Abuse URLhaus
The Abuse.ch URLhaus connector gives Swimlane Turbine automated access to URLhaus, a threat-intelligence service run by abuse.ch that tracks and shares URLs known to distribute malware. With it, playbooks can query URLhaus for malicious URLs, hosts, and malware samples (by hash) and use the results directly in incident-response and threat-hunting workflows: enrich an indicator at triage time, pivot from a URL to the payloads it served, or from a payload hash back to every URL that delivered it.

## Prerequisites

To use the Abuse URLhaus connector with Swimlane, you need a Host URL authentication with the following parameters:

- **URL**: the endpoint of the Abuse.ch URLhaus API service
- **Auth Key**: your personal authentication key for the Abuse.ch URLhaus API

## Capabilities

The Abuse.ch URLhaus integration provides the following lookups:

- URL
- Host (hostname, domain, or IP address)
- MD5 hash
- SHA256 hash

## Configurations

### Abuse URLhaus Authentication

Authenticates against the URLhaus API using a host URL and an auth key.

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | URL of the target host | string | Required |
| Auth Key | Authentication key for accessing the API | string | Required |
| Verify SSL | Verify the server's SSL/TLS certificate (leave enabled unless you intercept TLS with a trusted proxy) | boolean | Optional |
| HTTP Proxy | Proxy to route requests through | string | Optional |

## Actions

### Lookup Hash

Retrieve details for a specified MD5 or SHA256 hash from Abuse.ch URLhaus, including the URLs that served the sample and related malware metadata.

- Endpoint URL: `v1/payload`
- Method: `POST`

**Input**

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | object | Required | Request body; supply `md5_hash` or `sha256_hash` |
| data_body.md5_hash | string | Optional | MD5 hash of the payload to look up |
| data_body.sha256_hash | string | Optional | SHA256 hash of the payload to look up |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| query_status | string | Query status value (`ok` when the hash is known) |
| md5_hash | string | MD5 hash of the payload |
| sha256_hash | string | SHA256 hash of the payload |
| file_type | string | File type of the payload |
| file_size | string | File size in bytes (returned as a string) |
| signature | string | Malware family / signature name |
| firstseen | string | When the payload was first seen |
| lastseen | string | When the payload was last seen |
| url_count | string | Number of URLs that served this payload (returned as a string) |
| urlhaus_download | string | URLhaus download URL for the sample |
| virustotal | object | VirusTotal result (null when unavailable) |
| imphash | object | Import hash of the sample (null when unavailable) |
| ssdeep | object | ssdeep fuzzy hash (null when unavailable) |
| tlsh | object | TLSH hash (null when unavailable) |
| urls | array | URLs that served this payload |
| urls[].url_id | string | URLhaus ID of the URL |
| urls[].url | string | The URL |
| urls[].url_status | string | Whether the URL is currently online or offline |
| urls[].urlhaus_reference | string | Link to the URLhaus entry for the URL |
| urls[].filename | string | Filename the payload was served under |
| urls[].firstseen | string | When the URL was first seen |
| urls[].lastseen | object | When the URL was last seen |

Note that numeric fields such as `file_size` and `url_count` are delivered as strings; convert them before comparing or summing them in a playbook.

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 08 Dec 2022 18:15:26 GMT",
      "Server": "Apache",
      "Strict-Transport-Security": "max-age=15768000 ; includeSubDomains",
      "Permissions-Policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-med...",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanag...",
      "Expect-CT": "enforce, max-age=86400",
      "Cross-Origin-Embedder-Policy": "require-corp; report-to=\"default\"",
      "Cross-Origin-Opener-Policy": "same-origin; report-to=\"default\"",
      "Cross-Origin-Resource-Policy": "same-site",
      "X-Content-Type-Options": "nosniff",
      "X-Frame-Options": "SAMEORIGIN",
      "X-XSS-Protection": "1; mode=block",
      "Content-Type": "application/json",
      "Keep-Alive": "timeout=5, max=100"
    },
    "reason": "OK",
    "json_body": {
      "query_status": "ok",
      "md5_hash": "12c8aec5766ac3e6f26f2505e2f4a8f2",
      "sha256_hash": "01fa56184fcaa42b6ee1882787a34098c79898c182814774fd81dc18a6af0b00",
      "file_type": "doc",
      "file_size": "174928",
      "signature": "Heodo",
      "firstseen": "2019-01-19 01:27:04",
      "lastseen": "2019-01-19 02:11:26",
      "url_count": "138",
      "urlhaus_download": "https://urlhaus-api.abuse.ch/v1/download/01fa56184fcaa42b6ee1882787a34098c79898c...",
      "virustotal": null,
      "imphash": null,
      "ssdeep": null,
      "tlsh": null,
      "urls": []
    }
  }
]
```

### Lookup IP, Host or Domain

Retrieve the URLhaus threat data for an IP address, hostname, or domain. The query is sent in the request body.

- Endpoint URL: `v1/host`
- Method: `POST`

**Input**

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | object | Required | Request body |
| data_body.host | string | Required | IP address, hostname, or domain to look up |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Raw response body as text |

Unlike the other two actions, this one returns the raw body in `response_text` rather than parsed fields, so a playbook has to parse it itself. The example below shows an HTTP 200 with `Content-Length: 0` and an empty `response_text`; treat an empty body as "no data returned", never as evidence that the host is clean.

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 08 Dec 2022 14:44:53 GMT",
      "Server": "Apache",
      "Strict-Transport-Security": "max-age=15768000 ; includeSubDomains",
      "Permissions-Policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-med...",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanag...",
      "Expect-CT": "enforce, max-age=86400",
      "Cross-Origin-Embedder-Policy": "require-corp; report-to=\"default\"",
      "Cross-Origin-Opener-Policy": "same-origin; report-to=\"default\"",
      "Cross-Origin-Resource-Policy": "same-site",
      "X-Content-Type-Options": "nosniff",
      "X-Frame-Options": "SAMEORIGIN",
      "X-XSS-Protection": "1; mode=block",
      "Content-Length": "0",
      "Content-Type": "application/json"
    },
    "reason": "OK",
    "response_text": ""
  }
]
```

### Lookup URL

Retrieve details, current status, and related data (blacklist status, reporter, payloads) for a specific URL from Abuse.ch URLhaus.

- Endpoint URL: `v1/url`
- Method: `POST`

**Input**

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | object | Required | Request body |
| data_body.url | string | Required | The URL to look up |

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| query_status | string | Query status value (`ok` when the URL is known) |
| id | string | URLhaus ID of the URL |
| urlhaus_reference | string | Link to the URLhaus entry for the URL |
| url | string | The URL |
| url_status | string | Whether the URL is currently online or offline |
| host | string | Host part of the URL |
| date_added | string | When the URL was added to URLhaus |
| last_online | string | When the URL was last seen online |
| threat | string | Threat type (for example `malware_download`) |
| blacklists | object | Blacklist status of the host |
| blacklists.spamhaus_dbl | string | Spamhaus DBL status |
| blacklists.surbl | string | SURBL status |
| reporter | string | Who reported the URL |
| larted | string | Whether an abuse report was sent to the hosting provider |
| takedown_time_seconds | string | Seconds between addition and takedown |
| tags | array | Tags attached to the URL |
| payloads | array | Payloads observed at the URL |
| payloads[].firstseen | string | When the payload was first seen |
| payloads[].filename | string | Filename of the payload |
| payloads[].file_type | string | File type of the payload |
| payloads[].response_size | string | Size of the payload in bytes |
| payloads[].response_md5 | string | MD5 hash of the payload |
| payloads[].response_sha256 | string | SHA256 hash of the payload |

A `url_status` of `offline` only means the URL was unreachable at the last check; it is still a URL that URLhaus recorded as distributing malware, so do not treat "offline" as benign.

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 08 Dec 2022 18:12:24 GMT",
      "Server": "Apache",
      "Strict-Transport-Security": "max-age=15768000 ; includeSubDomains",
      "Permissions-Policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-med...",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanag...",
      "Expect-CT": "enforce, max-age=86400",
      "Cross-Origin-Embedder-Policy": "require-corp; report-to=\"default\"",
      "Cross-Origin-Opener-Policy": "same-origin; report-to=\"default\"",
      "Cross-Origin-Resource-Policy": "same-site",
      "X-Content-Type-Options": "nosniff",
      "X-Frame-Options": "SAMEORIGIN",
      "X-XSS-Protection": "1; mode=block",
      "Content-Type": "application/json",
      "Keep-Alive": "timeout=5, max=100"
    },
    "reason": "OK",
    "json_body": {
      "query_status": "ok",
      "id": "105821",
      "urlhaus_reference": "https://urlhaus.abuse.ch/url/105821/",
      "url": "http://sskymedia.com/vmyb ht jaqo gi/inv/99401forpo/20673114777/us/outstanding i...",
      "url_status": "offline",
      "host": "sskymedia.com",
      "date_added": "2019-01-19 01:33:26 UTC",
      "last_online": "2019-01-21 16:xx:xx UTC",
      "threat": "malware_download",
      "blacklists": {},
      "reporter": "Cryptolaemus1",
      "larted": "true",
      "takedown_time_seconds": "225385",
      "tags": [],
      "payloads": []
    }
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Connection | HTTP response header Connection | keep-alive |
| Content-Length | Length of the response body in bytes | 0 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com:443 https://www.googletagmanager.com:443 ; img-src 'self' data: https://www.google-analytics.com:443 https://www.google-analytics.com:443 ; style-src 'self'; object-src 'none' |
| Content-Type | Media type of the resource | application/json |
| Cross-Origin-Embedder-Policy | HTTP response header Cross-Origin-Embedder-Policy | require-corp; report-to="default" |
| Cross-Origin-Opener-Policy | HTTP response header Cross-Origin-Opener-Policy | same-origin; report-to="default" |
| Cross-Origin-Resource-Policy | HTTP response header Cross-Origin-Resource-Policy | same-site |
| Date | Date and time at which the message was originated | Thu, 08 Dec 2022 18:15:26 GMT |
| Expect-CT | HTTP response header Expect-CT | enforce, max-age=86400 |
| Keep-Alive | HTTP response header Keep-Alive | timeout=5, max=100 |
| Permissions-Policy | HTTP response header Permissions-Policy | accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=() |
| Referrer-Policy | HTTP response header Referrer-Policy | strict-origin-when-cross-origin |
| Server | Software used by the origin server | Apache |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=15768000 ; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |

## Notes

- URLhaus API: https://urlhaus-api.abuse.ch/
- This connector was last tested against product version v1 API.
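The following Python is an added example, not Swimlane's or abuse.ch's own code. It shows what a playbook around the three actions above has to get right: validating the indicator before it is sent (routing a hash to `md5_hash` or `sha256_hash` by its length), sending the Auth Key with every request, and classifying the reply, including the empty-body case shown in the host lookup example and the string-typed counts in the hash lookup. The HTTP layer is a pluggable `post` callable so the module runs offline against constructed canned responses modelled on the page's examples; the `Auth-Key` header name, the trailing slash on the endpoint paths, and the `fake_post` transport are assumptions, not taken from the page.

```python
# Added example, not Swimlane's or abuse.ch's code. It validates indicators,
# builds the body for each action above, sends it through a pluggable post()
# and classifies the reply. Network access is replaced by constructed canned
# responses modelled on the page's examples, so it runs offline. Assumed (not
# from the page): the "Auth-Key" header name and the trailing slash on paths.
import json
import re
from typing import Any, Callable, Dict, Tuple

URLHAUS_API = "https://urlhaus-api.abuse.ch/"  # base URL from the Notes section
ENDPOINTS = {"hash": "v1/payload/", "host": "v1/host/", "url": "v1/url/"}
_MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)
_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)


def request_body(kind: str, value: str) -> Dict[str, str]:
    """Validate one indicator and build the request body for the chosen action."""
    value = value.strip()
    if not value:
        raise ValueError("empty indicator")
    if kind == "hash":  # route by digest length; junk never reaches the API
        if _MD5.match(value):
            return {"md5_hash": value.lower()}
        if _SHA256.match(value):
            return {"sha256_hash": value.lower()}
        raise ValueError("expected a 32-hex MD5 or a 64-hex SHA256")
    if kind == "host":
        if "/" in value or " " in value:  # looks like a URL, not a bare host
            raise ValueError("host must be a bare hostname, domain or IP")
        return {"host": value}
    if kind == "url":
        return {"url": value}
    raise ValueError(f"unknown lookup kind {kind!r}")


def parse_response(status_code: int, text: str) -> Dict[str, Any]:
    """Turn a raw reply into a verdict a playbook can branch on: query_status
    "ok", a non-ok query_status, or the empty body seen in the host example."""
    if status_code != 200:
        return {"verdict": "http_error", "status_code": status_code}
    if not text.strip():
        return {"verdict": "empty"}  # no data was returned; never read as "clean"
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return {"verdict": "unparseable", "raw": text[:200]}
    status = data.get("query_status")
    return {"verdict": "ok" if status == "ok" else (status or "unknown"), "data": data}


def summarize_hash(data: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a v1/payload reply; url_count arrives as a string in the API output."""
    urls = data.get("urls") or []
    return {
        "signature": data.get("signature"),
        "file_type": data.get("file_type"),
        "url_count": int(data.get("url_count") or 0),
        "online_urls": sum(1 for u in urls if u.get("url_status") == "online"),
    }


def summarize_url(data: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a v1/url reply; "offline" means down right now, not benign."""
    payloads = data.get("payloads") or []
    return {
        "online": data.get("url_status") == "online",
        "threat": data.get("threat"),
        "payload_sha256": [p["response_sha256"] for p in payloads if p.get("response_sha256")],
    }


def lookup(kind: str, value: str, auth_key: str,
           post: Callable[..., Tuple[int, str]]) -> Dict[str, Any]:
    """Run one action. post(url, data, headers) returns (status_code, text); in
    production wrap requests.post(url, data=data, headers=headers)."""
    headers = {"Auth-Key": auth_key}  # assumed header name for the Auth Key parameter
    status, text = post(URLHAUS_API + ENDPOINTS[kind], request_body(kind, value), headers)
    return parse_response(status, text)


# Constructed canned replies modelled on the three examples on this page.
_CANNED = {
    "v1/payload/": json.dumps({
        "query_status": "ok", "md5_hash": "12c8aec5766ac3e6f26f2505e2f4a8f2",
        "sha256_hash": "01fa56184fcaa42b6ee1882787a34098c79898c182814774fd81dc18a6af0b00",
        "file_type": "doc", "signature": "Heodo", "url_count": "138",
        "urls": [{"url_status": "offline"}]}),
    "v1/host/": "",  # the host example returned 200 with an empty body
    "v1/url/": json.dumps({"query_status": "ok", "id": "105821", "url_status": "offline",
                           "host": "sskymedia.com", "threat": "malware_download", "payloads": []}),
}


def fake_post(url: str, data: Dict[str, str], headers: Dict[str, str]) -> Tuple[int, str]:
    """Offline stand-in for the HTTP layer; refuses requests without an Auth-Key."""
    if not headers.get("Auth-Key"):
        return 401, ""
    return 200, _CANNED[url[len(URLHAUS_API):]]
```

Usage: `summarize_hash(lookup("hash", "12c8aec5766ac3e6f26f2505e2f4a8f2", key, fake_post)["data"])` yields the signature, file type and URL counts from the canned payload reply, while `lookup("host", "sskymedia.com", key, fake_post)` returns the `empty` verdict that mirrors the host example above. Swap `fake_post` for a thin wrapper around `requests.post` to run it against the live API.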