Domain feed
The Domain feed consists of domains that are considered malicious. For each domain the feed shares the following attributes:
• DomainName
  o The name of the domain (un-stop.org)
  o The type of maliciousness of the domain. The following are the possible types:
    ▪ Block—A malicious link is blocked in the domain
    ▪ Phishing—A phishing link is blocked in the domain
    ▪ Unwanted—A potentially unwanted application link is blocked in the domain
    ▪ Blocked Object—The domain hosts downloadable malware, but the domain as a whole should not be blocked (the JSON snippet below carries this type as the state value BlockedObject)
  o The number of times the domain has been identified as malicious for the given type
• AddressObj—The IP address of the malicious domain (192.3.136.10)
• Downloaded_detection—The detection name of a file downloaded from the given blocked link (Application.JS/Adware.Imali.A)
• Parent_detection—The detection name of a file that was trying to access the given blocked link (Application.Win32/Adware.ICLoader.ME); the JSON snippet below carries this attribute under the key opener_detection
JSON
Below is a snippet of a domain feed in JSON format.
<taxii_11:Content_Block>
  <taxii_11:Content_Binding binding_id="urn:eset.com:json:1.0.0"/>
  <taxii_11:Content>[
    {
      "confidence": "Low",
      "count": 16054,
      "count_24h": 12,
      "countries": [
        {
          "code": "UNKNOWN",
          "count_24h": 12,
          "unique_users_count_24h": 1
        }
      ],
      "domain": "tgory.pl",
      "downloaded_detection": null,
      "first_seen": "2018-07-31 23:00:00 UTC",
      "ip": null,
      "last_seen": "2020-10-22 11:17:59 UTC",
      "location": null,
      "opener_detection": null,
      "reason": "Host actively distributes high-severity threat in the form of executable code.",
      "state": "BlockedObject",
      "valid_to": "2020-10-24 11:41:26 UTC"
    }
  ]</taxii_11:Content>
  <taxii_11:Timestamp_Label>2020-10-22T11:41:30+00:00</taxii_11:Timestamp_Label>
</taxii_11:Content_Block>
STIX 2.0
Below is a snippet of a domain feed in STIX 2.0 format.
{
  "type": "observed-data",
  "id": "observed-data--491ae041-7454-42e9-a7ee-8f3b25d7d035",
  "created": "2020-10-22T11:41:26.000Z",
  "modified": "2020-10-22T11:41:26.000Z",
  "first_observed": "2018-07-31T23:00:00Z",
  "last_observed": "2020-10-22T11:17:59Z",
  "number_observed": 16054,
  "objects": {
    "0": {
      "type": "domain-name",
      "value": "tgory.pl"
    }
  }
}
The following STIX domain objects are available for the Domain feed:
• Indicator—An Indicator of Compromise (IoC) to use for further blocking or investigation
• Observed data—Extra information about the given domain, intended for manual investigation
• Malware—An optional object, shared with a domain IoC only if a malicious file downloaded from the given domain was detected and blocked
• Relationship—A STIX Relationship object that links the objects above for the same domain to each other
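The following Python is an added example, not code from this page or from ESET, that ties the JSON and STIX 2.0 sections together: it pulls the JSON records out of a TAXII 1.1 Content_Block like the one above, decides per record whether the whole domain is blocked or only its downloaded objects (the Blocked Object case) while skipping records past valid_to, and builds a STIX 2.0 observed-data object using the same field mapping the STIX snippet shows (count to number_observed, first_seen and last_seen to first_observed and last_observed). Assumptions not taken from the page: the TAXII 1.1 namespace URI on the root element, the second (invented) Phishing record in the sample, the state values being the type names with spaces removed, the uuid5-derived object id, and the ipv4-addr observable emitted for a non-null ip.

```python
# Added example, not code from the page or from ESET. Assumptions are marked inline.
import json
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# TAXII 1.1 XML binding namespace; the page's snippet omits the xmlns declaration,
# so it is assumed here to make the constructed sample well-formed XML.
TAXII_NS = {"taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"}
ESET_JSON_BINDING = "urn:eset.com:json:1.0.0"

# Constructed sample: the tgory.pl record from the page plus an invented Phishing
# record (reserved example.invalid / 203.0.113.7) so the fields that are null in the
# page's record get exercised too.
SAMPLE_CONTENT_BLOCK = """\
<taxii_11:Content_Block xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1">
  <taxii_11:Content_Binding binding_id="urn:eset.com:json:1.0.0"/>
  <taxii_11:Content>[
    {"confidence": "Low", "count": 16054, "count_24h": 12,
     "countries": [{"code": "UNKNOWN", "count_24h": 12, "unique_users_count_24h": 1}],
     "domain": "tgory.pl", "downloaded_detection": null,
     "first_seen": "2018-07-31 23:00:00 UTC", "ip": null,
     "last_seen": "2020-10-22 11:17:59 UTC", "location": null, "opener_detection": null,
     "reason": "Host actively distributes high-severity threat in the form of executable code.",
     "state": "BlockedObject", "valid_to": "2020-10-24 11:41:26 UTC"},
    {"confidence": "High", "count": 42, "count_24h": 3, "countries": [],
     "domain": "example.invalid", "downloaded_detection": null,
     "first_seen": "2020-10-20 08:00:00 UTC", "ip": "203.0.113.7",
     "last_seen": "2020-10-22 09:00:00 UTC", "location": null,
     "opener_detection": "Application.Win32/Adware.ICLoader.ME",
     "reason": "Phishing site.", "state": "Phishing", "valid_to": "2020-10-24 09:00:00 UTC"}
  ]</taxii_11:Content>
  <taxii_11:Timestamp_Label>2020-10-22T11:41:30+00:00</taxii_11:Timestamp_Label>
</taxii_11:Content_Block>
"""

FEED_TIME_FORMAT = "%Y-%m-%d %H:%M:%S UTC"  # "2020-10-22 11:17:59 UTC"
STIX_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"     # "2020-10-22T11:17:59Z"
# Assumption: state values are the type names listed above with spaces removed,
# as "BlockedObject" in the page's snippet suggests.
DOMAIN_WIDE_STATES = {"Block", "Phishing", "Unwanted"}
OBJECT_ONLY_STATES = {"BlockedObject"}


def parse_feed_time(value):
    """Feed timestamp string -> timezone-aware datetime."""
    return datetime.strptime(value, FEED_TIME_FORMAT).replace(tzinfo=timezone.utc)


def extract_entries(content_block_xml):
    """Return the feed records carried in one TAXII 1.1 Content_Block."""
    root = ET.fromstring(content_block_xml)
    binding = root.find("taxii_11:Content_Binding", TAXII_NS)
    if binding is None or binding.get("binding_id") != ESET_JSON_BINDING:
        raise ValueError("content block does not carry the ESET JSON binding")
    content = root.find("taxii_11:Content", TAXII_NS)
    if content is None or not content.text:
        raise ValueError("content block has no Content element")
    return json.loads(content.text)


def decide_action(entry, now):
    """'expired', 'block-domain' or 'block-objects-only' for one record.

    BlockedObject hosts serve malicious downloads but must not be blocked as a
    whole, so only the downloaded objects get blocked; stale records are skipped.
    """
    if parse_feed_time(entry["valid_to"]) <= now:
        return "expired"
    state = entry["state"]
    if state in DOMAIN_WIDE_STATES:
        return "block-domain"
    if state in OBJECT_ONLY_STATES:
        return "block-objects-only"
    raise ValueError(f"unknown state {state!r} for {entry['domain']}")


def to_observed_data(entry, created):
    """STIX 2.0 observed-data with the page's mapping: count -> number_observed,
    first_seen/last_seen -> first_observed/last_observed, domain -> domain-name.
    Assumptions: uuid5 id derived from the domain (the feed's ids are opaque) and a
    non-null ip emitted as an ipv4-addr that the domain-name resolves to."""
    objects = {"0": {"type": "domain-name", "value": entry["domain"]}}
    if entry.get("ip"):
        objects["1"] = {"type": "ipv4-addr", "value": entry["ip"]}
        objects["0"]["resolves_to_refs"] = ["1"]
    return {
        "type": "observed-data",
        "id": "observed-data--" + str(uuid.uuid5(uuid.NAMESPACE_DNS, entry["domain"])),
        "created": created,
        "modified": created,
        "first_observed": parse_feed_time(entry["first_seen"]).strftime(STIX_TIME_FORMAT),
        "last_observed": parse_feed_time(entry["last_seen"]).strftime(STIX_TIME_FORMAT),
        "number_observed": entry["count"],
        "objects": objects,
    }


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for record in extract_entries(SAMPLE_CONTENT_BLOCK):
        print(record["domain"], record["state"], decide_action(record, now))
        print(json.dumps(to_observed_data(record, now.strftime(STIX_TIME_FORMAT)), indent=2))
```

Run as a script today, both sample records report "expired", which is the intended behaviour: valid_to is an enforcement deadline, and a consumer that keeps blocking past it is acting on stale intelligence. The check on binding_id is there so a content block carrying some other binding is rejected rather than parsed as if it were the JSON feed.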