APT feed
The APT feed consists of information about Advanced Persistent Threats resulting from ESET research. The feed is an export from ESET's internal MISP server. All shared data are also explained in more detail in the APT reports. The APT feed is part of the APT reports offering; however, the feed can also be purchased separately.
JSON
Below is a snippet of an APT feed in JSON format: one MISP object of type domain-ip with its single domain attribute (the surrounding event is not shown). Note that the attribute carries to_ids: false, i.e. the domain is context rather than a value flagged for direct use in detection, and that timestamp is the MISP last-modification time (epoch seconds as a string), distinct from first_seen.
{
  "Attribute": [
    {
      "Galaxy": [],
      "ShadowAttribute": [],
      "category": "Network activity",
      "comment": "",
      "deleted": false,
      "disable_correlation": false,
      "distribution": "5",
      "event_id": "282",
      "first_seen": "2022-01-28T08:42:57.000000+00:00",
      "id": "143094",
      "last_seen": null,
      "object_id": "59977",
      "object_relation": "domain",
      "sharing_group_id": "0",
      "timestamp": "1643710782",
      "to_ids": false,
      "type": "domain",
      "uuid": "21b993a3-fd4a-4ab1-8a3f-1f5d45db7577",
      "value": "corolain.ru"
    }
  ],
  "ObjectReference": [],
  "comment": "",
  "deleted": false,
  "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
  "distribution": "5",
  "event_id": "282",
  "first_seen": "2022-01-25T14:11:03.000000+00:00",
  "id": "59977",
  "last_seen": null,
  "meta-category": "network",
  "name": "domain-ip",
  "sharing_group_id": "0",
  "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
  "template_version": "10",
  "timestamp": "1643730789",
  "uuid": "a9e5bc0d-eb8f-455d-8e62-c3930fa2447d"
}
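As an added example (not part of the feed documentation and not ESET's or MISP's own code), the following Python walks a MISP event in this JSON format and extracts the indicators, honouring the to_ids and deleted flags and rebuilding the domain/IP tuples from domain-ip objects. The sample event is constructed to mirror the snippet above; its event, object and attribute ids, the IP address, the second object and the hash value are assumed values.

```python
import json
from datetime import datetime, timezone

# Constructed sample event in the shape of the feed snippet above. Ids, the IP
# address and the hash (SHA-256 of empty input, used as a placeholder) are
# illustrative; only the field names and domain-ip layout follow MISP's format.
SAMPLE_EVENT = json.loads("""
{
  "Event": {
    "id": "282",
    "info": "constructed sample event",
    "Attribute": [
      {"id": "143001", "type": "sha256", "category": "Payload delivery",
       "to_ids": true, "deleted": false, "timestamp": "1643710000",
       "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
    ],
    "Object": [
      {"id": "59977", "name": "domain-ip", "meta-category": "network",
       "timestamp": "1643730789", "deleted": false,
       "Attribute": [
         {"id": "143094", "object_relation": "domain", "type": "domain",
          "to_ids": false, "deleted": false, "timestamp": "1643710782",
          "value": "corolain.ru"},
         {"id": "143095", "object_relation": "ip", "type": "ip-dst",
          "to_ids": true, "deleted": false, "timestamp": "1643710782",
          "value": "198.51.100.7"}
       ]},
      {"id": "59978", "name": "domain-ip", "meta-category": "network",
       "timestamp": "1643730790", "deleted": true,
       "Attribute": [
         {"id": "143096", "object_relation": "domain", "type": "domain",
          "to_ids": true, "deleted": false, "timestamp": "1643710782",
          "value": "retracted.example"}
       ]}
    ]
  }
}
""")


def misp_time(ts):
    """MISP 'timestamp' fields are epoch seconds stored as strings and record
    the last modification, not the first sighting (that is 'first_seen')."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc)


def iter_attributes(event):
    """Yield (attribute, parent_object_or_None) for every attribute in the
    event: top-level attributes and those nested inside MISP objects."""
    for attr in event.get("Attribute", []):
        yield attr, None
    for obj in event.get("Object", []):
        for attr in obj.get("Attribute", []):
            yield attr, obj


def extract_iocs(event, detection_only=True):
    """Return a list of IoC dicts. 'deleted' is a soft delete in MISP, so the
    records are still present in an export and must be skipped explicitly,
    both on the attribute and on its parent object. With detection_only=True
    only attributes flagged to_ids=True are returned."""
    iocs = []
    for attr, obj in iter_attributes(event):
        if attr.get("deleted") or (obj is not None and obj.get("deleted")):
            continue
        if detection_only and not attr.get("to_ids"):
            continue
        iocs.append({
            "type": attr["type"],
            "value": attr["value"],
            "relation": attr.get("object_relation"),
            "object": obj["name"] if obj is not None else None,
            "modified": misp_time(attr["timestamp"]).isoformat(),
        })
    return iocs


def domain_ip_tuples(event):
    """Rebuild the (domain, ip) pairs that live domain-ip objects represent.
    Attributes are matched by object_relation, never by position."""
    pairs = []
    for obj in event.get("Object", []):
        if obj.get("name") != "domain-ip" or obj.get("deleted"):
            continue
        rel = {a["object_relation"]: a["value"]
               for a in obj.get("Attribute", []) if not a.get("deleted")}
        pairs.append((rel.get("domain"), rel.get("ip")))
    return pairs


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_EVENT["Event"]):
        print(ioc)
    print(domain_ip_tuples(SAMPLE_EVENT["Event"]))
```

With the constructed event, only the hash and the IP are returned for detection; the domain from the page's snippet is kept as context because its to_ids flag is false, and the deleted object is ignored entirely even though its attribute is flagged.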
STIX 2.0
Standard STIX 2 export from MISP. The object layout is described below; attributes marked "(IDS flag)" are the ones that carry MISP's to_ids flag, i.e. the values intended for direct use in detection, while the remaining attributes are context.
• File is the main IoC and all the other objects are connected to it. Attributes currently used for this indicator are:
  o Filename
  o MD5, SHA1 and SHA256 file hashes (IDS flag) as main IoCs
  o Comment
• Detected as gives the ESET detection name(s) for the object. In some cases there can be multiple detections. Available attributes are:
  o Software (always ESET)
  o Signature (IDS flag) as main IoC
• Includes gives additional information, which is not always present. Available attributes are:
  o PE file, Mach-O file or ELF file
  o Type-of-file indication
  o Compilation date
  o Imphash
  o Potentially additional metadata
• Connected to objects bring additional information about the network and its IoCs. Each of the objects (URL, domain, IP) can be available separately, or all at the same time.
  o URL
    ▪ URL (IDS flag) as main IoC
    ▪ Scheme
    ▪ Query string
    ▪ Resource path
    ▪ Port
    ▪ Comment
  o Domain
    ▪ Domain as main IoC
    ▪ Comment
  o IP
    ▪ IP address as main IoC
    ▪ Comment
• Dropped by file object is available only sometimes: when the given main file drops or downloads an additional file. Available attributes are:
  o Filename
  o MD5, SHA1 and SHA256 file hashes (IDS flag) as main IoCs
  o Comment
• Downloaded from URL object, with its accompanying objects, is available only sometimes: when there is a trace of the URL from which the given file was downloaded. Available attributes are:
  o URL
    ▪ URL (IDS flag) as main IoC
    ▪ Scheme
    ▪ Query string
    ▪ Resource path
    ▪ Port
    ▪ Comment
  o Domain
    ▪ Domain as main IoC
    ▪ Comment
  o IP
    ▪ IP address as main IoC
    ▪ Comment
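As an added example (not part of the feed documentation and not ESET's or MISP's code), the following Python walks a STIX 2.0 bundle laid out like the structure above: a main file indicator, the URL it was downloaded from with its domain and IP, and a file it drops. It extracts the equality comparisons from each indicator pattern (file name, hashes, URL, domain, IP) and follows the relationship objects between indicators. The bundle is constructed; its ids, names, hash values (hashes of empty input used as placeholders), network values and relationship_type strings are assumptions, not what an actual ESET or MISP export contains.

```python
import json
import re

# Constructed STIX 2.0 bundle mirroring the object layout described above.
# Ids, hashes, names, network values and relationship types are illustrative.
SAMPLE_BUNDLE = json.loads("""
{
  "type": "bundle", "spec_version": "2.0",
  "id": "bundle--0c5f6a9e-1111-4c2b-9a3d-000000000000",
  "objects": [
    {"type": "indicator", "id": "indicator--0c5f6a9e-1111-4c2b-9a3d-000000000001",
     "created": "2022-01-25T14:11:03.000Z", "modified": "2022-01-25T14:11:03.000Z",
     "labels": ["malicious-activity"], "valid_from": "2022-01-25T14:11:03Z",
     "name": "loader.dll",
     "pattern": "[file:name = 'loader.dll' AND file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e' AND file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"type": "indicator", "id": "indicator--0c5f6a9e-1111-4c2b-9a3d-000000000002",
     "created": "2022-01-25T14:11:03.000Z", "modified": "2022-01-25T14:11:03.000Z",
     "labels": ["malicious-activity"], "valid_from": "2022-01-25T14:11:03Z",
     "name": "download url",
     "pattern": "[url:value = 'http://corolain.ru/upd/stage2.bin']"},
    {"type": "indicator", "id": "indicator--0c5f6a9e-1111-4c2b-9a3d-000000000003",
     "created": "2022-01-25T14:11:03.000Z", "modified": "2022-01-25T14:11:03.000Z",
     "labels": ["malicious-activity"], "valid_from": "2022-01-25T14:11:03Z",
     "name": "domain", "pattern": "[domain-name:value = 'corolain.ru']"},
    {"type": "indicator", "id": "indicator--0c5f6a9e-1111-4c2b-9a3d-000000000004",
     "created": "2022-01-25T14:11:03.000Z", "modified": "2022-01-25T14:11:03.000Z",
     "labels": ["malicious-activity"], "valid_from": "2022-01-25T14:11:03Z",
     "name": "ip", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--0c5f6a9e-1111-4c2b-9a3d-000000000005",
     "created": "2022-01-25T14:11:03.000Z", "modified": "2022-01-25T14:11:03.000Z",
     "labels": ["malicious-activity"], "valid_from": "2022-01-25T14:11:03Z",
     "name": "stage2.bin",
     "pattern": "[file:name = 'stage2.bin' AND file:hashes.'SHA-1' = 'da39a3ee5e6b4b0d3255bfef95601890afd80709']"},
    {"type": "relationship", "id": "relationship--0c5f6a9e-1111-4c2b-9a3d-000000000101",
     "created": "2022-01-25T14:11:03.000Z", "modified": "2022-01-25T14:11:03.000Z",
     "relationship_type": "downloaded-from",
     "source_ref": "indicator--0c5f6a9e-1111-4c2b-9a3d-000000000001",
     "target_ref": "indicator--0c5f6a9e-1111-4c2b-9a3d-000000000002"},
    {"type": "relationship", "id": "relationship--0c5f6a9e-1111-4c2b-9a3d-000000000102",
     "created": "2022-01-25T14:11:03.000Z", "modified": "2022-01-25T14:11:03.000Z",
     "relationship_type": "resolves-to",
     "source_ref": "indicator--0c5f6a9e-1111-4c2b-9a3d-000000000003",
     "target_ref": "indicator--0c5f6a9e-1111-4c2b-9a3d-000000000004"},
    {"type": "relationship", "id": "relationship--0c5f6a9e-1111-4c2b-9a3d-000000000103",
     "created": "2022-01-25T14:11:03.000Z", "modified": "2022-01-25T14:11:03.000Z",
     "relationship_type": "drops",
     "source_ref": "indicator--0c5f6a9e-1111-4c2b-9a3d-000000000001",
     "target_ref": "indicator--0c5f6a9e-1111-4c2b-9a3d-000000000005"}
  ]
}
""")

# One STIX pattern equality comparison: an object path such as file:hashes.'SHA-256'
# or domain-name:value, followed by '=' and a single-quoted literal.
COMPARISON = re.compile(
    r"([A-Za-z0-9_-]+(?::[A-Za-z0-9_-]+)+(?:\.(?:'[^']*'|[A-Za-z0-9_-]+))*)"
    r"\s*=\s*'((?:[^'\\]|\\.)*)'")


def parse_pattern(pattern):
    """Return (object_path, value) pairs for the '=' comparisons in a STIX 2.0
    pattern. Quotes around hash names are stripped. Other operators (LIKE,
    MATCHES, IN, ...) are deliberately not interpreted here."""
    return [(path.replace("'", ""), value) for path, value in COMPARISON.findall(pattern)]


def indicator_iocs(bundle):
    """Flatten every indicator into {id: {"name": ..., "iocs": [...]}}."""
    return {o["id"]: {"name": o.get("name"), "iocs": parse_pattern(o["pattern"])}
            for o in bundle["objects"] if o["type"] == "indicator"}


def hashes_for(bundle, indicator_id):
    """{algorithm: lower-case hash} for a file indicator, from file:hashes.<ALG> paths."""
    return {path.split(".", 1)[1]: value.lower()
            for path, value in indicator_iocs(bundle)[indicator_id]["iocs"]
            if path.startswith("file:hashes.")}


def related(bundle, indicator_id):
    """(relationship_type, direction, other_id) for every relationship touching
    the indicator, so a consumer can walk from the main file to its URL,
    domain, IP and dropped files instead of treating them as isolated IoCs."""
    rels = []
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        if o["source_ref"] == indicator_id:
            rels.append((o["relationship_type"], "out", o["target_ref"]))
        elif o["target_ref"] == indicator_id:
            rels.append((o["relationship_type"], "in", o["source_ref"]))
    return rels


if __name__ == "__main__":
    main_file = "indicator--0c5f6a9e-1111-4c2b-9a3d-000000000001"
    print(hashes_for(SAMPLE_BUNDLE, main_file))
    for rel in related(SAMPLE_BUNDLE, main_file):
        print(rel, indicator_iocs(SAMPLE_BUNDLE)[rel[2]]["iocs"])
```

The pattern parser is intentionally limited to equality comparisons, which is what file hash, URL, domain and IP indicators use; if a feed ever carries a pattern with other operators, parse_pattern silently returns fewer pairs, so a consumer should log patterns that yield nothing rather than assume the indicator is empty.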