
ForcepointWebsensePing

README

Categorize domain names, URLs, FQDNs and IP addresses using the Forcepoint Master Database service.

Requirements

You need a valid Forcepoint license to use the analyzer:

  • Install WebsensePing on the instance where you will run this analyzer.
  • Provide the hostname of the remote Filtering Service as the value of the hostname parameter, and the timeout (in seconds) as the value of the timeout parameter.

ForcepointWebsensePing

Author: Andrea Garavaglia, Davide Arcuri - LDO-CERT
License: AGPL-V3
Version: 1.0
Supported observable types:
- url
- ip
- domain
- fqdn
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.forcepoint.com

Description

Use ForcepointWebsensePing to determine which category a certain URL is assigned to.

Configuration

| Parameter | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| hostname | Forcepoint remote Filtering Service | N/A | string | False | True |
| timeout | WebsensePing timeout (seconds) | 10 | number | False | True |
| path | WebsensePing path | /opt/Websense/bin | string | False | True |
| malicious_categories | List of Forcepoint categories to be considered as malicious | ['Dynamic DNS', 'Elevated Exposure', 'Emerging Exploits', 'Extended Protection', 'Newly Registered Websites', 'Suspicious Content', 'Advanced Malware Command and Control', 'Advanced Malware Payloads', 'Botnets', 'Bot Networks', 'Compromised Websites', 'Malicious Web Sites', 'Custom-Encrypted Uploads', 'Files Containing Passwords', 'Keyloggers', 'Malicious Embedded Link', 'Malicious Embedded Iframe', 'Malicious Websites', 'Mobile Malware', 'Phishing and Other Frauds', 'Potentially Exploited Documents', 'Potentially Unwanted Software', 'Spyware', 'Suspicious Embedded Link', 'Elevated Exposure Newly Registered Websites', 'Unauthorized Mobile Marketplaces', 'User-Defined'] | string | True | True |
| suspicious_categories | List of Forcepoint categories to be considered as suspicious | ['Uncategorized', 'Parked Domain', 'Hacking', 'Proxy Avoidance', 'Intolerance', 'Abused Drugs', 'Adult Content', 'Adult Material', 'Advertisements', 'Computer Security', 'Drugs', 'Dynamic Content', 'Illegal or Questionable', 'Marijuana', 'Militancy and Extremist', 'Network Errors', 'Peer-to-Peer File Sharing', 'Personal Network Storage and Backup', 'Private IP Addresses', 'Sex', 'Tastelesstopics or to improper language', 'Violence', 'Web and Email Spam', 'Security'] | string | True | True |
| safe_categories | List of Forcepoint categories to be considered as safe | ['Business and Economy', 'Bandwidth', 'Education', 'Government', 'News and Media', 'Productivity', 'Religion', 'Society and Lifestyles', 'Special Events', 'Information Technology', 'Abortion', 'Advocacy Groups', 'Entertainment', 'Facebook Apps ', 'Facebook Chat', 'Facebook Commenting', 'Facebook Events', 'Facebook Friends', 'Facebook Games', 'Facebook Groups', 'Facebook Mail', 'Facebook Photo Upload', 'Facebook Posting', 'Facebook Questions', 'Facebook Video Upload', 'File Download Servers', 'LinkedIn Connections', 'LinkedIn Jobs', 'LinkedIn Mail', 'LinkedIn Updates', 'Twitter Follow', 'Twitter Mail', 'Twitter Posting', 'YouTube Commenting', 'YouTube Sharing', 'YouTube Video Upload', 'Alternative Journals', 'Application and Software Download', 'Blog Commenting', 'Blog Posting', 'Blogs and Personal Sites', 'Classified Posting', 'Social and Affiliation Organizations', 'Social Networking', 'Social Organizations', 'Social Web - Facebook', 'Social Web - LinkedIn', 'Social Web - Twitter', 'Social Web - YouTube', 'Social Web Controls - Various', 'Sports', 'Entertainment Video', 'Financial Data and Services', 'Instant Messaging', 'Job Search', 'Shopping', 'Travel', 'Vehicles', 'Search Engines and Portals', 'Alcohol and Tobacco', 'Collaboration – Office', 'Content Delivery Networks', 'Cultural Institutions', 'Educational Institutions', 'Educational Materials', 'Educational Video', 'General Email', 'Health', 'Hobbies', 'Gay or Lesbian or Bisexual Interest', 'Gambling', 'Games', 'Hosted Business Applications', 'Internet Auctions', 'Internet Communication', 'Internet Radio and TV', 'Internet Telephony', 'Media File Download', 'Message Boards and Forums', 'Non-Traditional Religion', 'Nudity', 'Nutrition', 'Office - Apps', 'Office - Documents', 'Office - Drive', 'Office - Mail', 'Office Category used to manage the Office domain', 'Online Brokerage and Trading', 'Organizational Email', 'Personals and Dating', 'Pay-to-Surf', 'Political Organizations', 'Prescribed Medications', 'Pro-Choice', 'Pro-Life', 'Professional and Worker Organizations', 'Real Estate', 'Reference Materials', 'Restaurants and Dining', 'Service and Philanthropic Organizations', 'Sex Education', 'Lingerie and Swimsuit', 'Sport Hunting and Gun Clubs', 'Streaming Media', 'Surveillance', 'Text and Media Messaging', 'Traditional Religions', 'Viral Video', 'Weapons', 'Web Analytics', 'Web and Email Marketing', 'Web Chat', 'Web Collaboration', 'Web Hosting', 'Web Images', 'Web Infrastructure', 'Website Translation'] | string | True | True |
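The three category lists above are what turns a Forcepoint category into an analyzer verdict. The following is an added example, not the analyzer's own code, showing how such a mapping can be applied to the categories WebsensePing reports for one observable and turned into Cortex taxonomy entries (namespace/predicate/value/level); the category sets are shortened subsets of the documented defaults, and the input categories are constructed sample values.

```python
# Added example (not part of the ForcepointWebsensePing analyzer): map Forcepoint
# categories to Cortex levels using the analyzer's three configured lists.
# The sets below are shortened subsets of the defaults documented above.
MALICIOUS = {"Phishing and Other Frauds", "Botnets", "Malicious Web Sites",
             "Spyware", "Dynamic DNS", "Compromised Websites"}
SUSPICIOUS = {"Uncategorized", "Parked Domain", "Hacking", "Proxy Avoidance"}
SAFE = {"Search Engines and Portals", "News and Media",
        "Content Delivery Networks", "Facebook Apps "}

# Cortex levels from least to most severe; the worst one wins for an observable.
LEVEL_ORDER = {"info": 0, "safe": 1, "suspicious": 2, "malicious": 3}


def _normalise(name: str) -> str:
    # Collapse whitespace and compare case-insensitively: the documented defaults
    # contain entries such as 'Facebook Apps ' with a trailing space.
    return " ".join(name.split()).casefold()


def category_level(category, malicious=MALICIOUS, suspicious=SUSPICIOUS, safe=SAFE):
    """Return the Cortex level for one Forcepoint category.

    Precedence is malicious > suspicious > safe, so a category listed in two
    lists by mistake is still treated at its most severe level. A category in
    none of the lists (e.g. a newly introduced Forcepoint category) is 'info'.
    """
    key = _normalise(category)
    for level, names in (("malicious", malicious), ("suspicious", suspicious), ("safe", safe)):
        if key in {_normalise(n) for n in names}:
            return level
    return "info"


def build_summary(categories, **lists):
    """Build the Cortex summary ({'taxonomies': [...]}) for the reported categories."""
    return {"taxonomies": [
        {"namespace": "ForcepointWebsensePing", "predicate": "Category",
         "value": cat.strip(), "level": category_level(cat, **lists)}
        for cat in categories]}


def overall_level(categories, **lists):
    """Worst level across all categories; an empty result is 'info'."""
    levels = [category_level(c, **lists) for c in categories]
    return max(levels, key=LEVEL_ORDER.__getitem__, default="info")


if __name__ == "__main__":
    # Constructed sample: one observable tagged with two categories by the service.
    sample = ["Search Engines and Portals", "Proxy Avoidance"]
    print(build_summary(sample), overall_level(sample))
```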

Template samples for TheHive