eCrime MISP
The eCrime ESET Malware Information Sharing Platform (eCrime MISP) server contains IoCs described in the eCrime reports. Every time a new eCrime report is available, the administrator receives an email notification. Historical reports are also available.
Integration, automation and interaction with ESET eCrime MISP
Access the eCrime ESET Malware Information Sharing Platform from the ESET Threat Intelligence Portal > eCrime Reports > Access eCrime MISP.
We recommend using the MISP API, as it offers a simple way for integration and automation tasks.
To use automation with eCrime MISP, ensure you have your Auth key. You can get your eCrime MISP Auth key on the eCrime ESET Malware Information Sharing Platform > My Profile:
1.Scroll down to the Auth keys section.
2.Click Add authentication key:
3.Verify the email address automatically set in the User field—it is the email address of the currently logged-in user. Optionally fill the following fields:
•Comment—You can type a special comment to identify this Auth key easily
•Allowed IPs—You can add IP addresses from which this Auth key can be used to access the eCrime MISP API
•Expiration—You can specify a desired expiration date for this Auth key
•Read only—You can skip this checkmark, as the ESET Threat Intelligence eCrime MISP access model uses read-only accounts
4.Click Submit.
5.Copy and save your created Auth key:
|
Ensure to save your Auth key. This window is the only place where you can access the Auth key. |
6.Click I have noted down my key, take me back now. The added Auth key appears on the Auth keys list.
Basic eCrime MISP API usage examples
Download a specific event:
$ curl --header "Authorization: YOUR AUTH KEY" \ --header "Accept: application/json" \ --header "Content-Type: application/json" \ https://mispecrime.eset.com/events/view/<EventID> |
Download all events:
$ curl --header "Authorization: YOUR AUTH KEY" \ --header "Accept: application/json" \ --header "Content-Type: application/json" \ https://mispecrime.eset.com/events/ |
Upload events to the target MISP:
$ curl --request POST https://<TARGET MISP>/events/ \ --header "Accept: application/json" \ --header "Content-Type: application/json" \ --header "Authorization: YOUR API KEY" \ --include \ --data "@event.json" |
To simplify usage of the MISP API, consider utilizing the PyMISP Python library or PyMISP Python library on GitHub.
Reports in eCrime MISP
The reports in eCrime MISP, like the reports in APT MISP, are accessible by the ETI (ESET Threat Intelligence) Portal download link (PDF) and ETI Portal Report UUID. The ETI Portal download link (PDF) and ETI Portal Report UUID are provided as object attributes of the MISP Event. The eCrime MISP event has the same structure as the APT MISP event.
•ETI Portal Report ID:
"type": "other" "category": "External analysis" "comment": "ETI Portal Report ID" "value": ETI Portal Report ID in the format of UUID, for example, "4215b9c3-b176-4de3-9234-2fe03c2913d6" |
•ETI Portal download link (PDF):
"type": "other" "category": "External analysis" "comment": "ETI Portal download link (PDF)" "value": ETI Portal download link (PDF), for example, "https://eti.eset.com/reports/ecrime/download/4215b9c3-b176-4de3-9234-2fe03c2913d6" |
ETI Portal Report ID
ETI Portal Report ID can be used with the ESET Threat Intelligence APIv2.
The ESET Threat Intelligence API documentation (Swagger/OpenAPI) is available through the provided link. To use the ESET Threat Intelligence API, you must have the ESET Threat Intelligence Portal API credentials generated.
For the eCrime report download link (PDF), use the https://eti.eset.com/api/v2/ecrime-reports/{reportUuid}/files endpoint. Alternatively, you can use the direct API download link: https://eti.eset.com/api/v2/ecrime-reports/{reportUuid}/download/pdf.
ETI Portal download link (PDF)
The ETI Portal download link (PDF) directs to the ESET Threat Intelligence Portal UI, which requires authentication using your ESET Business Account/ESET PROTECT Hub login credentials. The eCrime MISP UI and ESET Threat Intelligence Portal UI users can use the link to download PDFs in the browser.