Created on 10-17-2016 07:03 AM Edited on 05-26-2022 07:36 AM By Anonymous
Description
Question:
AccelOps currently downloads a list of known ransomware sites from https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt to a new folder called "Ransomware" under "Blocked Domains" inside CMDB.
I want to remotely query the "Ransomware" container. I believe there are two options:
1. API. What's the REST location for that folder?
2. Psql. What is the column inside "ph_malware_site" that makes the custom "ransomware" container unique. Ph_malware_site contains all malware domains, regardless of what list it's in (Malware Domain List, SANS Domains, etc.)
I want to run this query so I can update our DNS servers with a list of known Ransomware sites (and sinkhole/block them). But I only want one system (AccelOps) to fetch the list and others to ask AccelOps what that list contains.
Answer:
Blocked%20Domains_Ransomware_0 is the group’s natural id.
To query it in the database:
Use the statement below to query the group information:
select * from ph_group where display_name='Ransomware';
Use the statement below to query the blocked domains under 'Ransomware':
select * from ph_malware_site ms, ph_group_item gi, ph_group g where ms.id=gi.item_id and gi.group_id=g.id and g.display_name='Ransomware';
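The following is an added example, not part of the original article or of the AccelOps/FortiSIEM product: it reuses the join from the answer above to pull the 'Ransomware' group, validates each entry, and renders a DNS Response Policy Zone (RPZ) that sinkholes those names, which is the use case the question describes. It assumes the domain string sits in a ph_malware_site column named `domain` (check your schema; the article does not name it) and that psycopg2 is available only if you actually call fetch_blocked_domains().

```python
import re

# Same three-table join as the KB answer, parameterised on the group display name and
# narrowed to one column. The column name `domain` is an assumption; verify it with \d ph_malware_site.
BLOCKED_DOMAINS_SQL = """
SELECT ms.domain
FROM ph_malware_site ms
JOIN ph_group_item gi ON ms.id = gi.item_id
JOIN ph_group g ON gi.group_id = g.id
WHERE g.display_name = %s
"""

# RFC 1035 hostname shape: labels of letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

def fetch_blocked_domains(dsn, group="Ransomware"):
    """Run the query against the CMDB PostgreSQL database (needs psycopg2 installed)."""
    import psycopg2
    with psycopg2.connect(dsn) as conn, conn.cursor() as cur:
        cur.execute(BLOCKED_DOMAINS_SQL, (group,))
        return [row[0] for row in cur.fetchall()]

def clean_domains(raw):
    """Normalise and validate feed entries before they reach DNS configuration: the feed is
    third-party data, so anything that is not a plain hostname is dropped rather than written."""
    keep = set()
    for entry in raw:
        d = (entry or "").strip().lower().rstrip(".")
        if _DOMAIN_RE.match(d) and len(d) <= 253:
            keep.add(d)
    return sorted(keep)

def to_rpz(domains, origin="rpz.local", sinkhole="192.0.2.1"):
    """Render an RPZ zone: each listed name and its subdomains resolve to the sinkhole address.
    The SOA serial is fixed at 1 here; bump it on each regeneration in real use."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. admin.{origin}. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} IN A {sinkhole}")
        lines.append(f"*.{d} IN A {sinkhole}")
    return "\n".join(lines) + "\n"

# Constructed sample rows standing in for the query result (not real feed data).
SAMPLE_ROWS = ["Evil.example.", "evil.example", "bad-host.example", "not a domain", "-x.example", ""]
```

Call `to_rpz(clean_domains(fetch_blocked_domains("dbname=phoenixdb")))` to produce the zone text; the DSN is an assumption and must match your CMDB database.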
Copyright 2024 Fortinet, Inc. All Rights Reserved.