ESET Online Help


IP feed

This feed shares the currently prevalent malicious and abusive IPs together with some data associated with them. The structure of the data is similar to that used for the domain and URL feeds. The main use case is to understand which malicious IPs are currently prevalent in the wild, to block those with high severity, to inspect the less severe ones based on the additional data, and to see what harm has already been caused. Filtering, in this case, is very similar to that in the URL feed.

ESET ensures compatibility by using standards such as TAXII 2.1 and STIX 2.1, which make the ESET threat intelligence data easily consumable across various TIP, XDR/EDR, SIEM and SOAR platforms and firewalls. Each of these feeds is created in near real time, and deduplication happens every 24 hours.

The IP feed mainly uses the following STIX 2.1 SDO, SRO and SCO objects and related metadata:

Indicator

Malware

Observed Data

Relationship

Example data is directly available inside the ESET Threat Intelligence portal. To use the portal without the license in Demo mode, follow the steps in the Get started guide to create an account. Additionally, see the Demo mode topic.

ESET STIX 2.1 SDO Names and Labels

Indicator

Name:

- "Blocked"—IP has shown malicious activity—High severity threat, High confidence

- "Unwanted"—IP was considered a PUA or scam—Medium severity threat, High confidence

- "BlockedObject"—IP has, for example, hosted a malicious object—Any severity, Low confidence (We propose not to block this confidence level, as it could potentially cause an increased number of FPs.)

Label:

- "malicious-activity"

- "unwanted-activity"

- "benign"

Malware

Name: name of the detection

Labels:

- "trojan"

- "worm"

- "virus"

- "dropper"

- "adware"

- "rogue security software"

- "ransomware"

- "keylogger"

- "rootkit"

- "ddos"

- "bot"

- "spyware"
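The following is an added example, not code from the ESET portal or feed, showing how a consumer could triage the Indicator tiers described above (block "Blocked", review "Unwanted", only enrich "BlockedObject") and pull in the detection name from linked Malware objects via "indicates" Relationships. The STIX bundle, its identifiers, the IP addresses and the detection name are all constructed sample data, not values from the real feed.

```python
import json
import re

def sid(kind, n):  # STIX-style identifier for the constructed sample (hypothetical values)
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"

def ind(n, name, label, ip):  # one IP indicator in the shape the page describes
    return {"type": "indicator", "id": sid("indicator", n), "name": name, "labels": [label],
            "pattern_type": "stix", "pattern": f"[ipv4-addr:value = '{ip}']",
            "valid_from": "2024-01-01T00:00:00Z"}

# Constructed sample bundle mirroring the object types listed on the page; not real feed data.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": sid("bundle", 1), "objects": [
    ind(10, "Blocked", "malicious-activity", "203.0.113.10"),
    ind(11, "Unwanted", "unwanted-activity", "198.51.100.7"),
    ind(12, "BlockedObject", "malicious-activity", "192.0.2.33"),
    {"type": "malware", "id": sid("malware", 20), "name": "Example/Trojan.Sample",
     "labels": ["trojan"], "is_family": False},
    {"type": "relationship", "id": sid("relationship", 30), "relationship_type": "indicates",
     "source_ref": sid("indicator", 10), "target_ref": sid("malware", 20)},
]})

# Action per indicator name: block the High-confidence tier, review "Unwanted", and never
# auto-block the Low-confidence "BlockedObject" tier because of the FP risk noted above.
ACTION_BY_NAME = {"Blocked": "block", "Unwanted": "review", "BlockedObject": "enrich-only"}
SINGLE_IP = re.compile(r"\[ipv[46]-addr:value = '([^']+)'\]")

def triage(bundle_json):
    """Return one decision per IP indicator, enriched with linked Malware detection names."""
    objs = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objs}
    detections = {}  # indicator id -> names of the Malware objects it 'indicates'
    for o in objs:
        if o["type"] == "relationship" and o.get("relationship_type") == "indicates":
            target = by_id.get(o["target_ref"])
            if target and target["type"] == "malware":
                detections.setdefault(o["source_ref"], []).append(target["name"])
    decisions = []
    for o in objs:
        if o["type"] != "indicator":
            continue
        m = SINGLE_IP.fullmatch(o.get("pattern", ""))
        if not m:
            continue  # only simple single-address patterns are handled here
        decisions.append({"ip": m.group(1), "name": o["name"], "labels": o.get("labels", []),
                          "action": ACTION_BY_NAME.get(o["name"], "review"),
                          "detections": detections.get(o["id"], [])})
    return decisions

def blocklist(bundle_json):  # only IPs that meet the page's blocking threshold
    return sorted(d["ip"] for d in triage(bundle_json) if d["action"] == "block")
```

Unknown indicator names default to "review" rather than "block" so that a new tier in the feed never silently widens the blocklist.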