urlscan.io Action

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The URLScan.io Action for ThreatQ enables security teams to leverage URLScan.io’s web sandboxing and analysis capabilities directly within the platform to identify phishing pages, malicious redirects, and other web-based threats. The integration enhances investigations by delivering deeper visibility into web activity and enriching indicators with actionable context. As a result, organizations can more effectively detect, assess, and respond to suspicious or malicious online behavior.

The integration provides the following action:

  • URLScan.io - Enrich IOCs - enriches FQDN, IP Address, and URL indicators with context from URLScan.io.

The integration is compatible with the following indicator types:

  • FQDN
  • IP Address
  • URL

The integration returns the following enriched indicator types:

  • ASN
  • FQDN
  • IP Address
  • SHA-256
  • URL

This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.

Prerequisites

  • An active ThreatQ TDR Orchestrator (TQO) license.
  • A URLScan.io API Key.
  • A ThreatQ data collection containing at least one of the following indicator types:
    • FQDN
    • IP Address
    • URL

Installation

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

  1. Log into https://marketplace.threatq.com/.
  2. Locate and download the action zip file.
  3. Navigate to the integrations management page on your ThreatQ instance.
  4. Click on the Add New Integration button.
  5. Upload the action zip file using one of the following methods:
    • Drag and drop the zip file into the dialog box
    • Select Click to Browse to locate the zip file on your local machine

    ThreatQ will inform you if the action already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the action contains changes to the user configuration. The new user configurations will overwrite the existing ones for the action and will require user confirmation before proceeding.

You will still need to configure the action.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
 

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Actions option from the Category dropdown (optional).
  3. Click on the action entry to open its details page.
  4. Enter the following parameters under the Configuration tab:

    The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.

    Parameter | Description
    API Key | Enter your URLScan.io API Key to authenticate with the API.
    Enable SSL Certificate Verification | Enable this parameter if the action should validate the host-provided SSL certificate.
    Disable Proxies | Enable this parameter if the action should not honor proxies set in the ThreatQ UI.
    Subscription Tier | Select the URLScan.io subscription tier to ensure that appropriate submission delays are applied and rate limiting is avoided. Options include:
    • Free (default)
    • Starter
    • Advanced
    • Professional
    • Enterprise
    Maintain URL Schemes | Enable this parameter to include the URL scheme (http/https) as specified by the IOC value or Scheme attribute when performing the URLScan search. When disabled, the scheme is removed prior to the search, allowing results to return both http and https variations of the URL. This parameter is enabled by default.
    Fetch Google Safe Browsing Verdicts (+1 API Call) | Enable this parameter to have Google Safe Browsing provide information on whether a domain or IP might be dangerous, phishing, malware, or a PUA. This parameter is disabled by default.

    Enabling this parameter will result in an additional API call to fetch the requested information.

    Set Indicator Status to Active if Malicious | Enable this parameter to have the action set the indicator's status to Active if the enriched IOC has been determined to be malicious by URLScan.io. This parameter is enabled by default.
    Verdict Context to Ingest | Select which pieces of context about the site's verdict to ingest from the API. Options include:
    • Threat Score (default)
    • Verdict (default)
    • Categories (default)
    • Tags (default)
    • Target Brands (default)
    Page Context to Ingest | Select which pieces of context about the site's page to ingest from the API. Options include:
    • ASN
    • AS Organization
    • Country Code
    • City
    • Certificate Issuer
    • Certificate Valid From
    • Server
    • Last HTTP Status Code
    • Site Title
    • MIME Type
    Other Context to Ingest | Select which pieces of additional context about the site to ingest from the API. Options include:
    • Task Tags
    • Page Screenshot (in Description)
    Ingest IOCs for Downloaded Files | Enable this parameter to automatically download files identified during the scan for ingestion as indicators. These indicators will inherit the parent URL’s verdict attributes and status. This parameter is enabled by default.
    Ingest ASNs As | Select how you want to ingest ASNs for the enriched IOCs. Options include:
    • Indicators (default)
    • Attributes

    If ingesting them as Indicators, the AS Organization will be added to the ASN's attributes rather than the enriched IOC's attributes. This is only visible if ASN is selected for the Page Context to Ingest parameter.

    Objects Per Run | The number of objects to process per run of the workflow. The default value is 1000.

    Configuration Screen
  5. Review any additional settings, make any changes if needed, and click on Save.

Actions

The following action is available:

Action | Description | Object Type | Object Subtype
URLScan.io - Enrich IOCs | This action will enrich IOCs with context from URLScan.io | Indicator | URL, FQDN, IP Address

URLScan.io - Enrich IOCs

The URLScan.io - Enrich IOCs action enriches FQDN, IP Address, and URL indicators with context from URLScan.io. The action process is as follows:

  1. Search for Results Related to IOCs
  2. Find Exact Matches from the Results
  3. Fetch Google Safe Browsing Verdicts

Due to the structure of the URLScan.io API, when results are returned for a given IOC, an additional API call is required to retrieve the details of the latest task. As a result, two API calls are made for each IOC that produces results. You should be mindful of your rate limits when using this action.

Search for Results Related to IOC

The action will first perform a search for results related to the IOC.

GET https://urlscan.io/api/v1/search?q=task.url:"{{ ioc }}" OR page.url:"{{ ioc }}"

Sample Response:

{
    "results": [
        {
            "task": {
                "visibility": "public",
                "method": "automatic",
                "domain": "www.appleindia.com",
                "apexDomain": "appleindia.com",
                "time": "2025-10-27T19:00:24.461Z",
                "source": "certstream-suspicious",
                "uuid": "019a270a-db25-74ff-a30d-03b206b4a184",
                "url": "https://www.appleindia.com/"
            },
            "stats": {
                "uniqIPs": 8,
                "uniqCountries": 2,
                "dataLength": 4144192,
                "encodedDataLength": 1213727,
                "requests": 58
            },
            "page": {
                "country": "US",
                "server": "openresty",
                "redirected": "sub-domain",
                "ip": "34.120.137.41",
                "apexDomainAgeDays": 1987,
                "language": "en",
                "mimeType": "text/html",
                "title": "India Apple Farmer's Market - Fresh Apples from India | India Apple Farmer's Market",
                "url": "https://appleindia.com/",
                "tlsValidDays": 89,
                "tlsAgeDays": 2,
                "ptr": "41.137.120.34.bc.googleusercontent.com",
                "domainAgeDays": 1987,
                "tlsValidFrom": "2025-10-25T16:08:48.000Z",
                "domain": "appleindia.com",
                "apexDomain": "appleindia.com",
                "asnname": "GOOGLE-CLOUD-PLATFORM, US",
                "asn": "AS396982",
                "tlsIssuer": "E7",
                "status": "200"
            },
            "_id": "019a270a-db25-74ff-a30d-03b206b4a184",
            "_score": null,
            "sort": [1761591624461, "019a270a-db25-74ff-a30d-03b206b4a184"],
            "result": "https://urlscan.io/api/v1/result/019a270a-db25-74ff-a30d-03b206b4a184/",
            "screenshot": "https://urlscan.io/screenshots/019a270a-db25-74ff-a30d-03b206b4a184.png"
        }
    ],
    "total": 1,
    "took": 230,
    "has_more": false
}

Find an Exact Match from the Results

The action will find an exact match (ignoring scheme if configured) from the results returned and then pull the latest task's details.

GET https://urlscan.io/api/v1/result/{{ uuid }}

Sample Response:

{
    "data": {
        "requests": [
            {
                "request": {}
            }
        ],
        "cookies": [
            {
                "name": "GAPS",
                "value": "1:-SXgPX0XaIXTAfpcgbHW2YQoALmK0w:p5ThYFYkJuhNvoGL",
                "domain": "accounts.google5.gq",
                "path": "/",
                "expires": 1632771581.626451,
                "size": 53,
                "httpOnly": true,
                "secure": true,
                "session": false
            }
        ],
        "console": [],
        "links": [
            {
                "href": "https://support.google.com/chrome/answer/6130773?hl=ru",
                "text": "Подробнее…"
            }
        ],
        "timing": {
            "beginNavigation": "2019-09-28T19:39:40.970Z",
            "frameStartedLoading": "2019-09-28T19:39:42.776Z",
            "frameNavigated": "2019-09-28T19:39:42.776Z",
            "domContentEventFired": "2019-09-28T19:39:42.770Z",
            "frameStoppedLoading": "2019-09-28T19:39:42.777Z",
            "loadEventFired": "2019-09-28T19:39:42.777Z"
        },
        "globals": [
            {
                "prop": "onformdata",
                "type": "object"
            },
            {
                "prop": "onpointerrawupdate",
                "type": "object"
            }
        ]
    },
    "stats": {
        "resourceStats": [
            {
                "count": 10,
                "size": 79144,
                "encodedSize": 80298,
                "latency": 0,
                "countries": ["DE"],
                "ips": ["2a00:1450:4001:80b::2003"],
                "type": "Font",
                "compression": "1.0",
                "percentage": 33
            }
        ],
        "protocolStats": [
            {
                "count": 16,
                "size": 102751,
                "encodedSize": 88602,
                "ips": [
                    "2a00:1450:4001:80b::2003",
                    "2a00:1450:4001:824::2003",
                    "2a00:1450:4001:81e::200e"
                ],
                "countries": ["DE"],
                "securityState": {},
                "protocol": "h2"
            }
        ],
        "tlsStats": [
            {
                "count": 17,
                "size": 1509905,
                "encodedSize": 498137,
                "ips": [
                    "194.58.123.10",
                    "2a00:1450:4001:80b::2003",
                    "2a00:1450:4001:824::2003",
                    "2a00:1450:4001:81e::200e"
                ],
                "countries": ["RU", "DE"],
                "protocols": {
                    "TLS 1.2 / ECDHE_RSA / AES_256_GCM": 1,
                    "TLS 1.3 /  / AES_128_GCM": 16
                },
                "securityState": "secure"
            }
        ],
        "serverStats": [
            {
                "count": 15,
                "size": 102751,
                "encodedSize": 88602,
                "ips": ["2a00:1450:4001:80b::2003", "2a00:1450:4001:824::2003"],
                "countries": ["DE"],
                "server": "sffe"
            }
        ],
        "domainStats": [
            {
                "count": 10,
                "ips": ["2a00:1450:4001:80b::2003"],
                "domain": "fonts.gstatic.com",
                "size": 79144,
                "encodedSize": 80298,
                "countries": ["DE"],
                "index": 4,
                "initiators": ["accounts.google5.gq"],
                "redirects": 0
            }
        ],
        "regDomainStats": [
            {
                "count": 15,
                "ips": ["2a00:1450:4001:80b::2003", "2a00:1450:4001:824::2003"],
                "regDomain": "gstatic.com",
                "size": 102751,
                "encodedSize": 88602,
                "countries": [],
                "index": 4,
                "subDomains": [
                    {
                        "domain": "fonts",
                        "country": "DE"
                    },
                    {
                        "domain": "ssl",
                        "country": "DE"
                    }
                ],
                "redirects": 0
            }
        ],
        "secureRequests": 17,
        "securePercentage": 59,
        "IPv6Percentage": 75,
        "uniqCountries": 2,
        "totalLinks": 2,
        "malicious": 0,
        "adBlocked": 0,
        "ipStats": [
            {
                "requests": 3,
                "domains": ["www.accounts.google5.gq", "accounts.google5.gq"],
                "ip": "194.58.123.10",
                "asn": {
                    "ip": "194.58.123.10",
                    "asn": "197695",
                    "country": "RU",
                    "registrar": "ripencc",
                    "date": "2011-03-28",
                    "description": "AS-REG, RU",
                    "route": "194.58.123.0/24",
                    "name": "AS-REG"
                },
                "dns": {},
                "geoip": {
                    "range": [3258605568, 3258613759],
                    "country": "RU",
                    "region": "",
                    "eu": "0",
                    "timezone": "Europe/Moscow",
                    "city": "",
                    "ll": [55.7386, 37.6068],
                    "metro": 0,
                    "area": 1000,
                    "country_name": "Russian Federation"
                },
                "size": 1407154,
                "encodedSize": 411315,
                "countries": ["RU"],
                "index": 0,
                "ipv6": false,
                "redirects": 2,
                "count": null,
                "rdns": {
                    "ip": "194.58.123.10",
                    "ptr": "194-58-123-10.cloudvps.regruhosting.ru"
                }
            }
        ]
    },
    "meta": {
        "processors": {
            "download": {
                "data": [
                    {
                        "filename": "driveridentifier_setup.exe",
                        "filesize": 5670573,
                        "receivedBytes": 5670573,
                        "url": "https://www.driveridentifier.com/files/driveridentifier_setup.exe",
                        "startedAt": "2025-08-28T10:57:03.443Z",
                        "state": "completed",
                        "mimeType": "application/x-dosexec",
                        "mimeDescription": "PE32 executable (GUI) Intel 80386, for MS Windows",
                        "sha256": "07bb70c93cf1886213c4d89a00c0b88a2fba8dd86e248765831ec7866ce6f67c",
                        "finishedAt": "2025-08-28T10:57:04.553Z"
                    }
                ]
            },
            "gsb": {
                "state": "done",
                "data": {}
            },
            "geoip": {
                "state": "done",
                "data": [
                    {
                        "ip": "194.58.123.10",
                        "geoip": {
                            "range": [3258605568, 3258613759],
                            "country": "RU",
                            "region": "",
                            "eu": "0",
                            "timezone": "Europe/Moscow",
                            "city": "",
                            "ll": [55.7386, 37.6068],
                            "metro": 0,
                            "area": 1000,
                            "country_name": "Russian Federation"
                        }
                    }
                ]
            },
            "wappa": {
                "state": "done",
                "data": [
                    {
                        "app": "Nginx",
                        "confidence": [
                            {
                                "pattern": "headers server /nginx(?:\\/([\\d.]+))?/i",
                                "confidence": 100
                            }
                        ],
                        "confidenceTotal": 100,
                        "icon": "Nginx.svg",
                        "website": "http://nginx.org/en",
                        "categories": [
                            {
                                "name": "Web Servers",
                                "priority": 8
                            },
                            {
                                "name": "Reverse Proxy",
                                "priority": 7
                            }
                        ]
                    }
                ]
            },
            "rdns": {
                "state": "done",
                "data": [
                    {
                        "ip": "194.58.123.10",
                        "ptr": "194-58-123-10.cloudvps.regruhosting.ru"
                    }
                ]
            },
            "asn": {
                "state": "done",
                "data": [
                    {
                        "ip": "194.58.123.10",
                        "asn": "197695",
                        "country": "RU",
                        "registrar": "ripencc",
                        "date": "2011-03-28",
                        "description": "AS-REG, RU",
                        "route": "194.58.123.0/24",
                        "name": "AS-REG"
                    }
                ]
            },
            "done": {
                "state": "done",
                "data": {
                    "state": "done"
                }
            }
        }
    },
    "task": {
        "uuid": "95fa97bd-3465-40a5-a0cd-e0dab3cdc592",
        "time": "2019-09-28T19:39:40.772Z",
        "url": "https://www.accounts.google5.gq",
        "visibility": "public",
        "options": {
            "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
        },
        "method": "automatic",
        "source": "certstream-suspicious",
        "tags": [],
        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
        "reportURL": "https://urlscan.io/result/95fa97bd-3465-40a5-a0cd-e0dab3cdc592/",
        "screenshotURL": "https://urlscan.io/screenshots/95fa97bd-3465-40a5-a0cd-e0dab3cdc592.png",
        "domURL": "https://urlscan.io/dom/95fa97bd-3465-40a5-a0cd-e0dab3cdc592/"
    },
    "page": {
        "url": "https://accounts.google5.gq/ServiceLogin?passive=1209600continue=https%3A%2F%2Faccounts.google.com%2FManageAccountfollowup=https%3A%2F%2Faccounts.google.com%2FManageAccount",
        "domain": "accounts.google5.gq",
        "country": "RU",
        "city": "",
        "server": "nginx",
        "ip": "194.58.123.10",
        "asn": "AS197695",
        "asnname": "AS-REG, RU",
        "mimeType": "Test mimetype"
    },
    "lists": {
        "ips": [
            "2a00:1450:4001:81e::200e",
            "2a00:1450:4001:824::2003",
            "2a00:1450:4001:80b::2003",
            "194.58.123.10"
        ],
        "countries": ["DE", "RU"],
        "asns": ["15169", "15169", "15169", "197695"],
        "domains": [
            "fonts.gstatic.com",
            "ssl.gstatic.com",
            "accounts.google5.gq",
            "accounts.youtube.com",
            "www.accounts.google5.gq",
            "play.google5.gq"
        ],
        "servers": ["sffe", "ESF", "nginx"],
        "urls": [
            "https://accounts.google5.gq/ServiceLogin?passive=1209600continue=https%3A%2F%2Faccounts.google.com%2FManageAccountfollowup=https%3A%2F%2Faccounts.google.com%2FManageAccount",
            "https://www.accounts.google5.gq/"
        ],
        "linkDomains": ["support.google.com"],
        "certificates": [
            {
                "subjectName": "accounts.google5.gq",
                "issuer": "Let's Encrypt Authority X3",
                "validFrom": 1569694738,
                "validTo": 1577470738
            }
        ],
        "hashes": [
            "9a414c04360bc7a0538b8521ed8aeb0977581873ae18f2b8824345a8a0383654",
            "abfe5b27310a016303a0ede1f41a67d4adb8886b7c0ade3474cd44f60be50548"
        ]
    },
    "verdicts": {
        "overall": {
            "score": 100,
            "categories": ["phishing"],
            "brands": [
                {
                    "key": "google",
                    "name": "Google",
                    "country": ["us"],
                    "vertical": ["Online"]
                }
            ],
            "tags": ["phishing"],
            "malicious": true,
            "hasVerdicts": true
        },
        "urlscan": {
            "score": 100,
            "categories": ["phishing"],
            "brands": [
                {
                    "key": "google",
                    "name": "Google",
                    "country": ["us"],
                    "vertical": ["Online"]
                }
            ],
            "tags": ["phishing"],
            "malicious": true,
            "hasVerdicts": true
        },
        "engines": {
            "score": 0,
            "categories": [],
            "enginesTotal": 0,
            "maliciousTotal": 0,
            "benignTotal": 0,
            "maliciousVerdicts": [],
            "benignVerdicts": [],
            "malicious": false,
            "hasVerdicts": false
        },
        "community": {
            "score": 0,
            "categories": [],
            "brands": [],
            "votesTotal": 0,
            "votesMalicious": 0,
            "votesBenign": 0,
            "malicious": false,
            "hasVerdicts": false
        }
    },
    "submitter": {}
}
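
The exact-match step described above, as an added example (not ThreatQuotient's code): it picks the newest search result that matches the IOC exactly and returns the task uuid to request from the result endpoint. The fields compared per indicator type, the trailing-slash and host-case normalization, the scheme_attr argument standing in for the Scheme attribute, and the sample results are assumptions made for illustration.

```python
from datetime import datetime

# Result fields compared per indicator type (assumption: the guide only says "exact match").
MATCH_FIELDS = {
    "URL": (("task", "url"), ("page", "url")),
    "FQDN": (("task", "domain"), ("page", "domain")),
    "IP Address": (("page", "ip"),),
}


def _hit(n, day, url):
    """Build one constructed search result, trimmed to the fields used here."""
    return {
        "task": {"uuid": f"00000000-0000-0000-0000-00000000000{n}",
                 "time": f"2025-{day}T09:00:00.000Z",
                 "url": url, "domain": "login.example.test"},
        "page": {"url": url, "domain": "login.example.test", "ip": "192.0.2.10"},
    }


# Constructed sample data (not real scans).
SAMPLE_RESULTS = [
    _hit(1, "10-25", "http://login.example.test/account"),
    _hit(2, "10-20", "https://LOGIN.example.test/account/"),
    _hit(3, "10-27", "https://login.example.test/account/reset"),  # superset, not exact
    _hit(4, "09-15", "https://login.example.test/account"),
]


def canonical(value, keep_scheme, scheme_attr=None):
    """Comparison key: lower-cased host, no trailing slash, scheme only if kept."""
    scheme, sep, rest = value.strip().partition("://")
    if not sep:  # value carries no scheme; fall back to the Scheme attribute
        scheme, rest = (scheme_attr or ""), value.strip()
    host, slash, tail = rest.partition("/")
    key = host.lower() + (slash + tail).rstrip("/")
    return f"{scheme.lower()}://{key}" if keep_scheme and scheme else key


def task_time(result):
    """Parse task.time (ISO 8601 with a trailing Z) into an aware datetime."""
    return datetime.fromisoformat(result["task"]["time"].replace("Z", "+00:00"))


def latest_exact_match_uuid(ioc, ioc_type, results, keep_scheme=True, scheme_attr=None):
    """Return the uuid of the newest exactly matching task, or None if nothing matches."""
    want = canonical(ioc, keep_scheme, scheme_attr)
    hits = []
    for result in results:
        for section, field in MATCH_FIELDS[ioc_type]:
            got = result.get(section, {}).get(field)
            if got and canonical(got, keep_scheme) == want:
                hits.append(result)
                break
    if not hits:
        return None  # no second API call is needed for this IOC
    return max(hits, key=task_time)["task"]["uuid"]


if __name__ == "__main__":
    for keep in (True, False):
        print(keep, latest_exact_match_uuid(
            "https://login.example.test/account", "URL", SAMPLE_RESULTS, keep_scheme=keep))
```

With Maintain URL Schemes enabled only the https scans qualify, so an older https task can be chosen over a newer http one; with it disabled the newest scan of either scheme is used.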

Fetch Google Safe Browsing Verdicts

The action will also make an additional API call to fetch Google Safe Browsing verdicts for the domain or IP if the Fetch Google Safe Browsing Verdicts configuration parameter is enabled.

GET https://urlscan.io/api/verdict/{{ domain or ip }}

Sample Response:

{
    "country_info": {
        "alpha2": "RU",
        "alpha3": "RUS",
        "countryCallingCodes": ["+7", "+7 3", "+7 4", "+7 8"],
        "currencies": ["RUB"],
        "emoji": "🇷🇺",
        "ioc": "RUS",
        "languages": ["rus"],
        "name": "Russian Federation",
        "status": "assigned"
    },
    "geoip": {
        "range": [92392704, 92392959],
        "country": "RU",
        "region": "",
        "eu": "0",
        "timezone": "Europe/Moscow",
        "city": "",
        "ll": [55.7487, 37.6187],
        "metro": 0,
        "area": 1000
    },
    "asn": {
        "ip": "5.129.205.47",
        "asn": "9123",
        "country": "RU",
        "description": "TimeWeb-AS JSC \"TIMEWEB\", RU",
        "name": "TimeWeb-AS JSC \"TIMEWEB\"",
        "route": "5.129.204.0/23"
    },
    "title": "5.129.205.47",
    "term": "5.129.205.47",
    "whois_json": {
        "error": "201: access denied for 138.201.103.155"
    },
    "rip4": [],
    "rip6": [],
    "nameserver": [],
    "fieldname": "IP",
    "headline": "5.129.205.47",
    "gsb": {
        "verdict": {
            "dangerous": false,
            "phishing": false,
            "malware": false,
            "pua": false
        },
        "raw": [
            "sb.ssr",
            6,
            false,
            false,
            false,
            false,
            false,
            0,
            "http://5.129.205.47/"
        ]
    }
}

Table Mapping

ThreatQuotient provides the following default mapping for this action.

Mappings from the result endpoint are prefixed with data. to denote they are from the detailed result pull. Mappings from the verdict endpoint are prefixed with gsb. to denote they are from the Google Safe Browsing option.

Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes
data.page.url | Indicator.Value | URL | data.task.time | N/A | The URL of the final page after redirects
data.task.url | Indicator.Value | URL | data.task.time | N/A | The URL of the original task
data.page.asn | Indicator.Value, Indicator.Attribute | ASN | data.task.time | 396982 | For ASNs, if ASN Organization is enabled in Page Context to Ingest. User-configurable.
data.meta.processors.download.data[].sha256 | Indicator.Value | SHA-256 | data.meta.processors.download.data[].startedAt | N/A | Hashes downloaded from the URL. User-configurable.
data.meta.processors.download.data[].url | Indicator.Value | URL | data.meta.processors.download.data[].startedAt | N/A | Download URLs. User-configurable.
data.page.domain | Indicator.Value | FQDN | data.task.time | appleindia.com | The primary FQDN resolved via DNS for the enriched IP address.
data.meta.processors.download.data[].mimeType | Indicator.Attribute | MIME Type | Varies | N/A | Comes only for indicators ingested from the download.data (e.g., SHA-256/URL). User-configurable.
data.meta.processors.download.data[].filename | Indicator.Attribute | Filename | data.meta.processors.download.data[].startedAt | N/A | Filename of the downloaded file. Comes only for indicators ingested from the download.data (e.g., SHA-256/URL).
data.meta.processors.download.data[].filesize | Indicator.Attribute | File Size | data.meta.processors.download.data[].startedAt | N/A | Size of the downloaded file (in bytes). Comes only for indicators ingested from the download.data (e.g., SHA-256/URL).
data.verdicts.overall.tags | Indicator.Tag | N/A | N/A | N/A | Tags added by the scanning engine. User-configurable.
data.task.tags | Indicator.Tag | N/A | N/A | N/A | User-configurable.
gsb.gsb.verdict.{key} | Indicator.Tag | N/A | N/A | phishing | Boolean key flags are converted to tags based on what is true.
data.verdicts.overall.categories[] | Indicator.Attribute | Category | data.task.time | Phishing | User-configurable.
data.verdicts.overall.score | Indicator.Attribute | Threat Score | data.task.time | 100 | User-configurable. Updatable.
data.verdicts.overall.malicious | Indicator.Attribute | Verdict | data.task.time | Malicious | Malicious if true, otherwise, Indeterminate. User-configurable. Updatable.
data.verdicts.overall.brands[] | Indicator.Attribute | Target Brand | data.task.time | Google | User-configurable.
gsb.gsb.verdict.{key} | Indicator.Attribute | Google Safe Browsing Verdict | data.task.time | Suspicious | Set based on which verdict flags are true. Malicious if true, otherwise, Indeterminate. User-configurable. Updatable.
gsb.gsb.verdict.{key} | Indicator.Attribute | Threat Type | data.task.time | Phishing | Set based on which verdict flags are true.
data.page.asnname | Indicator.Attribute | AS Organization | data.task.time | GOOGLE-CLOUD-PLATFORM, US | For ASNs, if ASN Organization is enabled in Page Context to Ingest. User-configurable.
data.page.country | Indicator.Attribute | Country Code | data.task.time | US | If Country Code is enabled in userfields. User-configurable.
data.page.city | Indicator.Attribute | City | data.task.time | Los Angeles | If City is enabled in userfields. User-configurable.
data.page.tlsIssuer | Indicator.Attribute | Certificate Issuer | data.task.time | N/A | If Certificate Issuer is enabled in userfields. User-configurable.
data.page.tlsValidFrom | Indicator.Attribute | Certificate Valid From | data.task.time | N/A | If Certificate Valid From is enabled in userfields. User-configurable. Updatable.
data.page.server | Indicator.Attribute | Server | data.task.time | nginx | If Server is enabled in userfields. User-configurable.
data.page.status | Indicator.Attribute | Last HTTP Status Code | data.task.time | 200 | If Last HTTP Status Code is enabled in userfields. User-configurable. Updatable.
data.page.title | Indicator.Attribute | Site Title | data.task.time | N/A | If Site Title is enabled in userfields. User-configurable. Updatable.
data.page.mimeType | Indicator.Attribute | MIME Type | data.task.time | text/html | If MIME Type is enabled in userfields. Comes only for the indicators from the collection. User-configurable.

The MIME Type attribute comes from data.meta.processors.download.data[].mimeType only for the related objects; for the parent object it comes from a different path, page.mimeType.
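
The verdict, ASN and downloaded-file rows of the mapping above, applied to one result as an added example (not ThreatQuotient's code). The function and option names, the output shape, the use of brands[].name for Target Brand, dropping the "AS" prefix to match the Examples column, and the sample inputs are assumptions made for illustration.

```python
# Constructed inputs, trimmed to the fields the mapping table reads.
SAMPLE_RESULT = {
    "task": {"time": "2025-10-27T19:00:24.461Z", "tags": ["triage"]},
    "page": {"asn": "AS64500", "asnname": "EXAMPLE-NET, ZZ"},
    "verdicts": {"overall": {
        "score": 100, "malicious": True, "categories": ["phishing"], "tags": ["phishing"],
        "brands": [{"key": "examplebrand", "name": "Example Brand"}]}},
    "meta": {"processors": {"download": {"data": [{
        "filename": "setup.exe", "filesize": 1024, "mimeType": "application/x-dosexec",
        "url": "https://files.example.test/setup.exe", "sha256": "ab" * 32}]}}},
}
SAMPLE_GSB = {"gsb": {"verdict": {"dangerous": True, "phishing": True,
                                  "malware": False, "pua": False}}}


def present(pairs):
    """Drop attributes whose value is missing from the response."""
    return [(name, value) for name, value in pairs if value not in (None, "")]


def map_result(result, gsb=None, asn_as="Indicators",
               active_if_malicious=True, ingest_downloads=True):
    """Turn one result (plus optional verdict-endpoint response) into ThreatQ-style context."""
    overall = result.get("verdicts", {}).get("overall", {})
    page = result.get("page", {})
    malicious = overall.get("malicious") is True

    # Verdict rows: Malicious if true, otherwise Indeterminate.
    verdict_attrs = present(
        [("Threat Score", overall.get("score")),
         ("Verdict", "Malicious" if malicious else "Indeterminate")]
        + [("Category", c) for c in overall.get("categories", [])]
        + [("Target Brand", b.get("name")) for b in overall.get("brands", [])])
    attributes = list(verdict_attrs)

    # Tags: scanner tags, task tags, and every Google Safe Browsing flag that is true.
    tags = set(overall.get("tags", [])) | set(result.get("task", {}).get("tags", []))
    if gsb:
        tags |= {key for key, flag in gsb["gsb"]["verdict"].items() if flag is True}

    status = "Active" if malicious and active_if_malicious else None
    related = []

    # ASN: as its own indicator (AS Organization goes on the ASN) or as attributes.
    asn = page.get("asn") or ""
    asn = asn[2:] if asn.upper().startswith("AS") else asn
    org = present([("AS Organization", page.get("asnname"))])
    if asn and asn_as == "Indicators":
        related.append({"type": "ASN", "value": asn, "status": None, "attributes": org})
    elif asn:
        attributes += [("ASN", asn)] + org

    # Downloaded files inherit the parent's verdict attributes and status.
    downloads = result.get("meta", {}).get("processors", {}).get("download", {})
    for item in downloads.get("data", []) if ingest_downloads else []:
        file_attrs = verdict_attrs + present(
            [("MIME Type", item.get("mimeType")), ("Filename", item.get("filename")),
             ("File Size", item.get("filesize"))])
        for ioc_type, key in (("SHA-256", "sha256"), ("URL", "url")):
            if item.get(key):
                related.append({"type": ioc_type, "value": item[key],
                                "status": status, "attributes": file_attrs})

    return {"status": status, "attributes": attributes,
            "tags": sorted(tags), "related": related}


if __name__ == "__main__":
    from pprint import pprint
    pprint(map_result(SAMPLE_RESULT, SAMPLE_GSB))
```

Because downloaded files inherit the parent's status, a single malicious verdict on a page can set every file hash seen during that scan to Active; review the Ingest IOCs for Downloaded Files setting with that in mind.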

Enriched Data

Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.

Metric | Result
Run Time | 1 minute
Indicators | 10
Indicator Attributes | 43

Known Issues / Limitations

  • URL indicators enriched by this action are ingested with URL Normalization enabled, regardless of the system’s configured settings. This may result in duplicate URLs if the original indicator was not normalized at the time of ingestion.

Change Log

  • Version 1.0.0
    • Initial release

PDF Guides

Document | ThreatQ Version
URLScan.io Action Guide v1.0.0 | 5.12.1 or Greater