APIVoid

Overview

The Security Flow APIVoid Plugin exposes and automates APIVoid functionality. APIVoid is a service that analyzes domains and IPs using multiple online threat intelligence engines to detect malicious domains and IPs.

Functionality

The APIVoid Plugin provides the functionality to gather threat intelligence on domains and IP addresses.

Instance Configuration Parameters

  • Instance Name: Name for the APIVoid instance.
  • Unique ID: A system-wide unique identifier for this plugin instance, used to locate the service.
  • API Key: API key used to access the APIVoid services.

Flow Node

Communication node which queries APIVoid according to the specified node configuration.

  • Name: The display name of the node within the flows.
  • Unique ID: System-wide unique ID of the plugin instance.
  • Action: Configuration option determining the type of APIVoid API call to make:
      • Search Within: dynamically search in the message and make API requests based on the IoC type found
      • URL Report: request a report for the specified URL or domain
      • IP Report: request a report for the specified IP

  • Search Within / URL / IP: This field defines the location in the message, the flow context, the global context, or a JSONata expression to use as the data source for the IoC Threat Intelligence report. The following contexts are supported:
      • msg: Selects part of the incoming message as the source of the data. This is the typical choice.
      • flow: Selects part of the flow context’s saved data as the source. This information is shared only with the nodes on a given tab.
      • global: Selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
      • J: expression: A JSONata expression used to query and transform the payload.
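
The IoC-type dispatch that the Search Within action describes, as an added example that is not part of the plugin's documentation or code: it scans a text field for IPv4 addresses and domains and pairs each with the Flow Node action (IP Report or URL Report) that would be requested for it. The findIocs and isValidIpv4 functions, the result shape and the sample text are assumptions made here.

```javascript
// Added example, not code from the Security Flow plugin or from Nevelex Labs.
// It classifies the IoCs found in a message the way the "Search Within" action
// is described to work, so each one can be routed to the matching APIVoid
// action ("IP Report" or "URL Report"). findIocs() and its return shape are
// assumptions made here for illustration.

// IPv4 candidates: four dot-separated groups of 1-3 digits (validated below).
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
// Domain candidates: one or more DNS labels followed by an alphabetic TLD.
const DOMAIN_RE = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b/gi;

// Reject octets above 255 and octets with leading zeros such as "01".
function isValidIpv4(candidate) {
  const octets = candidate.split(".");
  if (octets.length !== 4) return false;
  return octets.every((octet) => {
    if (!/^\d{1,3}$/.test(octet)) return false;
    if (octet.length > 1 && octet[0] === "0") return false;
    return Number(octet) <= 255;
  });
}

// Return the IoCs in text, de-duplicated, each paired with the APIVoid action
// that the Flow Node would request for that IoC type.
function findIocs(text) {
  const found = new Map();
  for (const ip of text.match(IPV4_RE) || []) {
    if (isValidIpv4(ip) && !found.has(ip)) found.set(ip, "IP Report");
  }
  for (const domain of text.match(DOMAIN_RE) || []) {
    const value = domain.toLowerCase();
    if (!found.has(value)) found.set(value, "URL Report");
  }
  return [...found].map(([value, action]) => ({ value, action }));
}

// Constructed sample message; 198.51.100.23 is a documentation-range address
// and 999.1.1.1 is deliberately malformed so the validation step is exercised.
const SAMPLE_TEXT =
  "Beacon to 198.51.100.23, then redirect to http://gumblar.cn/x; " +
  "999.1.1.1 is not a valid address; also seen: www.example.com";

console.log(findIocs(SAMPLE_TEXT));
```

The domain pattern requires an alphabetic top-level label, so a dotted-quad address never doubles as a domain, and the IPv4 check rejects out-of-range or zero-padded octets rather than spending an API credit on them.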

A second flow node analyzes the results from the NL-APIVoid node and sets msg.payload.apivoid.nl_detections to the value of the msg.payload.apivoid.response.data.report.blacklists.detections field found in the report.

  • Name: The display name of the node within the flows.
  • Audit Missing Report: If checked, a missing report audit message is added to the Incident’s timeline.

JSON Message Format

The following samples show the JSON content added to the message payload; it conforms to the Node Messaging Format. The content lives within the apivoid object.

Success

The apivoid object shown below is inserted into the message payload upon a successful request. The node in the following sample used “google.com” as input:

"payload": {
   "apivoid": {  
      "topic":"/nevelexlabs/service/apivoid/url/report",
      "response":{  
         "data":{  
            "report":{  
               "blacklists":{  
                  "engines":{  
                     "0":{  
                        "engine":"Phishing Test",
                        "detected":false,
                        "reference":"https://www.novirusthanks.org/",
                        "confidence":"low",
                        "elapsed":"0.00"
                     },
                     "1":{  
                        "engine":"Scam Test",
                        "detected":false,
                        "reference":"https://www.novirusthanks.org/",
                        "confidence":"low",
                        "elapsed":"0.00"
                     },
                     "2":{  
                        "engine":"Sinkholed Domain",
                        "detected":false,
                        "reference":"https://www.novirusthanks.org/",
                        "confidence":"low",
                        "elapsed":"0.00"
                     },
                     "3":{  
                        "engine":"SpamhausDBL",
                        "detected":false,
                        "reference":"https://www.spamhaus.org/lookup/",
                        "confidence":"high",
                        "elapsed":"0.09"
                     },
                     "4":{  
                        "engine":"Badbitcoin",
                        "detected":false,
                        "reference":"https://badbitcoin.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "5":{  
                        "engine":"Bambenek Consulting",
                        "detected":false,
                        "reference":"http://www.bambenekconsulting.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "6":{  
                        "engine":"C_APT_ure",
                        "detected":false,
                        "reference":"http://c-apt-ure.blogspot.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "7":{  
                        "engine":"CERT-GIB",
                        "detected":false,
                        "reference":"http://www.cert-gib.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "8":{  
                        "engine":"CERT-PA",
                        "detected":false,
                        "reference":"https://www.cert-pa.it/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "9":{  
                        "engine":"CoinBlockerLists",
                        "detected":false,
                        "reference":"https://gitlab.com/ZeroDot1/CoinBlockerLists/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "10":{  
                        "engine":"CyberCrime",
                        "detected":false,
                        "reference":"http://cybercrime-tracker.net/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "11":{  
                        "engine":"DShield",
                        "detected":false,
                        "reference":"http://www.dshield.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "12":{  
                        "engine":"EtherAddressLookup",
                        "detected":false,
                        "reference":"https://github.com/409H/EtherAddressLookup/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "13":{  
                        "engine":"EtherScamDB",
                        "detected":false,
                        "reference":"https://etherscamdb.info/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "14":{  
                        "engine":"HijackedUrls",
                        "detected":false,
                        "reference":"http://www.hijackedurls.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "15":{  
                        "engine":"Malc0de",
                        "detected":false,
                        "reference":"http://malc0de.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "16":{  
                        "engine":"MalwareDomainList",
                        "detected":false,
                        "reference":"http://www.malwaredomainlist.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "17":{  
                        "engine":"MetaMask EthPhishing",
                        "detected":false,
                        "reference":"https://github.com/MetaMask/eth-phishing-detect/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "18":{  
                        "engine":"OpenPhish",
                        "detected":false,
                        "reference":"http://www.openphish.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "19":{  
                        "engine":"PhishTank",
                        "detected":false,
                        "reference":"http://www.phishtank.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "20":{  
                        "engine":"Ransomware Tracker",
                        "detected":false,
                        "reference":"https://ransomwaretracker.abuse.ch/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "21":{  
                        "engine":"Spam404",
                        "detected":false,
                        "reference":"https://www.spam404.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "22":{  
                        "engine":"SquidBlacklist (Malicious)",
                        "detected":false,
                        "reference":"https://www.squidblacklist.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "23":{  
                        "engine":"ThreatCrowd",
                        "detected":false,
                        "reference":"https://www.threatcrowd.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "24":{  
                        "engine":"ThreatLog",
                        "detected":false,
                        "reference":"http://www.threatlog.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "25":{  
                        "engine":"Threat Sourcing",
                        "detected":false,
                        "reference":"https://www.threatsourcing.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "26":{  
                        "engine":"URLVir",
                        "detected":false,
                        "reference":"http://www.urlvir.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "27":{  
                        "engine":"VXVault",
                        "detected":false,
                        "reference":"http://vxvault.net/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "28":{  
                        "engine":"ZeuS Tracker",
                        "detected":false,
                        "reference":"https://zeustracker.abuse.ch/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     }
                  },
                  "detections":0,
                  "engines_count":29,
                  "detection_rate":"0%",
                  "scantime":"0.10"
               },
               "alexa_top_10k":true,
               "alexa_top_100k":true,
               "alexa_top_250k":true,
               "most_abused_tld":false,
               "domain_length":13
            }
         },
         "credits_remained":9.35,
         "credits_expiration":"Thu, 11 Apr 2019 19:18:56 GMT",
         "estimated_queries":"116",
         "elapsed_time":"0.23",
         "success":true
      },
      "host":"microsoft.com"
   }
}

For “google.com,” there is no report of any issues with the domain. When run with a domain that has potential issues, the detections attribute in the response is updated accordingly. The node in the following sample used “gumblar.cn” as input:

"payload": {
   "apivoid":{
      "topic":"/nevelexlabs/service/apivoid/url/report",
      "response":{  
         "data":{  
            "report":{  
               "blacklists":{  
                  "engines":{  
                     "0":{  
                        "engine":"Phishing Test",
                        "detected":false,
                        "reference":"https://www.novirusthanks.org/",
                        "confidence":"low",
                        "elapsed":"0.01"
                     },
                     "1":{  
                        "engine":"Scam Test",
                        "detected":false,
                        "reference":"https://www.novirusthanks.org/",
                        "confidence":"low",
                        "elapsed":"0.00"
                     },
                     "2":{  
                        "engine":"Sinkholed Domain",
                        "detected":false,
                        "reference":"https://www.novirusthanks.org/",
                        "confidence":"low",
                        "elapsed":"0.00"
                     },
                     "3":{  
                        "engine":"SpamhausDBL",
                        "detected":false,
                        "reference":"https://www.spamhaus.org/lookup/",
                        "confidence":"high",
                        "elapsed":"0.07"
                     },
                     "4":{  
                        "engine":"Badbitcoin",
                        "detected":false,
                        "reference":"https://badbitcoin.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "5":{  
                        "engine":"Bambenek Consulting",
                        "detected":false,
                        "reference":"http://www.bambenekconsulting.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "6":{  
                        "engine":"C_APT_ure",
                        "detected":false,
                        "reference":"http://c-apt-ure.blogspot.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "7":{  
                        "engine":"CERT-GIB",
                        "detected":false,
                        "reference":"http://www.cert-gib.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "8":{  
                        "engine":"CERT-PA",
                        "detected":false,
                        "reference":"https://www.cert-pa.it/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "9":{  
                        "engine":"CoinBlockerLists",
                        "detected":false,
                        "reference":"https://gitlab.com/ZeroDot1/CoinBlockerLists/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "10":{  
                        "engine":"CyberCrime",
                        "detected":false,
                        "reference":"http://cybercrime-tracker.net/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "11":{  
                        "engine":"DShield",
                        "detected":false,
                        "reference":"http://www.dshield.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "12":{  
                        "engine":"EtherAddressLookup",
                        "detected":false,
                        "reference":"https://github.com/409H/EtherAddressLookup/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "13":{  
                        "engine":"EtherScamDB",
                        "detected":false,
                        "reference":"https://etherscamdb.info/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "14":{  
                        "engine":"HijackedUrls",
                        "detected":false,
                        "reference":"http://www.hijackedurls.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "15":{  
                        "engine":"Malc0de",
                        "detected":false,
                        "reference":"http://malc0de.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "16":{  
                        "engine":"MalwareDomainList",
                        "detected":false,
                        "reference":"http://www.malwaredomainlist.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "17":{  
                        "engine":"MetaMask EthPhishing",
                        "detected":false,
                        "reference":"https://github.com/MetaMask/eth-phishing-detect/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "18":{  
                        "engine":"OpenPhish",
                        "detected":false,
                        "reference":"http://www.openphish.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "19":{  
                        "engine":"PhishTank",
                        "detected":false,
                        "reference":"http://www.phishtank.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "20":{  
                        "engine":"Ransomware Tracker",
                        "detected":false,
                        "reference":"https://ransomwaretracker.abuse.ch/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "21":{  
                        "engine":"Spam404",
                        "detected":false,
                        "reference":"https://www.spam404.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "22":{  
                        "engine":"SquidBlacklist (Malicious)",
                        "detected":true,
                        "reference":"https://www.squidblacklist.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "23":{  
                        "engine":"ThreatCrowd",
                        "detected":false,
                        "reference":"https://www.threatcrowd.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "24":{  
                        "engine":"ThreatLog",
                        "detected":true,
                        "reference":"http://www.threatlog.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "25":{  
                        "engine":"Threat Sourcing",
                        "detected":false,
                        "reference":"https://www.threatsourcing.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "26":{  
                        "engine":"URLVir",
                        "detected":false,
                        "reference":"http://www.urlvir.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "27":{  
                        "engine":"VXVault",
                        "detected":false,
                        "reference":"http://vxvault.net/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "28":{  
                        "engine":"ZeuS Tracker",
                        "detected":false,
                        "reference":"https://zeustracker.abuse.ch/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     }
                  },
                  "detections":2,
                  "engines_count":29,
                  "detection_rate":"7%",
                  "scantime":"0.15"
               },
               "alexa_top_10k":false,
               "alexa_top_100k":false,
               "alexa_top_250k":false,
               "most_abused_tld":false,
               "domain_length":10
            }
         },
         "credits_remained":9.43,
         "credits_expiration":"Thu, 11 Apr 2019 19:18:56 GMT",
         "estimated_queries":"117",
         "elapsed_time":"0.32",
         "success":true
      },
      "host":"gumblar.cn"
   }
}

Error

The apivoid.error object shown below is inserted into the message payload upon a failed request.

"payload": {
    "apivoid": {
        "error": {
            "error_code": 5,
            "error_message": "Error text"
        }
    }
}
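
Putting the two payload formats together with the analysis node described earlier, as an added example (JavaScript, not the plugin's own code): it reads the apivoid object from msg.payload, reports the error format when present, flags a missing report the way the Audit Missing Report option would, and otherwise sets msg.payload.apivoid.nl_detections from the blacklists.detections field and lists the engines that detected the host. The analyzeApivoid function, its return shape and the trimmed sample payloads are assumptions made here.

```javascript
// Added example, not code from the Security Flow plugin or from Nevelex Labs.
// It post-processes the apivoid object that the node adds to msg.payload,
// mirroring what the page says the analysis node does (copy
// response.data.report.blacklists.detections to msg.payload.apivoid.nl_detections)
// and handling the error format shown above. analyzeApivoid() and its return
// shape are assumptions made here for illustration.

function analyzeApivoid(msg) {
  const apivoid = msg && msg.payload && msg.payload.apivoid;
  if (!apivoid) {
    return { status: "missing", audit: "APIVoid: no apivoid object in payload" };
  }
  // Failed request: the plugin inserts apivoid.error instead of a response.
  if (apivoid.error) {
    return {
      status: "error",
      audit: `APIVoid error ${apivoid.error.error_code}: ${apivoid.error.error_message}`,
    };
  }
  const response = apivoid.response || {};
  const report = response.data && response.data.report;
  const blacklists = report && report.blacklists;
  if (!blacklists || typeof blacklists.detections !== "number") {
    // The case the "Audit Missing Report" option records on the Incident timeline.
    return { status: "missing", audit: `APIVoid: missing report for ${apivoid.host}` };
  }
  // What the analysis node sets on the message.
  apivoid.nl_detections = blacklists.detections;
  // Engines are keyed "0".."28" in the sample payloads, so walk the object's values.
  const flaggedBy = Object.values(blacklists.engines || {})
    .filter((engine) => engine.detected === true)
    .map((engine) => engine.engine);
  return {
    status: "ok",
    host: apivoid.host,
    detections: blacklists.detections,
    enginesCount: blacklists.engines_count,
    flaggedBy,
    // A detections count that disagrees with the per-engine flags deserves a look.
    consistent: flaggedBy.length === blacklists.detections,
  };
}

// Constructed sample, trimmed from the page's gumblar.cn response: one clean
// engine and the two detecting engines are kept; the counters are unchanged.
const SAMPLE_SUCCESS = {
  payload: {
    apivoid: {
      topic: "/nevelexlabs/service/apivoid/url/report",
      response: {
        data: {
          report: {
            blacklists: {
              engines: {
                "0": { engine: "Phishing Test", detected: false, confidence: "low" },
                "22": { engine: "SquidBlacklist (Malicious)", detected: true, confidence: "high" },
                "24": { engine: "ThreatLog", detected: true, confidence: "high" },
              },
              detections: 2,
              engines_count: 29,
              detection_rate: "7%",
            },
          },
        },
        success: true,
      },
      host: "gumblar.cn",
    },
  },
};

// Constructed sample in the error format shown above.
const SAMPLE_ERROR = {
  payload: { apivoid: { error: { error_code: 5, error_message: "Error text" } } },
};

console.log(analyzeApivoid(SAMPLE_SUCCESS));
console.log(analyzeApivoid(SAMPLE_ERROR));
```

Downstream nodes can branch on the returned status: "ok" carries the detection count and the engines behind it, "error" and "missing" carry the text that would go on the Incident timeline, and the consistent flag catches a response whose summary count does not match its per-engine flags.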
©Nevelex Labs, LLC. 2018-2019, All Rights Reserved.
