TIDF

Threat Intelligence Data Feeds

Documentation

Updated: Mar. 20, 2023

We cover the following 9 threat types:

  • Attack: malicious activity detected from the host. For example, SSH brute-force, etc.
  • Botnet: a host was detected as an actor in a group of connected hosts that perform malicious activities (botnet).
  • C2 or C&C: the host is a known botnet's "Command and Control" server.
  • Malware: the IoC is related to malicious software distribution. It can be a host or a URL serving the malware.
  • Phishing: the indicator, usually a domain name or URL, is involved in Phishing activity.
  • Spam: a host engaged in sending spam.
  • Suspicious: IoC's activity hasn't been verified to be of malicious nature. For instance, it may be a host scraping websites, sending large amounts of ICMP queries, etc.
  • Tor: a host acts as a Tor exit node.
  • Generic: IoC has been involved in some form of malicious activity but couldn't be classified into one of the other categories.

Our data sources:

Our Threat Intelligence Data Feed is powered by multiple sources, ensuring that you receive comprehensive and accurate information to protect your organization. Our sources include:

  • Server logs: we scrutinize server logs to detect unusual activity and unauthorized access attempts.
  • Honeypots: we use decoy systems called honeypots to attract attackers and gather intelligence on the latest attack methods.
  • OSINT: we collect threat intelligence from open sources such as social media, forums, and blogs to stay informed on emerging threats and trends.
  • Abuse reports (ISPs): we monitor abuse reports from internet service providers to identify potential threats and malicious activity.
  • Our own research: our team of experts conducts in-depth research to identify new and emerging threats and provide comprehensive analysis of existing threats.

Coverage statistics

The following table shows the coverage statistics for each threat type. The data is updated daily.

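| Threat type | IPs | CIDRs | Domains | URLs | File hashes | Total |
|---|---|---|---|---|---|---|
| Attack | 222,296 | 493,729 | 0 | 0 | 0 | 716,025 |
| Botnet | 671 | 828 | 0 | 0 | 0 | 1,499 |
| C2 | 10,514 | 11,403 | 521,813 | 397 | 0 | 543,730 |
| Malware | 380,122 | 386,832 | 421,767 | 169,767 | 639,219 | 1,990,997 |
| Phishing | 5,405 | 6,473 | 644,828 | 900,963 | 0 | 1,557,669 |
| Spam | 83,361 | 115,554 | 0 | 0 | 0 | 198,915 |
| Suspicious | 1,999 | 2,828 | 0 | 0 | 0 | 4,827 |
| Tor | 8,393 | 10,796 | 0 | 0 | 0 | 19,189 |
| Generic | 924,107 | 3,564,089 | 5,369,010 | 2,975 | 0 | 9,860,181 |
| In total | 1,547,199 | 4,257,507 | 6,813,728 | 1,073,672 | 639,219 | 14,331,325 |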

Output formats

There are 10 different types of data in the daily export. Each data feed is published daily at 3 AM UTC. Contact us for a streaming version of the data feed.

| Data type | Files included | IoCs included | Record count | Formats available |
|---|---|---|---|---|
| Malicious IPv4/IPv6 address data feeds | *.malicious-ips.v4.csv.gz, *.malicious-ips.v4.jsonl.gz, *.malicious-ips.v6.csv.gz, *.malicious-ips.v6.jsonl.gz | IPv4, IPv6 | IPv4 - 1,004,672; IPv6 - 1,009,224 | CSV, JSON |
| Malicious domain name data feed | *.malicious-domains.csv.gz, *.malicious-domains.jsonl.gz | Domains | 6,957,036 | CSV, JSON |
| Malicious URL data feed | *.malicious-urls.csv.gz, *.malicious-urls.jsonl.gz | URLs | 1,073,285 | CSV, JSON |
| Malicious file hashes data feed | *.malicious-file-hashes.csv.gz, *.malicious-file-hashes.jsonl.gz | File hashes | 631,141 | CSV, JSON |
| Hosts file | *.hosts.gz | Domains | 6,813,347 | Hosts file format |
| Nginx's ngx_http_access_module compatible IPv4/IPv6 denylist | *.nginx-access.v4.gz, *.nginx-access.v6.gz | IPv4, IPv6 ranges in CIDR notation | IPv4 - 1,352,895; IPv6 - 1,499,909 | ngx_http_access_module compatible |
| Raw IPv4/IPv6 denylists | *.deny-ips.v4.gz, *.deny-ips.v6.gz | IPv4, IPv6 | IPv4 - 929,017; IPv6 - 933,565 | List |
| Raw domain denylist | *.deny-domains.gz | Domains | 6,813,347 | List |
| Raw CIDR denylist | *.deny-cidrs.v4.gz, *.deny-cidrs.v6.gz | IPv4, IPv6 ranges in CIDR notation | IPv4 - 1,352,895; IPv6 - 1,499,909 | List |
| Malicious IPv4/IPv6 ranges in CIDR notation data feeds | *.malicious-cidrs.v4.csv.gz, *.malicious-cidrs.v4.jsonl.gz, *.malicious-cidrs.v6.csv.gz, *.malicious-cidrs.v6.jsonl.gz | IPv4, IPv6 ranges in CIDR notation | IPv4 - 1,853,752; IPv6 - 2,000,874 | CSV, JSON |

1. Malicious IPv4/IPv6 address data feeds

Average file sizes

| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-ips.v4.csv.gz | 5.5MB | 32MB | 1,004,672 |
| malicious-ips.v4.jsonl.gz | 6.2MB | 67MB | 1,004,672 |
| malicious-ips.v6.csv.gz | 5.6MB | 39MB | 1,009,224 |
| malicious-ips.v6.jsonl.gz | 6.3MB | 74MB | 1,009,224 |

Output format

CSV output format

ip,threatType,lastSeen 
203.0.113.1,malware,1678372385
2001:0db8:85a3::8a2e:0370:7334,spam,1678372385
...

JSONL output format

... 
{"ip": "203.0.113.1", "threatType":"malware", "lastSeen":"1678372385"}
{"ip": "2001:0db8:85a3::8a2e:0370:7334", "threatType":"spam", "lastSeen":"1678372385"}
...

Output parameters

ip
IoC: IPv4 and IPv6 addresses. The IPv6 feed also contains IPv4 addresses represented in IPv6 notation.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
lastSeen
UNIX timestamp of when the activity was last detected.
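
An added example, not vendor code, of loading the JSONL address feed for lookups against your own logs. It assumes the "IPv4 in IPv6 notation" entries are IPv4-mapped addresses (::ffff:a.b.c.d) and uses a hypothetical 30-day freshness window; the sample records are constructed.

```python
import ipaddress
import json

# Constructed sample lines in the JSONL layout shown above (not real feed data).
SAMPLE_JSONL = """\
{"ip": "203.0.113.1", "threatType": "malware", "lastSeen": "1678372385"}
{"ip": "::ffff:198.51.100.7", "threatType": "attack", "lastSeen": "1678372385"}
{"ip": "2001:0db8:85a3::8a2e:0370:7334", "threatType": "spam", "lastSeen": "1670000000"}
{"ip": "not-an-ip", "threatType": "spam", "lastSeen": "1678372385"}
"""

VALID_TYPES = {"attack", "botnet", "c2", "malware", "phishing",
               "spam", "suspicious", "tor", "generic"}


def canonical_ip(text):
    """Parse an address; fold IPv4-mapped IPv6 (assumed form) back to IPv4."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def load_ip_feed(lines, now, max_age_days=30):
    """Return ({address: (threatType, lastSeen)}, skipped_count) for fresh records."""
    index, skipped = {}, 0
    cutoff = now - max_age_days * 86400  # hypothetical freshness window
    for line in lines:
        line = line.strip()
        if not line or line == "...":
            continue
        try:
            rec = json.loads(line)
            addr = canonical_ip(rec["ip"])
            seen = int(rec["lastSeen"])  # the samples quote the timestamp as a string
            kind = rec["threatType"].lower()
            if kind not in VALID_TYPES:
                raise ValueError(kind)
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # malformed record: count it, never load it
            continue
        if seen >= cutoff and (addr not in index or seen > index[addr][1]):
            index[addr] = (kind, seen)
    return index, skipped


def lookup(index, observed_ip):
    """Check an address from your own logs against the loaded feed."""
    return index.get(canonical_ip(observed_ip))
```

Canonicalizing both the feed entries and the observed address means a hit does not depend on whether the v4 or the v6 file was loaded.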

2. Malicious domain name data feed

Average file sizes

| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-domains.csv.gz | 39MB | 286MB | 6,957,036 |
| malicious-domains.jsonl.gz | 42MB | 558MB | 6,957,036 |

Output format

CSV output format

domainName,threatType,lastSeen 
example.com,malware,1678372385
example.org,spam,1678372385
...

JSONL output format

... 
{"domainName": "example.com", "threatType":"malware", "lastSeen":"1678372385"}
{"domainName": "example.org", "threatType":"spam", "lastSeen":"1678372385"}
...

Output parameters

domainName
IoC: domain name.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
lastSeen
UNIX timestamp of when the activity was last detected.

3. Malicious URL data feed

Average file sizes

| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-urls.csv.gz | 42MB | 116MB | 1,073,285 |
| malicious-urls.jsonl.gz | 44MB | 165MB | 1,073,285 |

Output format

CSV output format

url,host,threatType,lastSeen 
"example.com/wp-admin.php?hack_me=1","example.com",malware,1678372385
"/bad_path/bad_file.php","",malware,1678372385
...

JSONL output format

...
{"url": "example.com/wp-admin.php?hack_me=1", "host": "example.com", "threatType":"malware", "lastSeen":"1678372385"}
{"url": "/bad_path/bad_file.php","host": "", "threatType":"malware", "lastSeen":"1678372385"}
...

Output parameters

url
IoC: URL. It might be absolute (https://example.com/files/badfile.php) or relative (/files/badfile.php). Relative URLs have an empty host field.
host
Domain name or IP for absolute URLs.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
lastSeen
UNIX timestamp of when the activity was last detected.
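
An added example, not vendor code, of matching observed HTTP requests against the URL feed. It handles the three shapes that appear above: a scheme-less absolute URL, an absolute URL with a scheme, and a relative URL with an empty host. Treating a relative IoC as matching that path on any host is an assumption; the rows are constructed.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed rows in the CSV layout shown above (not real feed data).
SAMPLE_CSV = '''url,host,threatType,lastSeen
"example.com/wp-admin.php?hack_me=1","example.com",malware,1678372385
"https://Example.org/files/badfile.php","example.org",phishing,1678372385
"/bad_path/bad_file.php","",malware,1678372385
'''


def split_ioc(url, host):
    """Return (host, path_and_query); host is '' for relative IoCs."""
    url = url.strip()
    if url.startswith("/"):
        return "", url
    if "://" not in url:  # the first sample row carries no scheme
        url = "//" + url
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (parts.hostname or host).lower(), path


def load_url_feed(text):
    """Build lookup tables: absolute IoCs by (host, path), relative IoCs by path."""
    absolute, relative = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        host, path = split_ioc(row["url"], row["host"])
        if host:
            absolute[(host, path)] = row["threatType"]
        else:
            relative[path] = row["threatType"]
    return absolute, relative


def classify_request(absolute, relative, host, request_target):
    """Match one observed request (Host header value and request target)."""
    key = (host.lower().rstrip("."), request_target)
    if key in absolute:
        return absolute[key]
    # Assumption: a relative IoC flags the path regardless of host.
    return relative.get(request_target)
```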

4. Malicious file hash data feed

Average file sizes

| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-file-hashes.csv.gz | 13MB | 35MB | 639,141 |
| malicious-file-hashes.jsonl.gz | 13MB | 64MB | 639,141 |

Output format

CSV output format

hash,algo,threatType,lastSeen 
1118d9c97f4ababe8ffcecef0946bcc8,md5,malware,1678372385
930619bc49c9836d26a3a2b75a3db93934d26fcb,sha1,malware,1678372385
...

JSONL output format

... 
{"hash": "1118d9c97f4ababe8ffcecef0946bcc8", "algo": "md5", "threatType":"malware", "lastSeen":"1678372385"}
{"hash": "930619bc49c9836d26a3a2b75a3db93934d26fcb", "algo": "sha1", "threatType":"malware", "lastSeen":"1678372385"}
...

Output parameters

hash
IoC: file's checksum. The hashing algorithm is given by the algo field.
algo
The algorithm used to generate the value in the hash field: md5 or sha1.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
lastSeen
UNIX timestamp of when the activity was last detected.

5. Hosts files

A denylist in the hosts file format containing malicious domain names mapped to 0.0.0.0, to block access to them. Compatible with most operating systems. The denylist contains the IoCs active the day before the export.

Average file sizes

| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| hosts.gz | 34MB | 211MB | 6,813,347 |

Output format

... 
0.0.0.0 example.com
0.0.0.0 example.org
...

6. Nginx ngx_http_access_module compatible IPv4/IPv6 denylists in CIDR notation

A list containing IPv4 and IPv6 ranges in CIDR notation formatted for the ngx_http_access_module. The file can be used in Nginx configuration to block malicious IP addresses. The denylist contains the IoCs active the day before the export.

Average file sizes

| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| nginx-access.v4.gz | 5.1MB | 30MB | 1,352,895 |
| nginx-access.v6.gz | 5.6MB | 44MB | 1,499,909 |

Output format

... 
deny 203.0.113.1/31;
deny 2001:0db8:85a3::8a2e:0370:7334/127;
...
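
An added example, not vendor code, of vetting a downloaded denylist before it is included in an Nginx configuration: every line must be exactly one deny directive, overly broad ranges are refused, and nothing may overlap your own networks. The protected range and the prefix floors are hypothetical values, and the sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample in the nginx-access layout shown above (not real feed data).
SAMPLE = """\
deny 203.0.113.1/31;
deny 2001:0db8:85a3::8a2e:0370:7334/127;
deny 10.0.0.0/8;
deny 0.0.0.0/0;
allow all;
deny 192.0.2.0/24; allow all;
"""

LINE_RE = re.compile(r"deny\s+([0-9A-Fa-f:.]+/\d{1,3});")

# Hypothetical ranges that must never be blocked (own networks, monitoring).
PROTECTED = [ipaddress.ip_network("10.20.0.0/16")]


def vet_denylist(text, protected=PROTECTED, min_prefix_v4=8, min_prefix_v6=16):
    """Split a downloaded denylist into lines safe to include and rejected lines."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.fullmatch(line)
        if not m:
            rejected.append((lineno, "not a single deny directive"))
            continue
        try:
            # strict=False: the sample above has host bits set (203.0.113.1/31).
            net = ipaddress.ip_network(m.group(1), strict=False)
        except ValueError:
            rejected.append((lineno, "invalid CIDR"))
            continue
        floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < floor:
            rejected.append((lineno, "range too broad"))
        elif any(p.version == net.version and p.overlaps(net) for p in protected):
            rejected.append((lineno, "overlaps protected range"))
        else:
            accepted.append(f"deny {net};")  # re-emit in normalized form
    return accepted, rejected
```

Write only the accepted lines to the file that Nginx includes, and alert on any rejected line rather than silently dropping it.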

7. Raw IPv4/IPv6 denylists

A plain text denylist containing IPv4/IPv6 addresses to block. Can be used in web server or firewall configuration. The denylist contains the IoCs active the day before the export.

Average file sizes

| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| deny-ips.v4.gz | 3.1MB | 13MB | 929,017 |
| deny-ips.v6.gz | 3.4MB | 19MB | 933,565 |

Output format

... 
203.0.113.1
2001:0db8:85a3::8a2e:0370:7334
...

8. Raw domain denylist

A plain text file containing domains to block. Can be used in web server or firewall configuration. The denylist contains the IoCs active the day before the export.

Average file sizes

| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| deny-domains.gz | 32MB | 159MB | 6,813,347 |

Output format

... 
example.com
example.org
...

9. Raw CIDR denylist

A plain text denylist containing IP address ranges in CIDR notation to block. Can be used in web server or firewall configuration. The denylist contains all the active IoCs for the last 24 hours.

Average file sizes

| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| deny-cidrs.v4.gz | 4.6MB | 23MB | 1,352,895 |
| deny-cidrs.v6.gz | 5.5MB | 36MB | 1,499,909 |

Output format

... 
deny 1.0.0.0/32;
deny 1.0.1.21/32;
...

10. Malicious IPv4/IPv6 ranges in CIDR notation data feeds

A plain text denylist containing IP address ranges in CIDR notation to block. Can be used in web server or firewall configuration.

Average file sizes

| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-cidrs.v4.csv.gz | 9.5MB | 64MB | 1,853,752 |
| malicious-cidrs.v4.jsonl.gz | 11MB | 133MB | 1,853,752 |
| malicious-cidrs.v6.csv.gz | 11MB | 83MB | 2,000,874 |
| malicious-cidrs.v6.jsonl.gz | 12MB | 158MB | 2,000,874 |

Output format

CSV output format

cidr,threatType,lastSeen 
1.0.0.0/32,attack,1678412656
1.0.1.21/32,attack,1678360646
...

JSONL output format

... 
{"cidr":"1.0.0.0/32","lastSeen":"1678412656","threatType":"attack"}
{"cidr":"1.0.1.21/32","lastSeen":"1678360646","threatType":"attack"}
...

Output parameters

cidr
IoC: IPv4 and IPv6 ranges in CIDR notation. The IPv6 feed also contains IPv4 ranges represented in IPv6 notation.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
lastSeen
UNIX timestamp of when the activity was last detected.

We provide flexible data export options to meet your needs

We provide the most commonly used data formats. We can also export the data in other schemes, such as XML, firewall-compatible (e.g., ModSecurity), etc. Upon request, we provide exports in formats that perfectly suit your needs within one calendar week.

Pricing plans for all team sizes

Threat Intelligence Data Feeds provide daily data in CSV and JSON formats. The data includes denylists, malicious domains, suspicious IPs, CIDRs, malware hashes, and more.

Billing options: Billed Monthly, or Billed Annually (🎁 2 months FREE)

TIDF Startup: $499 / month

  • < 100 employees
  • All threat types
  • Daily updates

TIDF Business: $1,990 / month

  • 101 - 500 employees
  • All threat types
  • Daily updates
  • Dedicated support

TIDF Enterprise: Ask for a quote

  • > 500 employees
  • All threat types
  • Daily updates
  • Dedicated support
  • Custom data formats
  • Real-time streaming
  • Data enrichment
  • Database integrations

Unlock the power of Snowflake and AWS: Seamlessly access, deploy, and utilize our data feed product through the Snowflake Marketplace and AWS Marketplace.


Contact Us

Got a technical issue? Want to send feedback about data feeds? Need details about our plans? Let us know.