From a32d759e62f8bc16b325ec08b7908d1c0aab3acb Mon Sep 17 00:00:00 2001
From: Aconite33
Date: Fri, 8 Nov 2024 11:34:55 -0700
Subject: [PATCH] Updated excavate to include the url_string in the description in order to unique identify when a yara rule hits a URL.
---
 bbot/modules/internal/excavate.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/bbot/modules/internal/excavate.py b/bbot/modules/internal/excavate.py
index bc777e66c..2c2ff6ef2 100644
--- a/bbot/modules/internal/excavate.py
+++ b/bbot/modules/internal/excavate.py
@@ -274,8 +274,12 @@ async def process(self, yara_results, event, yara_rule_settings, discovery_conte
 description_string = (
 f" with description: [{yara_rule_settings.description}]" if yara_rule_settings.description else ""
 )
+ # Get URL from event if available
+ url = event.data.get("url", "") if hasattr(event, "data") else ""
+ url_string = f" on @{url}" if url else ""
+
 event_data["description"] = (
- f"Custom Yara Rule [{self.name}]{description_string} Matched via identifier [{identifier}]"
+ f"Custom Yara Rule [{self.name}]{description_string} Matched via identifier [{identifier}]{url_string}"
 )
 if yara_rule_settings.emit_match:
 event_data["description"] += f" and extracted [{result}]"
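Review bot: The guard on the new `url = ...` line checks only that `event` has a `data` attribute, not that `data` is a mapping. If this module also receives events whose `data` is a plain string (not visible in the hunk), `.get` would raise `AttributeError` and abort handling of the YARA match. I would write `url = event.data.get("url", "") if isinstance(getattr(event, "data", None), dict) else ""`. The URL originates from scanned content and is appended unquoted as ` on @{url}`, while every other field in the description is bracketed. `url_string = f" on [{url}]" if url else ""` keeps the format consistent, and it is worth confirming that consumers of the description tolerate URLs carrying query-string tokens or control characters. `process` begins and ends outside this hunk.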