URLhaus Malware Distribution URL Lookup Data Adapter

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

URLhaus is a project operated by abuse.ch that collects, tracks, and shares URLs associated with malware distribution. Creating a URLhaus Malware Distribution URL Lookup data adapter in Graylog allows you to enrich log messages with information about URLs known to distribute malware as listed by URLhaus.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must have a valid Graylog Enterprise license.

Configure the Data Adapter

You can create a data adapter during the lookup table creation workflow, or create one separately on the Data Adapters tab.

Configuration

The following configuration options are available for this data adapter:

Title

A short and unique title for this data adapter.

Description

Data adapter description.

Name

The name used to refer to this data adapter. This should be something unique and recognizable within your Graylog environment.

Custom Error TTL

Time-to-live for custom error messages in seconds. This controls how long custom error responses are cached. If no value is specified, the default is 5 seconds.

URLhaus Feed Type

URLhaus provides different types of feeds, typically in CSV format, that contain URLs associated with malware distribution. Select a feed type from the drop-down menu, or specify the exact URL or endpoint from which Graylog should fetch the data. The available feed types are:

  • Online URLs: the smaller data set, which includes only URLs that are currently detected as online.

  • Recently Added URLs: the larger data set, which includes all online and offline URLs added in the last 30 days.

Choose the feed type based on your preference and on which data set best integrates with your Graylog setup.

Refresh Interval (seconds)

This parameter specifies how frequently Graylog should fetch the URLhaus feed to update its lookup table data. For example, setting this to 86400 seconds (which is 24 hours) means Graylog will fetch the feed once every day. Adjust this interval based on how frequently the URLhaus feed updates and how quickly you need the data refreshed in Graylog. The minimum refresh interval is 300 seconds (5 minutes).

Case Insensitive Lookup

Enable this option if you want Graylog to perform case-insensitive lookups when matching URLs against the URLhaus feed. This can be useful if URLs in your logs vary in case (e.g. https://example.com/Page vs https://example.com/page).

Example URLhaus Malware Distribution URL Lookup Output

The example below shows the kind of data returned when a URL in your log message matches an entry in the URLhaus Malware Distribution URL Lookup Data Adapter. This output represents a successful lookup of a known malware distribution URL as listed by the URLhaus threat intelligence feed.

{
  "single_value": "2024-07-12 20:44:07",
  "multi_value": {
    "date_added": "2024-07-12T20:44:07.000+0000",
    "url_status": "online",
    "threat_type": "2024-07-12 20:44:07",
    "tags": [
      "malware_download"
    ],
    "url": "<url>",
    "urlhaus_link": "32-bit,elf,mips,Mozi"
  },
  "string_list_value": null,
  "has_error": false,
  "ttl": 9223372036854776000
}
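To make the behaviour of the Case Insensitive Lookup option and the shape of the lookup output concrete, here is an added, stand-alone Python model of what the adapter does (example code written for this page, not Graylog's implementation). It assumes the column layout of the URLhaus CSV feeds (id, dateadded, url, url_status, last_online, threat, tags, urlhaus_link, reporter), maps the feed's threat and tags columns onto threat_type and tags, and uses a constructed two-line feed sample rather than a real download.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the assumed URLhaus CSV column layout; not real feed data.
SAMPLE_FEED = """\
# constructed sample, not a real URLhaus export
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"3000001","2024-07-12 20:44:07","http://198.51.100.23/bin.sh","online","2024-07-12 20:44:07","malware_download","32-bit,elf,mips,Mozi","https://urlhaus.abuse.ch/url/3000001/","example_reporter"
"3000002","2024-07-11 08:15:30","http://malware.example/Loader.exe","offline","2024-07-11 09:00:00","malware_download","exe,Loader","https://urlhaus.abuse.ch/url/3000002/","example_reporter"
"""

FIELDS = ["id", "date_added", "url", "url_status", "last_online",
          "threat", "tags", "urlhaus_link", "reporter"]


def parse_feed(text):
    """Return one dict per feed row, skipping the '#' comment lines."""
    rows = csv.reader(line for line in io.StringIO(text) if not line.startswith("#"))
    return [dict(zip(FIELDS, row)) for row in rows if len(row) == len(FIELDS)]


class UrlhausLookup:
    """Minimal model of the adapter: an index keyed by URL, optionally case-insensitive."""

    def __init__(self, feed_text, case_insensitive=False):
        self.case_insensitive = case_insensitive
        self.index = {self._key(e["url"]): e for e in parse_feed(feed_text)}

    def _key(self, url):
        # With the option enabled, both feed URLs and queried URLs are normalised.
        return url.lower() if self.case_insensitive else url

    def lookup(self, url):
        entry = self.index.get(self._key(url))
        if entry is None:
            return None  # no match for this URL in the loaded feed
        # date_added is rendered as ISO-8601 with a UTC offset, as in the output above.
        added = datetime.strptime(entry["date_added"], "%Y-%m-%d %H:%M:%S")
        added = added.replace(tzinfo=timezone.utc)
        return {
            "single_value": entry["date_added"],
            "multi_value": {
                "date_added": added.strftime("%Y-%m-%dT%H:%M:%S.000%z"),
                "url_status": entry["url_status"],
                "threat_type": entry["threat"],
                "tags": entry["tags"].split(",") if entry["tags"] else [],
                "url": entry["url"],
                "urlhaus_link": entry["urlhaus_link"],
            },
            "has_error": False,
        }
```

A query for http://malware.example/loader.exe matches only when the case-insensitive option is on, because the feed lists the path as Loader.exe.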

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: