Overview
The Security Flow APIVoid Plugin provides Incident enrichment with threat intelligence from the APIVoid API.
Functionality
The APIVoid Plugin provides the functionality to gather threat intelligence on domains and IP addresses.
Instance Configuration Parameters
Name for the APIVoid instance.
A system-wide unique identifier for this plugin instance used to locate the service.
API key used to access the APIVoid services.
Flow Node
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Configuration option determining the type of APIVoid API call to make:
- Search Within: dynamically search in the message and make API requests based on the IoC type found
- URL Report: Request a report for the specified URL or Domain
- IP Report: Request a report for the specified IP
This field defines the location from the message, flow, global, or JSONata expression to use as the data source for the IoC Threat Intelligence report. The following contexts are supported:
- msg: This selects part of the incoming message as the source of the data. This is the typical choice.
- flow: This selects part of the flow context’s saved data as the source. This information is shared with only the nodes on a given tab.
- global: This selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
- J: expression: a JSONata expression used to query and transform the payload before it is used as the data source.
NL-Message-Analysis node instead.
Helper node used to classify an Indicator of Compromise (IoC) from an APIVoid report as trusted or malicious based on the response's overall engine detection count. The field is found within the response at data.report.blacklists.detections. This node takes as input the successful response from the NL APIVoid node or the NL Broadcast Gather Threat Intelligence node.
Report analysis nodes have five (5) outputs.
- Malicious: The Malicious Detections level matched the Indicator of Compromise's detection count.
- Trusted: The Trusted Detections level matched the Indicator of Compromise's detection count.
- No Match: The rules did not match the IoC as either trusted or malicious.
- Report Missing: The incoming message did not include a report for APIVoid.
- Report Error: A report exists with an error message of some type.
The display name of the node within the flows.
Any detection count matching the defined Malicious Detections level is considered a malicious IoC. Malicious detection checks are done against one of the selected ranges.
- >= 1
- >= 2
- >= 3
- >= 4
- >= 5
- >= 10
- >= 15
- >= 20
- >= 25
Any detection count matching the defined Trusted Detections level is considered a trusted IoC. This field can be set to Never to never consider an IoC trusted. Trusted detection checks are done against one of the selected ranges.
- Never
- < 1
- < 2
- < 3
- < 4
- < 5
- < 10
If checked, a missing report audit message will be added to the Incident’s timeline.
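The routing rules above, written out as plain JavaScript in the style of a Node-RED function node. This is an added example, not the plugin's own code: the field path data.report.blacklists.detections, the five output names, the threshold choices and the error object shape are taken from this page; the function names, the sample messages and the decision that an error object takes precedence over a missing report are assumptions.

```javascript
// Added example (not the plugin's code): a model of the Report Analysis routing.
// Assumed paths (from the page's samples):
//   msg.payload.apivoid.response.data.report.blacklists.detections  (success)
//   msg.payload.apivoid.error                                        (failure)

// Output slot order as listed on the page.
const OUTPUTS = ["Malicious", "Trusted", "No Match", "Report Missing", "Report Error"];

// maliciousAtLeast mirrors the ">= N" choices (1,2,3,4,5,10,15,20,25).
// trustedBelow mirrors the "< N" choices (1,2,3,4,5,10); null means "Never".
function classifyApivoid(msg, { maliciousAtLeast = 3, trustedBelow = 1 } = {}) {
  const apivoid = msg && msg.payload && msg.payload.apivoid;
  if (!apivoid) return "Report Missing";
  // Assumption: an explicit error object is reported before a missing report.
  if (apivoid.error) return "Report Error";
  const report = apivoid.response && apivoid.response.data && apivoid.response.data.report;
  const detections = report && report.blacklists && report.blacklists.detections;
  if (typeof detections !== "number") return "Report Missing";
  if (detections >= maliciousAtLeast) return "Malicious";
  if (trustedBelow !== null && detections < trustedBelow) return "Trusted";
  return "No Match";
}

// Node-RED function nodes return one array entry per output wire; the message
// is placed in exactly one slot and every other slot is null.
function routeToOutputs(msg, options) {
  const verdict = classifyApivoid(msg, options);
  return OUTPUTS.map((name) => (name === verdict ? msg : null));
}

// Constructed sample messages, trimmed to the fields the classifier reads.
function sampleMsg(detections) {
  return {
    payload: {
      apivoid: {
        topic: "/nevelexlabs/service/apivoid/url/report",
        response: { data: { report: { blacklists: { detections, engines_count: 29 } } }, success: true },
        host: "example.invalid", // constructed placeholder host
      },
    },
  };
}
const SAMPLES = {
  clean: sampleMsg(0),
  twoHits: sampleMsg(2),
  fiveHits: sampleMsg(5),
  missing: { payload: {} },
  error: { payload: { apivoid: { error: { error_code: 5, error_message: "Error text" } } } },
};

// Classify every sample with the thresholds ">= 3" and "< 1".
function demo() {
  const results = {};
  for (const [name, msg] of Object.entries(SAMPLES)) {
    results[name] = classifyApivoid(msg, { maliciousAtLeast: 3, trustedBelow: 1 });
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

With ">= 3" and "< 1" selected, a count of 2 lands on the No Match output; lowering Malicious Detections to ">= 2" moves it to Malicious, and choosing Never for Trusted Detections means a count of 0 also ends up on No Match rather than Trusted.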
Learn More
JSON Message Format
The following samples show the JSON content added to the message payload, which conform to Node Messaging Format. The content exists within the apivoid object.
Success
The following content is inserted into the message payload upon a successful request. The node in the following sample used “google.com” as input:
"payload": {
"apivoid": {
"topic":"/nevelexlabs/service/apivoid/url/report",
"response":{
"data":{
"report":{
"blacklists":{
"engines":{
"0":{
"engine":"Phishing Test",
"detected":false,
"reference":"https://www.novirusthanks.org/",
"confidence":"low",
"elapsed":"0.00"
},
"1":{
"engine":"Scam Test",
"detected":false,
"reference":"https://www.novirusthanks.org/",
"confidence":"low",
"elapsed":"0.00"
},
"2":{
"engine":"Sinkholed Domain",
"detected":false,
"reference":"https://www.novirusthanks.org/",
"confidence":"low",
"elapsed":"0.00"
},
"3":{
"engine":"SpamhausDBL",
"detected":false,
"reference":"https://www.spamhaus.org/lookup/",
"confidence":"high",
"elapsed":"0.09"
},
"4":{
"engine":"Badbitcoin",
"detected":false,
"reference":"https://badbitcoin.org/",
"confidence":"high",
"elapsed":"0.00"
},
"5":{
"engine":"Bambenek Consulting",
"detected":false,
"reference":"http://www.bambenekconsulting.com/",
"confidence":"high",
"elapsed":"0.00"
},
"6":{
"engine":"C_APT_ure",
"detected":false,
"reference":"http://c-apt-ure.blogspot.com/",
"confidence":"high",
"elapsed":"0.00"
},
"7":{
"engine":"CERT-GIB",
"detected":false,
"reference":"http://www.cert-gib.com/",
"confidence":"high",
"elapsed":"0.00"
},
"8":{
"engine":"CERT-PA",
"detected":false,
"reference":"https://www.cert-pa.it/",
"confidence":"high",
"elapsed":"0.00"
},
"9":{
"engine":"CoinBlockerLists",
"detected":false,
"reference":"https://gitlab.com/ZeroDot1/CoinBlockerLists/",
"confidence":"high",
"elapsed":"0.00"
},
"10":{
"engine":"CyberCrime",
"detected":false,
"reference":"http://cybercrime-tracker.net/",
"confidence":"high",
"elapsed":"0.00"
},
"11":{
"engine":"DShield",
"detected":false,
"reference":"http://www.dshield.org/",
"confidence":"high",
"elapsed":"0.00"
},
"12":{
"engine":"EtherAddressLookup",
"detected":false,
"reference":"https://github.com/409H/EtherAddressLookup/",
"confidence":"high",
"elapsed":"0.00"
},
"13":{
"engine":"EtherScamDB",
"detected":false,
"reference":"https://etherscamdb.info/",
"confidence":"high",
"elapsed":"0.00"
},
"14":{
"engine":"HijackedUrls",
"detected":false,
"reference":"http://www.hijackedurls.com/",
"confidence":"high",
"elapsed":"0.00"
},
"15":{
"engine":"Malc0de",
"detected":false,
"reference":"http://malc0de.com/",
"confidence":"high",
"elapsed":"0.00"
},
"16":{
"engine":"MalwareDomainList",
"detected":false,
"reference":"http://www.malwaredomainlist.com/",
"confidence":"high",
"elapsed":"0.00"
},
"17":{
"engine":"MetaMask EthPhishing",
"detected":false,
"reference":"https://github.com/MetaMask/eth-phishing-detect/",
"confidence":"high",
"elapsed":"0.00"
},
"18":{
"engine":"OpenPhish",
"detected":false,
"reference":"http://www.openphish.com/",
"confidence":"high",
"elapsed":"0.00"
},
"19":{
"engine":"PhishTank",
"detected":false,
"reference":"http://www.phishtank.com/",
"confidence":"high",
"elapsed":"0.00"
},
"20":{
"engine":"Ransomware Tracker",
"detected":false,
"reference":"https://ransomwaretracker.abuse.ch/",
"confidence":"high",
"elapsed":"0.00"
},
"21":{
"engine":"Spam404",
"detected":false,
"reference":"https://www.spam404.com/",
"confidence":"high",
"elapsed":"0.00"
},
"22":{
"engine":"SquidBlacklist (Malicious)",
"detected":false,
"reference":"https://www.squidblacklist.org/",
"confidence":"high",
"elapsed":"0.00"
},
"23":{
"engine":"ThreatCrowd",
"detected":false,
"reference":"https://www.threatcrowd.org/",
"confidence":"high",
"elapsed":"0.00"
},
"24":{
"engine":"ThreatLog",
"detected":false,
"reference":"http://www.threatlog.com/",
"confidence":"high",
"elapsed":"0.00"
},
"25":{
"engine":"Threat Sourcing",
"detected":false,
"reference":"https://www.threatsourcing.com/",
"confidence":"high",
"elapsed":"0.00"
},
"26":{
"engine":"URLVir",
"detected":false,
"reference":"http://www.urlvir.com/",
"confidence":"high",
"elapsed":"0.00"
},
"27":{
"engine":"VXVault",
"detected":false,
"reference":"http://vxvault.net/",
"confidence":"high",
"elapsed":"0.00"
},
"28":{
"engine":"ZeuS Tracker",
"detected":false,
"reference":"https://zeustracker.abuse.ch/",
"confidence":"high",
"elapsed":"0.00"
}
},
"detections":0,
"engines_count":29,
"detection_rate":"0%",
"scantime":"0.10"
},
"alexa_top_10k":true,
"alexa_top_100k":true,
"alexa_top_250k":true,
"most_abused_tld":false,
"domain_length":13
}
},
"credits_remained":9.35,
"credits_expiration":"Thu, 11 Apr 2019 19:18:56 GMT",
"estimated_queries":"116",
"elapsed_time":"0.23",
"success":true
},
"host":"microsoft.com"
}
}
For “google.com,” there is no report of any issues with the domain. When run with a domain that has potential issues, the detections attribute in the response will be updated to reflect the number of engines that flagged it. The node in the following sample used “gumblar.cn” as input:
"payload": {
"apivoid":{
"topic":"/nevelexlabs/service/apivoid/url/report",
"response":{
"data":{
"report":{
"blacklists":{
"engines":{
"0":{
"engine":"Phishing Test",
"detected":false,
"reference":"https://www.novirusthanks.org/",
"confidence":"low",
"elapsed":"0.01"
},
"1":{
"engine":"Scam Test",
"detected":false,
"reference":"https://www.novirusthanks.org/",
"confidence":"low",
"elapsed":"0.00"
},
"2":{
"engine":"Sinkholed Domain",
"detected":false,
"reference":"https://www.novirusthanks.org/",
"confidence":"low",
"elapsed":"0.00"
},
"3":{
"engine":"SpamhausDBL",
"detected":false,
"reference":"https://www.spamhaus.org/lookup/",
"confidence":"high",
"elapsed":"0.07"
},
"4":{
"engine":"Badbitcoin",
"detected":false,
"reference":"https://badbitcoin.org/",
"confidence":"high",
"elapsed":"0.00"
},
"5":{
"engine":"Bambenek Consulting",
"detected":false,
"reference":"http://www.bambenekconsulting.com/",
"confidence":"high",
"elapsed":"0.00"
},
"6":{
"engine":"C_APT_ure",
"detected":false,
"reference":"http://c-apt-ure.blogspot.com/",
"confidence":"high",
"elapsed":"0.00"
},
"7":{
"engine":"CERT-GIB",
"detected":false,
"reference":"http://www.cert-gib.com/",
"confidence":"high",
"elapsed":"0.00"
},
"8":{
"engine":"CERT-PA",
"detected":false,
"reference":"https://www.cert-pa.it/",
"confidence":"high",
"elapsed":"0.00"
},
"9":{
"engine":"CoinBlockerLists",
"detected":false,
"reference":"https://gitlab.com/ZeroDot1/CoinBlockerLists/",
"confidence":"high",
"elapsed":"0.00"
},
"10":{
"engine":"CyberCrime",
"detected":false,
"reference":"http://cybercrime-tracker.net/",
"confidence":"high",
"elapsed":"0.00"
},
"11":{
"engine":"DShield",
"detected":false,
"reference":"http://www.dshield.org/",
"confidence":"high",
"elapsed":"0.00"
},
"12":{
"engine":"EtherAddressLookup",
"detected":false,
"reference":"https://github.com/409H/EtherAddressLookup/",
"confidence":"high",
"elapsed":"0.00"
},
"13":{
"engine":"EtherScamDB",
"detected":false,
"reference":"https://etherscamdb.info/",
"confidence":"high",
"elapsed":"0.00"
},
"14":{
"engine":"HijackedUrls",
"detected":false,
"reference":"http://www.hijackedurls.com/",
"confidence":"high",
"elapsed":"0.00"
},
"15":{
"engine":"Malc0de",
"detected":false,
"reference":"http://malc0de.com/",
"confidence":"high",
"elapsed":"0.00"
},
"16":{
"engine":"MalwareDomainList",
"detected":false,
"reference":"http://www.malwaredomainlist.com/",
"confidence":"high",
"elapsed":"0.00"
},
"17":{
"engine":"MetaMask EthPhishing",
"detected":false,
"reference":"https://github.com/MetaMask/eth-phishing-detect/",
"confidence":"high",
"elapsed":"0.00"
},
"18":{
"engine":"OpenPhish",
"detected":false,
"reference":"http://www.openphish.com/",
"confidence":"high",
"elapsed":"0.00"
},
"19":{
"engine":"PhishTank",
"detected":false,
"reference":"http://www.phishtank.com/",
"confidence":"high",
"elapsed":"0.00"
},
"20":{
"engine":"Ransomware Tracker",
"detected":false,
"reference":"https://ransomwaretracker.abuse.ch/",
"confidence":"high",
"elapsed":"0.00"
},
"21":{
"engine":"Spam404",
"detected":false,
"reference":"https://www.spam404.com/",
"confidence":"high",
"elapsed":"0.00"
},
"22":{
"engine":"SquidBlacklist (Malicious)",
"detected":true,
"reference":"https://www.squidblacklist.org/",
"confidence":"high",
"elapsed":"0.00"
},
"23":{
"engine":"ThreatCrowd",
"detected":false,
"reference":"https://www.threatcrowd.org/",
"confidence":"high",
"elapsed":"0.00"
},
"24":{
"engine":"ThreatLog",
"detected":true,
"reference":"http://www.threatlog.com/",
"confidence":"high",
"elapsed":"0.00"
},
"25":{
"engine":"Threat Sourcing",
"detected":false,
"reference":"https://www.threatsourcing.com/",
"confidence":"high",
"elapsed":"0.00"
},
"26":{
"engine":"URLVir",
"detected":false,
"reference":"http://www.urlvir.com/",
"confidence":"high",
"elapsed":"0.00"
},
"27":{
"engine":"VXVault",
"detected":false,
"reference":"http://vxvault.net/",
"confidence":"high",
"elapsed":"0.00"
},
"28":{
"engine":"ZeuS Tracker",
"detected":false,
"reference":"https://zeustracker.abuse.ch/",
"confidence":"high",
"elapsed":"0.00"
}
},
"detections":2,
"engines_count":29,
"detection_rate":"7%",
"scantime":"0.15"
},
"alexa_top_10k":false,
"alexa_top_100k":false,
"alexa_top_250k":false,
"most_abused_tld":false,
"domain_length":10
}
},
"credits_remained":9.43,
"credits_expiration":"Thu, 11 Apr 2019 19:18:56 GMT",
"estimated_queries":"117",
"elapsed_time":"0.32",
"success":true
},
"host":"gumblar.cn"
}
}
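A small audit of a report in the shape shown above, as an added example that is not part of the plugin. It lists the engines that flagged the host and checks that the aggregate counters the analysis node thresholds on (detections, engines_count, detection_rate) agree with the per-engine rows, which is the check a practitioner would want before trusting the count. Field names come from the page's JSON samples; the miniature report, the function names and the timeline line format are constructed for this example.

```javascript
// Added example, not code from the plugin: audit an APIVoid report object.
// Field names (engines, detected, confidence, detections, engines_count,
// detection_rate, alexa_top_*) are taken from the page's samples.

// Constructed miniature report in the same shape as the "gumblar.cn" sample,
// trimmed to four engines (two detecting) so it stays readable.
const SAMPLE_REPORT = {
  blacklists: {
    engines: {
      "0": { engine: "Phishing Test", detected: false, reference: "https://www.novirusthanks.org/", confidence: "low", elapsed: "0.01" },
      "1": { engine: "SpamhausDBL", detected: false, reference: "https://www.spamhaus.org/lookup/", confidence: "high", elapsed: "0.07" },
      "2": { engine: "SquidBlacklist (Malicious)", detected: true, reference: "https://www.squidblacklist.org/", confidence: "high", elapsed: "0.00" },
      "3": { engine: "ThreatLog", detected: true, reference: "http://www.threatlog.com/", confidence: "high", elapsed: "0.00" },
    },
    detections: 2,
    engines_count: 4,
    detection_rate: "50%",
    scantime: "0.15",
  },
  alexa_top_10k: false,
  alexa_top_100k: false,
  alexa_top_250k: false,
  most_abused_tld: false,
  domain_length: 10,
};

// Summarise which engines flagged the host and verify the aggregate counters
// against the per-engine rows before anything thresholds on them.
function auditReport(report) {
  const bl = (report && report.blacklists) || {};
  const engines = Object.values(bl.engines || {}); // keyed "0", "1", ... on the page
  const hits = engines.filter((e) => e.detected === true);
  const rate = engines.length ? Math.round((100 * hits.length) / engines.length) : 0;
  return {
    detectedBy: hits.map((e) => e.engine),
    highConfidenceHits: hits.filter((e) => e.confidence === "high").length,
    countConsistent: hits.length === bl.detections && engines.length === bl.engines_count,
    computedRate: `${rate}%`,
    reportedRate: bl.detection_rate,
    // Popularity flags are context, not a verdict: a widely used domain can still be abused.
    popular: Boolean(report.alexa_top_10k || report.alexa_top_100k || report.alexa_top_250k),
  };
}

// One-line summary suitable for an incident timeline entry (assumed format).
function timelineSummary(host, audit) {
  const who = audit.detectedBy.length ? ` (${audit.detectedBy.join(", ")})` : "";
  const warn = audit.countConsistent ? "" : " [count mismatch: verify report]";
  return `${host}: ${audit.detectedBy.length} detections, rate ${audit.computedRate}${who}${warn}`;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(timelineSummary("gumblar.cn", auditReport(SAMPLE_REPORT)));
}
```

The rate is rounded the way the page's sample does (2 of 29 engines is shown as "7%"); a mismatch between the computed and reported figures, or between detections and the number of rows with detected set to true, is flagged in the summary rather than silently thresholded on.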
Error
The following content is inserted into the message payload upon a failed request.
"payload": {
"apivoid": {
"error": {
"error_code": 5,
"error_message": "Error text"
}
}
}
©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.