Set URL Threat Score
The Set URL Threat Score playbook analyzes a URL using ThreatIntel and VirusTotal analysis, assigns a verdict to the URL, and sets the case severity accordingly.
1. Trigger - retrieves URLs from the For Each action block of the User-Reported Phishing Investigation parent playbook to continue the investigation.
2. Script - runs a Python script that reformats the URL, removing any extra characters it may contain.
3. API - submits the URL to the ThreatIntel API for investigation.
4. Status - gets the case severity and forwards it to the next action block.
5. If Then - checks whether the URL was successfully submitted to ThreatIntel.
5.1. If it passes, the investigation continues.
5.2. If it fails, No Verdict is given for the URL.
6. Script [Get ID] - uses a Python script to extract the ID returned by ThreatIntel.
7. API - uses the VirusTotal API to analyze the URL, using the ID provided by the previous action block.
8. If Then - checks whether the analysis succeeded.
8.1. If it passes, the investigation continues.
8.2. If it fails, No Verdict is given for the URL.
9. Script [Python] - uses a Python script to extract the result from the URL Analysis API.
10. Parameters [Analysis Failed] - sets the global parameter Verdict as No Verdict.
11. Format - formats the URL, Verdict, and VirusTotal Analysis in a specific syntax.
12. Parameters [Set Score] - sets the global parameter Verdict to the result given by the VirusTotal Analysis.
13. Case Item - writes the formatted output to the case created in Logpoint.
14. If Then [Suspicious] - checks if the Verdict Score is greater than 0.
15. If Then [Malicious] - checks if the Verdict Score is greater than 3.
16. If Then [Severity] - checks if the severity is greater than 0.
17. Status [Set High Severity] - sets the severity to High.
18. Status [Set Medium Severity] - sets the severity to Medium.
19. Format - formats the Verdict to a specific syntax.
20. End - returns the URL and its Verdict to the parent playbook.
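As an added example (not code from the Logpoint playbook), the Python below sketches the script and decision steps described above: the URL cleanup of step 2, the result extraction of step 9, and the threshold checks of steps 14 to 18. The VirusTotal response shape, the use of the malicious-engine count as the Verdict Score, and the mapping of verdicts to severities are assumptions, since the page does not spell them out.

```python
import json
import re
from typing import Tuple

# Constructed sample in the shape of a VirusTotal v3 URL analysis response
# (data.attributes.stats); the counts are made up for this example.
SAMPLE_ANALYSIS = json.dumps({
    "data": {"attributes": {"status": "completed",
                            "stats": {"harmless": 60, "malicious": 4,
                                      "suspicious": 1, "undetected": 10}}}})


def normalize_url(raw: str) -> str:
    """Step 2: strip the extra characters a user-reported URL often carries
    (surrounding whitespace, brackets or quotes, trailing punctuation) and
    undo common defanging (hxxp://, [.]) so ThreatIntel gets a clean URL."""
    url = raw.strip().strip("<>()[]\"'")
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    url = url.replace("[.]", ".").replace("(.)", ".")
    return url.rstrip(".,;:!?>)]")


def extract_score(analysis_json: str) -> int:
    """Step 9: return the number of engines flagging the URL as malicious
    (assumed to be the Verdict Score), or -1 when the analysis has not
    completed, which maps to the No Verdict branch."""
    attrs = json.loads(analysis_json)["data"]["attributes"]
    if attrs.get("status") != "completed":
        return -1
    return int(attrs.get("stats", {}).get("malicious", 0))


def verdict_and_severity(score: int) -> Tuple[str, str]:
    """Steps 14-18: score > 3 is Malicious, score > 0 is Suspicious.
    Assumed severity mapping (not stated on the page): Malicious -> High,
    Suspicious -> Medium, anything else leaves the severity unchanged."""
    if score < 0:
        return "No Verdict", "Unchanged"
    if score > 3:
        return "Malicious", "High"
    if score > 0:
        return "Suspicious", "Medium"
    return "Clean", "Unchanged"


if __name__ == "__main__":
    url = normalize_url("  <hxxps://login-example[.]test/verify>. ")
    score = extract_score(SAMPLE_ANALYSIS)
    print(url, score, verdict_and_severity(score))
```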