Threat Intelligence Data Feed

The Data Feed equips your security systems with a comprehensive list of IoCs for automatic threat detection and response. The premium version enhances this with in-depth threat intelligence, similar to our API and Lookup services.

Subscription plans

We offer three subscription plans: Core, Professional, and Ultimate. The output fields vary between these plans, with more fields being added from Core to Ultimate.

Additionally, Ultimate Plan offers custom output formats and data enrichments, along with a streaming version. For a complete feature comparison of the plans, please refer to the pricing page.

Downloading the data

The data feed files are provided daily at UTC+03:00 and can be downloaded via HTTPS and SFTP protocols.

After confirming the payment for your subscription, you will receive all the required information on how to download them, including your personal Data Feed Key for authentication.

Full and incremental files

Each update provides a list of all active Indicators of Compromise (IoCs) along with their associated intelligence information. Additionally, it includes an incremental list that features only the IoCs added or modified since the last daily export.

Output formats

The data is provided in CSV and JSONL formats.

Field names are consistent across formats.

For CSV format, nested field names are joined using a period ., e.g., location.region or netblock.abuseContact.email. Array field values are concatenated with a vertical slash | character.

For the Ultimate plan, we provide data feed files with custom output formats and data enrichments. Please contact support for details.

"Core" data feed

The "Core" data feed contains IoCs, their associated threat types and first/last seen date fields.

{
    "ioc": "1.0.131.138",
    "iocType": "ipv4",
    "threatTypes": [
        "malware"
    ],
    "firstSeen": 1678320000,
    "lastSeen": 1722470400
}

File naming convention

• All files are archived in .GZ format.
• Filename format: fs.%YYYY-MM-DD%.core.[full|daily].ips.[csv|jsonl].gz
• Here is an example of a daily export:

Sample download

You can download sample files here: CSV or JSONL. These samples include a limited amount of data and are intended to demonstrate the file format.

If you are interested in obtaining the full dataset for analysis, please contact support.

"Professional" data feed

The "Professional" data feed contains all from Core, plus Country, Region, City, PTR Value and PTR Reverse Match fields.

{
    "ioc": "1.0.131.138",
    "type": "ipv4",
    "threatTypes": [
        "malware"
    ],
    "firstSeen": 1678320000,
    "lastSeen": 1722470400,
    "location": {
        "country": "Thailand",
        "region": "Songkhla",
        "city": "Songkhla"
    },
    "ptr": {
        "value": "node-p6.pool-1-0.dynamic.totinternet.net.",
        "reverseMatch": true
    }
}

File naming convention

• All files are archived in .GZ format.
• Filename format: fs.%YYYY-MM-DD%.professional.[full|daily].ips.[csv|jsonl].gz
• Here is an example of a daily export:

Sample download

You can download sample files here: CSV or JSONL. These samples include a limited amount of data and are intended to demonstrate the file format.

If you are interested in obtaining the full dataset for analysis, please contact support.

"Ultimate" data feed

The "Ultimate" data feed contains all from Professional, plus IP Netblock Score, WHOIS (Netblock) Info, ASN Number, ASN Name and ASN Domain.

{
    "ioc": "1.0.131.138",
    "type": "ipv4",
    "firstSeen": 1678320000,
    "lastSeen": 1722470400,
    "threatType": [
        "malware"
    ],
    "location": {
        "country": "Thailand",
        "region": "Songkhla",
        "city": "Songkhla"
    },
    "ptr": {
        "value": "node-p6.pool-1-0.dynamic.totinternet.net.",
        "reverseMatch": true
    },
    "as": {
        "asn": 23969,
        "name": "TOT ISP",
        "domain": "https://www.ntplc.co.th/"
    },
    "netblock": {
        "threatScore": 0,
        "inetnum": "1.0.128.0 - 1.0.191.255",
        "source": "apnic",
        "netname": "TOTNET",
        "modified": "2021-01-27T13:28:05Z",
        "organization": {
            "id": "SANT",
            "name": "SantRun Electric LLC",
            "email": "info@srun.com",
            "phone": "+358507081154",
            "address": [
                "760 Main Street",
                "Fremont",
                "CA",
                "94539",
                "United States"
            ],
        }
        "adminContact": {
            "id": "AG100-AP",
            "role": "Apipol Gunabhibal",
            "email": "abuse@totidc.net",
            "phone": "+66-2574-9178",
            "address": [
                "TOT Public Company Limited",
                "89/2 Moo 3 Chaengwattana Rd, Laksi, Bangkok 10210 THAILAND"
            ]
        },
        "techContact": {
            "id": "AG100-AP",
            "role": "Apipol Gunabhibal",
            "email": "abuse@totidc.net",
            "phone": "+66-2574-9178",
            "address": [
                "TOT Public Company Limited",
                "89/2 Moo 3 Chaengwattana Rd, Laksi, Bangkok 10210 THAILAND"
            ]
        },
        "abuseContact": {
            "id": "IRT-TOT-TH",
            "role": "IRT-TOT-TH",
            "email": "abuse@totisp.net",
            "phone": "",
            "address": [
                "TOT Public Company Limited",
                "89/2 Moo 3 Chaengwattana Rd, Laksi,Bangkok 10210 THAILAND"
            ]
        }
    }
}

File naming convention

• All files are archived in .GZ format.
• Filename format: fs.%YYYY-MM-DD%.ultimate.[full|daily].ips.[csv|jsonl].gz
• Here is an example of a daily export:

Sample download

You can download sample files here: CSV or JSONL. These samples include a limited amount of data and are intended to demonstrate the file format.

If you are interested in obtaining the full dataset for analysis, please contact support.