EmailRep.IO

Overview

EmailRep is a system of crawlers, scanners, and enrichment services that allow users to collect data on email addresses, domains, and internet personas.

D3 SOAR is providing REST operations to function with EmailRep.IO.

EmailRep.IO is available for use in:

D3 SOAR	V16.1.7.0+
Category	Threat Intelligence
Deployment Options	Option II, Option IV

Known Limitations

Rate-limits are enforced using a rolling 24-hour window, not by calendar day. Exceeding the rate limit will result in an HTTP 429 response.

Please refer to https://emailrep.io/key for detailed information about the limits for each API key plan.

Connection

To connect to EmailRep.IO from D3 SOAR, please follow this part to collect the required information below:

Parameter	Description	Example
Server URL	The server URL of the EmailRep API.	https://emailrep.io
API Key	The API key provisioned by EmailRep to authenticate the connection.	Yh******************************************************mk

Permission Requirements

No permission requirements are configurable for EmailRep's API.

Configuring EmailRep.IO to Work with D3 SOAR

An API key is required to set up the EmailRep integration in D3 SOAR. To request an API key, go to https://emailrep.io/key.

There are three available plans for acquiring an API key:

Community: This is a free plan which gives you up to 250 queries per month with a limit of 10 queries per day.
Commercial: This is a paid plan which gives you up to 1000 queries per month with no daily limit and includes email support.
Enterprise: This is a custom plan for high-volume usage or high throughput needs. It does not have a daily limit and comes with support backed by a Service Level Agreement (SLA).

Once you have chosen a plan and supplied the necessary information and payment details for requesting the API key, the EmailRep team will send you an email containing your API Key.

Configuring D3 SOAR to Work with EmailRep.IO

Log in to D3 SOAR.
Find the EmailRep.IO integration.
1. Navigate to Configuration on the top header menu.
2. Click on the Integration icon on the left sidebar.
3. Type EmailRep.IO in the search box to find the integration, then click it to select it.
4. Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to EmailRep.IO.
1. Connection Name: The desired name for the connection.
2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
5. Description (Optional): Add your desired description for the connection.
6. Configure User Permissions: Defines which users have access to the connection.
7. Active: Check the tick box to ensure the connection is available for use.
8. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
  1. Input the Sever URL. The default value is https://emailrep.io.
  2. Copy the API Key provisioned by EmailRep. Refer to Configuring EmailRep.IO to Work with D3 SOAR for more information.
9. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
10. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
  To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Test the connection.
1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
2. Click OK to close the alert window.
3. Click + Add to create and add the configured connection.

Commands

EmailRep.IO includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the EmailRep.IO API, please refer to the EmailRep API reference.

Reader Note

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring EmailRep.IO to Work with D3 SOAR for details.

Check Email Reputation

Retrieves reputation information for specified email addresses, including the identification of malicious activities and verification for potential data breaches.

Input

Input Parameter	Required /Optional	Description	Example
Emails	Required	The email addresses to retrieve reputation information.	["sample@test.com"]
Human-readable Summary	Optional	The option to include a human-readable summary of the reputation information for the specified email addresses in the response data.	False

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "results": [
        {
            "email": "sample@test.com",
            "reputation": "low",
            "suspicious": false,
            "references": 1,
            "details": {
                "blacklisted": false,
                "malicious_activity": false,
                "malicious_activity_recent": false,
                "credentials_leaked": false,
                "credentials_leaked_recent": false,
                "data_breach": false,
                "first_seen": "never",
                "last_seen": "never",
                "domain_exists": true,
                "domain_reputation": "n/a",
                "new_domain": false,
                "days_since_domain_creation": 10147,
                "suspicious_tld": false,
                "spam": false,
                "free_provider": true,
                "disposable": false,
                "deliverable": true,
                "accept_all": false,
                "valid_mx": true,
                "primary_mx": "***.com",
                "spoofable": true,
                "spf_strict": true,
                "dmarc_enforced": false,
                "profiles": [
                    "twitter"
                ]
            }
        }
    ],
    "D3Errors": []
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "Emails": [
        "sample@test.com"
    ],
    "RiskLevels": [
        3
    ],
    "RiskNames": [
        "Low"
    ]
}

Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE

[
    {
        "email": "example@test.com",
        "riskLevel": 1,
        "RawData": {
            "email": "example@test.com",
            "reputation": "none",
            "suspicious": true,
            "references": 0,
            "details": {
                "blacklisted": false,
                "malicious_activity": false,
                "malicious_activity_recent": false,
                "credentials_leaked": false,
                "credentials_leaked_recent": false,
                "data_breach": false,
                "first_seen": "never",
                "last_seen": "never",
                "domain_exists": true,
                "domain_reputation": "n/a",
                "new_domain": false,
                "days_since_domain_creation": 10162,
                "suspicious_tld": false,
                "spam": false,
                "free_provider": true,
                "disposable": false,
                "deliverable": true,
                "accept_all": false,
                "valid_mx": true,
                "primary_mx": "***.com",
                "spoofable": true,
                "spf_strict": true,
                "dmarc_enforced": false,
                "profiles": []
            },
            "summary": "Suspicious. We have not observed this email address on the internet, it is a free provider, and it has no profiles on major services like LinkedIn, Facebook, and iCloud. A lack of digital presence may simply indicate a new email address, but is typically suspicious. ",
            "riskLevel": 1,
            "riskLevelName": "High"
        },
        "BeautifiedHtml": "  Type  IndicatorReputationMXD3 Risk LevelEmail ***@gmail.***.google.com1",
        "reputation": "none"
    }
]

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE

No Sample Data

D3-defined Risk Levels

The table below lists the possible output risk levels and their corresponding names in Return Data, Raw Data and Key Fields:

Risk Level	Risk Name
1	High
2	Medium
3	Low
4	Default
5	ZeroRisk

Error Handling

If the Return Data is Error, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Check Email Reputation failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Multiple Errors found, please check them in D3Errors list in Raw Data for multiple errors summary.

Error Sample Data

Check Email Reputation failed.

Status Code: 400.

Message: Multiple Errors found, please check them in D3Errors list in Raw Data for multiple errors summary.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE

Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Test Connection failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Reason: Unauthorized

Error Sample Data

Test Connection failed

Status Code: 401.

Message: Reason: Unauthorized