Overview
This node provides functionality to "defang" or "refang" Indicators of Compromise (IoCs) within input data. Defanging is a common security practice where potentially dangerous strings such as URLs, IP addresses, or file hashes are altered to prevent accidental execution or clicking, while refanging reverses this process to restore the original values.
Typical use cases include:
- Sanitizing threat intelligence data before sharing or displaying it in reports.
- Preparing IoCs for safe handling in automated workflows.
- Reverting sanitized data back to its original form for further processing or investigation.
For example, a URL like http://malicious.com can be defanged to hxxp://malicious[.]com to prevent accidental access, and later refanged back when needed.
Properties
Name | Meaning |
---|---|
Operation | Choose between "Defang" (sanitize IoCs) or "Refang" (restore original IoCs). |
Value | The string value that should be defanged or refanged depending on the selected operation. |
Property Name | The dot-notation path specifying where to write the output in the JSON object (e.g., data.person[0].name). |
Output
The node outputs an array of items with the same structure as the input but with the specified property updated to the defanged or refanged value.
- Each item contains a json field reflecting the modified data.
- Binary data from the input is preserved and passed through unchanged.
- The output property specified by "Property Name" will contain the transformed string.
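The transformation and output write described above, as an added JavaScript example (not the node's source and not the fanger library's rule set). The functions defang, refang, setPath and processItem are hypothetical stand-ins for fanger and lodash's set, and the sample item is constructed.

```javascript
// Added example: simplified rules, not the fanger library's implementation.
function defang(value) {
  return String(value)
    .replace(/\bhttp(s?):\/\//gi, 'hxxp$1://') // http -> hxxp, https -> hxxps
    .replace(/(?<!\[)\.(?!\])/g, '[.]');       // skip dots already bracketed
}

function refang(value) {
  return String(value)
    .replace(/\bhxxp(s?):\/\//gi, 'http$1://')
    .replace(/\[\.\]/g, '.');
}

// Hypothetical stand-in for lodash's set(): write value at a dot-notation path.
function setPath(obj, path, value) {
  const keys = String(path).replace(/\[(\d+)\]/g, '.$1').split('.').filter(Boolean);
  if (keys.length === 0) throw new Error('empty property path');
  // Refuse keys that would write into the prototype chain.
  if (keys.some((k) => ['__proto__', 'constructor', 'prototype'].includes(k))) {
    throw new Error(`unsafe property path: ${path}`);
  }
  let node = obj;
  keys.forEach((key, i) => {
    if (i === keys.length - 1) { node[key] = value; return; }
    if (node[key] === null || typeof node[key] !== 'object') {
      node[key] = /^\d+$/.test(keys[i + 1]) ? [] : {}; // array for numeric next key
    }
    node = node[key];
  });
  return obj;
}

// Mirrors the documented output: json updated at propertyName, binary untouched.
function processItem(item, operation, value, propertyName) {
  const ops = { defang, refang };
  if (!Object.prototype.hasOwnProperty.call(ops, operation)) {
    throw new Error(`unknown operation: ${operation}`);
  }
  const json = JSON.parse(JSON.stringify(item.json)); // do not mutate the input item
  setPath(json, propertyName, ops[operation](value));
  return { json, binary: item.binary };
}

// Constructed sample item; the URL is the one used in the overview.
const sample = { json: { source: 'report-1' }, binary: { data: 'unchanged' } };
const out = processItem(sample, 'defang', 'http://malicious.com', 'data.person[0].name');
console.log(JSON.stringify(out.json));
```

Because the dot rule skips dots that are already bracketed, running defang on an already defanged value leaves it unchanged, so a workflow that sanitizes twice does not corrupt the indicator.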
Dependencies
- Uses the external library fanger for defanging and refanging operations.
- Uses lodash for setting nested properties in the JSON output.
- No external API keys or credentials are required.
Troubleshooting
- Common issues:
  - Invalid JSON paths in "Property Name" may cause the output to not update as expected.
  - Providing empty or malformed input strings in "Value" will result in no meaningful transformation.
- Error messages:
  - Errors during defang/refang transformations will throw exceptions unless "Continue On Fail" is enabled.
  - If an error occurs, the node either stops execution or returns the error details per item based on configuration.
Links and References
- Fanger GitHub Repository – Library used for defanging and refanging IoCs.
- Indicator of Compromise (IoC) Definition – Background on IoCs and their usage in cybersecurity.