urlscan.io Integration
urlscan.io is a service to scan and analyze websites. When a URL is submitted to urlscan.io, an automated process will browse to the URL like a regular user and record the activity that this page navigation creates. This includes the domains and IPs contacted, the resources (JavaScript, CSS, etc) requested from those domains, as well as additional information about the page itself. urlscan.io will take a screenshot of the page, record the DOM content, JavaScript global variables, cookies created by the page, and a myriad of other observations.
Finally, urlscan.io will try to reach a verdict on whether the scanned website is malicious or suspicious. If the site is targeting the users of one of the almost 400 brands tracked by urlscan.io, this will be shown in the scan results.

- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the urlscan.io integration.
- Click the plus sign (+) in the lower-right corner of the card. The urlscan.io integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the urlscan.io integration in Cisco XDR.

You can perform the following tasks after you integrate urlscan.io with Cisco XDR:
- Investigations - Start a new investigation into any combination of IP addresses, IPv6 addresses, domains, and URLs; the results will include any records of them found in your urlscan.io. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know urlscan.io has recent information. For details, see Investigate.
- Pivot Menu - Use the Pivot menu to access actions in urlscan.io. Available actions include browsing and searching for domains.