Threat Intelligence Data Feed

The Data Feed equips your security systems with a comprehensive list of IoCs for automatic threat detection and response. The premium version enhances this with in-depth threat intelligence, similar to our API and Lookup services.


Subscription plans

We offer three subscription plans: Core, Professional, and Ultimate. The output fields vary between these plans, with more fields being added from Core to Ultimate.

Additionally, the Ultimate plan offers custom output formats and data enrichments, along with a streaming version. For a complete feature comparison of the plans, please refer to the pricing page.


Downloading the data

The data feed files are provided daily at UTC+03:00 and can be downloaded via HTTPS and SFTP protocols.

After confirming the payment for your subscription, you will receive all the required information on how to download them, including your personal Data Feed Key for authentication.


Full and incremental files

Each update provides a list of all active Indicators of Compromise (IoCs) along with their associated intelligence information. Additionally, it includes an incremental list that features only the IoCs added or modified since the last daily export.


Output formats

The data is provided in CSV and JSONL formats.

Field names are consistent across formats.

For CSV format, nested field names are joined with a period (.), e.g., location.region or netblock.abuseContact.email. Array field values are concatenated with a vertical bar (|) character.
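The flattening rules above, applied in reverse as an added example (not the vendor's code): rebuilding the nested JSONL-shaped record from a CSV row. The header row, the rule that an empty cell means an absent field, and the "true"/"false" spelling of booleans are assumptions; the array and integer columns are taken from the attribute tables on this page.

```python
import csv
import io

# Columns typed string[] or integer in the attribute tables.
ARRAY_FIELDS = {"threatTypes"}
ARRAY_SUFFIX = ".address"  # netblock.<contact>.address in the Ultimate plan
INT_FIELDS = {"firstSeen", "lastSeen", "as.asn", "netblock.threatScore"}

def unflatten_row(row):
    """Rebuild the nested record from one flattened CSV row."""
    record = {}
    for column, raw in row.items():
        if column is None or raw is None:
            raise ValueError("column count does not match the header")
        if raw == "":
            continue  # assumption: empty cell = absent (null ptr.value looks the same)
        if column in ARRAY_FIELDS or column.endswith(ARRAY_SUFFIX):
            value = raw.split("|")
        elif column in INT_FIELDS:
            value = int(raw)
        elif column == "ptr.reverseMatch":
            value = raw.lower() == "true"
        else:
            value = raw
        *parents, leaf = column.split(".")
        node = record
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = value
    return record

def read_csv_feed(text):
    """Parse a whole CSV export (already decompressed) into nested records."""
    return [unflatten_row(r) for r in csv.DictReader(io.StringIO(text))]

# Constructed sample: header assumed, first row built from the page's JSON example.
SAMPLE_CSV = (
    "ioc,iocType,threatTypes,firstSeen,lastSeen,location.country,"
    "location.region,location.city,ptr.value,ptr.reverseMatch\n"
    "1.0.131.138,ipv4,malware|c2,1678320000,1722470400,Thailand,Songkhla,"
    "Songkhla,node-p6.pool-1-0.dynamic.totinternet.net.,true\n"
    "2001:db8::1,ipv6,spam,1700000000,1722470400,,,,,\n"
)

if __name__ == "__main__":
    for rec in read_csv_feed(SAMPLE_CSV):
        print(rec)
```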

For the Ultimate plan, we provide data feed files with custom output formats and data enrichments. Please contact support for details.


"Core" data feed

The "Core" data feed contains IoCs, their associated threat types and first/last seen date fields.

Attributes

  • Name
    ioc
    Type
    string
    Description

    IPv4 or IPv6 address

  • Name
    iocType
    Type
    string
    Description

    IoC type. Available values:

    • ipv4
    • ipv6
  • Name
    threatTypes
    Type
    string[]
    Description

    List of threat types associated with the IoC. Available values:

    • suspicious
    • malware
    • phishing
    • c2
    • attack
    • spam
  • Name
    firstSeen
    Type
    timestamp
    Description

    UNIX timestamp of when the activity was first detected.

  • Name
    lastSeen
    Type
    timestamp
    Description

    UNIX timestamp of when the activity was last detected.

Output format

{
    "ioc": "1.0.131.138",
    "iocType": "ipv4",
    "threatTypes": [
        "malware"
    ],
    "firstSeen": 1678320000,
    "lastSeen": 1722470400
}
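A consumer-side check for the Core schema above, as an added example (not the vendor's code): each JSONL line is validated against the documented fields before it can reach a blocklist, and non-routable addresses are refused so a bad feed entry cannot block internal ranges. The `wanted`, `now` and `max_age_days` parameters are hypothetical policy knobs, and the sample lines are constructed.

```python
import gzip
import io
import ipaddress
import json

THREAT_TYPES = {"suspicious", "malware", "phishing", "c2", "attack", "spam"}

def validate(record):
    """Return the parsed address if the record fits the Core schema, else raise ValueError."""
    if not isinstance(record["ioc"], str):
        raise ValueError("ioc must be a string")
    ip = ipaddress.ip_address(record["ioc"])  # raises ValueError on malformed input
    if record["iocType"] != f"ipv{ip.version}":
        raise ValueError("iocType does not match the address family")
    types = record["threatTypes"]
    if not isinstance(types, list) or not types or not set(types) <= THREAT_TYPES:
        raise ValueError("empty or undocumented threatTypes")
    first, last = record["firstSeen"], record["lastSeen"]
    if not (isinstance(first, int) and isinstance(last, int) and first <= last):
        raise ValueError("bad firstSeen/lastSeen")
    if not ip.is_global:  # never let a feed entry block private or reserved space
        raise ValueError("address is not globally routable")
    return ip

def select_iocs(gz_bytes, wanted, now, max_age_days):
    """Return (accepted addresses, rejected line count) for one .jsonl.gz export."""
    accepted, rejected = [], 0
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        for line in fh:
            try:
                rec = json.loads(line)
                ip = validate(rec)
            except (ValueError, KeyError, TypeError):
                rejected += 1
                continue
            fresh = now - rec["lastSeen"] <= max_age_days * 86400
            if fresh and wanted & set(rec["threatTypes"]):
                accepted.append(str(ip))
    return accepted, rejected

# Constructed sample: the page's own record plus four lines that must be rejected.
SAMPLE = gzip.compress("\n".join([
    '{"ioc":"1.0.131.138","iocType":"ipv4","threatTypes":["malware"],"firstSeen":1678320000,"lastSeen":1722470400}',
    '{"ioc":"10.0.0.5","iocType":"ipv4","threatTypes":["malware"],"firstSeen":1,"lastSeen":2}',
    '{"ioc":"192.0.2.7","iocType":"ipv6","threatTypes":["spam"],"firstSeen":1,"lastSeen":2}',
    '{"ioc":"198.51.100.9","iocType":"ipv4","threatTypes":["ransomware"],"firstSeen":1,"lastSeen":2}',
    'not json',
]).encode())
```

Counting rejected lines rather than silently skipping them gives a signal worth alerting on when a download is truncated or the schema changes.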

File naming convention

  • All files are archived in .GZ format.
  • Filename format: fs.%YYYY-MM-DD%.core.[full|daily].ips.[csv|jsonl].gz
  • Here is an example of a daily export:
    File name                               Rows count   File size, compressed   File size, decompressed
    fs.2024-07-30.core.full.ips.csv.gz      3,305,944    24MB                    162MB
    fs.2024-07-30.core.full.ips.jsonl.gz    3,305,944    28MB                    362MB
    fs.2024-07-30.core.daily.ips.csv.gz     245,344      1.7MB                   517KB
    fs.2024-07-30.core.daily.ips.jsonl.gz   245,344      2MB                     12MB
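Combining this naming convention with the "Full and incremental files" section, the following added example (not the vendor's code) decides which downloaded files to load and in what order: the newest full export, then only an unbroken run of later daily files. Treating a missing day as a reason to wait for the next full file is an assumption that follows from the incremental file being described as added-or-modified only; the function names are hypothetical.

```python
import re
from datetime import date, timedelta

NAME_RE = re.compile(
    r"fs\.(\d{4})-(\d{2})-(\d{2})\.(core|professional|ultimate)"
    r"\.(full|daily)\.ips\.(csv|jsonl)\.gz"
)

def parse_name(name):
    """Split a feed file name into (date, plan, kind, fmt); reject anything else."""
    m = NAME_RE.fullmatch(name)  # fullmatch: no path prefix, suffix or newline
    if not m:
        raise ValueError(f"unexpected feed file name: {name!r}")
    y, mo, d, plan, kind, fmt = m.groups()
    return date(int(y), int(mo), int(d)), plan, kind, fmt  # impossible dates raise

def load_order(names, plan, fmt):
    """Return (files to load in order, rebaseline_needed) for one plan and format."""
    fulls, dailies = {}, {}
    for name in names:
        day, p, kind, f = parse_name(name)
        if (p, f) == (plan, fmt):
            (fulls if kind == "full" else dailies)[day] = name
    if not fulls:
        raise ValueError("no full export to use as a baseline")
    base = max(fulls)
    order, day = [fulls[base]], base + timedelta(days=1)
    while day in dailies:  # only an unbroken run of dailies is safe to apply
        order.append(dailies[day])
        day += timedelta(days=1)
    # A daily dated after the first missing day means changes were skipped.
    return order, any(d > day for d in dailies)

def apply_daily(state, records):
    """Upsert added or modified IoCs into state, keyed by the ioc field."""
    for rec in records:
        state[rec["ioc"]] = rec
    return state
```

Because the incremental file carries no removals as described, entries only leave `state` when it is rebuilt from a full export.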

Sample download

You can download sample files here: CSV or JSONL. These samples include a limited amount of data and are intended to demonstrate the file format.

If you are interested in obtaining the full dataset for analysis, please contact support.


"Professional" data feed

The "Professional" data feed contains everything in Core, plus the Country, Region, City, PTR Value and PTR Reverse Match fields.

Attributes

  • Name
    ioc
    Type
    string
    Description

    IPv4 or IPv6 address

  • Name
    iocType
    Type
    string
    Description

    IoC type. Available values:

    • ipv4
    • ipv6
  • Name
    threatTypes
    Type
    string[]
    Description

    List of threat types associated with the IoC. Available values:

    • suspicious
    • malware
    • phishing
    • c2
    • attack
    • spam
  • Name
    firstSeen
    Type
    timestamp
    Description

    UNIX timestamp of when the activity was first detected.

  • Name
    lastSeen
    Type
    timestamp
    Description

    UNIX timestamp of when the activity was last detected.

  • Name
    location
    Type
    object
    Description

    Geolocation of the IP address. Is omitted if data is unavailable.

    • Name
      location.country
      Type
      string
      Description

      Country name.

    • Name
      location.region
      Type
      string
      Description

      Region name.

    • Name
      location.city
      Type
      string
      Description

      City name.

  • Name
    ptr
    Type
    object
    Description

    PTR record for the IP address and the result of the reverse match check. Omitted if data is unavailable.

    • Name
      ptr.value
      Type
      nullable string
      Description

      PTR record value. If the IP address does not have a PTR record, null.

    • Name
      ptr.reverseMatch
      Type
      boolean
      Description

      Indicates whether the A/AAAA record of the domain in the PTR record matches the original IP address.

Output format

{
    "ioc": "1.0.131.138",
    "iocType": "ipv4",
    "threatTypes": [
        "malware"
    ],
    "firstSeen": 1678320000,
    "lastSeen": 1722470400,
    "location": {
        "country": "Thailand",
        "region": "Songkhla",
        "city": "Songkhla"
    },
    "ptr": {
        "value": "node-p6.pool-1-0.dynamic.totinternet.net.",
        "reverseMatch": true
    }
}

File naming convention

  • All files are archived in .GZ format.
  • Filename format: fs.%YYYY-MM-DD%.professional.[full|daily].ips.[csv|jsonl].gz
  • Here is an example of a daily export:
    File name                                       Rows count   File size, compressed   File size, decompressed
    fs.2024-07-30.professional.full.ips.csv.gz      3,305,944    37MB                    323MB
    fs.2024-07-30.professional.full.ips.jsonl.gz    3,305,944    44MB                    715MB
    fs.2024-07-30.professional.daily.ips.csv.gz     245,344      3MB                     25MB
    fs.2024-07-30.professional.daily.ips.jsonl.gz   245,344      4MB                     54MB

Sample download

You can download sample files here: CSV or JSONL. These samples include a limited amount of data and are intended to demonstrate the file format.

If you are interested in obtaining the full dataset for analysis, please contact support.


"Ultimate" data feed

The "Ultimate" data feed contains everything in Professional, plus IP Netblock Score, WHOIS (Netblock) Info, ASN Number, ASN Name and ASN Domain.

Attributes

  • Name
    ioc
    Type
    string
    Description

    IPv4 or IPv6 address

  • Name
    iocType
    Type
    string
    Description

    IoC type. Available values:

    • ipv4
    • ipv6
  • Name
    threatTypes
    Type
    string[]
    Description

    List of threat types associated with the IoC. Available values:

    • suspicious
    • malware
    • phishing
    • c2
    • attack
    • spam
  • Name
    firstSeen
    Type
    timestamp
    Description

    UNIX timestamp of when the activity was first detected.

  • Name
    lastSeen
    Type
    timestamp
    Description

    UNIX timestamp of when the activity was last detected.

  • Name
    location
    Type
    object
    Description

    Geolocation of the IP address. Is omitted if data is unavailable.

    • Name
      location.country
      Type
      string
      Description

      Country name.

    • Name
      location.region
      Type
      string
      Description

      Region name.

    • Name
      location.city
      Type
      string
      Description

      City name.

  • Name
    ptr
    Type
    object
    Description

    PTR record for the IP address and the result of the reverse match check. Omitted if data is unavailable.

    • Name
      ptr.value
      Type
      nullable string
      Description

      PTR record value. If the IP address does not have a PTR record, null.

    • Name
      ptr.reverseMatch
      Type
      boolean
      Description

      Indicates whether the A/AAAA record of the domain in the PTR record matches the original IP address.

  • Name
    as
    Type
    object
    Description

    Autonomous System (AS) object. Is omitted if data is unavailable.

    • Name
      as.asn
      Type
      integer
      Description

      Autonomous System's number.

    • Name
      as.name
      Type
      string
      Description

      Autonomous System's name.

    • Name
      as.domain
      Type
      string
      Description

      Autonomous System's website URL.

  • Name
    netblock
    Type
    object
    Description

    WHOIS information for the IP Netblock associated with the IP address.

    • Name
      netblock.threatScore
      Type
      integer
      Description

      A numerical score representing the threat level of the Netblock, ranging from 0 to 100. A score of 0 indicates no threat, while a score of 100 indicates high confidence that all IPs within the Netblock are classified as threats.

    • Name
      netblock.source
      Type
      string
      Description

      Organization responsible for the management and allocation of the IP address range.

    • Name
      netblock.netname
      Type
      string
      Description

      Name of the IP range.

    • Name
      netblock.modified
      Type
      string
      Description

      Date and time of the last modification to the range, as provided by the registry. Format: '2012-02-24T09:44:34-05:00'.

    • Name
      netblock.inetnum
      Type
      string
      Description

      The range of IP addresses within the netblock. Example: '192.168.1.0 - 192.168.1.255'.

    • Name
      netblock.organization
      Type
      object
      Description

      Organization that registered the range. Is omitted if data is unavailable.

      • Name
        netblock.organization.id
        Type
        string
        Description

        ID of the organization.

      • Name
        netblock.organization.name
        Type
        string
        Description

        Name of the organization.

      • Name
        netblock.organization.email
        Type
        string
        Description

        Contact email of the organization.

      • Name
        netblock.organization.phone
        Type
        string
        Description

        Contact phone of the organization.

      • Name
        netblock.organization.address
        Type
        string[]
        Description

        Address of the organization.

    • Name
      netblock.adminContact
      Type
      object
      Description

      Administrative contact information. Is omitted if data is unavailable.

      • Name
        netblock.adminContact.id
        Type
        string
        Description

        ID of the contact.

      • Name
        netblock.adminContact.role
        Type
        string
        Description

        Role of the contact.

      • Name
        netblock.adminContact.email
        Type
        string
        Description

        Email of the contact.

      • Name
        netblock.adminContact.phone
        Type
        string
        Description

        Phone number of the contact.

      • Name
        netblock.adminContact.address
        Type
        string[]
        Description

        Address of the contact.

    • Name
      netblock.techContact
      Type
      object
      Description

      Technical contact information. This field follows the same structure as the adminContact object. Is omitted if data is unavailable.

    • Name
      netblock.abuseContact
      Type
      object
      Description

      Abuse contact information. This field follows the same structure as the adminContact object. Is omitted if data is unavailable.

Output format

{
    "ioc": "1.0.131.138",
    "iocType": "ipv4",
    "firstSeen": 1678320000,
    "lastSeen": 1722470400,
    "threatTypes": [
        "malware"
    ],
    "location": {
        "country": "Thailand",
        "region": "Songkhla",
        "city": "Songkhla"
    },
    "ptr": {
        "value": "node-p6.pool-1-0.dynamic.totinternet.net.",
        "reverseMatch": true
    },
    "as": {
        "asn": 23969,
        "name": "TOT ISP",
        "domain": "https://www.ntplc.co.th/"
    },
    "netblock": {
        "threatScore": 0,
        "inetnum": "1.0.128.0 - 1.0.191.255",
        "source": "apnic",
        "netname": "TOTNET",
        "modified": "2021-01-27T13:28:05Z",
        "organization": {
            "id": "SANT",
            "name": "SantRun Electric LLC",
            "email": "info@srun.com",
            "phone": "+358507081154",
            "address": [
                "760 Main Street",
                "Fremont",
                "CA",
                "94539",
                "United States"
            ]
        },
        "adminContact": {
            "id": "AG100-AP",
            "role": "Apipol Gunabhibal",
            "email": "abuse@totidc.net",
            "phone": "+66-2574-9178",
            "address": [
                "TOT Public Company Limited",
                "89/2 Moo 3 Chaengwattana Rd, Laksi, Bangkok 10210 THAILAND"
            ]
        },
        "techContact": {
            "id": "AG100-AP",
            "role": "Apipol Gunabhibal",
            "email": "abuse@totidc.net",
            "phone": "+66-2574-9178",
            "address": [
                "TOT Public Company Limited",
                "89/2 Moo 3 Chaengwattana Rd, Laksi, Bangkok 10210 THAILAND"
            ]
        },
        "abuseContact": {
            "id": "IRT-TOT-TH",
            "role": "IRT-TOT-TH",
            "email": "abuse@totisp.net",
            "phone": "",
            "address": [
                "TOT Public Company Limited",
                "89/2 Moo 3 Chaengwattana Rd, Laksi,Bangkok 10210 THAILAND"
            ]
        }
    }
}
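One way to act on netblock.threatScore and netblock.inetnum from the record above, as an added example (not the vendor's code): the "first - last" range is converted to CIDR networks, and the block is widened from the single IoC to the netblock only when the score is high and the range is small. The `min_score` and `max_addresses` thresholds and the function names are hypothetical.

```python
import ipaddress

def inetnum_to_cidrs(inetnum):
    """Convert 'first - last' (netblock.inetnum) into the minimal list of CIDR networks."""
    first_s, sep, last_s = inetnum.partition(" - ")
    if not sep:
        raise ValueError(f"unexpected inetnum format: {inetnum!r}")
    first = ipaddress.ip_address(first_s.strip())
    last = ipaddress.ip_address(last_s.strip())
    # Raises if the range is reversed or mixes IPv4 with IPv6.
    return list(ipaddress.summarize_address_range(first, last))

def block_targets(record, min_score=90, max_addresses=65536):
    """Return the networks to block for one Ultimate record.

    Falls back to the single IoC address unless the netblock score is high,
    the range actually contains the IoC, and the range is not too large.
    """
    host = ipaddress.ip_network(record["ioc"])  # /32 or /128
    netblock = record.get("netblock") or {}
    score = netblock.get("threatScore")
    if not isinstance(score, int) or score < min_score or "inetnum" not in netblock:
        return [host]
    cidrs = inetnum_to_cidrs(netblock["inetnum"])
    covers = any(c.version == host.version and host.subnet_of(c) for c in cidrs)
    size = sum(c.num_addresses for c in cidrs)
    if not covers or size > max_addresses:
        return [host]
    return cidrs

if __name__ == "__main__":
    # Values from the page's example record: score 0, so only the host is returned.
    page_record = {"ioc": "1.0.131.138",
                   "netblock": {"threatScore": 0, "inetnum": "1.0.128.0 - 1.0.191.255"}}
    print(block_targets(page_record))
```

A range that is not aligned to a prefix boundary expands to several CIDR entries, which is why the result is always a list.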

File naming convention

  • All files are archived in .GZ format.
  • Filename format: fs.%YYYY-MM-DD%.ultimate.[full|daily].ips.[csv|jsonl].gz
  • Here is an example of a daily export:
    File name                                   Rows count   File size, compressed   File size, decompressed
    fs.2024-07-30.ultimate.full.ips.csv.gz      3,305,944    61MB                    1.7GB
    fs.2024-07-30.ultimate.full.ips.jsonl.gz    3,305,944    78MB                    3.2GB
    fs.2024-07-30.ultimate.daily.ips.csv.gz     245,344      7.6MB                   234MB
    fs.2024-07-30.ultimate.daily.ips.jsonl.gz   245,344      9.3MB                   126MB

Sample download

You can download sample files here: CSV or JSONL. These samples include a limited amount of data and are intended to demonstrate the file format.

If you are interested in obtaining the full dataset for analysis, please contact support.