APIVoid

Overview

The Security Flow APIVoid Plugin exposes and automates APIVoid functionality. APIVoid is a service that analyzes domains and IPs using multiple online threat intelligence engines to detect malicious domains and IPs.

Functionality

The APIVoid Plugin provides the functionality to gather threat intelligence on domains and IP addresses.

Instance Configuration Parameters

Instance Name: Name for the APIVoid instance.

Unique ID: A system-wide unique identifier for this plugin instance used to locate the service.

API Key: API key used to access the APIVoid services.

Flow Node

Communication node which queries APIVoid according to the specified node configuration.
Name: The display name of the node within the flows.

Unique ID: System-wide unique ID of the plugin instance.

Action: Configuration option determining the type of APIVoid API call to make:

  • Search Within: dynamically search in the message and make API requests based on the IoC type found
  • URL Report: Request a report for the specified URL or Domain
  • IP Report: Request a report for the specified IP

Search Within / URL / IP: This field defines the location in the message, flow, global, or JSONata expression to use as the data source for the IoC Threat Intelligence report. The following contexts are supported:

  • msg: This selects part of the incoming message as the source of the data. This is the typical choice.
  • flow: This selects part of the flow context’s saved data as the source. This information is shared with only the nodes on a given tab.
  • global: This selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
  • J: expression: JSONata expression language to perform query and transform operations on the payload.

Report Analysis Node

Helper node used to classify an Indicator of Compromise (IoC) from an APIVoid report as trusted or malicious based on the response's overall engine detection count. The field is found within the response at data.report.blacklists.detections. This node takes as input the successful response from the NL APIVoid node or the NL Broadcast Gather Threat Intelligence node.

Report analysis nodes have five (5) outputs.

  1. Malicious: The Malicious Detections matched the Indicator of Compromise's detection count.
  2. Trusted: The Trusted Detections matched the Indicator of Compromise's detection count.
  3. No Match: The rules did not match the IoC as either trusted or malicious.
  4. Report Missing: The incoming message did not include a report for APIVoid.
  5. Report Error: A report exists with an error message of some type.

Name: The display name of the node within the flows.

Malicious Detections: Any detection count matching the defined Malicious Detections level is considered a malicious IoC. Malicious detection checks are done against one of the selected ranges:

  • >= 1
  • >= 2
  • >= 3
  • >= 4
  • >= 5
  • >= 10
  • >= 15
  • >= 20
  • >= 25

Trusted Detections: Any detection count matching the defined Trusted Detections level is considered a trusted IoC. This field can be set to Never to never consider an IoC trusted. Trusted detection checks are done against one of the selected ranges:

  • Never
  • < 1
  • < 2
  • < 3
  • < 4
  • < 5
  • < 10

Audit Missing Report: If checked, a missing report audit message will be added to the Incident’s timeline.

Learn More

JSON Message Format

The following samples show the JSON content added to the message payload, which conforms to the Node Messaging Format. The content exists within the apivoid object.

Success

The following content is inserted into the message payload upon a successful request. The node in the following sample used “google.com” as input:

"payload": {
   "apivoid": {  
      "topic":"/nevelexlabs/service/apivoid/url/report",
      "response":{  
         "data":{  
            "report":{  
               "blacklists":{  
                  "engines":{  
                     "0":{  
                        "engine":"Phishing Test",
                        "detected":false,
                        "reference":"https://www.novirusthanks.org/",
                        "confidence":"low",
                        "elapsed":"0.00"
                     },
                     "1":{  
                        "engine":"Scam Test",
                        "detected":false,
                        "reference":"https://www.novirusthanks.org/",
                        "confidence":"low",
                        "elapsed":"0.00"
                     },
                     "2":{  
                        "engine":"Sinkholed Domain",
                        "detected":false,
                        "reference":"https://www.novirusthanks.org/",
                        "confidence":"low",
                        "elapsed":"0.00"
                     },
                     "3":{  
                        "engine":"SpamhausDBL",
                        "detected":false,
                        "reference":"https://www.spamhaus.org/lookup/",
                        "confidence":"high",
                        "elapsed":"0.09"
                     },
                     "4":{  
                        "engine":"Badbitcoin",
                        "detected":false,
                        "reference":"https://badbitcoin.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "5":{  
                        "engine":"Bambenek Consulting",
                        "detected":false,
                        "reference":"http://www.bambenekconsulting.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "6":{  
                        "engine":"C_APT_ure",
                        "detected":false,
                        "reference":"http://c-apt-ure.blogspot.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "7":{  
                        "engine":"CERT-GIB",
                        "detected":false,
                        "reference":"http://www.cert-gib.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "8":{  
                        "engine":"CERT-PA",
                        "detected":false,
                        "reference":"https://www.cert-pa.it/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "9":{  
                        "engine":"CoinBlockerLists",
                        "detected":false,
                        "reference":"https://gitlab.com/ZeroDot1/CoinBlockerLists/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "10":{  
                        "engine":"CyberCrime",
                        "detected":false,
                        "reference":"http://cybercrime-tracker.net/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "11":{  
                        "engine":"DShield",
                        "detected":false,
                        "reference":"http://www.dshield.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "12":{  
                        "engine":"EtherAddressLookup",
                        "detected":false,
                        "reference":"https://github.com/409H/EtherAddressLookup/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "13":{  
                        "engine":"EtherScamDB",
                        "detected":false,
                        "reference":"https://etherscamdb.info/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "14":{  
                        "engine":"HijackedUrls",
                        "detected":false,
                        "reference":"http://www.hijackedurls.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "15":{  
                        "engine":"Malc0de",
                        "detected":false,
                        "reference":"http://malc0de.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "16":{  
                        "engine":"MalwareDomainList",
                        "detected":false,
                        "reference":"http://www.malwaredomainlist.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "17":{  
                        "engine":"MetaMask EthPhishing",
                        "detected":false,
                        "reference":"https://github.com/MetaMask/eth-phishing-detect/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "18":{  
                        "engine":"OpenPhish",
                        "detected":false,
                        "reference":"http://www.openphish.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "19":{  
                        "engine":"PhishTank",
                        "detected":false,
                        "reference":"http://www.phishtank.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "20":{  
                        "engine":"Ransomware Tracker",
                        "detected":false,
                        "reference":"https://ransomwaretracker.abuse.ch/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "21":{  
                        "engine":"Spam404",
                        "detected":false,
                        "reference":"https://www.spam404.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "22":{  
                        "engine":"SquidBlacklist (Malicious)",
                        "detected":false,
                        "reference":"https://www.squidblacklist.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "23":{  
                        "engine":"ThreatCrowd",
                        "detected":false,
                        "reference":"https://www.threatcrowd.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "24":{  
                        "engine":"ThreatLog",
                        "detected":false,
                        "reference":"http://www.threatlog.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "25":{  
                        "engine":"Threat Sourcing",
                        "detected":false,
                        "reference":"https://www.threatsourcing.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "26":{  
                        "engine":"URLVir",
                        "detected":false,
                        "reference":"http://www.urlvir.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "27":{  
                        "engine":"VXVault",
                        "detected":false,
                        "reference":"http://vxvault.net/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "28":{  
                        "engine":"ZeuS Tracker",
                        "detected":false,
                        "reference":"https://zeustracker.abuse.ch/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     }
                  },
                  "detections":0,
                  "engines_count":29,
                  "detection_rate":"0%",
                  "scantime":"0.10"
               },
               "alexa_top_10k":true,
               "alexa_top_100k":true,
               "alexa_top_250k":true,
               "most_abused_tld":false,
               "domain_length":13
            }
         },
         "credits_remained":9.35,
         "credits_expiration":"Thu, 11 Apr 2019 19:18:56 GMT",
         "estimated_queries":"116",
         "elapsed_time":"0.23",
         "success":true
      },
      "host":"microsoft.com"
   }
}

For “google.com,” there is no report of any issues with the domain. When run against a domain that has potential issues, the detections attribute in the response reflects the number of engines that flagged it. The node in the following sample used “gumblar.cn” as input:

"payload": {
   "apivoid":{
      "topic":"/nevelexlabs/service/apivoid/url/report",
      "response":{  
         "data":{  
            "report":{  
               "blacklists":{  
                  "engines":{  
                     "0":{  
                        "engine":"Phishing Test",
                        "detected":false,
                        "reference":"https://www.novirusthanks.org/",
                        "confidence":"low",
                        "elapsed":"0.01"
                     },
                     "1":{  
                        "engine":"Scam Test",
                        "detected":false,
                        "reference":"https://www.novirusthanks.org/",
                        "confidence":"low",
                        "elapsed":"0.00"
                     },
                     "2":{  
                        "engine":"Sinkholed Domain",
                        "detected":false,
                        "reference":"https://www.novirusthanks.org/",
                        "confidence":"low",
                        "elapsed":"0.00"
                     },
                     "3":{  
                        "engine":"SpamhausDBL",
                        "detected":false,
                        "reference":"https://www.spamhaus.org/lookup/",
                        "confidence":"high",
                        "elapsed":"0.07"
                     },
                     "4":{  
                        "engine":"Badbitcoin",
                        "detected":false,
                        "reference":"https://badbitcoin.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "5":{  
                        "engine":"Bambenek Consulting",
                        "detected":false,
                        "reference":"http://www.bambenekconsulting.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "6":{  
                        "engine":"C_APT_ure",
                        "detected":false,
                        "reference":"http://c-apt-ure.blogspot.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "7":{  
                        "engine":"CERT-GIB",
                        "detected":false,
                        "reference":"http://www.cert-gib.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "8":{  
                        "engine":"CERT-PA",
                        "detected":false,
                        "reference":"https://www.cert-pa.it/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "9":{  
                        "engine":"CoinBlockerLists",
                        "detected":false,
                        "reference":"https://gitlab.com/ZeroDot1/CoinBlockerLists/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "10":{  
                        "engine":"CyberCrime",
                        "detected":false,
                        "reference":"http://cybercrime-tracker.net/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "11":{  
                        "engine":"DShield",
                        "detected":false,
                        "reference":"http://www.dshield.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "12":{  
                        "engine":"EtherAddressLookup",
                        "detected":false,
                        "reference":"https://github.com/409H/EtherAddressLookup/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "13":{  
                        "engine":"EtherScamDB",
                        "detected":false,
                        "reference":"https://etherscamdb.info/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "14":{  
                        "engine":"HijackedUrls",
                        "detected":false,
                        "reference":"http://www.hijackedurls.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "15":{  
                        "engine":"Malc0de",
                        "detected":false,
                        "reference":"http://malc0de.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "16":{  
                        "engine":"MalwareDomainList",
                        "detected":false,
                        "reference":"http://www.malwaredomainlist.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "17":{  
                        "engine":"MetaMask EthPhishing",
                        "detected":false,
                        "reference":"https://github.com/MetaMask/eth-phishing-detect/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "18":{  
                        "engine":"OpenPhish",
                        "detected":false,
                        "reference":"http://www.openphish.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "19":{  
                        "engine":"PhishTank",
                        "detected":false,
                        "reference":"http://www.phishtank.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "20":{  
                        "engine":"Ransomware Tracker",
                        "detected":false,
                        "reference":"https://ransomwaretracker.abuse.ch/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "21":{  
                        "engine":"Spam404",
                        "detected":false,
                        "reference":"https://www.spam404.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "22":{  
                        "engine":"SquidBlacklist (Malicious)",
                        "detected":true,
                        "reference":"https://www.squidblacklist.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "23":{  
                        "engine":"ThreatCrowd",
                        "detected":false,
                        "reference":"https://www.threatcrowd.org/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "24":{  
                        "engine":"ThreatLog",
                        "detected":true,
                        "reference":"http://www.threatlog.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "25":{  
                        "engine":"Threat Sourcing",
                        "detected":false,
                        "reference":"https://www.threatsourcing.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "26":{  
                        "engine":"URLVir",
                        "detected":false,
                        "reference":"http://www.urlvir.com/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "27":{  
                        "engine":"VXVault",
                        "detected":false,
                        "reference":"http://vxvault.net/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     },
                     "28":{  
                        "engine":"ZeuS Tracker",
                        "detected":false,
                        "reference":"https://zeustracker.abuse.ch/",
                        "confidence":"high",
                        "elapsed":"0.00"
                     }
                  },
                  "detections":2,
                  "engines_count":29,
                  "detection_rate":"7%",
                  "scantime":"0.15"
               },
               "alexa_top_10k":false,
               "alexa_top_100k":false,
               "alexa_top_250k":false,
               "most_abused_tld":false,
               "domain_length":10
            }
         },
         "credits_remained":9.43,
         "credits_expiration":"Thu, 11 Apr 2019 19:18:56 GMT",
         "estimated_queries":"117",
         "elapsed_time":"0.32",
         "success":true
      },
      "host":"gumblar.cn"
   }
}

Error

The following content is inserted into the message payload upon a failed request:

"payload": {
    "apivoid": {
        "error": {
            "error_code": 5,
            "error_message": "Error text"
        }
    }
}
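As an added example serving both the Report Analysis Node description above and this message format (not code from the Security Flow plugin or APIVoid), the following Node-RED style function node body routes a msg to one of the five outputs by the documented rules. Node-RED is assumed from the msg/flow/global/JSONata contexts named on the page; the threshold defaults, the sample messages and the host "example.invalid" are constructed.

```javascript
// Added example, not code from the Security Flow plugin or APIVoid: a
// Node-RED style function that reproduces the report analysis node's
// routing for a msg carrying the apivoid object documented on this page.
// Output slots follow the page's numbering, zero-based:
// 0 Malicious, 1 Trusted, 2 No Match, 3 Report Missing, 4 Report Error.
const OUTPUT = { MALICIOUS: 0, TRUSTED: 1, NO_MATCH: 2, MISSING: 3, ERROR: 4 };

// maliciousAtLeast mirrors the ">= N" dropdown, trustedBelow the "< N"
// dropdown where null stands for "Never". The defaults are assumptions.
function classifyApivoid(msg, maliciousAtLeast = 1, trustedBelow = null) {
  const apivoid = msg && msg.payload && msg.payload.apivoid;
  if (!apivoid) return OUTPUT.MISSING;        // no apivoid object in the payload
  if (apivoid.error) return OUTPUT.ERROR;     // payload.apivoid.error as in the Error sample
  const data = apivoid.response && apivoid.response.data;
  const blacklists = data && data.report && data.report.blacklists;
  const detections = blacklists && blacklists.detections;
  if (!Number.isInteger(detections)) return OUTPUT.MISSING;  // report present but unusable
  // Malicious is checked first so an IoC can never be routed as both.
  if (detections >= maliciousAtLeast) return OUTPUT.MALICIOUS;
  if (trustedBelow !== null && detections < trustedBelow) return OUTPUT.TRUSTED;
  return OUTPUT.NO_MATCH;
}

// A Node-RED function node with five outputs returns an array and places
// the msg in the slot it should leave on; the other slots stay null.
function routeToOutputs(msg, maliciousAtLeast, trustedBelow) {
  const outputs = [null, null, null, null, null];
  outputs[classifyApivoid(msg, maliciousAtLeast, trustedBelow)] = msg;
  return outputs;
}

// Constructed sample messages, trimmed from the page's Success and Error samples.
function sampleReport(host, detections) {
  return { payload: { apivoid: {
    topic: "/nevelexlabs/service/apivoid/url/report",
    response: { data: { report: { blacklists: { detections, engines_count: 29 } } }, success: true },
    host,
  } } };
}
const SAMPLE_CLEAN = sampleReport("google.com", 0);   // detections 0 in the first sample
const SAMPLE_FLAGGED = sampleReport("gumblar.cn", 2); // detections 2 in the second sample
const SAMPLE_ERROR = { payload: { apivoid: { error: { error_code: 5, error_message: "Error text" } } } };
const SAMPLE_NO_REPORT = { payload: { host: "example.invalid" } };  // constructed, no apivoid object
```

With Malicious Detections at ">= 1" and Trusted Detections at "< 1", the first sample leaves on the Trusted output and the second on the Malicious output; with Trusted set to Never, the first sample falls through to No Match.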
©Nevelex Labs, LLC. 2018-2020, All Rights Reserved.
