MxToolbox

Integration version: 11.0

Configure MxToolbox integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Actions

A Record Lookup

Description

A record lookup returns the IP address for a specific domain name.

Parameters

N/A

Run On

This action runs on the following entities:

  • Hostname
  • URL
  • User

Action Results

Entity Enrichment

| Enrichment Field Name | Logic - When to apply |
| --- | --- |
| IP Address | Returns if it exists in JSON result |
| Type | Returns if it exists in JSON result |
| Domain Name | Returns if it exists in JSON result |
| TTL | Returns if it exists in JSON result |

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| ip_addresses | N/A | N/A |

JSON Result
[{
   "EntityResult":
      [{
        "IP Address": "1.1.1.1",
        "Type": "A",
        "Domain Name": "example.com",
        "TTL": "10 min"
      }],
  "Entity": "example.com"
}]

Blacklist Check

Description

The blacklist check tests a mail server IP address against over 100 DNS-based email blacklists (commonly called Realtime blacklist, DNSBL or RBL). If your mail server has been blacklisted, some emails you send may not be delivered. Email blacklists are a common way of reducing spam.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Blacklist Threshold | String | N/A | The threshold used to determine whether a domain or IP address is blacklisted. |

Run On

This action runs on the following entities:

  • Hostname
  • IP Address

Action Results

Entity Enrichment

| Enrichment Field Name | Logic - When to apply |
| --- | --- |
| Info | Returns if it exists in JSON result |
| Name | Returns if it exists in JSON result |
| PublicDescription | Returns if it exists in JSON result |
| IsExcludedByUser | Returns if it exists in JSON result |
| BlacklistReasonDescription | Returns if it exists in JSON result |
| BlacklistResponseTime | Returns if it exists in JSON result |
| Url | Returns if it exists in JSON result |
| BlacklistReasonCode | Returns if it exists in JSON result |
| BlacklistTTL | Returns if it exists in JSON result |
| ID | Returns if it exists in JSON result |

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_blacklisted | True/False | is_blacklisted:True |

JSON Result
[{
   "EntityResult":
      [{
         "Info": "Blacklisted by SURBL multi",
         "Name": "SURBL multi",
         "PublicDescription": null,
         "IsExcludedByUser": false,
         "BlacklistReasonDescription": "Listed",
         "BlacklistResponseTime": "63",
         "Url": "https://mxtoolbox.com/Problem/blacklist/SURBL-multi?page=prob_blacklist&showlogin=1&hidetoc=1&action=blacklist:chinatlz.com",
         "BlacklistReasonCode": "1.1.1.1",
         "BlacklistTTL": "180",
         "ID": 285
       }],
   "Entity": "chinatlz.com"
}]

HTTPS Information Lookup

Description

The HTTPS Lookup and SSL Certificate Checker will query a website URL and tell you if it responds securely with SSL encryption.

Parameters

N/A

Run On

This action runs on the URL entity.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| https | True/False | https:False |

JSON Result
N/A

MX Record Lookup

Description

An MX record lookup returns the mail server address for a specific domain.

Parameters

N/A

Run On

This action runs on the following entities:

  • Hostname
  • URL
  • User

Action Results

Entity Enrichment

| Enrichment Field Name | Logic - When to apply |
| --- | --- |
| Hostname | Returns if it exists in JSON result |
| Pref | Returns if it exists in JSON result |
| IPAddress | Returns if it exists in JSON result |
| TTL | Returns if it exists in JSON result |

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| mx_domains | N/A | N/A |

JSON Result
[{
   "EntityResult":
      [{
         "Hostname": "aspmx.l.google.com",
         "Pref": "1",
         "IPAddress": "1.1.1.1",
         "TTL": "60min"
      },{
         "Hostname": "aspmx3.googlemail.com",
         "Pref": "10",
         "IPAddress": "2a00:1450:400b:c03::1a",
         "TTL": "60min"
      }],
   "Entity": "example.com"
}]

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| is_success | True/False | is_success:False |

JSON Result
N/A

Ping External IP

Description

Pings an external IP address or domain using the ICMP protocol.

Parameters

N/A

Run On

This action runs on the following entities:

  • IP Address
  • URL
  • User
  • Hostname

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| ping_results | N/A | N/A |

JSON Result
N/A

Reverse DNS Lookup

Description

The Reverse Lookup tool performs a reverse IP lookup. If you type in an IP address, MxToolbox attempts to locate a DNS PTR record for that IP address. You can then click on the results to find out more about that IP address. Note that, in general, your ISP must set up and maintain these reverse DNS records (that is, PTR records) for you.

Parameters

N/A

Run On

This action runs on the IP Address entity.

Action Results

Entity Enrichment

| Enrichment Field Name | Logic - When to apply |
| --- | --- |
| IP Address | Returns if it exists in JSON result |
| Type | Returns if it exists in JSON result |
| Domain Name | Returns if it exists in JSON result |
| TTL | Returns if it exists in JSON result |

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| ptr_domains | N/A | N/A |

JSON Result
[{
   "EntityResult":
      [{
          "IP Address": "1.1.1.1",
          "Type": "PTR",
          "Domain Name": "google-public-dns-a.google.com",
          "TTL": "24 hrs"
       }],
   "Entity": "1.1.1.1"
}]

SPF Lookup

Description

Sender Policy Framework (SPF) records allow domain owners to publish a list of IP addresses or subnets that are authorized to send email on their behalf.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| IP Address | String | N/A | The IP address to look for. |

Run On

This action runs on the following entities:

  • Hostname
  • User
  • URL

Action Results

Entity Enrichment

| Enrichment Field Name | Logic - When to apply |
| --- | --- |
| 1.1.1.1/24 | Returns if it exists in JSON result |
| 64.233.160.0/19 | Returns if it exists in JSON result |
| 103.237.104.0/22 | Returns if it exists in JSON result |

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| auth_sender | N/A | N/A |

JSON Result
[{
    "EntityResult":
                  [
                  "1.1.1.1/24",
                  "64.233.160.0/19",
                  "103.237.104.0/22"],
    "Entity": "example.com"
}]
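
Added example (not part of the integration's own code): one way a later playbook step could check a sender IP address against the ranges in the SPF Lookup JSON result. The function names are hypothetical, and the input is the sample result shown above, embedded as constructed data.

```python
import ipaddress
import json

# Constructed sample: the SPF Lookup JSON result shown above.
SAMPLE_RESULT = """
[{
    "EntityResult": ["1.1.1.1/24", "64.233.160.0/19", "103.237.104.0/22"],
    "Entity": "example.com"
}]
"""


def parse_networks(entries):
    """Convert the CIDR strings of one EntityResult into network objects.

    strict=False is needed because an entry such as "1.1.1.1/24" has host
    bits set and would otherwise raise ValueError. Unparseable entries are
    returned separately instead of being silently dropped.
    """
    networks, rejected = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(str(entry).strip(), strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def find_authorizing_ranges(json_result, sender_ip):
    """Map each entity to the published ranges that contain sender_ip."""
    ip = ipaddress.ip_address(sender_ip)
    matches = {}
    for item in json.loads(json_result):
        networks, _ = parse_networks(item.get("EntityResult", []))
        # Compare only networks of the same address family (IPv4 or IPv6).
        matches[item["Entity"]] = [
            str(net) for net in networks
            if net.version == ip.version and ip in net
        ]
    return matches


if __name__ == "__main__":
    for candidate in ("64.233.170.5", "1.1.1.200", "203.0.113.7"):
        print(candidate, find_authorizing_ranges(SAMPLE_RESULT, candidate))
```

An empty list for an entity means none of the returned ranges covers the sender, which is the case worth surfacing to an analyst reviewing a suspicious email.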

STCP Port Status

Description

Check if a specific TCP port is open.

Parameters

| Parameter | Type | Default Value | Description |
| --- | --- | --- | --- |
| Port Number | String | N/A | The port number to check. |

Run On

This action runs on the following entities:

  • Hostname
  • IP Address
  • User
  • URL

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result

| Script Result Name | Value Options | Example |
| --- | --- | --- |
| port_statuses | N/A | N/A |

JSON Result
N/A