | Logic - When to apply |
|---|---|
| information | Returns if it exists in JSON result |
| blacklists | Returns if it exists in JSON result |
| anonymity | Returns if it exists in JSON result |
| ip | Returns if it exists in JSON result |
Insights
| Severity | Description |
|---|---|
| Warn | A warning insight shall be created to inform on the malicious status of the enriched hash. The insight will be created when the number of detected engines equals or exceeds the minimum suspicious Threshold set before scan. |
Script result
| Script result name | Value options | Example |
|---|---|---|
| success | True/False | success:False |
JSON result
[
{
"EntityResult": {
"information": {
"is_proxy": false,
"is_vpn": false,
"region_name": "Zhejiang",
"is_webproxy": false,
"latitude": 28.680280685424805,
"isp": "ChinaNet Zhejiang Province Network",
"continent_code": "AS",
"is_tor": false,
"reverse_dns": " ",
"detections": 18,
"engines_count": 76,
"longitude": 121.44277954101562,
"city_name": "Jiaojiang",
"country_name": "China",
"continent_name": "Asia",
"detection_rate": "24%",
"country_code": "CN",
"is_hosting": false
},
"blacklists": {
"scantime": "0.57",
"detection_rate":
"24%",
"detections": 18,
"engines_count": 76,
"engines": [{
"engine": "PlonkatronixBL",
"detected": false,
"reference": "http://bl.plonkatronix.com/"
}, {
"engine": "Peter-s NUUG IP BL",
"detected": true,
"reference": "https://home.nuug.no/~peter/"
}, {"engine": "Malc0de",
"detected": false,
"reference": "http://malc0de.com/database/index.php"
}]},
"anonymity": {
"is_tor": false,
"is_proxy": false,
"is_vpn": false,
"is_webproxy": false,
"is_hosting": false
},
"ip": "1.1.1.1"
},
"Entity": "1.1.1.1"
}
]
Get URL Reputation
Description
Get safety reputation and risk score of an URL.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Threshold | Integer | N/A | Yes | URL risk threshold. The threshold must be a numeric value. Example: 3 |
Use cases
An analyst can get URL reputation (similar to get domain/ip reputation).
Run on
This action runs on the URL entity.
Action results
Entity enrichment
Mark entity as suspicious if the number of negative engines is equal or above the given threshold. if data.get("report", {}).get("risk_score", {}).get("result") > threshold
| Enrichment field name | Logic - When to apply |
|---|---|
| domain_blacklist | Returns if it exists in JSON result |
| html_forms | Returns if it exists in JSON result |
| server_details | Returns if it exists in JSON result |
| response_headers | Returns if it exists in JSON result |
| redirection | Returns if it exists in JSON result |
| file_type | Returns if it exists in JSON result |
| risk_score | Returns if it exists in JSON result |
| security_checks | Returns if it exists in JSON result |
| geo_location | Returns if it exists in JSON result |
| url_parts | Returns if it exists in JSON result |
| site_category | Returns if it exists in JSON result |
| web_page | Returns if it exists in JSON result |
| dns_records | Returns if it exists in JSON result |
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
[
{
"EntityResult": {
"domain_blacklist": {
"detections": 0,
"engines": [{
"detected": false,
"name": "SpamhausDBL", "reference": "https://www.spamhaus.org/lookup/"
}, {
"detected": false,
"name": "ThreatLog",
"reference": "http://www.threatlog.com/"
}, {
"detected": false,
"name": "OpenPhish",
"reference": "http://www.openphish.com/"
}, {
"detected": false,
"name": "PhishTank",
"reference": "http://www.phishtank.com/"
}, {
"detected": false,
"name": "Phishing.Database",
"reference": "https://github.com/mitchellkrogza/Phishing.Database"
}, {
"detected": false,
"name": "PhishStats",
"reference": "https://phishstats.info/"
}, {
"detected": false,
"name": "URLVir",
"reference": "http://www.urlvir.com/"
}, {
"detected": false,
"name": "URLhaus",
"reference": "https://urlhaus.abuse.ch/"
}, {
"detected": false,
"name": "RPiList Not Serious",
