This is a Graylog Operations feature and is only available since Graylog v3.3+. A valid Graylog Operations license is required.

URLhaus is a project from that maintains a database of malicious URLs used for malware distribution. When you create the data adapter, URLhaus downloads and stores the appropriate data set in MongoDB. Refresh Interval configuration identifies when to fetch new sets.

Sample Lookup Data

A lookup for the URL might produce the following output:

  "single_value": "malware_download",
  "multi_value": {
    "date_added": "2021-06-22T17:53:07.000+0000",
    "url_status": "online",
    "threat_type": "malware_download",
    "tags": "elf,Mozi",
    "url": "",
    "urlhaus_link": ""
  "string_list_value": null,
  "has_error": false,
  "ttl": 9223372036854776000

Data Adapter Configuration

  • Title

    • A short title for the data adapter.
  • Description

    • A description of the data adapter.
  • Name

    • A unique name to refer to the data adapter.
  • Custom Error TTL

    • Optional custom TTL for caching erroneous results. If no value is specified, the default is 5 seconds.
  • URLhaus Feed Type

    • Determines which URLhaus feed the data adapter will use.

    • Online URLs is the smaller data set and includes only URLs that have been currently detected online.

    • Recently Added URLs is the larger data set and includes all online and offline URLs added in the last 30 days.

  • Refresh Interval - Determines how often new data is fetched. The minimum refresh interval is 300 seconds (5 minutes) because that is how often the source data can be updated.

  • Case Insensitive Lookups - allows the data adapter to perform case-insensitive lookups.