Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The PhishStats CDF is an open-source feed that ingests phishing URLS that have been reported to PhishStats. The feed automatically ingests the URLs, IPs, and relevant context into ThreatQ.

The integration provides the following feed:

• PhishStats - ingests the latest phishing URLs reported to PhishStats.

The integration ingests URL and IP type indicators along with relevant context.  

Installation

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

1. Log into https://marketplace.threatq.com/.
2. Locate and download the integration file.
3. Navigate to the integrations management page on your ThreatQ instance.
4. Click on the Add New Integration button.
5. Upload the integration file using one of the following methods:
   • Drag and drop the file into the dialog box
   • Select Click to Browse to locate the integration file on your local machine

   ThreatQ will inform you if the feed already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the feed contains changes to the user configuration. The new user configurations will overwrite the existing ones for the feed and will require user confirmation before proceeding.

6. The feed will be added to the integrations page. You will still need to configure and then enable the feed.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the OSINT option from the Category dropdown (optional).

   If you are installing the integration for the first time, it will be located under the Disabled tab.

3. Click on the integration entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   Parameter	Description
   Custom Query	Optional - Enter a custom where query to filter the API results.   Example: (score,gt,5)~and(tld,eq,br)~and(countrycode,ne,br)
   Indicator Filter	Select the indicator types to ingest.  Options include: Phishing URL (default) If this option is not enabled, ingested indicators will not be related. IP Address Hostname (FQDN) Domain (FQDN) Vulnerabilities (CVE)
   Context Filter	Select the context to ingest.  Options include: Score (default) Tags (default) Country Code (default) Country Name Region Code (default) Region Name City (default) Zip Code Latitude Longitude ASN TLD ISP Domain Registered Days Ago (default) HTTP Server Ports Abuse Contact Email Operating System Site Title
   Normalize Scores	Enable this parameter to normalize the score to a readable attribute format. Example: Low, Medium, High, Critical.  By default, PhishStats provides a score on a scale of 0 - 10.
   Custom Score Mapping	Enter the mapping criteria to normalize the score. The mapping should contain a line-separated CSV formatted string with the following columns: Minimum, Maximum, Normalized Value. Example 0,2.5,Low 2.6,5,Medium 5.1,7.5,High 7.6,10,Critical This parameter is only accessible if the Normalize Scores parameter is enabled.
   Ignore Domains with Alexa Rank	If enabled, domains and IPs that are Alexa ranked will not be ingested into the ThreatQ platform.  This option is enabled by default.
   Ignore Hostnames with Alexa Rank	If enabled, hostnames and IPs that are Alexa ranked will not be ingested into the ThreatQ platform.  This option is enabled by default.
   Ingest CVEs As	Select the object type to ingest CVEs as.  Options include: Indicators (CVE) Vulnerabilities (default)

   
   
5. Review any additional settings, make any changes if needed, and click on Save.
6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

[
  {
    "id": 9989504,
    "url": "https://business-meta-support-id867469.2254216.com/?content_id=m0QTpkB3B22HWYc/",
    "ip": "104.21.45.160",
    "countrycode": "US",
    "countryname": "United States",
    "regioncode": "",
    "regionname": "",
    "city": "",
    "zipcode": "",
    "latitude": "37.7510",
    "longitude": "-97.8220",
    "asn": "AS13335",
    "bgp": "104.16.0.0/12",
    "isp": "CLOUDFLARENET, US",
    "title": "Meta",
    "date": "2023-06-20T14:47:20.000Z",
    "date_update": "2023-06-20T15:53:19.000Z",
    "hash": "044a09f39c51c70d3e41d9b639e6dd68f1a6cee7aa3fd2387943c67459ac76f3",
    "score": 6,
    "host": "business-meta-support-id867469.2254216.com",
    "domain": "2254216",
    "tld": "com",
    "domain_registered_n_days_ago": 5,
    "screenshot": null,
    "abuse_contact": "abuse@business-meta-support-id867469.2254216.com abuse@2254216.com",
    "ssl_issuer": null,
    "ssl_subject": null,
    "rank_host": null,
    "rank_domain": null,
    "n_times_seen_ip": 2,
    "n_times_seen_host": 1,
    "n_times_seen_domain": 1,
    "http_code": 403,
    "http_server": null,
    "google_safebrowsing": null,
    "virus_total": "Yes",
    "abuse_ch_malware": "No",
    "threat_crowd": null,
    "threat_crowd_subdomain_count": null,
    "threat_crowd_votes": null,
    "vulns": "CVE-2016-20012, CVE-2017-15906, CVE-2018-15473, CVE-2018-15919",
    "ports": "80, 443, 2053, 2082, 2087, 2095, 8080, 8443, 8880",
    "os": null,
    "tags": "cdn",
    "technology": null,
    "page_text": null
  }
]

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

Known Issues / Limitations

• If the option Phishing URL is not enabled under the Indicator Filter configuration parameter, all the indicators ingested will not be related.
• FQDNs that are brought into the system as IPs are not related to the URL as the URL itself is an IP. This is because ThreatQ will not allow for duplicate objects with the same value.

Change Log

• Version 1.1.0
  • Updated the endpoint utilized by the integration.
  • Added the following configuration parameters:
    • Normalize Scores - normalize the score to a readable attribute format such as Low, Medium, High, Critical.
    • Custom Score Mapping - define mapping criteria for PhishStats scores to normalize scores. 
  • Added a new known issue - FQDNs that are brought into the system as IPs are not related to the URL as the URL itself is an IP. This is because ThreatQ will not allow for duplicate objects with the same value.
• Version 1.0.0
  • Initial release