"reference": "https://github.com/RPiList/specials"
}, {
"detected": false,
"name": "precisionsec",
"reference": "https://precisionsec.com/"
}, {
"detected": false,
"name": "AntiSocial Blacklist",
"reference": "https://theantisocialengineer.com/"
}, {
"detected": false,
"name": "PhishFeed",
"reference": "https://phishfeed.com/"
}, {
"detected": false,
"name": "Spam404",
"reference": "https://www.spam404.com/"
}]},
"html_forms": {
"number_of_total_input_fields": 0,
"email_field_present": false,
"number_of_total_forms": 0,
"password_field_present": false,
"two_text_inputs_in_a_form": false,
"credit_card_field_present": false
},
"server_details": {
"continent_name": "Asia",
"hostname": "mfwd12.mailplug.co.kr",
"region_name": "Seoul-teukbyeolsi",
"ip": "14.49.36.141",
"isp": "KT Corporation",
"continent_code": "AS",
"country_name": "Korea (Republic of)",
"city_name": "Seoul",
"longitude": 126.97782897949219,
"country_code": "KR",
"latitude": 37.568260192871094
},
"response_headers": {
"status": "HTTP/1.1 404 Not Found",
"content-length": "177",
"code": 404,
"server": "nginx/1.4.6 (Ubuntu)",
"connection": "keep-alive",
"date": "Wed, 15 Jul 2020 08:21:54 GMT",
"content-type": "text/html"
},
"redirection": {
"url": null,
"found": false,
"external": false
},
"file_type": {
"headers": "HTML",
"extension": "HTML",
"signature": " "
},
"risk_score": {
"result": 10
},
"security_checks": {
"is_suspended_page": false,
"is_defaced_heuristic": false,
"is_windows_exe_file": false,
"is_credit_card_field": false,
"is_windows_exe_file_on_free_hosting": false,
"is_masked_linux_elf_file": false,
"is_exe_on_directory_listing": false,
"is_php_on_directory_listing": false,
"is_masked_windows_exe_file": false,
"is_sinkholed_domain": false,
"is_robots_noindex": false,
"is_windows_exe_file_on_free_dynamic_dns": false,
"is_doc_on_directory_listing": false,
"is_non_standard_port": false,
"is_linux_elf_file_on_free_dynamic_dns": false,
"is_suspicious_domain": false, "is_suspicious_url_pattern": false,
"is_china_country": false,
"is_risky_geo_location": false,
"is_pdf_on_directory_listing": false,
"is_valid_https": false,
"is_external_redirect": false, "is_windows_exe_file_on_ipv4": false,
"is_phishing_heuristic": false,
"is_linux_elf_file_on_ipv4": false,
"is_email_address_on_url_query": false,
"is_uncommon_clickable_url": false,
"is_most_abused_tld": false,
"is_domain_blacklisted": false,
"is_host_an_ipv4": false,
"is_linux_elf_file_on_free_hosting": false,
"is_zip_on_directory_listing": false,
"is_password_field": false,
"is_linux_elf_file": false,
"is_empty_page_title": false,
"is_directory_listing": false,
"is_masked_file": false,
"is_suspicious_file_extension": false,
"is_suspicious_content": false
},
"geo_location": {
"countries": ["KR"]
},
"url_parts": {
"host_nowww": "funad.co.kr",
"host": "www.funad.co.kr",
"path": "/dynamic/adv/sb/searchnqpopu.html",
"query": null,
"scheme": "http",
"port": 80},
"site_category": {
"is_vpn_provider": false,
"is_url_shortener": false,
"is_anonymizer": false,
"is_torrent": false,
"is_free_dynamic_dns": false,
"is_free_hosting": false
},
"web_page": {
"keywords": "",
"description": "",
"title": "404 Not Found"
},
"dns_records": {
"ns": {
"records": [{
"country_name": "Korea (Republic of)",
"ip": "211.253.28.95",
"isp": "KT Corporation",
"target": "ns.mailplug.com",
"country_code": "KR"
}, {
"country_name": "Korea (Republic of)",
"ip": "223.26.214.26",
"isp": "LX",
"target": "ns2.mailplug.com",
"country_code": "KR"
}]},
"mx": {
"records": []
}}},
"Entity": "www.funad.co.kr:80/dynamic/adv/sb/searchnqpopu.html"
}
]
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* |
|
General |
| CSV Case wall | If data available create new entity csv table:
|
General |
| Enrichment | If data available add the following as entity enrichment: (don't forget to add prefix "APIVoid")
|
Entity |
Get Screenshot
Description
Capture a high-quality screenshot of any website or URL.
