Analyze Domains Through Multiple Sources

Investigate suspicious domains and identify false positives by leveraging threat intelligence tools, including URLhaus, VirusTotal, and URLScan, to gather more context and respond faster.

Installation

Download and install Flowpipe (https://flowpipe.io/downloads). Or use Brew:

brew tap turbot/tap
brew install flowpipe

Clone:

git clone https://github.com/turbot/flowpipe-samples.git
cd security/domains_review_through_multiple_sources

Install mod dependencies:

flowpipe mod install

Connections

By default, the following environment variables will be used for authentication:

• VTCLI_APIKEY
• URLSCAN_API_KEY
• IP2LOCATIONIO_API_KEY

You can also create connection resources in configuration files:

vi conns.fpc

connection "virustotal" "my_virustotal" {
  api_key = "AG.U7..."
}

connection "urlscan" "my_urlscan" {
  api_key = "AKIA...2"
}

connection "ip2locationio" "my_ip2locationio" {
  token = "00B630jSCGU4jV4o5Yh4KQMAdqizwE2OgVcS7N9UHb"
}

For more information on connections in Flowpipe, please see Managing Connections.

Usage

Run the pipeline to analyze domains through multiple sources:

flowpipe pipeline run domains_review_through_multiple_sources --arg 'domain=example.com'

Configuration

To avoid entering variable values when running the pipeline or starting the server, you can set variable values:

cp flowpipe.fpvars.example flowpipe.fpvars
vi flowpipe.fpvars

# Required
apivoid_api_key="Your_APIVoid_API_Key"