Register on abuse.ch to obtain an Auth-Key; it is sent in the Auth-Key HTTP header on ThreatFox query and submission calls. The URLhaus bulk CSV exports do not require it, but the ThreatFox API endpoints do.
Download the URLhaus recent additions from https://urlhaus.abuse.ch/downloads/csv_recent/ (no auth required; the full historical dump is a separate, much larger zipped download) on a schedule to ingest newly observed malware distribution URLs. Each row carries the URL, its dateadded timestamp, url_status (online/offline), the threat type and tags.
Query ThreatFox for IOCs by type (ip:port, domain, url, md5_hash, sha256_hash) with POST https://threatfox-api.abuse.ch/api/v1/, body {"query": "search_ioc", "search_term": "VALUE"} and the header Auth-Key: YOUR_AUTH_KEY (abuse.ch uses its own Auth-Key header, not Authorization: Bearer). The response carries a query_status ("ok", or "no_result" when nothing matched) and a data array whose entries include ioc, ioc_type, threat_type, malware, malware_printable, confidence_level, first_seen and tags.
Filter ingested IOCs by first_seen date and confidence_level; since May 2025, abuse.ch expires IOCs older than 6 months from API responses — design your pipeline to handle the shrinking historical window.
Load active IOCs into your SIEM, NGFW, or DNS resolver blocklist; store the malware family (ThreatFox malware/malware_printable, URLhaus threat) and the tags as context labels so an alert names the campaign rather than just the indicator.
Known gotchas
Since 2025-05-01, abuse.ch expires IOCs older than 6 months from the ThreatFox API and exports; if your pipeline relies on historical IOCs, snapshot and retain them locally before expiry.
URLhaus CSV exports prefix their banner lines and the column header with "#", quote every field, and use commas in the current dumps; verify the delimiter from the commented header line rather than hard-coding it, and skip the "#" lines, or you get silent field misalignment.
ThreatFox confidence_level ranges from 0 to 100 and is set by whoever reported the IOC; blocking every entry without a confidence threshold generates significant false positives. URLhaus has no score at all, so use url_status (online/offline) as its activity signal.
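The ingestion steps above and the gotchas in this section, worked through end to end as an added example (this is not abuse.ch code and not part of the original page). It builds the ThreatFox request with the Auth-Key header, parses a URLhaus-style CSV (checking the delimiter from the commented header and skipping the "#" lines), parses a ThreatFox search_ioc response, drops entries that are offline, older than the retention window, or below a confidence threshold, and flattens what remains into blocklist rows carrying the family and tags as labels. The CSV text, the JSON response, the IP addresses, domains and the fixed clock SAMPLE_NOW are constructed samples shaped like the real feeds, not real data; the 183-day RETENTION value and the default threshold of 50 are assumptions you should tune.

```python
import csv
import json
import urllib.request
from datetime import datetime, timedelta, timezone

THREATFOX_API = "https://threatfox-api.abuse.ch/api/v1/"
RETENTION = timedelta(days=183)  # assumption: approximates the six-month window described above
URLHAUS_FIELDS = ["id", "dateadded", "url", "url_status", "last_online", "threat", "tags", "urlhaus_link", "reporter"]

# Constructed sample shaped like a URLhaus csv_recent dump ('#' banner lines,
# '#'-prefixed column header, every field quoted). Not real data.
SAMPLE_URLHAUS_CSV = """\
# abuse.ch URLhaus Database Dump (CSV - recent URLs only)
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"3001","2025-09-01 10:00:05","http://198.51.100.23/bin.sh","online","2025-09-01 10:00:05","malware_download","elf,mirai","https://urlhaus.abuse.ch/url/3001/","reporter_a"
"3002","2025-03-01 08:12:44","http://old.example.invalid/x.exe","online","2025-03-01 08:12:44","malware_download","exe","https://urlhaus.abuse.ch/url/3002/","reporter_b"
"""

# Constructed sample shaped like a ThreatFox search_ioc response. Not real data.
SAMPLE_THREATFOX_RESPONSE = json.dumps({"query_status": "ok", "data": [
    {"ioc": "198.51.100.23:4444", "ioc_type": "ip:port", "threat_type": "botnet_cc", "malware": "elf.mirai",
     "malware_printable": "Mirai", "confidence_level": 90, "first_seen": "2025-09-02 11:00:00 UTC", "tags": ["mirai"]},
    {"ioc": "cdn.example.invalid", "ioc_type": "domain", "threat_type": "payload_delivery", "malware": "unknown",
     "malware_printable": "Unknown malware", "confidence_level": 25, "first_seen": "2025-09-10 09:00:00 UTC", "tags": None},
    {"ioc": "203.0.113.9:8080", "ioc_type": "ip:port", "threat_type": "botnet_cc", "malware": "win.cobalt_strike",
     "malware_printable": "Cobalt Strike", "confidence_level": 100, "first_seen": "2025-01-05 00:00:00 UTC", "tags": ["CobaltStrike"]},
]})
SAMPLE_NOW = datetime(2025, 9, 15, tzinfo=timezone.utc)  # fixed clock so the sample run is reproducible


def build_threatfox_request(search_term, auth_key):
    """Build the search_ioc request; abuse.ch reads the key from its Auth-Key header, not Authorization."""
    body = json.dumps({"query": "search_ioc", "search_term": search_term}).encode()
    return urllib.request.Request(THREATFOX_API, data=body, method="POST",
                                  headers={"Auth-Key": auth_key, "Content-Type": "application/json"})


def query_threatfox(search_term, auth_key):
    """Live lookup (not exercised by the sample run); returns raw JSON text for parse_threatfox_response."""
    with urllib.request.urlopen(build_threatfox_request(search_term, auth_key), timeout=30) as resp:
        return resp.read().decode()


def parse_urlhaus_csv(text):
    """Normalise a URLhaus CSV dump into the common record shape used below."""
    lines = [l for l in text.splitlines() if l]
    # The commented column header has no quoted values, so it is the safe place to check the delimiter.
    header = next((l for l in lines if l.startswith("# id")), "")
    delimiter = ";" if ";" in header else ","
    data = [l for l in lines if not l.startswith("#")]
    return [{"source": "urlhaus", "ioc": r["url"], "ioc_type": "url",
             "first_seen": datetime.strptime(r["dateadded"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
             "confidence_level": None,  # URLhaus carries no score; url_status is the activity signal
             "active": r["url_status"] == "online",
             "malware_family": r["threat"], "tags": [t for t in r["tags"].split(",") if t]}
            for r in csv.DictReader(data, fieldnames=URLHAUS_FIELDS, delimiter=delimiter)]


def parse_threatfox_response(text):
    """Normalise a search_ioc response; no_result is empty, any other non-ok status is an error."""
    doc = json.loads(text)
    if doc.get("query_status") == "no_result":
        return []
    if doc.get("query_status") != "ok":
        raise ValueError(f"ThreatFox query failed: {doc.get('query_status')}")
    return [{"source": "threatfox", "ioc": r["ioc"], "ioc_type": r["ioc_type"], "active": True,
             "first_seen": datetime.strptime(r["first_seen"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc),
             "confidence_level": int(r["confidence_level"]),
             "malware_family": r.get("malware_printable") or r.get("malware"), "tags": r.get("tags") or []}
            for r in doc["data"]]


def select_active(iocs, now, min_confidence=50, max_age=RETENTION):
    """Drop offline, expired and low-confidence entries. Snapshot the raw feed before this step."""
    return [i for i in iocs
            if i["active"] and now - i["first_seen"] <= max_age
            and (i["confidence_level"] is None or i["confidence_level"] >= min_confidence)]


def to_blocklist(iocs):
    """Rows of (value, kind, label); ip:port becomes an IP entry and the port moves into the label."""
    rows = []
    for i in iocs:
        label = f"{i['source']}:{i['malware_family']}:{','.join(i['tags'])}"
        if i["ioc_type"] == "ip:port":
            ip, port = i["ioc"].rsplit(":", 1)
            rows.append((ip, "ip", f"{label}:port={port}"))
        else:
            rows.append((i["ioc"], i["ioc_type"], label))
    return rows


def build_blocklist(urlhaus_csv, threatfox_json, now, min_confidence=50):
    iocs = parse_urlhaus_csv(urlhaus_csv) + parse_threatfox_response(threatfox_json)
    return to_blocklist(select_active(iocs, now, min_confidence))


if __name__ == "__main__":
    for value, kind, label in build_blocklist(SAMPLE_URLHAUS_CSV, SAMPLE_THREATFOX_RESPONSE, SAMPLE_NOW):
        print(f"{kind}\t{value}\t{label}")
```

On the sample input only two rows survive: the URLhaus URL added two weeks ago and the Mirai ip:port at confidence 90. The second URLhaus row is still online but older than the window, the domain fails the confidence threshold, and the Cobalt Strike entry has aged out; in production, write the unfiltered records to your own store before select_active so the expiry described in the gotchas does not erase history you may need for retrospective hunting.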