Parameters
N/A
Use cases
An analyst can capture high-quality screenshots of any website or URL, in PNG or JPG image format.
Run on
This action runs on the User entity.
Action results
Entity enrichment
Mark entity as suspicious if the number of negative engines is equal or above the given threshold. is_suspicious: if data.get("score") > threshold
| Enrichment field name | Logic - When to apply |
|---|---|
| domain | Returns if it exists in JSON result |
| should_block | Returns if it exists in JSON result |
| score | Returns if it exists in JSON result |
| disposable | Returns if it exists in JSON result |
| has_mx_records | Returns if it exists in JSON result |
| has_spf_records | Returns if it exists in JSON result |
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
[
{
"EntityResult": {
"domain": "siemplify.co ",
"valid_tld": true,
"email": "vickie.b@siemplify.co",
"role_address": false,
"should_block": false,
"risky_tld": false,
"dirty_words_username": false,
"suspicious_domain": false,
"score": 100,
"educational_domain": false,
"dirty_words_domain": false,
"did_you_mean": " ",
"username": "vickie.b",
"valid_format": true,
"is_spoofable ": false,
"disposable": false,
"government_domain": false,
"has_spf_records": true,
"domain_popular": false,
"has_mx_records": true,
"china_free_email": false,
"free_email": false,
"russian_free_email": false,
"police_domain": false,
"dmarc_enforced": false,
"suspicious_username": false
},
"Entity": "VICKIE.B@SIEMPLIFY.CO"
}
]
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* |
|
General |
| Attachments | If data available create new file obj
|
General |
Ping
Description
Test connectivity.
Parameters
N/A
Run on
This action runs on all entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| success | True/False | success:False |
Verify Email
Description
Check if an email is disposable, has MX records, and more.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Threshold | Integer | N/A | Yes | Email risk threshold. The threshold must be a numeric value. Example: 3 |
Use cases
An analyst can check if an email is disposable, get MX records, and more.
Run on
This action runs on the User entity.
Action results
Entity enrichment
Mark entity as suspicious if the number of negative engines is equal or above the given threshold. is_suspicious: if data.get("score") > threshold
| Enrichment field name | Logic - When to apply |
|---|---|
| domain | Returns if it exists in JSON result |
| should_block | Returns if it exists in JSON result |
| score | Returns if it exists in JSON result |
| disposable | Returns if it exists in JSON result |
| has_mx_records | Returns if it exists in JSON result |
| has_spf_records | Returns if it exists in JSON result |
Insights
N/A
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
[
{
"EntityResult": {
"domain": "siemplify.co ",
"valid_tld": true,
"email": "vickie.b@siemplify.co",
"role_address": false,
"should_block": false,
"risky_tld": false,
"dirty_words_username": false,
"suspicious_domain": false,
"score": 100,
"educational_domain": false,
"dirty_words_domain": false,
"did_you_mean": " ",
"username": "vickie.b",
"valid_format": true,
"is_spoofable ": false,
"disposable": false,
"government_domain": false,
"has_spf_records": true,
"domain_popular": false,
"has_mx_records": true,
"china_free_email": false,
"free_email": false,
"russian_free_email": false,
"police_domain": false,
"dmarc_enforced": false,
"suspicious_username": false
},
"Entity": "VICKIE.B@SIEMPLIFY.CO"
}
]
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* |
|
General |
| CSV Case wall | CSV content: entity data(example below) | General |
| Enrichment | If data available add the following as entity enrichment: (don't forget to add prefix "APIVoid")
|
Entity |