-
Notifications
You must be signed in to change notification settings - Fork 16
/
playbook.json
472 lines (472 loc) · 26.6 KB
/
playbook.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
[
{
"description": "Query Timesketch for threat intelligence and report sightings in MISP and Mattermost",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"timesketch",
"forensic",
"monitoring",
"detection",
"sighting"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_timesketch_search_query_sightings.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "f4a7ccf3-6ca0-4707-bb1a-bd5f61610efc",
"issue": "https://github.com/MISP/misp-playbooks/issues/6",
"purpose": "This playbook queries Timesketch for matches based on MISP search results (indicators). The MISP search is configured by the analyst with mandatory tags, exclusion tags, and optional attribute type filters. The resulting attributes are then used to query Timesketch. You can limit the results and save the search in Timesketch. The results are summarised in the playbook, added as sightings in MISP, and sent as a notification to Mattermost. As an extra, there's a sample Bash script for importing EVTX files (e.g., from https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES)"
},
{
"description": "Create a custom MISP warninglist",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"warninglist",
"hunting"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_create_custom_MISP_warninglist.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "1c946ff3-0798-4c59-a19e-fc0b622e75e3",
"issue": "https://github.com/MISP/misp-playbooks/issues/7",
"purpose": "This playbook creates a custom MISP warninglist with a set of entries provided by the analyst as input. A check is done if the warninglist already exists. If the warninglist already exists then the entries are added to the existing warninglist. When the warninglist is created the MISP events are queried for matches ('retro-search'). The playbook also queries Shodan and VirusTotal for matches with entries in the warninglist. The result of the creation of the warninglist as well as the matches is summarised at the end of the playbook and sent to Mattermost or Slack or added as an alert in TheHive."
},
{
"description": "Using timestamps in MISP",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"timestamp",
"export"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_using_timestamps_in_MISP.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "7b498d8f-d1a3-4576-b894-58f908fff82c",
"issue": "https://github.com/MISP/misp-playbooks/issues/42",
"purpose": "A playbook that documents the different timestamps that are used in MISP. Go through the timestamp for publishing and last changes as well as how these can be used in search queries. Document what changes a timestamp in a MISP event."
},
{
"description": "Curation: disable decayed indicators",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"curation",
"workflow",
"todo",
"qa",
"quality",
"audit",
"decaying",
"indicators",
"lifecycle"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_curate_disable_decayed_indicators.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "4676fe7c-6811-4df6-b591-b3f494846a52",
"issue": "https://github.com/MISP/misp-playbooks/issues/30",
"purpose": "This playbook disables decayed indicators. It uses a custom decaying model defined in this playbook but can also rely on the MISP build-in models. When an indicator is considered decayed, the `to_ids` flag is set to False and the attribute is tagged. The build-in decaying feature of MISP adds a (decay) score to an indicator but does not automatically disable it. This playbook allows you to do just that. The playbook can exclude or include attributes that are tagged with specific labels. Use this MISP playbook together with the (https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_curate_misp_events.ipynb) and (https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_query_for_inconsistencies_misp_events.ipynb) playbook for optimal threat intelligence curation result. The results are summarised at the end of the playbook and shared with Mattermost."
},
{
"description": "Retroscan with a MISP warninglist",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"warninglist",
"hunting",
"false-positives",
"indicator-quality",
"curation"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_retroscan_with_MISP_warninglist.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "9469c0d5-2d79-4c2e-8727-fa9321411e92",
"issue": "https://github.com/MISP/misp-playbooks/issues/8",
"purpose": "This playbook does a retroscan to check for attributes matching the values in a warninglist. You can then disable the to_ids flag or add a tag or comment. This playbook acts as a retroscan for threat intelligence curation when you add for example a new warninglist to MISP. The results are summarised and sent to Mattermost and TheHive. Also have a look at \"(https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_create_custom_MISP_warninglist.ipynb)\" for ways to create or edit warninglists via MISP playbooks."
},
{
"description": "Query CVE information",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"cve",
"vulnerability",
"exploits"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_query_cve_information.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "efda7766-78f6-4444-8072-beac92eaae97",
"issue": "https://github.com/MISP/misp-playbooks/issues/25",
"purpose": "This playbook queries the MISP events for the use of specific CVEs. It lists the events with the context (galaxies) that are attached to the event. The playbook queries public sources (CVE search, vulners, XForceExchange, exploitdb) for additional CVE information. The results are stored in the playbook, in a MISP event and sent to Mattermost and TheHive."
