DBotUpdateLogoURLPhishing Script - Administrator Guide - 6.6 - Cortex XSOAR

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-29
Last date published: 2024-07-30
End of Life: EoL
Category: Administrator Guide
Abstract

A script that enables you to add, remove, or modify logos within the URL Phishing model.

The following describes how to add, remove, or modify logos within the URL Phishing model.

Phishing pages often use the logos of well-known companies to disguise themselves as legitimate websites. This model searches the page at the URL for these logos to detect fraudulent use of them. If a logo is found and the domain of the page is not associated with that logo, the model triggers an alert.

To better customize the model, you can add a logo that a URL phishing attempt may use to target you. The predefined list of logos is: Paypal, Instagram, Gmail, Outlook, Linkedin, Facebook, Ebay, Amazon, Google, and Microsoft.

This script provides you with the ability to add or remove custom logos and associate legitimate domains to the custom logos. You can also print all the logos that are currently loaded inside the model.

We recommend not adding more than 5 custom logos to ensure good model performance.

The command to use is DBotUpdateLogoURLPhishing.

Arguments

  • action: Action to execute on the model. This is a mandatory argument. Values can be:

    • AddLogo: Add a custom logo to the model. This action requires the logoImageId and logoName arguments. The new logo can be directly associated with domains using the associatedDomains argument. You can add domains at a later time using the ModifiedDomainForLogo action.

    • RemoveLogo: Remove a custom logo from the model given the logo name. Only custom logos can be removed. This action requires the logoName argument. Logo names can be retrieved by displaying all the logos using the DisplayAllLogos action.

    • ModifiedDomainForLogo: Modify the list of domains associated with a custom logo. This action requires the associatedDomains and logoName arguments.

    • DisplayAllLogos: Return a graphic with the names of all the logos in the model. For custom logos, it also returns the associated domains.

  • logoImageId: Entry ID in Cortex XSOAR of the uploaded logo.

  • logoName: Unique name of the logo. It is used to modify or remove a logo after it has been added.

  • associatedDomains: Comma-separated list of domains that are associated with the logo named in the logoName argument. It is only used if the action argument is AddLogo or ModifiedDomainForLogo. The format of the domains should be:

    [domain].[tld]

    For example: paloaltonetworks.com

    Note

    The domain name should not contain https, http, or www.
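The argument rules above (which arguments each action requires, and the bare [domain].[tld] format for associatedDomains with no scheme or www.) are easy to get wrong when the command is typed by hand. The following is an added example, not part of the Cortex XSOAR documentation or of the DBotUpdateLogoURLPhishing script itself: a small helper that checks those rules and builds the War Room command line. Stripping a scheme, a "www." prefix and any path from a submitted domain rather than rejecting it is this example's own design choice, and the domain regex is an assumption about what a well-formed [domain].[tld] value looks like.

```python
"""Validate arguments for DBotUpdateLogoURLPhishing and build the command line.

Added example, not code from the Cortex XSOAR script or its documentation.
It encodes the argument rules of the guide: which arguments each action
requires, and that associatedDomains entries are bare [domain].[tld] values
(no https/http, no www.).
"""
import re

# Required arguments per action, taken from the argument list in the guide.
REQUIRED_ARGS = {
    "AddLogo": ("logoImageId", "logoName"),
    "RemoveLogo": ("logoName",),
    "ModifiedDomainForLogo": ("associatedDomains", "logoName"),
    "DisplayAllLogos": (),
}

# Only these actions consume associatedDomains; the guide says it is
# ignored otherwise, so passing it with another action is treated as a mistake.
DOMAIN_ACTIONS = {"AddLogo", "ModifiedDomainForLogo"}

# Assumed shape of [domain].[tld]: hostname labels, at least one dot, an
# alphabetic TLD. Deliberately strict, because the model compares the page
# domain against this list literally and a stray scheme would never match.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def normalize_domain(raw: str) -> str:
    """Strip what the guide's note forbids (scheme, www., a path) and validate."""
    d = raw.strip().lower()
    d = re.sub(r"^[a-z][a-z0-9+.-]*://", "", d)  # https://, http://, ...
    d = d.split("/", 1)[0].split("?", 1)[0]       # drop any path or query
    d = d.rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    if not DOMAIN_RE.fullmatch(d):
        raise ValueError(f"invalid domain for associatedDomains: {raw!r}")
    return d


def parse_associated_domains(value: str) -> list:
    """Split the comma-separated argument, normalize, de-duplicate (order kept)."""
    domains = []
    for part in value.split(","):
        if not part.strip():
            continue
        d = normalize_domain(part)
        if d not in domains:
            domains.append(d)
    if not domains:
        raise ValueError("associatedDomains is empty")
    return domains


def build_command(action: str, **args: str) -> str:
    """Return the War Room command line, or raise ValueError if arguments are wrong."""
    if action not in REQUIRED_ARGS:
        raise ValueError(f"unknown action {action!r}")
    missing = [a for a in REQUIRED_ARGS[action] if not args.get(a)]
    if missing:
        raise ValueError(f"{action} requires: {', '.join(missing)}")
    if "associatedDomains" in args and action not in DOMAIN_ACTIONS:
        raise ValueError(f"associatedDomains is ignored by {action}")
    parts = [f"!DBotUpdateLogoURLPhishing action={action}"]
    for name in ("logoImageId", "logoName", "associatedDomains"):
        if name not in args:
            continue
        value = args[name]
        if name == "associatedDomains":
            value = ",".join(parse_associated_domains(value))
        elif '"' in value:
            # Values are emitted in double quotes; an embedded quote would
            # break the command line apart.
            raise ValueError(f"{name} must not contain a double quote")
        parts.append(f'{name}="{value}"')
    return " ".join(parts)


if __name__ == "__main__":
    # The entry ID below is the one shown in the guide's own AddLogo example.
    print(build_command(
        "AddLogo",
        logoImageId="4463@ec8a82a9-4c32-4ce8-85e3-6ec360fed132",
        logoName="palo_alto",
        associatedDomains="https://www.paloaltonetworks.com/, pan.dev",
    ))
```

Run it directly to print a ready-to-paste AddLogo command; the helper raises a ValueError naming the missing or malformed argument instead of producing a command that the script would reject or, worse, accept with a domain that can never match a real page.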

Example

Display the Logos in the Model

Let’s start by displaying all the logos in the model. There are no custom logos yet, so only the default logos in the original model appear.

!DBotUpdateLogoURLPhishing action=DisplayAllLogos

[Image: dbot-updatelogo-all.png]

Add a Custom Logo

Let’s add a new logo and associate some domains to the logo.

1. Drop the image into the Playground and upload it.

[Image: dbot-updatelogo-upload-file.png]

2. Get the Entry ID in Cortex XSOAR of the uploaded logo.

[Image: dbot-updatelogo-entryid.png]

3. Run the following command using the Entry ID.

!DBotUpdateLogoURLPhishing logoImageId="4463@ec8a82a9-4c32-4ce8-85e3-6ec360fed132" logoName="palo_alto" action="AddLogo"

We could associate domains with this logo by adding the associatedDomains argument to this command, but let’s do it as a separate action.