Phishlabs Global CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Integration Detail | Value |
---|---|
Current Integration Version | 1.0.0 |
Compatible with ThreatQ Versions | >= 4.24.0 |
Support Tier | ThreatQ Supported |
Introduction
The Phishlabs Global CDF ingests indicators of compromise from directly-observed phishing attacks around the world.
The integration provides the following feed:
- Phishlabs Global - https://ioc.phishlabs.com/api/v1/globalfeed
The integration ingests the following indicator types:
- URL
- FQDN
- MD5
- Email Address
- Filename
- File Type
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Commercial option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
API ID | Your Phishlabs account API ID. |
API Key | Your Phishlabs account API Key. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
Phishlabs Global
GET https://ioc.phishlabs.com/api/v1/globalfeed
Sample Response:
```json
{
  "data": [
    {
      "id": "45cfc6ec-c525-4372-b25f-53365dc39a8f",
      "createdAt": "2020-03-20T17:58:00Z",
      "value": "ca8322bf26ff997c39c1d568d931d7d8",
      "type": "Attachment",
      "attributes": [
        {
          "id": "2b2f0e9e-1d18-4cbb-aa29-e01ade0e1c34",
          "createdAt": "2020-03-20T17:58:00Z",
          "value": "ca8322bf26ff997c39c1d568d931d7d8",
          "name": "md5"
        },
        {
          "id": "a390c924-8b66-425d-89b5-58fcc0ac665a",
          "createdAt": "2020-03-20T17:58:00Z",
          "value": "application/zip",
          "name": "filetype"
        },
        {
          "id": "d678a22f-0f07-4397-995a-6d330e4f5a5e",
          "createdAt": "2020-03-20T17:58:00Z",
          "value": "covid37_form.zip",
          "name": "name"
        }
      ],
      "falsePositive": false
    },
    {
      "id": "508b322f-5cb9-41f7-bc52-f1806a83d84f",
      "createdAt": "2020-03-20T17:55:17Z",
      "value": "https://firebasestorage.googleapis.com/?obfuscated",
      "type": "URL",
      "falsePositive": false
    }
  ],
  "meta": {
    "count": 2,
    "statusCode": 0,
    "statusMessage": ""
  }
}
```
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
---|---|---|---|---|---|
.data[].type | Indicator.Type | N/A | N/A | Attachment | |
.data[].value | Indicator.Value | See Phishlabs Indicator Type to ThreatQ Indicator Type mapping | .data[].createdAt | ca8322bf26ff997c39c1d568d931d7d8 | |
.data[].falsePositive | Indicator.Attribute | False Positive | .data[].createdAt | False | Attributed to all indicators created from a given object |
.data[].attributes[].value | Indicator.Value | Filename | .data[].createdAt | covid37_form.zip | Created if .data[].type is Attachment and .data[].attributes[].name is name ; related to the top-level indicator |
.data[].attributes[].value | Indicator.Attribute | File Type | .data[].createdAt | application/zip | Created if .data[].type is Attachment and .data[].attributes[].name is filetype ; attributed to all indicators created from a given object |
Indicator Type Mapping
ThreatQuotient provides the following indicator type mapping:
Phishlabs Indicator Type | ThreatQ Indicator Type |
---|---|
URL | URL |
Domain | FQDN |
Sender | Email Address |
ReturnPath | Email Address |
ReplyTo | Email Address |
HeaderReplyTo | Email Address |
Attachment | MD5 |
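As an added example (not ThreatQuotient's CDF code), the Python below applies the default feed mapping and the indicator type mapping above to the page's sample response; the output dict shape (`published_at`, `related`) is an assumption for illustration, not the ThreatQ API.

```python
import json

# Phishlabs -> ThreatQ indicator type mapping, taken from the table above.
TYPE_MAP = {
    "URL": "URL", "Domain": "FQDN", "Sender": "Email Address",
    "ReturnPath": "Email Address", "ReplyTo": "Email Address",
    "HeaderReplyTo": "Email Address", "Attachment": "MD5",
}

# Constructed sample: the page's sample response, with object ids trimmed.
SAMPLE = json.loads("""{"data": [
  {"createdAt": "2020-03-20T17:58:00Z", "type": "Attachment",
   "value": "ca8322bf26ff997c39c1d568d931d7d8", "falsePositive": false,
   "attributes": [{"name": "md5", "value": "ca8322bf26ff997c39c1d568d931d7d8"},
                  {"name": "filetype", "value": "application/zip"},
                  {"name": "name", "value": "covid37_form.zip"}]},
  {"createdAt": "2020-03-20T17:55:17Z", "type": "URL",
   "value": "https://firebasestorage.googleapis.com/?obfuscated",
   "falsePositive": false}],
 "meta": {"count": 2, "statusCode": 0, "statusMessage": ""}}""")


def map_feed(response):
    """Apply the page's default mapping to one /globalfeed response body;
    objects with an unmapped Phishlabs type are skipped, not guessed at."""
    indicators = []
    for obj in response.get("data", []):
        tq_type = TYPE_MAP.get(obj.get("type"))
        if tq_type is None:
            continue  # not in the documented type mapping
        published = obj["createdAt"]  # published date for everything derived here
        # Attributes shared by all indicators created from this object.
        shared = [{"name": "False Positive", "value": str(obj.get("falsePositive", False)),
                   "published_at": published}]
        filenames = []
        if obj["type"] == "Attachment":
            for attr in obj.get("attributes", []):
                if attr.get("name") == "filetype":
                    shared.append({"name": "File Type", "value": attr["value"],
                                   "published_at": published})
                elif attr.get("name") == "name":
                    filenames.append(attr["value"])
        top = {"type": tq_type, "value": obj["value"], "published_at": published,
               "attributes": list(shared), "related": []}
        indicators.append(top)
        for name in filenames:  # Filename indicator related to the top-level MD5
            indicators.append({"type": "Filename", "value": name, "published_at": published,
                               "attributes": list(shared), "related": [obj["value"]]})
    return indicators
```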
Average Feed Run
Object counts and feed runtime are supplied as generalities only: the objects returned by a provider can differ based on credential configuration, and feed runtime may vary with system resources and load.
Metric | Result |
---|---|
Run Time | < 1 minute |
Indicators | 90 |
Indicator Attributes | 86 |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
Phishlabs Global CDF Guide v1.0.0 | 4.24.0 or Greater |