},
{
"description": "Create a MISP event from Microsoft Sentinel security incidents",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"sentinel",
"siem",
"monitoring",
"detection",
"microsoft"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_event_from_sentinel_incidents.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "00ba33ee-1402-4669-ad0b-fef256a36870",
"issue": "https://github.com/MISP/misp-playbooks/issues/34",
"purpose": "This playbook extracts information from Microsoft Sentinel security incidents, parses the associated alerts and entities, and extracts useful indicators. A new MISP event is created with the incident summary, and the indicators are added to the MISP event. Sightings are also added to the indicators. At the end of the playbook, a summary is displayed and shared via Mattermost. The playbook uses credentials (tokens) obtained through an Azure App. Additionally, it includes a section on uploading custom logs to Sentinel, which was used during development and can be relevant for other purposes."
},
{
"description": "Malware triage with MISP",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"malware",
"triage",
"incidentresponse",
"ir",
"dfir"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_malware_triage.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "68b42f4d-8d5e-46c4-97f8-b87b9df210a3",
"issue": "https://github.com/MISP/misp-playbooks/issues/2",
"purpose": "A playbook to provide an analyst sufficient information to do basic malware triage on one or more samples. This playbook creates a MISP event for malware triage. Samples are attached to a MISP event (with file object relations). VirusTotal and MalwareBazaar are used to get the detection rate, threat classification and sandbox information. Hashlookup is used to check for known hashes. PEfile analysis is done for imports and exports. The results are stored in MISP reports and as MISP objects where relevant. Correlations with MISP events or data feeds are added to a summary. The sample is shared with a local instance of MWDBcore. The summary is then sent to Mattermost."
},
{
"description": "Query hash information",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"hash",
"reputation",
"abuse",
"sample",
"file",
"malware"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_query_hash_information.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "9b9f655d-100d-490e-b3b3-ec24cf5526bd",
"issue": "https://github.com/MISP/misp-playbooks/issues/15",
"purpose": "This playbook is complementary to the playbooks for (https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_malware_triage.ipynb) and (https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_malware_triage_upload_sample.ipynb) and investigates file hashes. It checks if the hashes are found on MISP warninglists, in MISP events or in MISP feeds. Uses the information from VirusTotal, Hashlookup and MalwareBazaar to provide context information on hashes. It creates a MISP report for each hash. Run this playbook if you do not have the sample and have to work with only the hash."
},
{
"description": "Query IP reputation",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"ip",
"reputation",
"abuse",
"whois"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_query_ip_reputation.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "39a029be-e4d7-40da-88b2-1d0bf9417ad0",
"issue": "https://github.com/MISP/misp-playbooks/issues/12",
"purpose": "A playbook to query for the reputation of one or more IPs. It combines the reputation scores from VirusTotal, Shodan, Greynoise and AbuseIPDB into one MISP report. The playbook adds the known associated domains, the abuse contacts and the geo information from MMDB. All information is added to a MISP event, summarised and send to Mattermost and TheHive."
},
{
"description": "Malware triage with MISP - Dynamic malware analysis",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"malware",
"triage",
"sandbox",
"incidentresponse",
"ir",
"dfir"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_malware_triage_upload_sample.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "8bada769-763a-46c3-a9b2-6b4808a47d36",
"issue": "https://github.com/MISP/misp-playbooks/issues/3",
"purpose": "This playbook extends the results retrieved with static malware analysis in the (https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_malware_triage.ipynb) playbook and does the dynamic malware analysis with one or more malware sandboxes. The results are stored in a MISP report and sent to Mattermost."
