Fortinet Document Library

Malware Domain List

1.0.0

About the connector

Malware Domain List (MDL) is a non-commercial community project; its list can be used free of charge by anyone.

This document provides information about the Malware Domain List connector, which facilitates automated interactions with a Malware Domain List server using FortiSOAR™ playbooks. Add the Malware Domain List connector as a step in FortiSOAR™ playbooks to perform automated operations, such as retrieving the information MDL holds for a specified IP address or domain name.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 5.0.1-098

Authored By: Fortinet

Certified: Yes 

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, see the connector installation procedure in the FortiSOAR™ documentation.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered from a FortiSOAR™ repository, so you must first set up your FortiSOAR™ repository and then run the yum command as the root user:

yum install cyops-connector-malwaredomainlist

Prerequisites to configuring the connector

  • You must have the URL of the Malware Domain List server to which you will connect to look up the specified IP addresses and domains.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance. 

Configuring the connector

For the procedure to configure a connector, see the connector configuration procedure in the FortiSOAR™ documentation.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Malware Domain List connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter   Description
URL         URL of the Malware Domain List server to which you will connect to look up the specified IP addresses and domains.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:  

Function        Annotation      Category        Description
IP Lookup       ip_lookup       Investigation   Looks up the specified IP address on Malware Domain List and retrieves the information MDL holds for that IP address.
Domain Lookup   domain_lookup   Investigation   Looks up the specified domain on Malware Domain List and retrieves the information MDL holds for that domain name.

operation: IP Lookup

Input parameters

Parameter           Description
IP                  IP address that you want to look up and whose information you want to retrieve from Malware Domain List.
Limit (Optional)    Maximum number of results that this operation should return.

Output

The output is a list of records, one per matching Malware Domain List entry, each with the following JSON schema:

  [
    {
        "ip": "",
        "description": "",
        "asn": "",
        "domain": "",
        "dateutc": "",
        "reverselookup": ""
    }
  ]

operation: Domain Lookup

Input parameters

Parameter           Description
Domain              Name of the domain that you want to look up and whose information you want to retrieve from Malware Domain List.
Limit (Optional)    Maximum number of results that this operation should return.

Output

The output is a list of records, one per matching Malware Domain List entry, each with the following JSON schema:

  [
    {
        "ip": "",
        "description": "",
        "asn": "",
        "domain": "",
        "dateutc": "",
        "reverselookup": ""
    }
  ]
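The IP Lookup and Domain Lookup operations above return the same record shape, so one added example covers both. The Python below was written for this page and is not the FortiSOAR connector's own code: it models the two operations offline over a constructed MDL-style CSV and emits records with the connector's output fields (ip, description, asn, domain, dateutc, reverselookup). The nine-column feed layout, the sample rows, and the function names are assumptions; fetching the feed from the configured URL is left out so the block runs without network access.

```python
"""Offline model of the two Malware Domain List (MDL) connector operations,
IP Lookup and Domain Lookup, applied to a constructed MDL-style CSV.
Added example; this is not the FortiSOAR connector's own code."""
import csv
import io
import ipaddress
from typing import Dict, List, Optional

# ASSUMPTION: the MDL CSV export has nine columns in this order
# (date, domain[/path], ip, reverse lookup, description, registrant, asn,
# inactive, country).  The page does not document the feed layout.
MDL_COLUMNS = ("date", "domain", "ip", "reverselookup", "description",
               "registrant", "asn", "inactive", "country")

# Constructed sample rows: RFC 5737 test addresses, made-up hostnames,
# private-use ASNs.  Not real MDL data.
SAMPLE_MDL_CSV = '''\
"2017/12/06_11:40","pzfxjk.example/q4Rcr2GIxa","203.0.113.10","host10.example.net","Ransom.Cerber","-","64496","-","-"
"2017/11/30_08:15","update.example.org/dl/payload.exe","198.51.100.7","-","Trojan downloader","-","64497","-","-"
"2017/11/28_17:02","PZFXJK.example/other","203.0.113.10","host10.example.net","Ransom.Cerber","-","64496","-","-"
"2017/10/01_09:00","cdn.example.com","192.0.2.44","-","Exploit kit landing page","-","64498","-","-"
'''

Record = Dict[str, str]


def parse_mdl_csv(text: str) -> List[Record]:
    """Turn MDL CSV text into records keyed by the connector's output field names."""
    records: List[Record] = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(MDL_COLUMNS):
            continue  # skip blank or malformed rows instead of aborting the whole lookup
        raw = dict(zip(MDL_COLUMNS, row))
        records.append({
            "ip": raw["ip"],
            "description": raw["description"],
            "asn": raw["asn"],
            "domain": raw["domain"],
            "dateutc": raw["date"],
            "reverselookup": raw["reverselookup"],
        })
    return records


def validate_ip(value: str) -> Optional[str]:
    """Return the canonical form of an IPv4/IPv6 address, or None if it is not one."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def hostname_of(entry: str) -> str:
    """The domain column may carry a path ('host/dir/file'); compare on the host
    only, case-insensitively and without a trailing dot."""
    return entry.strip().split("/", 1)[0].rstrip(".").lower()


def _apply_limit(hits: List[Record], limit: Optional[int]) -> List[Record]:
    # Limit is optional: None or a non-positive value means "return everything".
    return hits[:limit] if limit is not None and limit > 0 else hits


def ip_lookup(records: List[Record], ip: str, limit: Optional[int] = None) -> List[Record]:
    """IP Lookup: exact match on the IP column.  A malformed address is rejected up
    front so a bad playbook variable cannot silently yield an empty 'clean' result."""
    target = validate_ip(ip)
    if target is None:
        raise ValueError(f"not a valid IP address: {ip!r}")
    return _apply_limit([r for r in records if r["ip"] == target], limit)


def domain_lookup(records: List[Record], domain: str, limit: Optional[int] = None) -> List[Record]:
    """Domain Lookup: match on the hostname part of the domain column."""
    target = hostname_of(domain)
    if not target:
        raise ValueError("empty domain name")
    return _apply_limit([r for r in records if hostname_of(r["domain"]) == target], limit)


# Parsed once at import so callers can reuse the sample feed.
SAMPLE_RECORDS = parse_mdl_csv(SAMPLE_MDL_CSV)

if __name__ == "__main__":
    for hit in ip_lookup(SAMPLE_RECORDS, "203.0.113.10", limit=1):
        print("ip hit:", hit)
    for hit in domain_lookup(SAMPLE_RECORDS, "Update.Example.Org"):
        print("domain hit:", hit)
```

Two details matter when wiring such a lookup into a playbook. An indicator that fails IP validation should raise rather than return an empty list, because an empty result is indistinguishable from "not listed" and would be treated as clean downstream. Domain matching is done on the host portion of the feed entry, since a listed entry such as `host/dir/file` should still hit when the playbook passes only the hostname extracted from an alert.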

Included playbooks

The Sample - Malware Domain List - 1.0.0 playbook collection comes bundled with the Malware Domain List connector. These playbooks contain steps that perform each supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Malware Domain List connector.

  • Domain Lookup
  • IP Lookup

Note: If you plan to use any of the sample playbooks in your environment, clone them and move the clones to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
