Updated excavate to include the url_string in the description in orde…

…r to unique identify when a yara rule hits a URL.
blacklanternsecurity · Nov 8, 2024 · a32d759 · a32d759
1 parent 4a9a6f7
commit a32d759
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/bbot/modules/internal/excavate.py b/bbot/modules/internal/excavate.py
@@ -274,8 +274,12 @@ async def process(self, yara_results, event, yara_rule_settings, discovery_conte
                 description_string = (
                     f" with description: [{yara_rule_settings.description}]" if yara_rule_settings.description else ""
                 )
+                # Get URL from event if available
+                url = event.data.get("url", "") if hasattr(event, "data") else ""
+                url_string = f" on @{url}" if url else ""
+
                 event_data["description"] = (
-                    f"Custom Yara Rule [{self.name}]{description_string} Matched via identifier [{identifier}]"
+                    f"Custom Yara Rule [{self.name}]{description_string} Matched via identifier [{identifier}]{url_string}"
                 )
                 if yara_rule_settings.emit_match:
                     event_data["description"] += f" and extracted [{result}]"