},
{
"description": "Query for inconsistencies in MISP events",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"distribution",
"data protection",
"curation",
"inconsistencies",
"qa",
"quality",
"audit"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_query_for_inconsistencies_misp_events.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "83e49ad8-6a8e-4317-b689-4154084dfe82",
"issue": "https://github.com/MISP/misp-playbooks/issues/22",
"purpose": "This playbook checks for inconsistencies in the event distribution, the TLP designation and the PAP marking. The playbook also verifies if events contain sufficient attributes, objects, tags or galaxies. There are also checks for inconsistencies with the workflow tags, a taxonomy that is often used during threat intelligence curation. The results are listed in the playbook and sent to Mattermost. Note that MISP has also built-in checks encoded in (https://github.com/MISP/MISP/blob/2.4/app/Lib/EventWarning/DefaultWarning.php)"
},
{
"description": "Threat Actor profiling",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"mitre",
"actor",
"intrusion-set",
"galaxies",
"clusters",
"contextualisation"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_threat_actor_profiling.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "bf0d86c4-b795-48a7-a3a9-e625620d1726",
"issue": "https://github.com/MISP/misp-playbooks/issues/26",
"purpose": "This playbook queries MISP events associated with a specific threat actor. The playbook summaries the galaxies, clusters and tags from the MISP events, lists the vulnerabilities (CVE) and the actionable indicators. Optionally the playbook queries the MITRE TAXII server to get a list of associated techniques and software. The result of the playbook is a profile on a threat actor based on the MISP events. The results are stored in the playbook and sent to Mattermost and as an alert in TheHive."
},
{
"description": "Curate MISP events",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"curation",
"workflow",
"todo",
"qa",
"quality",
"audit"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_curate_misp_events.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "4c4d34f7-8628-410e-b41d-712061020e0c",
"issue": "https://github.com/MISP/misp-playbooks/issues/21",
"purpose": "This playbook queries for MISP events that require curation and addresses the remaining curation tasks. In general you run this playbook after your automatic or manual curation process has highlighted the events that require a review but you can also force the playbook to curate all events. This playbook uses the hashlookup and mmdb_lookup MISP modules. This playbook searches for events with `workflow:state=incomplete`. If you force curation (`curation_always_do_curation_tasks`) then all curation tasks are executed. Otherwise, The playbook processes only the curation tasks (`workflow:todo`) attached ('tagged') to an event. After curation the state is changed to `workflow:state=complete` and the event is published. The curation includes Disable to_ids for attributes matching a warninglist, except for URLs or hostnames where a manual review is necessary Disable to_ids for attributes matching known software (via hashlookup) Add a GalaxyCluster with the location of an IP (via mmdb_lookup) Add TTPs based on string matches in the event title Tag attributes that are in MISP feeds (for easyr filtering afterwards) Use this MISP playbook together with the (https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_query_for_inconsistencies_misp_events.ipynb) playbook for optimal threat intelligence curation result. The results are summarised at the end of the playbook and shared with Mattermost."
},
{
"description": "Provision users and organisations",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"users",
"organisations",
"training",
"provisioning"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_provision_users_organisations.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "078ac11a-d0d9-4beb-aec7-067735ce6bed",
"issue": "https://github.com/MISP/misp-playbooks/issues/43",
"purpose": "This playbook creates users and organisations with PyMISP. It also shows how to reset a password and delete or disable users. It includes an example how to get the user logs and how to create large number of users at once. For this playbook your MISP API key needs to be associated with a user that is a site admin."
},
{
"description": "Create MISP objects and relationships",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"objects",
"context"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_create_MISP_objects_and_relationship.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "c0f920a6-37e1-47bb-92b8-1491dc710d39",
"issue": "https://github.com/MISP/misp-playbooks/issues/11",
"purpose": "This playbook walks the analyst through the phases of creating MISP objects and adding a relationship between these objects. The playbook is typically triggered when an an analyst wants to add related, contextually linked, attributes to a MISP event.The objects are added to a new or an existing MISP event. The playbook prints out a summary that can be used to notify colleagues via Mattermost or other channels.The playbook uses an Emotet sample to demonstrate the functionality, with links from a file object to URL and HTTP request objects. It also creates the victim objects."
},
{
"description": "Bulk delete MISP events",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"delete",
"clean",
"curation"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_bulk_delete_events.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "7d3fd7fe-fe4b-48a3-8e7e-8bd4e4bf2f0d",
"issue": "https://github.com/MISP/misp-playbooks/issues/29",
"purpose": "A playbook to assist MISP users in doing bulk deletes of MISP events. Deletes are done for events created by organisations, for events before or after specific dates, published or unpublished events or for events with specific tags. A summary of the actions is printed and published on Mattermost."
},
{
"description": "JARM fingerprint investigations with Censys, Shodan and MISP",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"jarm",
"fingerprint",
"tls",
"certificate",
"censys",
"shodan",
"investigation",
"infrastructure"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_jarm_verification.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "2e8acabf-c0a8-4d7c-803b-5d2aa0ea4359",
"issue": "https://github.com/MISP/misp-playbooks/issues/19",
"purpose": "This playbook enables the investigation of JARM fingerprints which you can then use for threat actor infrastructure tracking. It verifies the existence of these fingerprints in MISP events and active OSINT feeds. The playbook then queries Censys and Shodan to identify hosts with services that match the fingerprints. The results are added to a MISP event as MISP objects and event reports. At the conclusion of the playbook, a summary is displayed and shared via Mattermost."
