ESET Online Help


Domain feed

This feed lists malicious domains so that users can be prevented from visiting them and thereby stay protected against infections and data breaches. Such domains are usually part of phishing campaigns, malware distribution, or a larger cyber attack. The feed covers the domain name, the data associated with it, and the respective malicious activity. The feed ranks the domains by severity, which enables you to adjust the response accordingly, for example, to block only high-severity domains. The feed also states a confidence level for each domain, which serves as an assessment of whether that domain should be blocked.

ESET ensures compatibility by using standards such as TAXII 2.1 and STIX 2.1, which make ESET threat intelligence data easily consumable across various TIP, XDR/EDR, SIEM, SOAR and firewall products. Each of these feeds is created in near real time, and deduplication happens every 24 hours.

The Domain feed mainly uses the following STIX 2.1 SDO, SRO and SCO objects and related metadata:

Identity

Indicator

Malware

Observed Data

Relationship

Example data is directly available inside the ESET Threat Intelligence portal. To use the portal without the license in Demo mode, follow the steps in the Get started guide to create an account. Additionally, see the Demo mode topic.

ESET STIX 2.1 SDO Names and Labels

Indicator

Name:

- "Blocked": domain has shown malicious activity (High severity threat, High confidence)

- "Phishing": domain has shown phishing activity (High severity threat, High confidence)

- "Unwanted": domain was considered a PUA or scam (Medium severity threat, High confidence)

- "BlockedObject": domain has, for example, hosted a malicious object (Any severity, Low confidence). We propose not to block this confidence level, as it could potentially cause an increased number of FPs.

Label:

- "malicious-activity"

- "phishing-activity"

- "unwanted-activity"

- "benign"

Malware

Name: name of the detection

Labels:

- "trojan"

- "worm"

- "virus"

- "dropper"

- "adware"

- "rogue security software"

- "ransomware"

- "keylogger"

- "rootkit"

- "ddos"

- "bot"

- "spyware"
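The following is an added example, not code from ESET or from this help page: it applies the Indicator name tiers above (severity, confidence, and the advice not to block "BlockedObject") to a STIX 2.1 bundle and produces a blocklist, annotating each domain with the Malware objects linked to it through "indicates" Relationships. The bundle, its ids, domains, detection name and the exact pattern wording are constructed assumptions, not feed data.

```python
import json
import re

# Severity / confidence tiers per Indicator name, as listed on this page.
NAME_POLICY = {
    "Blocked": ("high", "high"),
    "Phishing": ("high", "high"),
    "Unwanted": ("medium", "high"),
    "BlockedObject": ("any", "low"),   # page advises not blocking this tier (FP risk)
}
SEVERITY_RANK = {"any": 0, "medium": 1, "high": 2}
DOMAIN_RE = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")

# Constructed sample bundle (ids, domains, pattern wording and detection name are assumptions).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0000", "objects": [
    {"type": "indicator", "id": "indicator--1", "name": "Blocked",
     "labels": ["malicious-activity"], "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.example']"},
    {"type": "indicator", "id": "indicator--2", "name": "Unwanted",
     "labels": ["unwanted-activity"], "pattern_type": "stix",
     "pattern": "[domain-name:value = 'pua.example']"},
    {"type": "indicator", "id": "indicator--3", "name": "BlockedObject",
     "labels": ["malicious-activity"], "pattern_type": "stix",
     "pattern": "[domain-name:value = 'cdn.example']"},
    {"type": "malware", "id": "malware--1", "name": "Win32/Agent.XYZ", "labels": ["trojan"]},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "indicates",
     "source_ref": "indicator--1", "target_ref": "malware--1"},
]})

def build_blocklist(bundle_json, min_severity="high", block_low_confidence=False):
    """Return {domain: detail} for indicators that meet the blocking policy."""
    objs = {o["id"]: o for o in json.loads(bundle_json)["objects"]}
    # Resolve indicator -> malware detection names via "indicates" relationships.
    indicated = {}
    for o in objs.values():
        if o["type"] == "relationship" and o.get("relationship_type") == "indicates":
            target = objs.get(o["target_ref"])
            if target and target["type"] == "malware":
                indicated.setdefault(o["source_ref"], []).append(target["name"])
    out = {}
    for o in objs.values():
        if o["type"] != "indicator" or o.get("pattern_type", "stix") != "stix":
            continue
        severity, confidence = NAME_POLICY.get(o.get("name"), ("any", "low"))
        if confidence == "low" and not block_low_confidence:
            continue  # unknown names are treated as low confidence as well
        if confidence != "low" and SEVERITY_RANK[severity] < SEVERITY_RANK[min_severity]:
            continue
        for domain in DOMAIN_RE.findall(o["pattern"]):
            out[domain.lower()] = {"name": o["name"], "labels": o.get("labels", []),
                                   "severity": severity, "malware": indicated.get(o["id"], [])}
    return out
```

With the defaults only "c2.example" is blocked; lowering min_severity to "medium" adds the "Unwanted" domain, and "cdn.example" is included only when the low-confidence tier is explicitly enabled.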