Issue
- Ingest ESET Threat Intelligence feed data into ThreatQuotient (ThreatQ)
Solution
I. Install the integration
1. Log in to the ThreatQ Marketplace.
2. On the ThreatQ Marketplace, locate and download the ESET Threat Intelligence integration file.
3. Navigate to the integrations management page on your ThreatQ instance and click Add New Integration.
4. Upload the integration file you downloaded in step 2 using one of the following methods:
   - Drag and drop the file into the dialog box.
   - Select Click to Browse to locate the integration file on your local machine.
5. If prompted, select the individual feeds to install and click Install. The selected feeds are added to the integrations page.
II. Configure the integration
1. Navigate to the integrations management page in ThreatQ.
2. Optionally, filter the list by selecting Commercial from the Category drop-down menu.
3. Click the integration entry to open its details page.
4. Type your ESET Threat Intelligence username and password into the respective fields. These are the credentials the feeds use to authenticate to the ESET Threat Intelligence TAXII service.
5. Review any additional settings and change them if needed, then click Save.
6. Click the toggle above the Additional Information section to enable the integration.
III. ThreatQ mapping
All feeds access the same endpoint, the ESET Threat Intelligence TAXII service; each feed requests the content of one specific collection.
Each feed returns a list of STIX bundles, and each bundle contains:
- Indicators
- Malware
- Identities
- The relationships between the returned objects
ESET Botnet
The ESET Botnet feed connects to the ei.botnet (stix2) collection and ingests data about botnet networks, including their command and control (C&C) servers.
ESET Domain
The ESET Domain feed connects to the ei.domains v2 (stix2) collection and ingests domains that are considered malicious.
ESET Malicious Files
The ESET Malicious Files feed connects to the ei.malicious files v2 (stix2) collection and ingests data about executable files that are considered malicious.
ESET URL
The ESET URL feed connects to the ei.urls (stix2) collection and ingests URLs that are considered malicious.
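The bundle structure described in the mapping section above, worked through as an added example. This is not the integration's code and not ESET or ThreatQ code: it is a small stand-alone parser that takes one STIX 2.x bundle as a TAXII collection returns it, groups the indicators, malware, identities and relationships, flattens each STIX pattern into typed indicator values, and resolves relationship references to names. The sample bundle is constructed for the example (reserved example domains, TEST-NET addresses, the SHA-256 of the empty string), and the table mapping STIX observable properties to ThreatQ indicator type names is an assumption, not taken from the integration.

```python
import json
import re

# Assumed (observable type, property) -> ThreatQ indicator type names for this
# example; this table is not taken from the ESET integration.
PATTERN_TO_TQ_TYPE = {
    ("domain-name", "value"): "FQDN",
    ("url", "value"): "URL",
    ("ipv4-addr", "value"): "IP Address",
    ("file", "hashes.'MD5'"): "MD5",
    ("file", "hashes.'SHA-256'"): "SHA-256",
}

# One equality comparison in a STIX pattern: <type>:<property> = '<value>'.
# Hash keys are quoted inside the property path, e.g. file:hashes.'SHA-256'.
COMPARISON_RE = re.compile(
    r"([a-z0-9-]+):([A-Za-z0-9_]+(?:\.(?:[A-Za-z0-9_]+|'[^']+'))*)\s*=\s*'([^']*)'"
)

IDENTITY = "identity--0f3c3d2e-0b1e-4b6a-9e2b-111111111111"
MALWARE = "malware--3b1a2c4d-5e6f-4a7b-8c9d-222222222222"
IND_DOMAIN = "indicator--aaaa1111-2222-4333-8444-333333333333"
IND_HASH = "indicator--bbbb1111-2222-4333-8444-444444444444"
IND_URL_IP = "indicator--cccc1111-2222-4333-8444-555555555555"
IND_SNORT = "indicator--dddd1111-2222-4333-8444-666666666666"

# Constructed sample bundle shaped like one TAXII collection response.
# Names, IDs and values are illustrative, not real ESET data.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--9f1c4e2a-6b3d-4c8e-9a7f-000000000001",
    "objects": [
        {"type": "identity", "id": IDENTITY, "name": "Example Producer",
         "identity_class": "organization"},
        {"type": "malware", "id": MALWARE, "name": "ExampleBot", "is_family": True},
        {"type": "indicator", "id": IND_DOMAIN, "created_by_ref": IDENTITY,
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.example.net']"},
        {"type": "indicator", "id": IND_HASH, "created_by_ref": IDENTITY,
         "pattern_type": "stix", "valid_from": "2024-01-02T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
        # One STIX indicator with two observables flattens into two ThreatQ indicators.
        {"type": "indicator", "id": IND_URL_IP, "created_by_ref": IDENTITY,
         "pattern_type": "stix", "valid_from": "2024-01-03T00:00:00Z",
         "pattern": "[url:value = 'http://dl.example.org/update.exe'] "
                    "OR [ipv4-addr:value = '192.0.2.10']"},
        # Non-STIX pattern language: cannot be flattened, so it is reported as unmapped.
        {"type": "indicator", "id": IND_SNORT, "pattern_type": "snort",
         "pattern": "alert tcp any any -> any 4444 (msg:\"x\";)",
         "valid_from": "2024-01-04T00:00:00Z"},
        {"type": "relationship", "id": "relationship--eeee1111-2222-4333-8444-777777777777",
         "relationship_type": "indicates", "source_ref": IND_DOMAIN, "target_ref": MALWARE},
        # Target is not in this bundle (it may be on another page): kept but flagged.
        {"type": "relationship", "id": "relationship--ffff1111-2222-4333-8444-888888888888",
         "relationship_type": "indicates", "source_ref": IND_HASH,
         "target_ref": "malware--00000000-0000-4000-8000-999999999999"},
    ],
})


def _label(objects, ref):
    """Human-readable name for a referenced object, or the raw ref if it is absent."""
    obj = objects.get(ref)
    if obj is None:
        return ref
    return obj.get("name") or obj.get("pattern") or ref


def parse_bundle(bundle_json):
    """Split a STIX 2.x bundle into indicators, malware, identities and
    relationships, flattening each STIX pattern into typed indicator values and
    resolving relationship refs. Anything that cannot be mapped is listed under
    "unmapped" instead of being silently dropped."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    objects = {o["id"]: o for o in bundle.get("objects", []) if "id" in o}
    result = {"indicators": [], "malware": [], "identities": [],
              "relationships": [], "unmapped": []}
    for oid, obj in objects.items():
        kind = obj.get("type")
        if kind == "identity":
            result["identities"].append({"stix_id": oid, "name": obj.get("name"),
                                         "class": obj.get("identity_class")})
        elif kind == "malware":
            result["malware"].append({"stix_id": oid, "name": obj.get("name"),
                                      "is_family": bool(obj.get("is_family", False))})
        elif kind == "indicator":
            creator = obj.get("created_by_ref")
            created_by = _label(objects, creator) if creator else None
            mapped = 0
            if obj.get("pattern_type", "stix") == "stix":
                for obs_type, prop, value in COMPARISON_RE.findall(obj.get("pattern", "")):
                    tq_type = PATTERN_TO_TQ_TYPE.get((obs_type, prop))
                    if tq_type is None:
                        continue  # unsupported observable property; skip this comparison
                    mapped += 1
                    result["indicators"].append(
                        {"stix_id": oid, "type": tq_type, "value": value,
                         "valid_from": obj.get("valid_from"), "created_by": created_by})
            if mapped == 0:
                result["unmapped"].append(oid)
        elif kind == "relationship":
            src, dst = obj.get("source_ref"), obj.get("target_ref")
            result["relationships"].append(
                {"stix_id": oid, "type": obj.get("relationship_type"),
                 "source": _label(objects, src), "target": _label(objects, dst),
                 "dangling": src not in objects or dst not in objects})
        else:
            result["unmapped"].append(oid)
    return result


if __name__ == "__main__":
    print(json.dumps(parse_bundle(SAMPLE_BUNDLE), indent=2))
```

The two edge cases the parser keeps visible are the ones that matter when checking a feed run: an indicator whose pattern is not in the STIX pattern language (or uses only operators the table does not cover) ends up in "unmapped" rather than vanishing, and a relationship whose endpoint is not in the current bundle is marked "dangling" so it can be reconciled once the rest of the collection has been fetched.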