From b0be965e576a1fb8e02d36bc4a34ecde5d967e4b Mon Sep 17 00:00:00 2001
From: SuRb0 <1809870+surbo@users.noreply.github.com>
Date: Thu, 30 Aug 2018 19:41:34 -0500
Subject: [PATCH] Update urlscan.py

Added hash to the search so you can take advantage of the new file down load function on urlscan.io.  You can use this to pivot on file hashes and find out domains that hosting the same malicious file.
---
 misp_modules/modules/expansion/urlscan.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/misp_modules/modules/expansion/urlscan.py b/misp_modules/modules/expansion/urlscan.py
index a0adc25..ecd1a50 100644
--- a/misp_modules/modules/expansion/urlscan.py
+++ b/misp_modules/modules/expansion/urlscan.py
@@ -22,8 +22,8 @@ moduleinfo = {
 moduleconfig = ['apikey']
 misperrors = {'error': 'Error'}
 mispattributes = {
-    'input': ['hostname', 'domain', 'url'],
-    'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url', 'text', 'link']
+    'input': ['hostname', 'domain', 'url', 'hash'],
+    'output': ['hostname', 'domain', 'ip-src', 'ip-dst', 'url', 'text', 'link', 'hash']
 }
 
 
@@ -49,6 +49,8 @@ def handler(q=False):
         r['results'] += lookup_indicator(client, request['hostname'])
     if 'url' in request:
         r['results'] += lookup_indicator(client, request['url'])
+    f 'hash' in request:
+        r['results'] += lookup_indicator(client, request['hash'])
 
     # Return any errors generated from lookup to the UI and remove duplicates