},
{
"description": "Query domain reputation",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"domain",
"reputation"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_query_domain_reputation.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "e0af39c0-095b-4c31-9e42-2a731928c2a1",
"issue": "https://github.com/MISP/misp-playbooks/issues/13",
"purpose": "This playbook queries the enabled OSINT feeds and the local MISP events for matches with one or more domain name(s). The playbook also queries URLscan for historical scans related to the domains and extracts the screenshots from URLscan. The playbook then uses the MISP modules to look up the DNS resolutions and queries VirusTotal, Shodan and URLhaus for information related to the domains. You can also specify additional entries (indicators or elements to be used for querying these sources). The playbook also looks up the known abuse contacts via abuse_finder. All this information is then included in a summary and send to Mattermost and TheHive."
},
{
"description": "Query Elasticsearch for threat intelligence and report sightings in MISP and Mattermost",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"elastic",
"elasticsearch",
"monitoring",
"detection",
"sighting"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_elasticsearch_matches_sightings.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "168e0485-7fde-431a-ba7a-b8a215e4d394",
"issue": "https://github.com/MISP/misp-playbooks/issues/",
"purpose": "This playbook queries Elasticsearch for matches with the results of a MISP search (indicators). The MISP search is configured by the analyst with a set of tags, mandatory tags and exclusion tags. Additional filtering can be done on attribute type. The search result is then a list of attributes which is used as a query to Elasticsearch. The query in Elasticsearch can be limited in time and capped on a maximum number of results. The results are then summarised in the playbook, added as sightings in MISP and a notification is sent to Mattermost."
},
{
"description": "Geolocate IP addresses and calculate distance",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"geolocation",
"fingerprint",
"geoint",
"mmdb",
"infrastructure"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_geolocate_ip_and_calc_distance.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "81ba2210-5052-49f4-9d6a-41d42d28ca45",
"issue": "https://github.com/MISP/misp-playbooks/issues/20",
"purpose": "This playbook gets the IP addresess in a MISP event (ip-src and ip-dst). It then queries for the geolocation of these addresses via MMDB, puts them on a map and calculates the distance between coordinates with the help of Geopy. The map is attached as a screenshot to the MISP event, the findings are added as a MISP report, stored in the playbook and sent to Mattermost."
},
{
"description": "Playbook title",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"tags"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_skeleton.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "UUID",
"issue": "https://github.com/MISP/misp-playbooks/issues/20",
"purpose": "PurposePurpose details"
},
{
"description": "Create or update a MISP event with information from a phishing incident with a link",
"tags": [
"misp",
"playbook",
"Threat Intel",
"IOC",
"phishing"
],
"link": "https://github.com/MISP/misp-playbooks/blob/main//misp-playbooks/pb_create_or_update_a_MISP_event_with_information_from_a_phishing_incident_with_a_link.ipynb",
"authors": [
"Koen Van Impe"
],
"uuid": "48674c0e-1c31-4f4a-bfaa-86b9511081ac",
"issue": "https://github.com/MISP/misp-playbooks/issues/1",
"purpose": "This playbook creates a new MISP event or completes an existing MISP event with details of a phishing incident.The playbook is triggered during the investigation of a phishing security incident. The playbook requires the phishing indicators such as the links, e-mail body, e-mail headers, e-mail subject and senders as input. It will then encode these values as attributes and objects in a MISP event. The playbook creates relationships between the objects and sets default tags (PAP, course-of-action matrix) and MISP clusters on event and attributes (contextualisation).The playbook queries (local) MISP events and OSINT feeds for matches with the indicators. You can use this information for correlation. URLscan is queried for the links included in the e-mail. The historical scan results and screenshots are imported in the playbook and MISP. Next to the enrichment via the scan results, the query at URLscan also provides IP and ASN information of the location where the URL is hosted. The URLs are submitted to Lookyloo for further analysis. The phishing URLs are also reported (manually) to Google, Microsoft and Phishtank. A final report with a list of indicators is summarised in the playbook and sent via chat to Mattermost. The results can also be added as an alert to TheHive."
}
]