ESET Online Help


URL feed

The URL feed contains domains that are considered malicious. Compared to the Domain feed, the URL feed can show different results because it uses different filter options. For example, some objects are blocked at the URL level only and not at the domain level. The URL feed follows the same specifications as the Domain feed, except that each entry carries a URL address instead of a domain name, which identifies the exact location of the malicious content.

JSON
Below is a snippet of a URL feed in JSON format.


example

<taxii_11:Content>[
  {
    "confidence": "High",
    "count_24h": 1,
    "countries": [
      {
        "code": "UNKNOWN",
        "count_24h": 1,
        "unique_users_count_24h": 1
      }
    ],
    "domain": "bejnz.com",
    "domain_count": 1065,
    "domain_first_seen": "2018-07-31 23:00:00 UTC",
    "domain_last_seen": "2020-10-22 11:04:55 UTC",
    "downloaded_detection": null,
    "ip": null,
    "location": null,
    "opener_detection": "Trojan.MSIL/Kryptik.MSS",
    "reason": "Host is used as command and control server of MSIL/Kryptik.MSS trojan malware family.",
    "state": "Blocked",
    "url": "http://bejnz.com/IP.php",
    "valid_to": "2020-10-24 11:56:16 UTC"
  }
]</taxii_11:Content>

STIX 2.0
Below is a snippet of a URL feed in JSON format.


example

{
  "type": "indicator",
  "id": "indicator--d0a27e9b-7f72-4587-95a0-173634a27a25",
  "created": "2020-10-22T11:56:16.000Z",
  "modified": "2020-10-22T11:56:16.000Z",
  "name": "Blocked",
  "description": "Host is used as command and control server of MSIL/Kryptik.MSS trojan malware family.",
  "pattern": "[url:value='http://bejnz.com/IP.php']",
  "valid_from": "2020-10-22T11:56:16Z",
  "valid_until": "2020-10-24T11:56:16Z",
  "labels": [
    "malicious-activity"
  ]
}

 

The following types of STIX domain objects are available for the URL feed:

Indicator—An Indicator of Compromise (IoC) to use for further blocking or investigation.

Observed data—Extra information about the given domain.

Malware—An optional object shared with every domain IoC if a malicious file downloaded from the given domain is detected and blocked.

Sighting—Additional data about the domain hosting the URL. This object is always associated with Observed data, which provides more information about the domain.

Relationship:

[Figure: STIX relationships in the URL feed]
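The JSON record and the STIX 2.0 indicator shown above describe the same blocked URL with the same expiry. As an added example (not ESET's code), the Python below normalizes both serializations into one (URL, expiry) form and drops entries whose validity window has ended; the function names and the restriction to the single `url:value` comparison seen on this page are assumptions of this example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample inputs: trimmed copies of the two snippets on this page.
JSON_RECORD = json.loads("""{
  "confidence": "High", "state": "Blocked", "ip": null,
  "url": "http://bejnz.com/IP.php", "valid_to": "2020-10-24 11:56:16 UTC"
}""")
STIX_INDICATOR = json.loads("""{
  "type": "indicator", "name": "Blocked",
  "pattern": "[url:value='http://bejnz.com/IP.php']",
  "valid_from": "2020-10-22T11:56:16Z", "valid_until": "2020-10-24T11:56:16Z"
}""")

# Assumption: only the single-comparison pattern form shown on this page is accepted.
URL_PATTERN = re.compile(r"^\[url:value\s*=\s*'((?:[^'\\]|\\.)*)'\]$")

def parse_ts(s):
    """Parse both timestamp styles shown on this page into an aware UTC datetime."""
    s = re.sub(r"\.\d+(?=Z$)", "", s).replace(" UTC", "Z").replace(" ", "T")
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def from_json(rec):
    """Return (url, expiry) from a JSON feed record."""
    return rec["url"], parse_ts(rec["valid_to"])

def from_stix(obj):
    """Return (url, expiry) from a STIX 2.0 indicator, or None if unsupported."""
    m = URL_PATTERN.match(obj.get("pattern", ""))
    if obj.get("type") != "indicator" or m is None:
        return None  # other object types and compound patterns are skipped, not guessed at
    url = re.sub(r"\\(.)", r"\1", m.group(1))  # undo STIX string escapes \' and \\
    return url, parse_ts(obj["valid_until"])

def active_blocklist(entries, now):
    """Deduplicate entries and keep URLs whose validity has not ended at `now`."""
    return sorted({url for url, expiry in entries if now < expiry})
```

Expiring entries on `valid_to` / `valid_until` keeps a blocklist from accumulating stale indicators after the feed has stopped vouching for them.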