ESET Online Help


Domain feed

The domain feed consists of domains that are considered malicious. For each domain the feed shares the following attributes:

DomainName

- The name of the domain (for example, un-stop.org)

- The type of maliciousness of the domain. The possible types are:

    Block—A malicious link is blocked in the domain

    Phishing—A phishing link is blocked in the domain

    Unwanted—A potentially unwanted application link is blocked in the domain

    Blocked Object—The domain hosts downloadable malware (the downloaded object is detected and blocked), but the domain as a whole should not be blocked. In the JSON feed this state appears as BlockedObject.

- The number of times the domain has been identified as malicious with the given type

AddressObj—The IP address of the malicious domain (for example, 192.3.136.10)

Downloaded_detection—The detection name of a file downloaded from the given blocked link (for example, Application.JS/Adware.Imali.A)

Parent_detection—The detection name of a file that was trying to access the given blocked link (for example, Application.Win32/Adware.ICLoader.ME)

JSON

Below is a snippet of a domain feed in JSON format.


example

<taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:eset.com:json:1.0.0"/>
    <taxii_11:Content>[
    {
        "confidence": "Low",
        "count": 16054,
        "count_24h": 12,
        "countries": [
            {
                "code": "UNKNOWN",
                "count_24h": 12,
                "unique_users_count_24h": 1
            }
        ],
        "domain": "tgory.pl",
        "downloaded_detection": null,
        "first_seen": "2018-07-31 23:00:00 UTC",
        "ip": null,
        "last_seen": "2020-10-22 11:17:59 UTC",
        "location": null,
        "opener_detection": null,
        "reason": "Host actively distributes high-severity threat in the form of executable code.",
        "state": "BlockedObject",
        "valid_to": "2020-10-24 11:41:26 UTC"
    }
    ]</taxii_11:Content>
    <taxii_11:Timestamp_Label>2020-10-22T11:41:30+00:00</taxii_11:Timestamp_Label>
</taxii_11:Content_Block>
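As an added example (not code from the ESET documentation), the following Python script parses a TAXII 1.1 content block like the one above, pulls the JSON records out of its Content element, drops entries whose valid_to has already passed relative to the block's Timestamp_Label, and sorts the remainder into domains to block outright (states Block, Phishing, Unwanted) versus hosts whose downloads should be blocked but whose domain should not (state BlockedObject). The xmlns declaration, the two extra records and every value other than the tgory.pl record are constructed for this example; the state-to-action mapping follows the type descriptions earlier on this page.

```python
"""Turn an ESET domain-feed TAXII 1.1 content block into blocking decisions."""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the page's tgory.pl record plus two made-up records,
# one phishing domain and one Block entry whose valid_to has already passed.
# The xmlns value is the TAXII 1.1 XML binding namespace, added so the
# snippet parses stand-alone (the page's snippet omits the declaration).
SAMPLE_CONTENT_BLOCK = """<taxii_11:Content_Block xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1">
  <taxii_11:Content_Binding binding_id="urn:eset.com:json:1.0.0"/>
  <taxii_11:Content>[
    {"confidence": "Low", "count": 16054, "count_24h": 12, "domain": "tgory.pl",
     "downloaded_detection": null, "ip": null, "opener_detection": null,
     "first_seen": "2018-07-31 23:00:00 UTC", "last_seen": "2020-10-22 11:17:59 UTC",
     "reason": "Host actively distributes high-severity threat in the form of executable code.",
     "state": "BlockedObject", "valid_to": "2020-10-24 11:41:26 UTC"},
    {"confidence": "High", "count": 3, "count_24h": 3, "domain": "login-example.invalid",
     "downloaded_detection": null, "ip": "192.0.2.10", "opener_detection": null,
     "first_seen": "2020-10-22 09:00:00 UTC", "last_seen": "2020-10-22 11:00:00 UTC",
     "reason": "constructed sample", "state": "Phishing", "valid_to": "2020-10-24 11:41:26 UTC"},
    {"confidence": "Medium", "count": 40, "count_24h": 0, "domain": "stale.example",
     "downloaded_detection": "Application.JS/Adware.Imali.A", "ip": null, "opener_detection": null,
     "first_seen": "2020-01-01 00:00:00 UTC", "last_seen": "2020-10-01 00:00:00 UTC",
     "reason": "constructed sample", "state": "Block", "valid_to": "2020-10-03 00:00:00 UTC"}
  ]</taxii_11:Content>
  <taxii_11:Timestamp_Label>2020-10-22T11:41:30+00:00</taxii_11:Timestamp_Label>
</taxii_11:Content_Block>"""

# States that mean the whole domain is hostile; BlockedObject is handled apart.
WHOLE_DOMAIN_STATES = {"Block", "Phishing", "Unwanted"}


def _local_name(element):
    """Strip the namespace from an ElementTree tag ('{uri}Content' -> 'Content')."""
    return element.tag.split("}")[-1]


def parse_feed_time(value):
    """Feed timestamps look like '2020-10-22 11:17:59 UTC'; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def timestamp_label(content_block_xml):
    """Return the block's Timestamp_Label as an aware datetime (the feed's 'now')."""
    root = ET.fromstring(content_block_xml)
    for element in root.iter():
        if _local_name(element) == "Timestamp_Label":
            return datetime.fromisoformat(element.text.strip())
    raise ValueError("content block has no Timestamp_Label")


def extract_records(content_block_xml):
    """Return the JSON records carried by every Content element of the block."""
    root = ET.fromstring(content_block_xml)
    records = []
    for element in root.iter():
        if _local_name(element) == "Content" and element.text:
            records.extend(json.loads(element.text))
    return records


def classify(record, now):
    """Map one record to 'block-domain', 'block-objects', 'expired' or 'review'.

    Block/Phishing/Unwanted mean the domain itself should be blocked.
    BlockedObject means only downloads from it are malicious, so the domain
    is kept out of the domain blocklist. Entries past valid_to are dropped.
    """
    if parse_feed_time(record["valid_to"]) < now:
        return "expired"
    state = record["state"].replace(" ", "")  # docs write both 'Blocked Object' and 'BlockedObject'
    if state in WHOLE_DOMAIN_STATES:
        return "block-domain"
    if state == "BlockedObject":
        return "block-objects"
    return "review"  # unknown state: surface it rather than silently block


def build_blocklists(content_block_xml, now):
    """Return (domains to block, hosts whose downloads to block), both sorted."""
    domains, object_hosts = [], []
    for record in extract_records(content_block_xml):
        action = classify(record, now)
        if action == "block-domain":
            domains.append(record["domain"])
        elif action == "block-objects":
            object_hosts.append(record["domain"])
    return sorted(domains), sorted(object_hosts)


if __name__ == "__main__":
    now = timestamp_label(SAMPLE_CONTENT_BLOCK)
    print(build_blocklists(SAMPLE_CONTENT_BLOCK, now))
```

Keying the expiry check on the block's own Timestamp_Label rather than the wall clock keeps a replayed or delayed poll from resurrecting entries that ESET has since let lapse; a consumer that merges several polls should still re-run the valid_to check against the current time before pushing the lists to an enforcement point.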

STIX 2.0

Below is a snippet of a domain feed in STIX 2.0 format.


example

{
 "type": "observed-data",
 "id": "observed-data--491ae041-7454-42e9-a7ee-8f3b25d7d035",
 "created": "2020-10-22T11:41:26.000Z",
 "modified": "2020-10-22T11:41:26.000Z",
 "first_observed": "2018-07-31T23:00:00Z",
 "last_observed": "2020-10-22T11:17:59Z",
 "number_observed": 16054,
 "objects": {
         "0": {
                 "type": "domain-name",
                 "value": "tgory.pl"
         }
 }
}
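The JSON and STIX 2.0 snippets on this page describe the same tgory.pl record, which makes the mapping between them visible: first_seen and last_seen become first_observed and last_observed in STIX timestamp form, count becomes number_observed, and the domain becomes a domain-name observable. As an added example (not ESET's code), the Python function below performs that conversion for one JSON feed record. It goes slightly beyond the page's snippet by also emitting an ipv4-addr observable linked through resolves_to_refs when the record's ip field is populated, which is the standard STIX 2.0 way to express that relation. The created/modified timestamp and the object UUID are generated at conversion time; that is an assumption, since the page does not say how ESET derives them.

```python
"""Convert an ESET domain-feed JSON record into a STIX 2.0 observed-data object."""
import uuid
from datetime import datetime, timezone

# The page's JSON record for tgory.pl, reduced to the fields the mapping uses
# (constructed from the page's snippet; 'ip' is null there, as here).
SAMPLE_RECORD = {
    "confidence": "Low",
    "count": 16054,
    "domain": "tgory.pl",
    "downloaded_detection": None,
    "first_seen": "2018-07-31 23:00:00 UTC",
    "ip": None,
    "last_seen": "2020-10-22 11:17:59 UTC",
    "opener_detection": None,
    "state": "BlockedObject",
    "valid_to": "2020-10-24 11:41:26 UTC",
}


def feed_time_to_stix(value):
    """'2018-07-31 23:00:00 UTC' -> '2018-07-31T23:00:00Z' (STIX 2.0 timestamp form)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").strftime("%Y-%m-%dT%H:%M:%SZ")


def stix_now():
    """Current UTC time with millisecond precision, matching the page's 'created' format."""
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def to_observed_data(record, created=None):
    """Build a STIX 2.0 observed-data dict from one feed record.

    'created' may be passed as a STIX timestamp string (useful for tests and
    for replaying a poll); otherwise the conversion time is used (assumption:
    the page does not state how ESET sets created/modified).
    """
    stamp = created or stix_now()
    objects = {"0": {"type": "domain-name", "value": record["domain"]}}
    if record.get("ip"):
        # Extension beyond the page's snippet: express the AddressObj as an
        # ipv4-addr observable that the domain resolves to.
        objects["1"] = {"type": "ipv4-addr", "value": record["ip"]}
        objects["0"]["resolves_to_refs"] = ["1"]
    return {
        "type": "observed-data",
        "id": f"observed-data--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "first_observed": feed_time_to_stix(record["first_seen"]),
        "last_observed": feed_time_to_stix(record["last_seen"]),
        "number_observed": record["count"],
        "objects": objects,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(to_observed_data(SAMPLE_RECORD), indent=1))
```

Note that only the observation itself is carried over; the feed's state, confidence and detection names have no place in observed-data and belong on the Indicator and Malware objects described in the next section.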


The following STIX objects are available for the domain feed:

Indicator—An Indicator of Compromise (IoC) to use for blocking or further investigation

Observed data—Extra information about the given domain, intended for manual investigation

Malware—An optional object, shared with a domain IoC only when a malicious file downloaded from the given domain has been detected and blocked

Relationship: [figure: STIX relationships in the domain feed]