URLhaus Malware URL Data Adapter
  • 24 May 2022
  • 1 Minute to read
  • Dark

URLhaus Malware URL Data Adapter

  • Dark

URLhaus is a project from abuse.ch which maintains a database of malicious URLs being used for malware distribution. When the data adapter is created, the appropriate data set will be downloaded and stored in MongoDB. New data sets will be fetched based on the configured Refresh Interval.


This is a Graylog Operations Integrations feature and is only available since Graylog version 4.1. A valid Graylog Operations license is required.

Sample Lookup Data

A lookup for the URL might produce the following output:

  "single_value": "malware_download",
  "multi_value": {
    "date_added": "2021-06-22T17:53:07.000+0000",
    "url_status": "online",
    "threat_type": "malware_download",
    "tags": "elf,Mozi",
    "url": "",
    "urlhaus_link": "https://urlhaus.abuse.ch/url/1234567/"
  "string_list_value": null,
  "has_error": false,
  "ttl": 9223372036854776000

Data Adapter Configuration

  • Title

    • A short title for the data adapter
  • Description

    • A description of the data adapter
  • Name

    • A unique name which will be used to refer to the data adapter
  • Custom Error TTL

    • Optional custom TTL for caching erroneous results. If no value is specified, the default value of 5 seconds will be used.
  • URLhaus Feed Type

    • This determines which URLhaus feed the data adapter will use

    • Online URLs is the smaller data set and includes only URLs that have been detected to be currently online

    • Recently Added URLs is the larger data set and includes all URLs added in the last 30 days whether online or offline

  • Refresh Interval - Determines how often new data will be fetched. The minimum refresh interval is 300 seconds (5 minutes) because that is how often the source data can be updated

  • Case Insensitive Lookups - When selected, this will allow the data adapter to perform case insensitive lookups

Was this article helpful?

What's Next