Spamhaus Lookup¶

Release Notes¶

Look up IP Addresses + Domain Name in Spamhaus Datasets

screenshot: main

If a given artifact appears in one of Spamhaus Datasets, then the artifact’s description is updated with additional enrichment information.

Resilient platform >= v35.0.0
An Integration Server running resilient_circuits>=33.0.0
- To set up an Integration Server see: ibm.biz/res-int-server-guide
- If using API Keys, minimum required permissions are:
  - Org Data: Read, Edit
  - Function: Read

With App Host, all the run-time components are pre-built. Perform the following steps to install and configure:

Download the app-fn_spamhaus_query-x.x.x.zip.
In Resilient navigate to Adiminstrator Settings > Apps
Click the Install button and select the downloaded app-fn_spamhaus_query-x.x.x.zip. This will install the associated customizations.
Once installed, navigate to the app’s Configuration tab and edit the app.config file updating the [resilient] section as necessary and updating the [fn_spamhaus_query] section as necessary.

Unzip the package:

$ unzip app-fn_spamhaus_query-x.x.x.zip

Change Directory into the unzipped directory:
```
$ cd fn_spamhaus_query-x.x.x
```

Install the package:

$ pip install fn_spamhaus_query-x.x.x.tar.gz

Import the configurations into your app.config file:

$ resilient-circuits config -u -l fn-spamhaus-query

Import the fn_spamhaus_query customizations into the Resilient platform:
```
$ resilient-circuits customize -y -l fn-spamhaus-query
```

Open the config file, scroll to the bottom and edit your fn_spamhaus_query configurations:

$ nano ~/.resilient/app.config

Config	Required	Example	Description
spamhaus_wqs_url	Yes	`https://apibl.spamhaus.net/lookup/v1/`	The endpoint for Spamhaus API
spamhaus_dqs_key	Yes	``	The API Key
http_proxy	Yes	``	A HTTP proxy
https_proxy	Yes	``	A HTTPS Proxy

Save and Close the app.config file.
[Optional]: Run selftest to test the Integration you configured:
```
$ resilient-circuits selftest -l fn-spamhaus-query
```
Run resilient-circuits or restart the Service on Windows/Linux:
```
$ resilient-circuits run
```

SSH into your Integration Server.
Uninstall the package:
```
$ pip uninstall fn-spamhaus-query
```
Open the config file, scroll to the [fn_spamhaus_query] section and remove the section or prefix # to comment out the section.
Save and Close the app.config file.

There are several ways to verify the successful operation of a function.

When viewing an incident, use the Actions menu to view Action Status.
By default, pending and errors are displayed.
Modify the filter for actions to also show Completed actions.
Clicking on an action displays additional information on the progress made or what error occurred.

A separate log file is available to review scripting errors.
This is useful when issues occur in the pre-processing or post-processing scripts.
The default location for this log file is: /var/log/resilient-scripting/resilient-scripting.log.

By default, Resilient logs are retained at /usr/share/co3/logs.
The client.log may contain additional information regarding the execution of functions.

The log is controlled in the .resilient/app.config file under the section [resilient] and the property logdir.
The default file name is app.log.
Each function will create progress information.
Failures will show up as errors and may contain python trace statements.

Name	Version	Author	Support URL
fn_spamhaus_query	1.0.1	Resilient Labs	https://ibm.biz/resilientcommunity