Catalyst / admin/SAynapse-Horizon 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / SAynapse-Horizon

public

Self Hosted Cyber Threat Intelligence Hub

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
SAynapse-Horizon / Synapse-Horizon / backend / src / sources / urlhaus.js 1981 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
import { makeIoc, fetchWithTimeout, ok, unconfigured, SEVERITY } from '../normalize.js'

// URLhaus (abuse.ch) — recent malware-distribution URLs.
// abuse.ch requires an Auth-Key header on all feed/API access.
const URL = 'https://urlhaus.abuse.ch/downloads/json_recent/'
const LIMIT = 25

export const meta = { key: 'urlhaus', requiresKey: true }

export function configured() {
  return Boolean(process.env.ABUSE_CH_AUTH_KEY)
}

export async function fetchSource() {
  const key = process.env.ABUSE_CH_AUTH_KEY
  if (!key) return unconfigured('Set ABUSE_CH_AUTH_KEY (free abuse.ch account) to enable URLhaus.')

  const res = await fetchWithTimeout(URL, { headers: { 'Auth-Key': key } })
  const data = await res.json()

  // json_recent is an object keyed by id; each value is an array with one entry.
  const entries = Object.values(data || {})
    .flat()
    .filter((e) => e && e.url)
    .sort((a, b) => new Date(b.date_added) - new Date(a.date_added))
    .slice(0, LIMIT)

  const iocs = entries.map((e) => {
    const online = /online/i.test(e.url_status || '')
    const payload = (Array.isArray(e.tags) && e.tags[0]) || e.threat || 'malware'
    const defanged = String(e.url).replace(/^https?/i, (m) => m.replace('t', 'x'))
    return makeIoc('urlhaus', {
      detectedAt: e.date_added,
      severity: online ? SEVERITY.HIGH : SEVERITY.MEDIUM,
      category: 'Malware Distribution',
      indicator: defanged,
      indicatorType: 'url',
      target: payload,
      confidence: online ? 85 : 65,
      mitre: [
        { id: 'T1105', name: 'Ingress Tool Transfer' },
        { id: 'T1204.002', name: 'User Execution: Malicious File' },
      ],
      headline: `Malware Distribution: Payload URL ${defanged} serving ${payload} flagged by URLhaus`,
      raw: e,
      stix: {
        type: 'indicator',
        pattern: `[url:value = '${e.url}']`,
        pattern_type: 'stix',
        labels: ['malicious-activity'],
      },
    })
  })

  return ok(iocs)
}