ESET Online Help


APT feed

The APT feed consists of information about Advanced Persistent Threats resulting from ESET research. The feed is an export from ESET's internal MISP server. All shared data is also explained in more detail in the APT reports. The APT feed is part of the APT reports offering, but it can also be purchased separately.


JSON
Below is a snippet of an APT feed in JSON format.


Example (one MISP object of the domain-ip template, with its Attribute list):

{
    "Attribute": [
        {
            "Galaxy": [],
            "ShadowAttribute": [],
            "category": "Network activity",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "distribution": "5",
            "event_id": "282",
            "first_seen": "2022-01-28T08:42:57.000000+00:00",
            "id": "143094",
            "last_seen": null,
            "object_id": "59977",
            "object_relation": "domain",
            "sharing_group_id": "0",
            "timestamp": "1643710782",
            "to_ids": false,
            "type": "domain",
            "uuid": "21b993a3-fd4a-4ab1-8a3f-1f5d45db7577",
            "value": "corolain.ru"
        }
    ],
    "ObjectReference": [],
    "comment": "",
    "deleted": false,
    "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
    "distribution": "5",
    "event_id": "282",
    "first_seen": "2022-01-25T14:11:03.000000+00:00",
    "id": "59977",
    "last_seen": null,
    "meta-category": "network",
    "name": "domain-ip",
    "sharing_group_id": "0",
    "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
    "template_version": "10",
    "timestamp": "1643730789",
    "uuid": "a9e5bc0d-eb8f-455d-8e62-c3930fa2447d"
}
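As an added example (not ESET's or MISP's own code), the following Python walks a MISP event in the layout shown above, flattens each object's attributes into indicators, honours the deleted and to_ids flags, and re-assembles the domain/IP tuple that a domain-ip object encodes. The "Event" wrapper around the object list, the ip-dst attribute type and all sample values are assumptions of this example.

```python
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed sample in the MISP event layout, modelled on the domain-ip object
# shown above. The "Event" wrapper is assumed and every value here is made up.
SAMPLE_EVENT = json.dumps({"Event": {"id": "282", "Object": [{
    "name": "domain-ip", "meta-category": "network", "deleted": False,
    "Attribute": [
        {"type": "domain", "object_relation": "domain", "value": "example.invalid",
         "to_ids": False, "deleted": False, "first_seen": "2022-01-28T08:42:57+00:00"},
        {"type": "ip-dst", "object_relation": "ip", "value": "192.0.2.10",
         "to_ids": True, "deleted": False, "first_seen": None},
        {"type": "ip-dst", "object_relation": "ip", "value": "192.0.2.11",  # retracted entry
         "to_ids": True, "deleted": True, "first_seen": None}]}]}})

@dataclass(frozen=True)
class Indicator:
    object_name: str      # MISP object template name, e.g. domain-ip
    relation: str         # role of the attribute inside the object (domain, ip, ...)
    ioc_type: str         # MISP attribute type
    value: str
    to_ids: bool          # MISP's "usable for detection" flag
    first_seen: str | None

def extract_indicators(feed_json: str, ids_only: bool = False) -> list[Indicator]:
    """Flatten all attributes of all objects; deleted ones are skipped, ids_only keeps to_ids only."""
    out: list[Indicator] = []
    for obj in json.loads(feed_json)["Event"].get("Object", []):
        if obj.get("deleted"):
            continue
        for attr in obj.get("Attribute", []):
            to_ids = bool(attr.get("to_ids", False))
            if attr.get("deleted") or (ids_only and not to_ids):
                continue
            out.append(Indicator(obj["name"], attr.get("object_relation") or "",
                                 attr["type"], attr["value"], to_ids, attr.get("first_seen")))
    return out

def domain_ip_pairs(feed_json: str) -> list[tuple[str, list[str]]]:
    """Re-assemble each domain-ip object as (domain, [ips]) so the tuple survives flattening."""
    pairs = []
    for obj in json.loads(feed_json)["Event"].get("Object", []):
        if obj.get("name") != "domain-ip" or obj.get("deleted"):
            continue
        live = [a for a in obj.get("Attribute", []) if not a.get("deleted")]
        domains = [a["value"] for a in live if a.get("object_relation") == "domain"]
        ips = [a["value"] for a in live if a.get("object_relation") == "ip"]
        pairs.extend((d, ips) for d in domains)
    return pairs
```

An attribute with to_ids false (like the domain in the page's snippet) is context rather than a detection-grade indicator, which is why the ids_only filter exists.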


STIX 2.0

The STIX 2.0 feed is the standard STIX 2 export from MISP.

The file object is the main IoC; all other objects are connected to it. The attributes currently used for this indicator are:

- Filename

- MD5, SHA1 and SHA256 file hash (IDS flag) as main IoCs

- Comment

The Detected as object gives the name under which ESET detects the file. In some cases there can be multiple detections. Available attributes are:

- Software (always ESET)

- Signature (IDS flag) as main IoC

The Includes object gives additional information, which is not always present. Available attributes are:

- PE file, Mach-O file or ELF file

- File type indication

- Compilation date

- Imphash

- Potentially additional metadata

The Connected to objects bring additional information about the network and its IoCs. Each of the objects (URL, domain, IP) can be present separately, or all at the same time.

- URL

  - URL (IDS flag) as main IoC

  - Scheme

  - Query string

  - Resource path

  - Port

  - Comment

- Domain

  - Domain as main IoC

  - Comment

- IP

  - IP address as main IoC

  - Comment

The Dropped by file object is only sometimes available: it is present when the main file either drops or downloads an additional file. Available attributes are:

- Filename

- MD5, SHA1 and SHA256 file hash (IDS flag) as main IoCs

- Comment

The Downloaded from URL object, with its accompanying objects, is only sometimes available: it is present when there is a trace of the URL from which the file was downloaded. Available attributes are:

- URL

  - URL (IDS flag) as main IoC

  - Scheme

  - Query string

  - Resource path

  - Port

  - Comment

- Domain

  - Domain as main IoC

  - Comment

- IP

  - IP address as main IoC

  - Comment