
ESET Threat Intelligence Data Feeds

Connector Category: API Feed Source

Notice

This integration is available as a Beta release in Intel Exchange from v3.7.6.1 onwards.

About Integration

Configure ESET Threat Intelligence Data Feeds as an API feed source in Intel Exchange to ingest threat intelligence across key object types, including indicators, malware, identities, observed data, and observables. This integration delivers curated intelligence from ESET’s global research, enriching investigations and supporting detection and analysis workflows within Intel Exchange.

Intel Exchange integrates with ESET Threat Intelligence to retrieve threat intel feeds about the following threat objects:

  • Indicators

  • Malware

  • Identity

  • Observed Data

  • Observables

Note

This connector does not support STIX 2.0 objects.

Use Cases

  • Access timely threat intelligence from ESET to identify malware, botnet activity, and APT-related indicators.

  • Enrich IOCs and alerts in Intel Exchange using ESET data, such as malicious files, IPs, URLs, and domains.

  • Support threat hunting and proactive defense by correlating ESET intelligence with internal telemetry and other threat sources.

  • Prioritize response and remediation based on ESET insights into malware behavior, botnet infrastructure, and associated indicators.

  • Share curated ESET intelligence across teams to improve situational awareness and coordinated response.

Configure ESET Threat Intelligence

Integrate ESET Threat Intelligence as a feed source and start receiving the threat intel in Intel Exchange. You can use the following sections for more information:

Configure ESET as a Feed Source

Configure ESET Threat Intelligence as an API feed source in Intel Exchange to retrieve IOCs, malicious files, botnet activity, IPs, URLs, domains, and APT-related indicators from ESET.

Before you Start

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.

  • You must have the username and password of your ESET account.

Steps

To configure ESET as an API feed source in Intel Exchange, follow these steps:

  1. Go to Administration > Integration Management. In Feed Sources, click APIs.

  2. Click Add API Source.

  3. Search and select ESET Threat Intelligence Data Feeds.

  4. Click Add Instance.

    1. Instance Name: Enter a unique name to identify the instance. For example, ESET-Prod.

    2. Base URL: Enter the base URL of your ESET instance. The default base URL is https://taxii.eset.com/taxii2/.

    3. Username: Enter the username of your ESET account to authenticate communication.

    4. Password: Enter the password of your ESET account to authenticate communication.

    5. Select Verify SSL to verify the SSL certificate and secure the connection between Intel Exchange and the ESET servers. By default, the verification is enabled.

      Note

      Enabling SSL verification is recommended. If you disable this option, the instance may be configured against an expired SSL certificate; the connection may then not be established properly, and you will not be notified of a broken or improper connection.

The ESET Threat Intelligence instance is configured, and you can view the feed channels. You can configure multiple instances by clicking Manage > Add More.

Configure ESET Feed Channels

Configure the feed channel to retrieve threat data feeds from ESET Threat Intelligence and store the feeds in a collection.

Steps

To configure the feed channels, follow these steps:

  1. Go to Administration > Integration Management. In Feed Sources, click APIs.

  2. Search and select ESET Threat Intelligence.

  3. Click the vertical ellipsis, and select Manage.

  4. Click Manage Feed Channels.

  5. Select a feed channel and turn on the toggle. Use the following information while configuring the channel:

    • Collection Name: Enter the name of the collection to group the feed data. For example, ESET Feeds. Intel Exchange creates the collection and stores all the feeds from the feed channel.

    • Polling Cron Schedule: Select from one of the following Polling Cron Schedule types to define when to poll the data:

      • Manual: Allows you to manually poll from the source collection.

      • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto. Enter a frequency in minutes between 240 and 10080 in Polling Time. The default polling time is 1440 minutes. Each poll retrieves data from the last 24 hours only.

    • TLP: Set the TLP for the feeds that do not have a TLP already assigned. The default TLP is Amber. Alternatively, you can select None to ensure that no TLP is assigned to the feeds.

    • Default Source Confidence: Enter the confidence score for the feeds that do not have a confidence score already assigned. The default confidence score is 100.

    • Custom Scores: Select the Relevance and Severity Score for the channel.

    • Default Tags: Select any tags to identify and categorize the feeds.

  6. Click Save.

The feed channel is configured, and you can poll feeds from it. You can enable the other feed channels in the same way, poll them, and view the feeds.

Test Feed Channel Connectivity

Test the connectivity of the ESET API feed channels to ensure that the connection with the correct API endpoint is established and that you have permission to poll feeds.

Before you Start

  • Ensure that the ESET Threat Intelligence API feed source is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps

To test the connectivity of a feed channel, follow these steps:

  1. Go to Administration > Integration Management. In Feed Sources, click APIs.

  2. Search and select the ESET Threat Intelligence app.

  3. On a feed channel, click the vertical ellipsis and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, then the working status shows Running. If the connectivity is broken, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When a feed channel loses connectivity, it is automatically disabled, and the system attempts to restore connectivity three times per hour. If the connectivity is successfully restored, the feed channel is automatically re-enabled.

To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.

ESET Threat Intelligence Feed Channels

The following table lists the feed channels and the API endpoint (relative to the base URL) used to retrieve feeds from ESET Threat Intelligence:

Feed Channel                                  API Endpoint
--------------------------------------------  ----------------------------------------------
Retrieve Android Infostealer Feeds            /collections/9ee501cde0c44d6db4ae995fead1a7c8
Retrieve Android threats Feeds                /collections/daf3de8fab144552a1cb5af054ed07ee
Retrieve APT IoC Feeds                        /collections/97e3eb74ae5f46dd9e22f677a6938ee7
Retrieve Botnet - C&C Feed                    /collections/d1923a526e8f400dbb301259240ee3d5
Retrieve Botnet - Target Feed                 /collections/61b6e4f9153e411ca7a9982a2c6ae788
Retrieve Domain Feeds                         /collections/a34aa0a4f9de419582a883863503f9c4
Retrieve Cryptoscam Feed                      /collections/2c183ce9551a43338c6cc2ed7c2a704d
Retrieve IP Feeds                             /collections/baaed2a92335418aa753fe944e13c23a
Retrieve Malicious Email Attachments Feeds    /collections/c0d56cf7f81d482eb97fd46beaa4bae0
Retrieve Malicious Files Feeds                /collections/ee6a153ed77e4ec3ab21e76cc2074b9f
Retrieve Phishing URL Feeds                   /collections/d0a6c0f962dd4dd2b3eeb96b18612584
Retrieve PUA Adware Files Feeds               /collections/d1bfc81202fc4c6599326771ec2da41d
Retrieve PUA dual-use App Files Feeds         /collections/970a7d0039ac4668addf058cd9feb953
Retrieve Ransomware Feeds                     /collections/8d3490d688ce4a989aee9af5c680d8bf
Retrieve Scam URL Feeds                       /collections/2130adc3c67c43f9a3664b187931375e
Retrieve Smishing Feeds                       /collections/330ad7d0c736476babe5e49077b96c95
Retrieve SMS scam Feeds                       /collections/6e20217a2e1246b8ab11be29f759f716
Retrieve URL Feeds                            /collections/1d3208c143be49da8130f5a66fd3a0fa
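The feed source and channel settings described above (base URL, username and password, Verify SSL, the 24-hour poll window, the default TLP and confidence, and the exclusion of STIX 2.0 objects), applied to one of the collection endpoints in this table, as an added Python example that is not part of the Intel Exchange connector or of ESET's code. It assumes the ESET TAXII 2.1 server accepts HTTP basic authentication and exposes the standard /objects/ endpoint under each collection; the sample envelope is constructed, not real ESET data.

```python
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

BASE_URL = "https://taxii.eset.com/taxii2/"   # default base URL given on the page
ACCEPT = "application/taxii+json;version=2.1"  # TAXII 2.1 media type

def build_poll_request(collection_path, username, password, base_url=BASE_URL, now=None):
    """GET for one feed channel's objects, limited to the last 24 hours as each poll is."""
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(hours=24)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    url = (base_url.rstrip("/") + collection_path.rstrip("/") + "/objects/?"
           + urllib.parse.urlencode({"added_after": since}))
    token = base64.b64encode(f"{username}:{password}".encode()).decode()  # basic auth (assumed)
    return urllib.request.Request(url, headers={"Accept": ACCEPT,
                                                "Authorization": "Basic " + token})

def fetch_envelope(request, timeout=30):
    """Perform the poll (network call, not exercised offline). urlopen() verifies the
    server certificate by default, matching Verify SSL enabled; TLS/HTTP errors raise."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)

def apply_channel_defaults(envelope, default_tlp="amber", default_confidence=100):
    """Mirror the channel settings: skip objects that are not STIX 2.1, take each object's
    TLP from its marking refs, and fill in the default TLP/confidence when absent.
    default_tlp=None corresponds to the TLP 'None' option (no TLP assigned)."""
    objects = envelope.get("objects", [])
    tlp_by_id = {o["id"]: o["definition"]["tlp"] for o in objects
                 if o.get("type") == "marking-definition" and o.get("definition_type") == "tlp"}
    rows = []
    for obj in objects:
        if obj.get("spec_version") != "2.1" or obj["type"] == "marking-definition":
            continue  # STIX 2.0 objects carry no spec_version; the connector does not support them
        tlps = [tlp_by_id[r] for r in obj.get("object_marking_refs", []) if r in tlp_by_id]
        rows.append({"id": obj["id"], "type": obj["type"],
                     "tlp": tlps[0] if tlps else default_tlp,
                     "confidence": obj.get("confidence", default_confidence)})
    return rows

# Constructed minimal sample (not ESET data): a TLP marking, a marked and scored 2.1 indicator, a bare 2.1 one, a 2.0 one.
MARKING = "marking-definition--11111111-1111-4111-8111-111111111111"
SAMPLE_ENVELOPE = {"objects": [
    {"type": "marking-definition", "spec_version": "2.1", "id": MARKING, "definition_type": "tlp", "definition": {"tlp": "green"}},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "confidence": 70, "object_marking_refs": [MARKING]},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"},
    {"type": "indicator", "id": "indicator--cccccccc-cccc-4ccc-8ccc-cccccccccccc"},
]}
```

Build the request with the IP Feeds collection path from the table, run fetch_envelope() against a live account, and pass the result to apply_channel_defaults() with the TLP and confidence chosen for the channel.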