FortiSIEM
Andy_G
Staff
Article Id 191323

Description

Question:

AccelOps currently downloads a list of known ransomware sites from https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt to a new folder called "Ransomware" under "Blocked Domains" inside CMDB.

I want to remotely query the "Ransomware" container. I believe there are two options:

1. API. What's the REST location for that folder?

2. Psql. What is the column inside "ph_malware_site" that makes the custom "ransomware" container unique? Ph_malware_site contains all malware domains, regardless of what list it's in (Malware Domain List, SANS Domains, etc.).

I want to run this query so I can update our DNS servers with a list of known Ransomware sites (and sinkhole/block them). But I only want one system (AccelOps) to fetch the list and others to ask AccelOps what that list contains.

Answer:

Blocked%20Domains_Ransomware_0 is the group’s natural id.

To query it in DB:

Use the query below to retrieve the group record:

select * from ph_group where display_name = 'Ransomware';

Use the query below to list the blocked domains under 'Ransomware' (the group membership lives in ph_group_item, which links ph_malware_site rows to the ph_group row):

select *
from ph_malware_site ms
join ph_group_item gi on ms.id = gi.item_id      -- membership rows for the container
join ph_group g on gi.group_id = g.id            -- the 'Ransomware' container itself
where g.display_name = 'Ransomware';
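Turning those rows into something the DNS servers can consume, as an added example that is not part of the article or of FortiSIEM: it runs the join above through psql, validates every row before it is trusted (the feed is third-party data, so URLs, IP literals and junk must not land in a zone file), and renders a BIND Response Policy Zone that returns NXDOMAIN for each domain and its subdomains. The column name ms.domain_name and the psql user/database (phoenix/phoenixdb) are assumptions; the article names neither.

```python
import re
import subprocess

# The article's join, narrowed to the one column a DNS blocklist needs.
# ASSUMPTION: the domain string is in ms.domain_name; confirm with "\d ph_malware_site".
RANSOMWARE_DOMAINS_SQL = (
    "select ms.domain_name from ph_malware_site ms "
    "join ph_group_item gi on ms.id = gi.item_id "
    "join ph_group g on gi.group_id = g.id "
    "where g.display_name = 'Ransomware';"
)

# Hostname check: letter/digit/hyphen labels and an alphabetic-leading TLD, so
# URLs, IP literals and feed garbage are rejected rather than loaded into DNS.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$"
)

# Constructed sample rows standing in for psql output (not real feed data).
SAMPLE_ROWS = ["Evil-Ransom.example", "evil-ransom.example.", "http://bad.example/x",
               "192.0.2.10", " ", "ok.example"]


def clean_domains(rows) -> list:
    """Lower-case, strip trailing dots, drop blanks, duplicates and non-hostnames."""
    seen, out = set(), []
    for row in rows:
        d = row.strip().lower().rstrip(".")
        if d and d not in seen and _DOMAIN_RE.match(d):
            seen.add(d)
            out.append(d)
    return sorted(out)


def rpz_zone(domains, serial: int, origin: str = "rpz.ransomware") -> str:
    """Render a BIND RPZ zone: CNAME . rewrites the answer to NXDOMAIN."""
    lines = [f"$ORIGIN {origin}.", "$TTL 60",
             f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 900 604800 60)",
             "@ IN NS localhost."]
    for d in domains:
        lines.append(f"{d} IN CNAME .")     # the exact name
        lines.append(f"*.{d} IN CNAME .")   # and every subdomain
    return "\n".join(lines) + "\n"


def fetch_from_fortisiem(psql_args=("-U", "phoenix", "-d", "phoenixdb")) -> list:
    """Run the query via psql on the FortiSIEM host (ASSUMED default user/db) and clean the rows."""
    res = subprocess.run(["psql", *psql_args, "-At", "-c", RANSOMWARE_DOMAINS_SQL],
                         check=True, capture_output=True, text=True)
    return clean_domains(res.stdout.splitlines())
```

Run fetch_from_fortisiem() on the AccelOps box on a schedule and publish rpz_zone(...) with an incrementing serial; the DNS servers then pull that one zone instead of each fetching the abuse.ch list themselves.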
