Threat Intelligence Data Feed
The Data Feed equips your security systems with a comprehensive list of IoCs for automatic threat detection and response. The premium version enhances this with in-depth threat intelligence, similar to our API and Lookup services.
Subscription plans
We offer three subscription plans: Core, Professional, and Ultimate. The output fields vary between these plans, with more fields being added from Core to Ultimate.
Additionally, the Ultimate plan offers custom output formats and data enrichments, along with a streaming version. For a complete feature comparison of the plans, please refer to the pricing page.
Downloading the data
The data feed files are provided daily at UTC+03:00 and can be downloaded via HTTPS and SFTP protocols.
After confirming the payment for your subscription, you will receive all the required information on how to download them, including your personal Data Feed Key for authentication.
Full and incremental files
Each update provides a list of all active Indicators of Compromise (IoCs) along with their associated intelligence information. Additionally, it includes an incremental list that features only the IoCs added or modified since the last daily export.
Output formats
The data is provided in CSV and JSONL formats.
Field names are consistent across formats.
For CSV format, nested field names are joined using a period (.), e.g., location.region or netblock.abuseContact.email. Array field values are concatenated with a vertical bar (|) character.
For the Ultimate plan, we provide data feed files with custom output formats and data enrichments. Please contact support for details.
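The CSV conventions above (dotted column names for nested fields, "|" between array values) can be reversed to recover the same nested records the JSONL files carry. The following is an added example, not the vendor's code; it assumes the CSV starts with a header row, that an empty cell means the field is absent, and that booleans are written as true/false, none of which this page specifies.

```python
import csv

# Columns typed string[] in the attribute tables; their cells use "|" as separator.
ARRAY_FIELDS = {"threatTypes"} | {
    f"netblock.{owner}.address"
    for owner in ("organization", "adminContact", "techContact", "abuseContact")
}
INT_FIELDS = {"firstSeen", "lastSeen", "as.asn", "netblock.threatScore"}
BOOL_FIELDS = {"ptr.reverseMatch"}


def unflatten_row(row):
    """Rebuild one nested record from a CSV row given as {column: text}."""
    record = {}
    for column, raw in row.items():
        if raw is None or raw == "":
            continue  # assumption: an empty cell means the field is absent
        if column in ARRAY_FIELDS:
            value = raw.split("|")
        elif column in INT_FIELDS:
            value = int(raw)
        elif column in BOOL_FIELDS:
            value = raw.strip().lower() == "true"  # assumption: true/false text
        else:
            value = raw
        # "netblock.abuseContact.email" -> record["netblock"]["abuseContact"]["email"]
        *parents, leaf = column.split(".")
        node = record
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return record


def read_csv_feed(lines):
    """Parse an iterable of CSV text lines (header row first) into records."""
    return [unflatten_row(row) for row in csv.DictReader(lines)]


# Constructed sample in the Professional layout; the second row has no
# location or PTR data. For a real export, pass
# gzip.open(path, "rt", encoding="utf-8", newline="") to read_csv_feed().
SAMPLE_CSV = (
    "ioc,iocType,threatTypes,firstSeen,lastSeen,"
    "location.country,ptr.value,ptr.reverseMatch\n"
    "1.0.131.138,ipv4,malware|c2,1678320000,1722470400,"
    "Thailand,node-p6.pool-1-0.dynamic.totinternet.net.,true\n"
    "2001:db8::1,ipv6,spam,1700000000,1700086400,,,\n"
)
```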
"Core" data feed
The "Core" data feed contains IoCs, their associated threat types and first/last seen date fields.
Attributes
- Name
ioc
- Type
- string
- Description
IPv4 or IPv6 address
- Name
iocType
- Type
- string
- Description
IoC type. Available values:
- ipv4
- ipv6
- Name
threatTypes
- Type
- string[]
- Description
List of threat types associated with the IoC. Available values:
- suspicious
- malware
- phishing
- c2
- attack
- spam
- Name
firstSeen
- Type
- timestamp
- Description
UNIX timestamp of when the activity was first detected.
- Name
lastSeen
- Type
- timestamp
- Description
UNIX timestamp of when the activity was last detected.
Output format
{
  "ioc": "1.0.131.138",
  "iocType": "ipv4",
  "threatTypes": [
    "malware"
  ],
  "firstSeen": 1678320000,
  "lastSeen": 1722470400
}
File naming convention
- All files are archived in .GZ format.
- Filename format: fs.%YYYY-MM-DD%.core.[full|daily].ips.[csv|jsonl].gz
- Here is an example of a daily export:
File name | Rows count | File size, compressed | File size, decompressed |
---|---|---|---|
fs.2024-07-30.core.full.ips.csv.gz | 3,305,944 | 24MB | 162MB |
fs.2024-07-30.core.full.ips.jsonl.gz | 3,305,944 | 28MB | 362MB |
fs.2024-07-30.core.daily.ips.csv.gz | 245,344 | 1.7MB | 517KB |
fs.2024-07-30.core.daily.ips.jsonl.gz | 245,344 | 2MB | 12MB |
Sample download
You can download sample files here: CSV or JSONL. These samples include a limited amount of data and are intended to demonstrate the file format.
If you are interested in obtaining the full dataset for analysis, please contact support.
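The file naming convention and the full/daily split described above determine how a consumer keeps a local IoC set current: a full file replaces the set, a daily file adds or overwrites entries. The following is an added example, not the vendor's code; the in-memory dict store and the sample records are constructed for illustration, and download and authentication are left out.

```python
import gzip
import io
import ipaddress
import json
import re

# fs.%YYYY-MM-DD%.<plan>.[full|daily].ips.[csv|jsonl].gz
FEED_NAME = re.compile(
    r"fs\.(?P<date>\d{4}-\d{2}-\d{2})\.(?P<plan>core|professional|ultimate)"
    r"\.(?P<kind>full|daily)\.ips\.(?P<fmt>csv|jsonl)\.gz"
)


def parse_feed_name(name):
    """Split a feed file name into date, plan, kind and fmt; reject anything else."""
    match = FEED_NAME.fullmatch(name)
    if match is None:
        raise ValueError(f"unexpected feed file name: {name!r}")
    return match.groupdict()


def apply_feed(store, name, gz_bytes):
    """Apply one JSONL export to a dict keyed by IoC and return the updated dict."""
    meta = parse_feed_name(name)
    if meta["fmt"] != "jsonl":
        raise ValueError("this example reads JSONL files only")
    # A full file is the complete active set, so it replaces the store;
    # a daily file only adds new IoCs or overwrites modified ones.
    store = {} if meta["kind"] == "full" else store
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as lines:
        for line in lines:
            if not line.strip():
                continue
            record = json.loads(line)
            # Validate and normalise the address before it reaches a blocklist.
            store[str(ipaddress.ip_address(record["ioc"]))] = record
    return store


def _gz(records):
    return gzip.compress("\n".join(json.dumps(r) for r in records).encode())


# Constructed sample exports (documentation address ranges, not real feed data).
FULL = _gz([
    {"ioc": "192.0.2.10", "threatTypes": ["spam"], "lastSeen": 1722297600},
    {"ioc": "192.0.2.20", "threatTypes": ["c2"], "lastSeen": 1722297600},
])
DAILY = _gz([
    {"ioc": "192.0.2.10", "threatTypes": ["spam", "phishing"], "lastSeen": 1722384000},
    {"ioc": "2001:db8::5", "threatTypes": ["attack"], "lastSeen": 1722384000},
])
```

Since the daily file is described as holding only added or modified IoCs, entries that are no longer active leave the store only when the next full file is applied.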
"Professional" data feed
The "Professional" data feed contains everything in Core, plus the Country, Region, City, PTR Value and PTR Reverse Match fields.
Attributes
- Name
ioc
- Type
- string
- Description
IPv4 or IPv6 address
- Name
iocType
- Type
- string
- Description
IoC type. Available values:
- ipv4
- ipv6
- Name
threatTypes
- Type
- string[]
- Description
List of threat types associated with the IoC. Available values:
- suspicious
- malware
- phishing
- c2
- attack
- spam
- Name
firstSeen
- Type
- timestamp
- Description
UNIX timestamp of when the activity was first detected.
- Name
lastSeen
- Type
- timestamp
- Description
UNIX timestamp of when the activity was last detected.
- Name
location
- Type
- object
- Description
Geolocation of the IP address. Is omitted if data is unavailable.
- Name
location.country
- Type
- string
- Description
Country name.
- Name
location.region
- Type
- string
- Description
Region name.
- Name
location.city
- Type
- string
- Description
City name.
- Name
ptr
- Type
- object
- Description
PTR record for the IP address and the result of the reverse match check. Is omitted if data is unavailable.
- Name
ptr.value
- Type
- nullable string
- Description
PTR record value; null if the IP address does not have a PTR record.
- Name
ptr.reverseMatch
- Type
- boolean
- Description
Indicates whether the A/AAAA record of the domain in the PTR record matches the original IP address.
Output format
{
  "ioc": "1.0.131.138",
  "type": "ipv4",
  "threatTypes": [
    "malware"
  ],
  "firstSeen": 1678320000,
  "lastSeen": 1722470400,
  "location": {
    "country": "Thailand",
    "region": "Songkhla",
    "city": "Songkhla"
  },
  "ptr": {
    "value": "node-p6.pool-1-0.dynamic.totinternet.net.",
    "reverseMatch": true
  }
}
File naming convention
- All files are archived in .GZ format.
- Filename format: fs.%YYYY-MM-DD%.professional.[full|daily].ips.[csv|jsonl].gz
- Here is an example of a daily export:
File name | Rows count | File size, compressed | File size, decompressed |
---|---|---|---|
fs.2024-07-30.professional.full.ips.csv.gz | 3,305,944 | 37MB | 323MB |
fs.2024-07-30.professional.full.ips.jsonl.gz | 3,305,944 | 44MB | 715MB |
fs.2024-07-30.professional.daily.ips.csv.gz | 245,344 | 3MB | 25MB |
fs.2024-07-30.professional.daily.ips.jsonl.gz | 245,344 | 4MB | 54MB |
Sample download
You can download sample files here: CSV or JSONL. These samples include a limited amount of data and are intended to demonstrate the file format.
If you are interested in obtaining the full dataset for analysis, please contact support.
"Ultimate" data feed
The "Ultimate" data feed contains everything in Professional, plus IP Netblock Score, WHOIS (Netblock) Info, ASN Number, ASN Name and ASN Domain.
Attributes
- Name
ioc
- Type
- string
- Description
IPv4 or IPv6 address
- Name
iocType
- Type
- string
- Description
IoC type. Available values:
- ipv4
- ipv6
- Name
threatTypes
- Type
- string[]
- Description
List of threat types associated with the IoC. Available values:
- suspicious
- malware
- phishing
- c2
- attack
- spam
- Name
firstSeen
- Type
- timestamp
- Description
UNIX timestamp of when the activity was first detected.
- Name
lastSeen
- Type
- timestamp
- Description
UNIX timestamp of when the activity was last detected.
- Name
location
- Type
- object
- Description
Geolocation of the IP address. Is omitted if data is unavailable.
- Name
location.country
- Type
- string
- Description
Country name.
- Name
location.region
- Type
- string
- Description
Region name.
- Name
location.city
- Type
- string
- Description
City name.
- Name
ptr
- Type
- object
- Description
PTR record for the IP address and the result of the reverse match check. Is omitted if data is unavailable.
- Name
ptr.value
- Type
- nullable string
- Description
PTR record value; null if the IP address does not have a PTR record.
- Name
ptr.reverseMatch
- Type
- boolean
- Description
Indicates whether the A/AAAA record of the domain in the PTR record matches the original IP address.
- Name
as
- Type
- object
- Description
Autonomous System (AS) object. Is omitted if data is unavailable.
- Name
as.asn
- Type
- integer
- Description
Autonomous System's number.
- Name
as.name
- Type
- string
- Description
Autonomous System's name.
- Name
as.domain
- Type
- string
- Description
Autonomous System's website URL.
- Name
netblock
- Type
- object
- Description
WHOIS information for the IP Netblock associated with the IP address.
- Name
netblock.threatScore
- Type
- integer
- Description
A numerical score representing the threat level of the Netblock, ranging from 0 to 100. A score of 0 indicates no threat, while a score of 100 indicates high confidence that all IPs within the Netblock are classified as threats.
- Name
netblock.source
- Type
- string
- Description
Organization responsible for the management and allocation of the IP address range.
- Name
netblock.netname
- Type
- string
- Description
Name of the IP range.
- Name
netblock.modified
- Type
- string
- Description
Date and time of the last modification to the range, as provided by the registry. Format: '2012-02-24T09:44:34-05:00'.
- Name
netblock.inetnum
- Type
- string
- Description
The range of IP addresses within the netblock. Example: '192.168.1.0 - 192.168.1.255'.
- Name
netblock.organization
- Type
- object
- Description
Organization that registered the range. Is omitted if data is unavailable.
- Name
netblock.organization.id
- Type
- string
- Description
ID of the organization.
- Name
netblock.organization.name
- Type
- string
- Description
Name of the organization.
- Name
netblock.organization.email
- Type
- string
- Description
Contact email of the organization.
- Name
netblock.organization.phone
- Type
- string
- Description
Contact phone of the organization.
- Name
netblock.organization.address
- Type
- string[]
- Description
Address of the organization.
- Name
netblock.adminContact
- Type
- object
- Description
Administrative contact information. Is omitted if data is unavailable.
- Name
netblock.adminContact.id
- Type
- string
- Description
ID of the contact.
- Name
netblock.adminContact.role
- Type
- string
- Description
Role of the contact.
- Name
netblock.adminContact.email
- Type
- string
- Description
Email of the contact.
- Name
netblock.adminContact.phone
- Type
- string
- Description
Phone number of the contact.
- Name
netblock.adminContact.address
- Type
- string[]
- Description
Address of the contact.
- Name
netblock.techContact
- Type
- object
- Description
Technical contact information. This field follows the same structure as the adminContact object. Is omitted if data is unavailable.
- Name
netblock.abuseContact
- Type
- object
- Description
Abuse contact information. This field follows the same structure as the adminContact object. Is omitted if data is unavailable.
Output format
{
  "ioc": "1.0.131.138",
  "type": "ipv4",
  "firstSeen": 1678320000,
  "lastSeen": 1722470400,
  "threatType": [
    "malware"
  ],
  "location": {
    "country": "Thailand",
    "region": "Songkhla",
    "city": "Songkhla"
  },
  "ptr": {
    "value": "node-p6.pool-1-0.dynamic.totinternet.net.",
    "reverseMatch": true
  },
  "as": {
    "asn": 23969,
    "name": "TOT ISP",
    "domain": "https://www.ntplc.co.th/"
  },
  "netblock": {
    "threatScore": 0,
    "inetnum": "1.0.128.0 - 1.0.191.255",
    "source": "apnic",
    "netname": "TOTNET",
    "modified": "2021-01-27T13:28:05Z",
    "organization": {
      "id": "SANT",
      "name": "SantRun Electric LLC",
      "email": "info@srun.com",
      "phone": "+358507081154",
      "address": [
        "760 Main Street",
        "Fremont",
        "CA",
        "94539",
        "United States"
      ]
    },
    "adminContact": {
      "id": "AG100-AP",
      "role": "Apipol Gunabhibal",
      "email": "abuse@totidc.net",
      "phone": "+66-2574-9178",
      "address": [
        "TOT Public Company Limited",
        "89/2 Moo 3 Chaengwattana Rd, Laksi, Bangkok 10210 THAILAND"
      ]
    },
    "techContact": {
      "id": "AG100-AP",
      "role": "Apipol Gunabhibal",
      "email": "abuse@totidc.net",
      "phone": "+66-2574-9178",
      "address": [
        "TOT Public Company Limited",
        "89/2 Moo 3 Chaengwattana Rd, Laksi,Bangkok 10210 THAILAND"
      ]
    },
    "abuseContact": {
      "id": "IRT-TOT-TH",
      "role": "IRT-TOT-TH",
      "email": "abuse@totisp.net",
      "phone": "",
      "address": [
        "TOT Public Company Limited",
        "89/2 Moo 3 Chaengwattana Rd, Laksi,Bangkok 10210 THAILAND"
      ]
    }
  }
}
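The netblock.inetnum range and netblock.threatScore documented above can drive the choice between blocking a single address and blocking its whole netblock. The following is an added example, not the vendor's code; the threshold of 90 and the function names are assumptions, and the second record is constructed.

```python
import ipaddress


def inetnum_to_cidrs(inetnum):
    """Convert 'first - last' (the documented inetnum form) to CIDR networks."""
    if "/" in inetnum:  # assumption: tolerate a range already written as CIDR
        return [ipaddress.ip_network(inetnum.strip(), strict=False)]
    parts = inetnum.split("-")
    if len(parts) != 2:
        raise ValueError(f"unexpected inetnum: {inetnum!r}")
    first, last = (ipaddress.ip_address(p.strip()) for p in parts)
    return list(ipaddress.summarize_address_range(first, last))


def block_targets(record, netblock_threshold=90):
    """Return CIDR strings to block for one Ultimate record.

    The netblock is used only when its threatScore reaches the threshold
    (an assumed policy value) and the range really contains the IoC;
    otherwise the result is the single host address.
    """
    ip = ipaddress.ip_address(record["ioc"])
    host = [f"{ip}/{ip.max_prefixlen}"]
    netblock = record.get("netblock") or {}
    score = netblock.get("threatScore")
    inetnum = netblock.get("inetnum")
    if score is None or score < netblock_threshold or not inetnum:
        return host
    cidrs = inetnum_to_cidrs(inetnum)
    if not any(ip in net for net in cidrs):
        return host  # range does not cover the IoC: do not widen the block
    return [str(net) for net in cidrs]


# Values taken from the sample record on this page (threatScore 0).
PAGE_SAMPLE = {
    "ioc": "1.0.131.138",
    "netblock": {"threatScore": 0, "inetnum": "1.0.128.0 - 1.0.191.255"},
}
# Constructed record with a high netblock score (documentation address range).
HIGH_SCORE = {
    "ioc": "198.51.100.7",
    "netblock": {"threatScore": 100, "inetnum": "198.51.100.0 - 198.51.100.255"},
}
```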
File naming convention
- All files are archived in .GZ format.
- Filename format: fs.%YYYY-MM-DD%.ultimate.[full|daily].ips.[csv|jsonl].gz
- Here is an example of a daily export:
File name | Rows count | File size, compressed | File size, decompressed |
---|---|---|---|
fs.2024-07-30.ultimate.full.ips.csv.gz | 3,305,944 | 61MB | 1.7GB |
fs.2024-07-30.ultimate.full.ips.jsonl.gz | 3,305,944 | 78MB | 3.2GB |
fs.2024-07-30.ultimate.daily.ips.csv.gz | 245,344 | 7.6MB | 234MB |
fs.2024-07-30.ultimate.daily.ips.jsonl.gz | 245,344 | 9.3MB | 126MB |
Sample download
You can download sample files here: CSV or JSONL. These samples include a limited amount of data and are intended to demonstrate the file format.
If you are interested in obtaining the full dataset for analysis, please contact support.