UrlScan.io Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.2 |
| Compatible with ThreatQ Versions | >= 4.0.0 |
| Support Tier | ThreatQ Supported |
Introduction
The URLScan.io Operation for ThreatQuotient enables a ThreatQ user to submit URLs to URLScan.io, as well as query URLScan.io for any results on a URL.
The operation provides the following actions:
- Search - queries URLScan.io for a specific indicator found in any public submission reports.
- Get Report - retrieves a report for any scan IDs found in the indicator's attributes.
- Submit - submits a URL or FQDN to URLScan.io. Once submitted, an attribute called "URLScan.io ID" will be added to the indicator.
The integration is compatible with the following indicator types:
- FQDN
- IP Address
- SHA-256
- URL
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter Description API Key Your URLScan.io API key. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The UrlScan.io operation provides the following actions:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| Submit | Submits a URL or FQDN to URLScan.io. Once submitted, an attribute called "URLScan.io ID" will be added to the indicator | Indicator | FQDN, IP Address, URL |
| Get Reports | Retrieves a report for any scan IDs found in the indicator's attributes. | Indicator | FQDN, IP Address, URL |
| Search | Queries URLScan.io for a specific indicator found in any public submission reports. | Indicator | FQDN, IP Address, SHA-256, URL |
Submit
The Submit action will submit a URL or FQDN to URLScan.io. Once submitted, an attribute called "URLScan.io ID" will be added to the indicator.
Parameters
The following parameters are available for the Submit action:
| Parameter | Description |
|---|---|
| Public | Select whether the scan will be publicly visable. This option is not enabled by default. |
| Tags | Enter one or more tags, in line-separated format, to be added to the submission. |
Example
Get Reports
The Get Reports action will retrieve a report for any scan IDs found in the indicator's attributes (see the Submit action).
Example
Search
The Search action queries URLScan.io for a specific indicator found in any public submission reports.
Example - Single Result
Example - Multiple Results
Change Log
- Version 1.0.2
- Corrected version number displayed after installation.
- Fixed an issue where the schema was stripped from URLs.
- Fixed an issue where the integration did not honor customer-set proxy configurations.
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| URLScan.io Operation Guide v1.0.2 | 4.0.0 or Greater |
| ThreatQuotient for URLScan.io Operation Implementation Guide v1.0.0 | 4.20 or Greater |