About the connector
Malware Domain List (MDL) is a non-commercial community project and their list can be used for free by anyone.
This document provides information about the Malware Domain List connector, which facilitates automated interactions, with a Malware Domain List server using FortiSOAR™ playbooks. Add the Malware Domain List connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving information for a specified IP address or domain name from MDL.
Version information
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 5.0.1-098
Authored By: Fortinet
Certified: Yes
Installing the connector
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-malwaredomainlist
Prerequisites to configuring the connector
- You must have the URL of Malware Domain List server to which you will connect and lookup specified IP addresses and domains.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™ , on the Connectors page, click the Malware Domain List connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter |
Description |
| URL |
URL of the Malware Domain List server to which you will connect and lookup specified IP addresses and domains. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| IP Lookup |
Performs a lookup on the IP address that you specified on Malware Domain List and retrieves information for that IP address from Malware Domain List. |
ip_lookup
Investigation |
| Domain Lookup |
Performs a lookup on the domain that you specified on Malware Domain List and retrieves information for that domain name from Malware Domain List. |
domain_lookup
Investigation |
operation: IP Lookup
Input parameters
| Parameter |
Description |
| IP |
IP address that you want to lookup and whose information you want to retrieve from Malware Domain List. |
| Limit |
(Optional) Maximum number of results that this operation should return. |
Output
The output contains the following populated JSON schema:
[
{
"ip": "",
"description": "",
"asn": "",
"domain": "",
"dateutc": "",
"reverselookup": ""
}
]
operation: Domain Lookup
Input parameters
| Parameter |
Description |
| Domain |
Name of the domain that you want to lookup and whose information you want to retrieve from Malware Domain List. |
| Limit |
(Optional) Maximum number of results that this operation should return. |
Output
The output contains the following populated JSON schema:
[
{
"ip": "",
"description": "",
"asn": "",
"domain": "",
"dateutc": "",
"reverselookup": ""
}
]
Included playbooks
The Sample - Malware Domain List - 1.0.0 playbook collection comes bundled with the Malware Domain List connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Malware Domain List connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
