ESET Online Help


URL feed

The URL feed provides information about current and prevalent malicious URLs and associated data. The feed is created from all URL sources every five minutes, and deduplication happens every 24 hours. Filtering for this feed is stricter to ensure that no sensitive information is shared, so URLs are shared without parameters. Compared with the Domain feed, the URL feed is much smaller and more targeted: it allows analysts to block specific malicious URLs instead of blocking entire domains.

ESET ensures compatibility by using standards such as TAXII 2.1 and STIX 2.1, which make ESET threat intelligence data easy to consume across various TIP, XDR/EDR, SIEM, and SOAR platforms and firewalls. Each of these feeds is created in near real time, and deduplication happens every 24 hours.

The URL feed mainly uses the following STIX 2.1 SDO, SRO, and SCO objects and related metadata:

Identity

Indicator

Malware

Observed Data

Relationship

Sighting

Example data is available directly in the ESET Threat Intelligence portal. To use the portal without a license, in Demo mode, follow the steps in the Get started guide to create an account. Additionally, see the Demo mode topic.

ESET STIX 2.1 SDO Names and Labels

Indicator

Name:

o "Blocked"—URL has shown malicious activity—High severity threat, High confidence

o "Phishing"—URL has shown phishing activity—High severity threat, High confidence

o "Unwanted"—URL was considered a PUA or scam—Medium severity threat, High confidence

o "BlockedObject"—URL has, for example, hosted a malicious object—Any severity, Low confidence (We propose not to block at this confidence level, as it could increase the number of false positives.)

Label:

o "malicious-activity"

o "phishing-activity"

o "unwanted-activity"

o "benign"

Malware

Name: name of the detection

Labels:

o "trojan"

o "worm"

o "virus"

o "dropper"

o "adware"

o "rogue security software"

o "ransomware"

o "keylogger"

o "rootkit"

o "ddos"

o "bot"

o "spyware"
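
The Indicator names above can drive how a consumer handles each URL. The following is an added example, not ESET code or real feed data: it triages a constructed STIX 2.1 bundle so that low-confidence "BlockedObject" entries raise an alert instead of being blocked. It assumes each indicator carries a single-comparison `url:value` STIX pattern; the sample ids, hosts and the `triage` and `indicator` helpers are hypothetical.

```python
import json
import re

# Indicator names documented for the URL feed, mapped to a consumer action.
# Blocking all three high-confidence names is this example's policy choice;
# "BlockedObject" is low confidence, so it only raises an alert.
ACTION_BY_NAME = {"Blocked": "block", "Phishing": "block",
                  "Unwanted": "block", "BlockedObject": "alert"}

# Assumption: each indicator uses a single-comparison STIX pattern on url:value.
URL_PATTERN = re.compile(r"^\[\s*url:value\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")


def indicator(name, url):
    """Build a constructed STIX 2.1 indicator (placeholder id, not a UUID)."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + name.lower(), "name": name,
            "pattern_type": "stix", "pattern": "[url:value = '%s']" % url}


# Constructed sample bundle (placeholder ids and .example hosts, not feed data).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "identity", "id": "identity--sample", "name": "sample"},
    indicator("Blocked", "http://bad.example/dl/payload.exe"),
    indicator("Phishing", "https://login.example/verify"),
    indicator("BlockedObject", "http://cdn.example/files/setup.exe"),
    indicator("Unlisted", "http://other.example/"),
    {"type": "indicator", "id": "indicator--nopattern", "name": "Blocked",
     "pattern_type": "stix", "pattern": "[domain-name:value = 'bad.example']"},
]})


def triage(bundle_json):
    """Split a bundle's URL indicators into (block, alert_only, skipped_ids)."""
    block, alert, skipped = [], [], []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        action = ACTION_BY_NAME.get(obj.get("name"))
        match = URL_PATTERN.match(obj.get("pattern", ""))
        if action is None or obj.get("pattern_type") != "stix" or not match:
            skipped.append(obj.get("id"))  # unknown name or unexpected pattern
            continue
        url = re.sub(r"\\(.)", r"\1", match.group(1))  # undo STIX escapes
        (block if action == "block" else alert).append(url)
    return sorted(set(block)), sorted(set(alert)), skipped


if __name__ == "__main__":
    to_block, alert_only, skipped = triage(SAMPLE_BUNDLE)
    print("block:", to_block)
    print("alert only:", alert_only)
    print("skipped:", skipped)
```

Indicators with an unrecognized name or an unexpected pattern are returned in the skipped list rather than silently dropped, so a schema change in the feed shows up in review.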