# Abuse URLhaus
The Abuse URLhaus connector facilitates automated access to a comprehensive database of URLs known to distribute malware, enabling enhanced threat intelligence and incident response.

abuse.ch URLhaus is a threat intelligence service that tracks and shares data on malicious URLs. The Abuse URLhaus connector for Swimlane Turbine enables users to query and retrieve detailed information about malware samples, malicious URLs, and associated threats directly within their security workflows. By integrating with abuse.ch URLhaus, Swimlane Turbine users can enhance their incident response and threat hunting capabilities with real-time data, streamline their security operations, and rapidly identify and mitigate cyber threats.

## Prerequisites

To effectively utilize the Abuse URLhaus connector with Swimlane, ensure you have the following prerequisites:

- Host URL authentication with the following parameters:
  - URL: the endpoint for the abuse.ch URLhaus API service
  - Auth Key: your personal authentication key for accessing the abuse.ch URLhaus API

## Capabilities

The abuse.ch URLhaus integration provides the following capabilities:

- Query URL
- Query host/IP
- Query MD5
- Query SHA256

## Notes

- API documentation: https://urlhaus-api.abuse.ch/
- This connector was last tested against product version v1.

## Configurations

### Abuse URLhaus Authentication

Authenticates using host URL.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Auth Key | The authentication key for accessing the API | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

Leave Verify SSL enabled unless you are deliberately routing through an inspecting proxy: with verification off, the Auth Key is sent to whatever host answers at the configured URL.

## Actions

### Lookup Hash

Retrieve details for a specified MD5 or SHA256 hash from abuse.ch URLhaus, including associated URLs and malware samples. Supply at least one of md5_hash or sha256_hash.

- Endpoint URL: v1/payload
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Request body |
| data_body.md5_hash | string | optional | MD5 hash of the payload to look up |
| data_body.sha256_hash | string | optional | SHA256 hash of the payload to look up |

Input example:

```json
{"data_body": {"md5_hash": "12c8aec5766ac3e6f26f2505e2f4a8f2", "sha256_hash": "01fa56184fcaa42b6ee1882787a34098c79898c182814774fd81dc18a6af0b00"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| query_status | string | Result status of the query (ok when the hash is known; no_results when it is not) |
| md5_hash | string | MD5 hash of the payload |
| sha256_hash | string | SHA256 hash of the payload |
| file_type | string | Type of the file |
| file_size | string | Size of the file |
| signature | string | Malware signature / family |
| firstseen | string | First time the payload was seen |
| lastseen | string | Last time the payload was seen |
| url_count | string | Number of URLs associated with the payload |
| urlhaus_download | string | URL to download the sample from URLhaus |
| virustotal | object | VirusTotal result |
| imphash | object | Import hash |
| ssdeep | object | ssdeep fuzzy hash |
| tlsh | object | TLSH hash |
| urls | array | URLs that served the payload |
| urls.url_id | string | URLhaus ID of the URL |
| urls.url | string | The URL |
| urls.url_status | string | Status of the URL (online, offline or unknown) |
| urls.urlhaus_reference | string | Link to the URLhaus entry for the URL |
| urls.filename | string | Filename served by the URL |
| urls.firstseen | string | First time the URL was seen |
| urls.lastseen | object | Last time the URL was seen |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"date": "Thu, 08 Dec 2022 18:15:26 GMT", "server": "Apache", "strict-transport-security": "max-age=15768000 ; includeSubDomains", "permissions-policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-med", "referrer-policy": "strict-origin-when-cross-origin", "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanag", "expect-ct": "enforce, max-age=86400", "cross-origin-embedder-policy
```

### Lookup IP, Host or Domain

Retrieve detailed threat analysis for an IP address, hostname, or domain from abuse.ch URLhaus. The action requires a data_body input.

- Endpoint URL: v1/host
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Request body |
| data_body.host | string | required | IPv4/IPv6 address or domain name to look up |

Input example:

```json
{"data_body": {"host": "185.141.25.242"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Raw response body |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"date": "Thu, 08 Dec 2022 14:44:53 GMT", "server": "Apache", "strict-transport-security": "max-age=15768000 ; includeSubDomains", "permissions-policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-med", "referrer-policy": "strict-origin-when-cross-origin", "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanag", "expect-ct": "enforce, max-age=86400", "cross-origin-embedder-policy
```

### Lookup URL

Retrieve detailed information, status, and related data for a specific URL from abuse.ch URLhaus. The lookup matches the stored URL exactly, so submit the URL as observed (scheme, host, path and case) and refang it first; a defanged or otherwise altered URL returns no result.

- Endpoint URL: v1/url
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | required | Request body |
| data_body.url | string | required | URL to look up |

Input example:

```json
{"data_body": {"url": "http://sskymedia.com/VMYB-ht_JAQo-gi/INV/99401FORPO/20673114777/US/Outstanding-Invoices/"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| query_status | string | Result status of the query (ok when the URL is known; no_results when it is not) |
| id | string | URLhaus ID of the URL |
| urlhaus_reference | string | Link to the URLhaus entry for the URL |
| url | string | The URL |
| url_status | string | Status of the URL (online, offline or unknown) |
| host | string | Host part of the URL |
| date_added | string | Date the URL was added to URLhaus |
| last_online | string | Last time the URL was seen online |
| threat | string | Threat type |
| blacklists | object | Blacklist status of the host |
| blacklists.spamhaus_dbl | string | Spamhaus DBL status |
| blacklists.surbl | string | SURBL status |
| reporter | string | Reporter of the URL |
| larted | string | Whether an abuse report was sent to the hosting provider |
| takedown_time_seconds | string | Time from report to takedown, in seconds |
| tags | array | Tags attached to the URL |
| payloads | array | Payloads served by the URL |
| payloads.firstseen | string | First time the payload was seen |
| payloads.filename | string | Name of the file |
| payloads.file_type | string | Type of the file |
| payloads.response_size | string | Size of the response |
| payloads.response_md5 | string | MD5 of the response |
| payloads.response_sha256 | string | SHA256 of the response |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"date": "Thu, 08 Dec 2022 18:12:24 GMT", "server": "Apache", "strict-transport-security": "max-age=15768000 ; includeSubDomains", "permissions-policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-med", "referrer-policy": "strict-origin-when-cross-origin", "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanag", "expect-ct": "enforce, max-age=86400", "cross-origin-embedder-policy
```

### Response headers

| Header | Description | Example |
| --- | --- | --- |
| Connection | HTTP response header Connection | keep-alive |
| Content-Length | The length of the response body in bytes | 0 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com:443; img-src 'self' data: https://www.google-analytics.com:443; style-src 'self'; object-src 'none' |
| Content-Type | The media type of the resource | application/json |
| Cross-Origin-Embedder-Policy | HTTP response header Cross-Origin-Embedder-Policy | require-corp; report-to="default" |
| Cross-Origin-Opener-Policy | HTTP response header Cross-Origin-Opener-Policy | same-origin; report-to="default" |
| Cross-Origin-Resource-Policy | HTTP response header Cross-Origin-Resource-Policy | same-site |
| Date | The date and time at which the message was originated | Thu, 08 Dec 2022 14:44:53 GMT |
| Expect-CT | HTTP response header Expect-CT | enforce, max-age=86400 |
| Keep-Alive | HTTP response header Keep-Alive | timeout=5, max=100 |
| Permissions-Policy | HTTP response header Permissions-Policy | accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=() |
| Referrer-Policy | HTTP response header Referrer-Policy | strict-origin-when-cross-origin |
| Server | Information about the software used by the origin server | Apache |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=15768000 ; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
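The three actions above all reduce to the same pattern: a POST with a form-encoded body to v1/payload, v1/host or v1/url on the API linked under Notes, and a JSON response whose query_status has to be read before any other field. The module below is an added example, not code from the Swimlane connector or from abuse.ch. It picks the endpoint and form field from the shape of an indicator, builds the data_body object in the layout of the input examples, and reduces a response to the handful of fields a playbook branches on, treating no_results as a valid "never seen" answer rather than a failure. The Auth-Key header name, the refanging rules, the hostname pattern, and the sample responses are assumptions and constructed data, not captured traffic.

```python
"""URLhaus v1 lookup helpers for the three actions documented above.

Added example, not Swimlane's or abuse.ch's code. Endpoint paths, form fields and
response fields follow the page; the Auth-Key header name, the refang rules, the
hostname pattern and the sample responses are assumptions / constructed data.
"""
import ipaddress
import re
import urllib.parse

BASE_URL = "https://urlhaus-api.abuse.ch/"  # from the Notes section
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)  # deliberately loose


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so the query matches what URLhaus stores."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", indicator.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def classify(indicator: str):
    """Choose the action from the indicator's shape: returns (endpoint, form field)."""
    if MD5_RE.match(indicator):
        return "v1/payload", "md5_hash"
    if SHA256_RE.match(indicator):
        return "v1/payload", "sha256_hash"
    if "://" in indicator:
        return "v1/url", "url"
    try:
        ipaddress.ip_address(indicator)  # accepts IPv4 and IPv6
        return "v1/host", "host"
    except ValueError:
        pass
    if HOSTNAME_RE.match(indicator):
        return "v1/host", "host"
    raise ValueError(f"unrecognised indicator: {indicator!r}")


def connector_input(indicator: str) -> dict:
    """data_body object in the shape of the page's input examples."""
    value = refang(indicator)
    return {"data_body": {classify(value)[1]: value}}


def build_request(indicator: str, auth_key: str, base_url: str = BASE_URL) -> dict:
    """The HTTP request behind the action: POST, form-encoded body, key sent in a header."""
    value = refang(indicator)
    endpoint, field = classify(value)
    return {
        "url": urllib.parse.urljoin(base_url, endpoint),
        "headers": {"Auth-Key": auth_key, "Accept": "application/json"},  # header name assumed
        "body": urllib.parse.urlencode({field: value}),
    }


def summarize(resp: dict) -> dict:
    """Reduce a response to what a playbook branches on. query_status comes first:
    "no_results" is a valid answer (never seen), not an error, and "ok" only says a
    record exists; the verdict is in url_status / threat / blacklists."""
    status = resp.get("query_status")
    if status != "ok":
        return {"known": False, "query_status": status}
    out = {"known": True, "query_status": "ok"}
    blacklists = resp.get("blacklists") or {}
    # any value other than "not listed" counts as a hit (assumed convention)
    out["blacklisted"] = sorted(k for k, v in blacklists.items() if v != "not listed")
    if "url_status" in resp:  # v1/url response
        out["indicator"] = resp.get("url")
        out["online"] = resp.get("url_status") == "online"
        out["threat"] = resp.get("threat")
        out["tags"] = resp.get("tags") or []
        out["payload_sha256"] = [p.get("response_sha256") for p in resp.get("payloads") or []]
    else:  # v1/payload and v1/host responses both carry url_count and a urls[] list
        out["indicator"] = resp.get("sha256_hash") or resp.get("host")
        out["signature"] = resp.get("signature")
        out["url_count"] = int(resp.get("url_count") or 0)  # documented as a string
        out["online_urls"] = [u["url"] for u in resp.get("urls") or [] if u.get("url_status") == "online"]
    return out


# Constructed sample responses in the page's field layout (not captured from URLhaus).
SAMPLE_URL = {
    "query_status": "ok", "url_status": "offline", "threat": "malware_download",
    "url": "http://sskymedia.com/VMYB-ht_JAQo-gi/INV/99401FORPO/20673114777/US/Outstanding-Invoices/",
    "blacklists": {"spamhaus_dbl": "not listed", "surbl": "listed"}, "tags": ["emotet"],
    "payloads": [{"response_sha256": "01fa56184fcaa42b6ee1882787a34098c79898c182814774fd81dc18a6af0b00"}],
}
SAMPLE_HOST = {
    "query_status": "ok", "host": "185.141.25.242", "url_count": "2",
    "blacklists": {"spamhaus_dbl": "not listed", "surbl": "not listed"},
    "urls": [{"url": "http://185.141.25.242/a.exe", "url_status": "online"},
             {"url": "http://185.141.25.242/b.exe", "url_status": "offline"}],
}
SAMPLE_NONE = {"query_status": "no_results"}
```

Sending the request is deliberately left to the connector (or to `urllib.request` / `requests` in a standalone script); the point of `build_request` is that the key goes in a header and the indicator in the form body, never in the query string where it would land in proxy logs. `summarize` converts url_count with `int()` because the page documents it as a string, and it keys the three response shapes on which top-level fields are present rather than on which action was called, so it can sit behind a single playbook step.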