URL remediation #16
Labels
needs triage
This issue has been automatically labelled and needs further triage
playbook:activity=5
Playbooks for activity 5
playbook:state=proposal
A 'proposal' for a new playbook
The title of the playbook
URL remediation
Purpose of the playbook
This playbook uses a domain as input information from the analysts. It queries the domain reputation feeds and verifies with URLscan and Lookyloo. The analyst can then add the URL (as attribute and as an object) to a new or existing MISP event. The playbook then sends the URL to external providers such as Google, Microsoft and Phishtank. The URL is added to a Watchlist in Azure Sentinel and added to an Elasticsearch index. It then provides a summary of results and shares the results via Mattermost or Slack or as an alert in TheHive or DFIR-IRIS (to be discussed for implementation). This playbook is similar to the playbook on creating a MISP event for a phishing case (#1), except that the focus here is only on a URL.
External resources used by this playbook
URLscan, Lookyloo, Mattermost (or Slack), TheHive (optional), DFIR-IRIS (optional), Google Safe Browsing, Microsoft Security Intelligence, Phishtank
Target audience
SOC, CSIRT, CTI
Briefly list the execution steps or workflow
No response
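One way the "add the URL (as attribute and as an object)" step could look, as an added example that is not part of the proposal or of the MISP playbooks code. It uses only the Python standard library and builds the event JSON that MISP accepts. The function names, the refanging rules, the `to_ids` choice and the sample URL are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlsplit


def refang(value):
    """Undo common analyst defanging (hxxp, [.], (.), [:]) before parsing."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def url_to_misp(raw, event_info="URL remediation"):
    """Return a MISP event dict holding the URL as attribute and as url object."""
    url = refang(raw)
    parts = urlsplit(url)
    # Reject bare domains and non-web schemes instead of storing a bad indicator.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an absolute http(s) URL: %r" % raw)
    # Object relations and types follow the MISP 'url' object template.
    relations = [
        ("url", "url", url),
        ("host", "hostname", parts.hostname),
        ("scheme", "text", parts.scheme),
        ("resource_path", "text", parts.path),
        ("query_string", "text", parts.query),
    ]
    if parts.port:
        relations.append(("port", "port", str(parts.port)))
    obj_attrs = [
        {"object_relation": rel, "type": typ, "value": val}
        for rel, typ, val in relations if val  # skip empty path or query
    ]
    return {"Event": {
        "info": event_info,
        # to_ids=True is an assumption: the URL is meant for detection export.
        "Attribute": [{"type": "url", "category": "Network activity",
                       "value": url, "to_ids": True}],
        "Object": [{"name": "url", "meta-category": "network",
                    "Attribute": obj_attrs}],
    }}


if __name__ == "__main__":
    # Constructed sample input, not an indicator from this issue.
    sample = "hxxps://login.example[.]com:8443/verify?id=1"
    print(json.dumps(url_to_misp(sample), indent=2))
```
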