CERT.at Data feeds

CERT.at sends out daily mails containing data breach notifications, reports on vulnerable systems or other mis-use on the Internet to network owners. The following page describes these data feeds.

Current Version: 1.2

Overview

Our data feeds are structured in a uniform way and try to answer the following questions:

  • When did something happen (time.source field)?
  • What happened (classification.*, feed)?
  • Where did it happen (source.ip, source.asn, source.url, protocol.*, destination.* fields)?
  • How did it happen and where can I read more about it? (event_description.*, feed.documentation fields )

We will call one entry in the data feed (e.g. one log line) an event. In order to categorize the event, CERT.at uses the well known eCSIRT II Taxonomy (also known as "ENISA Taxonomy"). In short, the taxonomy is structured in three fields:

  • classification.taxonomy - highest level: the incident class.
  • classification.type - sub categorization.
  • classification.identifier - this is an internal CERT.at identifier which further specifies the event.

All fields named source.* denote the origin of the problem (example: source.ip is the IP address of an infected PC). Fields named destination.* refer usually to a command & control (C & C) server or to a sinkhole server.

You can find a complete list of all defined fields in the Data Harmonisation Ontology.

Time zones are always UTC.

CSV Format, Version 1.2

The following lists all fields (in their respective order) as of version 1.2:

Field nameDescription
time.sourceWhen did the event happen? (incl. time zone)?
source.ipThe affected IP address.
protocol.transportThe Transport Protocol (TCP/UDP).
source.portSource Port.
protocol.applicationThe service (e.g. ssh, vnc, ftp, etc.)
source.fqdnThe hostname of the affected machine.
source.local_hostnamePossible internal hostnames within a LAN (e.g. Bill_Gates_PC).
source.local_ipInternal IP address in a LAN (e.g. 192.168.0.27)
source.urlAn involved URL pointing to the victim (e.g. the URL of a phishing site pointing to a hacked server)
source.asnThe Autonomous System Number (ASN) of the network which hosts the IP address
source.geolocation.ccCountry code ( ISO3166-1) of the IP address (according to some geolocation database).
source.geolocation.cityCity
classification.taxonomyTaxonomy. See ENISA eCSIRT II Taxonomy.
classification.typeType. See eCSIRT II Taxonomy.
classification.identifierCERT.at internal identifier.
destination.ipThe destination IP address (e.g. C&C Server)
destination.portDestination port number
destination.fqdnDestination hostname if known
destination.urlDestination URL if known
feedThis is a unique identifier denoting the source of our data. Most of the time it will be a URL to the feed (for verification at the recipient), sometimes when the feed asks us to anonymize, we will assign a feed code.
event_description.textFree form description of the event
event_description.urlA URL which points to further descriptions for the event.
malware.nameIf the event refers to malware, this is the malware family name (as known to CERT.at).
extraAny extra fields (in JSON Format), which we received from the feed.
commentFree form comment
additional_field_freetext  Here add any other fields which the feed might have specified in free form text.
feed.documentationA URL pointing to the data feed (if available).
version: 1.2The CERT.at format version string