Defang

Defang and Refang IoCs

Overview

This node performs "defanging" and "refanging" of Indicators of Compromise (IoCs). Defanging is the process of altering potentially malicious URLs, IPs, or other indicators to prevent accidental activation or execution, typically by replacing certain characters. Refanging reverses this process, restoring the original form of the IoC.

Common scenarios include:

  • Safely sharing suspicious URLs or IP addresses in reports or communications without risk of accidental clicks.
  • Preparing data for automated processing by converting defanged IoCs back to their usable form.

For example, a URL like http://malicious.com might be defanged to hxxp://malicious[.]com to prevent accidental navigation, and later refanged back when needed for analysis or blocking.

Properties

| Name | Meaning |
| --- | --- |
| Operation | Choose between "Defang" (convert IoCs to safe format) or "Refang" (restore original IoCs). |
| Value | The string value containing the IoC to be defanged or refanged. |
| Property Name | The JSON property path where the output will be written. Supports dot-notation (e.g., data.person[0].name). |

Output

The node outputs an array of items with the same structure as the input but with the specified property updated to the defanged or refanged value.

  • Each item contains a json field where the transformed value is set at the user-defined property path.
  • If the input item contains binary data, it is preserved and copied to the output unchanged.
  • No additional fields are added beyond the modified JSON and preserved binary data.
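
The defang/refang round trip from the Overview and the write to a dot-notation property path, as an added JavaScript example; it is not the node's code or the library it depends on. The names defang, refang, setPath and transformItem and the operation strings are assumptions, and only the two substitutions shown on this page (hxxp scheme, "[.]" dots) are implemented.

```javascript
// Added example, not the node's own library. Covers only the two conventions
// shown on this page: http(s):// -> hxxp(s):// and "." -> "[.]".
function assertValue(value) {
  if (typeof value !== 'string' || value === '') {
    throw new TypeError('Value must be a non-empty string');
  }
}
function defang(value) {
  assertValue(value);
  return value
    .replace(/\bhttp(s?):\/\//gi, 'hxxp$1://')
    .replace(/\[\.\]|\./g, '[.]'); // an existing "[.]" is not bracketed twice
}

function refang(value) {
  assertValue(value);
  return value
    .replace(/\bhxxp(s?):\/\//gi, 'http$1://')
    .replace(/\[\.\]/g, '.');
}

// Hypothetical helper: write val at a path such as "data.person[0].name",
// creating intermediate objects or arrays as needed.
function setPath(target, path, val) {
  const keys = String(path).match(/[^.[\]]+/g);
  if (!keys) throw new Error(`Invalid property path: "${path}"`);
  // Refuse keys that would reach the prototype chain.
  if (keys.some((k) => ['__proto__', 'constructor', 'prototype'].includes(k))) {
    throw new Error(`Unsafe property path: "${path}"`);
  }
  let node = target;
  keys.forEach((key, i) => {
    if (i === keys.length - 1) { node[key] = val; return; }
    if (node[key] === null || typeof node[key] !== 'object') {
      node[key] = /^\d+$/.test(keys[i + 1]) ? [] : {};
    }
    node = node[key];
  });
  return target;
}

// Mirrors the Output section: same item shape, one property set, binary kept.
function transformItem(item, operation, value, propertyName) {
  const fn = operation === 'refang' ? refang : defang;
  const out = { json: JSON.parse(JSON.stringify(item.json)) };
  setPath(out.json, propertyName, fn(value));
  if (item.binary) out.binary = item.binary;
  return out;
}
```

Because defang leaves an existing "[.]" alone, running it twice on the same value gives the same result as running it once.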

Dependencies

  • Uses an external library specialized in defanging and refanging IoCs.
  • Utilizes a utility library for safely setting nested properties within JSON objects.
  • No external API keys or credentials are required.

Troubleshooting

  • Invalid JSON Path: If the provided property name uses incorrect dot-notation or points to a non-existent path, the node may fail to set the output property correctly.
  • Malformed Input Value: Passing an empty or malformed string as the value to defang/refang may result in unexpected output or errors.
  • Error Handling: If an error occurs during transformation, the node either throws an error or continues processing based on the workflow's "Continue On Fail" setting.
  • Common Error Messages:
    • Errors related to invalid input strings or unsupported formats from the defang/refang library.
    • JSON parsing or property setting errors if the property path is invalid.

To resolve these issues:

  • Ensure the "Value" property contains a valid string representing the IoC.
  • Verify the "Property Name" uses correct dot-notation syntax.
  • Use the "Continue On Fail" option to handle problematic items gracefully.
