[KB8507] ESET Threat Intelligence with ThreatQuotient

Issue

  • Utilize ThreatQuotient to ingest ESET Threat Intelligence feed data

Solution

  1. Install the integration
  2. Configure the integration
  3. ThreatQ mapping

I. Install the integration

  1. Log in to ThreatQ Marketplace.

  2. On the ThreatQ Marketplace, locate and download the integration file.

  3. Navigate to the integrations management page on your ThreatQ instance and click Add New Integration.

  4. Upload the integration file you downloaded in step 2 using one of the following methods:

    • Drag-and-drop the file into the dialog box.
    • Select Click to Browse to locate the integration file on your local machine.

    Feeds

    ThreatQ will inform you if the feed already exists on the platform and will require confirmation before proceeding. It will also inform you if the new version of the feed changes the user configuration; the new user configuration will overwrite the existing one for the feed and requires confirmation before proceeding.

  5. If prompted, select the individual feeds to install and click Install. The feed will be added to the integrations page.


II. Configure the integration

API keys for third-party vendors

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

  1. Navigate to your integrations management page in ThreatQ.

  2. Optionally, select Commercial from the Category drop-down menu.

    First-time installation

    If you are installing the integration for the first time, it will be listed under the Disabled tab.

  3. Click the integration entry to open its details page.

  4. Type your ESET Threat Intelligence username and password into the respective fields.

  5. Review any additional settings and make any changes if needed. Click Save.

  6. Click the toggle above the Additional Information section to enable the integration.


III. ThreatQ mapping

All feeds access the same endpoint, the ESET Threat Intelligence TAXII service. Each feed requests the content of a specific collection.

The feeds return a list of STIX bundles, each containing:

  • Indicators
  • Malware
  • Identities
  • The relationships between the returned objects

JSON data

The returned JSON data is a list of qualified STIX bundles that are passed to ThreatQ's STIX Parser.

ESET Botnet

The ESET Botnet feed connects to the ei.botnet (stix2) collection and ingests data about botnet networks. It also retrieves information about Command and Control (CnC) servers.

ESET Domain

The ESET Domain feed connects to the ei.domains v2 (stix2) collection and ingests domains that are considered malicious.

ESET Malicious Files

The ESET Malicious Files feed connects to the ei.malicious files v2 (stix2) collection and ingests data about executable files that are considered malicious.

ESET URL

The ESET URL feed connects to the ei.urls (stix2) collection and ingests URLs that are considered malicious.

Difference between URL and Domain feeds

The ESET URL feed differs from the ESET Domain feed in the ESET filtering options that are applied.

For example, if an object is blocked at the URL level only and not at the domain level, the ESET Domain feed will not return it.
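The following Python script is an added example, not ESET's or ThreatQ's code, that shows what the "ThreatQ mapping" section describes: a STIX bundle holding indicators, malware, identities and relationships is flattened into records of the kind a STIX parser hands to a threat intelligence platform, and the URL-versus-domain point above is made concrete by listing hosts that appear only inside URL indicators. The bundle, its object ids and the example.com hostnames are constructed for illustration, and the indicator type labels (FQDN, URL, ...) are this example's own choice rather than ThreatQ's exact vocabulary.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample bundle in the shape the article describes: identities,
# malware, indicators and the relationships between them. Ids are made-up
# UUIDs and the hostnames are placeholders under the reserved example.com.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "identity",
         "id": "identity--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
         "name": "Example Vendor", "identity_class": "organization"},
        {"type": "malware",
         "id": "malware--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
         "name": "ExampleBot", "is_family": True},
        {"type": "indicator",
         "id": "indicator--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example.com']",
         "created_by_ref": "identity--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"},
        {"type": "indicator",
         "id": "indicator--dddddddd-dddd-4ddd-8ddd-dddddddddddd",
         "pattern_type": "stix",
         "pattern": "[url:value = 'http://bad.example.com/dropper']",
         "created_by_ref": "identity--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"},
        {"type": "indicator",
         "id": "indicator--eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee",
         "pattern_type": "stix",
         "pattern": "[url:value = 'http://shared.example.com/only/this/path']"},
        {"type": "relationship",
         "id": "relationship--ffffffff-ffff-4fff-8fff-ffffffffffff",
         "relationship_type": "indicates",
         "source_ref": "indicator--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
         "target_ref": "malware--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"},
    ],
})

# STIX object path -> generic indicator type name. The labels are this
# example's own choice, not ThreatQ's exact indicator type vocabulary.
PATTERN_TYPES = {
    "domain-name:value": "FQDN",
    "url:value": "URL",
    "ipv4-addr:value": "IP Address",
    "file:hashes.'SHA-256'": "SHA-256",
}

# Matches a single-comparison pattern such as [url:value = 'http://...'].
_SIMPLE_PATTERN = re.compile(r"^\[\s*([\w\-]+:[\w.'\-]+)\s*=\s*'([^']*)'\s*\]$")


def parse_pattern(pattern):
    """Return (indicator_type, value) for a simple STIX pattern, else None."""
    match = _SIMPLE_PATTERN.match(pattern or "")
    if not match:
        return None
    path, value = match.groups()
    return PATTERN_TYPES.get(path, path), value


def parse_bundle(bundle_json):
    """Flatten a STIX bundle into indicator records carrying the related
    malware names and the producing identity, mirroring what a STIX parser
    hands to a threat intelligence platform."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("input is not a STIX bundle")
    objects = {obj["id"]: obj for obj in bundle.get("objects", [])}
    relationships = [o for o in objects.values() if o["type"] == "relationship"]
    records = []
    for obj in objects.values():
        if obj["type"] != "indicator":
            continue
        parsed = parse_pattern(obj.get("pattern"))
        if parsed is None:
            continue  # compound patterns need a full STIX pattern parser
        ind_type, value = parsed
        malware = sorted(
            objects[r["target_ref"]]["name"] for r in relationships
            if r["source_ref"] == obj["id"]
            and objects.get(r["target_ref"], {}).get("type") == "malware")
        source = objects.get(obj.get("created_by_ref", ""), {}).get("name")
        records.append({"type": ind_type, "value": value,
                        "malware": malware, "source": source})
    return records


def url_only_hosts(records):
    """Hosts that occur only inside URL indicators and have no FQDN indicator
    of their own. This is what a URL-level-only block looks like: a domain
    feed alone would not carry these hosts, so both feeds are needed."""
    fqdns = {r["value"].lower() for r in records if r["type"] == "FQDN"}
    hosts = set()
    for r in records:
        if r["type"] == "URL":
            host = urlsplit(r["value"]).hostname
            if host and host.lower() not in fqdns:
                hosts.add(host.lower())
    return sorted(hosts)


if __name__ == "__main__":
    recs = parse_bundle(SAMPLE_BUNDLE)
    for rec in recs:
        print(rec)
    print("URL-only hosts:", url_only_hosts(recs))
```

Running the script prints three indicator records (the FQDN linked to ExampleBot through its "indicates" relationship, and two URLs) and reports shared.example.com as the one host that exists only at the URL level, which is the case the Domain feed would not return.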