PhishTank CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 2.1.0 |
Compatible with ThreatQ Versions | >= 4.56.0 |
Support Tier | ThreatQ Supported |
Introduction
PhishTank returns to ThreatQ a collection of Indicators, which we normalize and relate to their associated structures. This document details how the data is normalized and constructed in the platform. Mainly, URLs form relationships to IPs, and IPs relate to the reported CIDR Blocks. Attributes are applied only to the URLs to which they are assigned.
The integration provides the following feed:
- PhishTank - ingests URLs and related IP Addresses and CIDR Blocks.
The integration ingests the following Indicator types:
- CIDR Block
- IP Address
- URL - this may be normalized to FQDN.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the OSINT option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
Application Key | Optional - your PhishTank Application Key. |
Feed URL | Display Only - update the name that will display in the ThreatQ UI. |
Verify SSL | If enabled, the integration will verify SSL connections with the provider. |
Context Filter | Multi-select yielding control of attribute selection to the user. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
PhishTank
The PhishTank feed returns a compressed file, online-valid.json.gz. The sample response below shows the file in an uncompressed format.
GET https://data.phishtank.com/data/{{user_fields.app_key}}/online-valid.json.gz
Sample Response:
[
  {
    "details": [
      {
        "announcing_network": "44476",
        "cidr_block": "185.176.43.0/24",
        "country": "BG",
        "detail_time": "2022-10-03T15:13:50+00:00",
        "ip_address": "185.176.43.98",
        "rir": "ripencc"
      }
    ],
    "online": "yes",
    "phish_detail_url": "http://www.phishtank.com/phish_detail.php?phish_id=7809274",
    "phish_id": "7809274",
    "submission_time": "2022-10-03T15:02:29+00:00",
    "target": "Other",
    "url": "http://movilappitau3hgm.c1.biz/",
    "verification_time": "2022-10-03T15:13:36+00:00",
    "verified": "yes"
  },
  {
    "details": [
      {
        "announcing_network": "44476",
        "cidr_block": "185.176.43.0/24",
        "country": "BG",
        "detail_time": "2022-10-03T15:13:50+00:00",
        "ip_address": "185.176.43.98",
        "rir": "ripencc"
      }
    ],
    "online": "yes",
    "phish_detail_url": "http://www.phishtank.com/phish_detail.php?phish_id=7809269",
    "phish_id": "7809269",
    "submission_time": "2022-10-03T15:02:25+00:00",
    "target": "HSBC Group",
    "url": "http://itau--000000.royalwebhosting.net/",
    "verification_time": "2022-10-03T15:13:36+00:00",
    "verified": "yes"
  }
]
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
---|---|---|---|---|---|
url | URL | Indicator | N/A | http://itau--000000.royalwebhosting.net | Main URL reported by PhishTank; draws relationships to the IP and CIDR Block. |
details.ip_address | IP Address | Related Indicator | N/A | 1.2.3.4 | IP which the URL is related to |
details.cidr_block | CIDR Block | Related Indicator | N/A | 198.23.171.0/20 | CIDR Block of related IP |
phish_id | PhishTank ID | Indicator.Attribute | N/A | 7809269 | If 'Phishtank ID' Context Filter is selected |
phish_detail_url | PhishTank URL | Indicator.Attribute | N/A | http://www.phishtank.com/phish_detail.php?phish_id=7809269 | If 'Phishtank Details URL' Context Filter is selected |
target | Target | Indicator.Attribute | N/A | HSBC Group | If 'Target' Context Filter is selected |
details.announcing_network | Announcing Network | Indicator.Attribute | N/A | 44476 | If 'Announcing Network' Context Filter is selected |
details.country | Country | Indicator.Attribute | N/A | BG | If 'Country' Context Filter is selected |
details.rir | RIR | Indicator.Attribute | N/A | ripencc | If 'RIR' Context Filter is selected |
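The mapping above can be reproduced offline to check what a feed file would yield before it is ingested. The following is an added example, not ThreatQuotient's implementation: the function names and output structure are hypothetical, and skipping malformed detail records and relating a CIDR Block only when it contains the IP are validation choices of this example.

```python
import gzip
import ipaddress
import json

# Feed path -> (Context Filter option, attribute key), from the mapping table.
URL_ATTRS = {"phish_id": ("Phishtank ID", "PhishTank ID"),
             "phish_detail_url": ("Phishtank Details URL", "PhishTank URL"),
             "target": ("Target", "Target")}
DETAIL_ATTRS = {"announcing_network": ("Announcing Network", "Announcing Network"),
                "country": ("Country", "Country"),
                "rir": ("RIR", "RIR")}

def map_entry(entry, context_filter):
    """Map one feed entry to a URL indicator with related indicators and attributes."""
    out = {"type": "URL", "value": entry["url"], "related": [], "attributes": []}

    def add_attrs(src, table):
        for path, (option, key) in table.items():
            pair = (key, src.get(path))
            if option in context_filter and pair[1] and pair not in out["attributes"]:
                out["attributes"].append(pair)  # attributes attach to the URL only

    add_attrs(entry, URL_ATTRS)
    for detail in entry.get("details", []):
        add_attrs(detail, DETAIL_ATTRS)
        try:
            ip = ipaddress.ip_address(detail["ip_address"])
            # strict=False accepts blocks written with host bits set.
            net = ipaddress.ip_network(detail["cidr_block"], strict=False)
        except (KeyError, ValueError):
            continue  # assumption: malformed detail records are skipped
        out["related"].append(("IP Address", str(ip)))
        if ip in net:  # assumption: relate the block only if it contains the IP
            out["related"].append(("CIDR Block", detail["cidr_block"]))
    return out

def parse_feed(gz_bytes, context_filter):
    """Decompress online-valid.json.gz content and map every entry."""
    return [map_entry(e, context_filter) for e in json.loads(gzip.decompress(gz_bytes))]

# Constructed sample: first record of the sample response plus a malformed detail.
SAMPLE = gzip.compress(json.dumps([{
    "details": [{"announcing_network": "44476", "cidr_block": "185.176.43.0/24",
                 "country": "BG", "ip_address": "185.176.43.98", "rir": "ripencc"},
                {"cidr_block": "not-a-cidr", "ip_address": "185.176.43.98"}],
    "phish_id": "7809274", "target": "Other",
    "url": "http://movilappitau3hgm.c1.biz/"}]).encode())

RESULT = parse_feed(SAMPLE, {"Target", "Country"})
```

With only the 'Target' and 'Country' options selected, the URL carries those two attributes and nothing else, and the malformed detail record contributes no related indicators.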
Average Feed Run
Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.
Metric | Result |
---|---|
Run Time | 80 Minutes |
Indicators | 72,761 |
Indicator Attributes | 440,297 |
Change Log
- Version 2.1.0
- Updated the Report Structure to provide better organization of relational data and attributes.
- Version 2.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
PhishTank CDF Guide v2.1.0 | 4.56.0 or Greater |