Spamhaus ZEN Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.0 |
| Compatible with ThreatQ Versions | >= 4.9.0 |
| Support Tier | ThreatQ Supported |
Introduction
The Spamhaus ZEN Operation queries IP addresses and domains against the ZEN blocklist.
The operation provides the following action:
- DNS Lookup - queries one of two Spamhaus DNS servers, based on the object's Indicator type, and maps DNS responses to attributes.
The operation is compatible with IP Address and FQDN type Indicators.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameter under the Configuration tab:
Parameter Description API Key Your Spamhaus API Key. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following action:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| DNS Lookup | Queries one of two Spamhaus DNS servers, based on the object's Indicator type, and maps DNS responses to attributes. | Indicator | IP Address, FQDN |
IP Address
The operation uses the following server to query for IP Addresses.
{ DOMAIN }}.{{ KEY }}.dbl.dq.spamhaus.net
ThreatQuotient provides the following response map to the following attributes:
| Return COde (Address) | Attribute Key | Attribute Value |
|---|---|---|
| 127.0.0.2 | Spamhaus List | SBL |
| 127.0.0.3 | Spamhaus List | SBL (CSS) |
| 127.0.0.4 | Spamhaus List | XBL |
| 127.0.0.9 | Spamhaus List | SBL (DROP/EDROP) |
| 127.0.0.10 | Spamhaus List | PBL (ISP Maintained) |
| 127.0.0.11 | Spamhaus List | PBL (Spamhaus Maintained) |
FQDN
The operation uses the following server to query for FQDNs.
{{ REVERSE IP }}.{{ KEY }}.zen.dq.spamhaus.net
ThreatQuotient provides the following response map to the following attributes:
| Return COde (Address) | Attribute Key | Attribute Value |
|---|---|---|
| 127.0.1.2 | Spamhaus List | Spam Domain |
| 127.0.1.4 | Spamhaus List | Phish Domain |
| 127.0.1.5 | Spamhaus List | Malware Domain |
| 127.0.1.6 | Spamhaus List | Botnet C&C Domain |
| 127.0.1.102 | Spamhaus List | Abuse Legit Spam |
| 127.0.1.103 | Spamhaus List | Abuse Spammed Redirector Domain |
| 127.0.1.104 | Spamhaus List | Abused Legit Phish |
| 127.0.1.105 | Spamhaus List | Abused Legit Malware |
| 127.0.1.106 | Spamhaus List | Abuse Legit Botnet C&C |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| Spamhaus ZEN Operation Guide v1.0.0 | 4.9.0 or Greater |