With the Urlscan integration, analysts in the security operations center can quickly understand the footprint of a website: whether it is flagged as malicious, what its screenshot looks like, and what other information the scan refers to. This lets SOC analysts triage the domains and IPs that appear in phishing attacks, logs and similar sources much faster, and copy the relevant details straight into the necessary tickets.
While threat-hunting analysts are combing through data, the Urlscan integration provides scan information on an indicator on demand, so the analyst can triage that data faster. Analysts can even submit a domain or URL to be scanned by Urlscan with a simple on-demand shortcut key.
By default, the Urlscan integration works without any configuration. An API Key is required only for analysts who wish to submit a URL or domain for scanning, and to raise the daily lookup limit to 1000 queries.
Due to recent changes on the Urlscan side, lookups without an API Key are limited to 500 queries per day.
An API Key is needed for analysts to submit a domain or URL to be scanned by Urlscan. To obtain an API Key, navigate to https://urlscan.io/user/signup and create an account. Once the account exists, navigate to Settings/API and create an API Key.
Allow for manual submission - This toggle enables the submission of URLs or domains to Urlscan for scanning. This option is off by default.
View Malicious Indicators Only - This toggle restricts the integration to returning information only on URLs that Urlscan reports as malicious. This option is off by default.
Ignore List or Ignore Regex - The Urlscan integration lets you set a regex that matches domains or IPs to be ignored, or add them as a comma-separated list, so that the integration never looks those indicators up in Urlscan. This is typically used for sensitive information or company domains, since every lookup sends the indicator to an external service.
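The following is an added example, not code from the integration itself, showing how an ignore list and ignore regex of the kind described above can be applied to indicators before anything is sent to Urlscan. The sample settings (corp.example, internal.example, the 10.x.x.x pattern) are constructed; the list matches a host exactly or as a subdomain, the regex is applied to the extracted host, and a broken regex fails closed so that a misconfiguration withholds a lookup rather than leaking a sensitive host.

```python
import re
from urllib.parse import urlsplit

# Constructed sample settings mirroring the two ignore options.
IGNORE_LIST = "corp.example, intranet.example.net, 10.0.0.5"
IGNORE_REGEX = r"^(.*\.)?internal\.example$|^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$"


def parse_ignore_list(raw):
    """Comma-separated entries -> lowercase set; blanks and trailing dots dropped."""
    return {e.strip().lower().rstrip(".") for e in raw.split(",") if e.strip()}


def host_of(indicator):
    """Extract the host from a bare domain, a bare IPv4, or a full URL."""
    ind = indicator.strip().lower()
    if "://" in ind:
        return (urlsplit(ind).hostname or "").rstrip(".")
    # Bare indicator: strip any path and port (IPv6 literals not handled here).
    return ind.split("/")[0].split(":")[0].rstrip(".")


def should_lookup(indicator, ignore_list=IGNORE_LIST, ignore_regex=IGNORE_REGEX):
    """Return False when the host is on the ignore list (exact or subdomain
    match) or matches the ignore regex; such indicators never leave the SOC."""
    host = host_of(indicator)
    if not host:
        return False
    for entry in parse_ignore_list(ignore_list):
        if host == entry or host.endswith("." + entry):
            return False
    if ignore_regex:
        try:
            if re.search(ignore_regex, host):
                return False
        except re.error:
            # A broken ignore pattern fails closed: withholding a lookup is
            # safer than sending a possibly sensitive host to a third party.
            return False
    return True


def partition(indicators, ignore_list=IGNORE_LIST, ignore_regex=IGNORE_REGEX):
    """Split a batch into (to_send, suppressed) so an analyst can review
    what will be looked up before the lookups happen."""
    send, held = [], []
    for ind in indicators:
        (send if should_lookup(ind, ignore_list, ignore_regex) else held).append(ind)
    return send, held
```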