We cover the following 9 threat types:
- Attack: malicious activity detected from the host. For example, SSH brute-force, etc.
- Botnet: a host was detected as an actor in a group of connected hosts that perform malicious activities (botnet).
- C2 or C&C: the host is a known botnet's "Command and Control" server.
- Malware: the IoC is related to malicious software distribution. It can be a host or a URL serving the malware.
- Phishing: the indicator, usually a domain name or URL, is involved in Phishing activity.
- Spam: a host engaged in sending spam.
- Suspicious: IoC's activity hasn't been verified to be of malicious nature. For instance, it may be a host scraping websites, sending large amounts of ICMP queries, etc.
- Tor: a host acts as a TOR exit node.
- Generic: IoC has been involved in some form of malicious activity but couldn't be classified into one of the other categories.
Our data sources:
Our Threat Intelligence Data Feed is powered by multiple sources, ensuring that you receive comprehensive and accurate information to protect your organization. Our sources include:
- Server logs: we scrutinize server logs to detect unusual activity and unauthorized access attempts.
- Honeypots: we use decoy systems called honeypots to attract attackers and gather intelligence on the latest attack methods.
- OSINT: we collect threat intelligence from open sources such as social media, forums, and blogs to stay informed on emerging threats and trends.
- Abuse reports (ISPs): we monitor abuse reports from internet service providers to identify potential threats and malicious activity.
- Our own researches: our team of experts conducts in-depth research to identify new and emerging threats and provide comprehensive analysis of existing threats.
Coverage statistics
The following table shows the coverage statistics for each threat type. The data is updated daily.
| Threat type | IPs | CIDRs | Domains | URLs | File hashes | Total |
|---|---|---|---|---|---|---|
| Attack | 222,296 | 493,729 | 0 | 0 | 0 | 716,025 |
| Botnet | 671 | 828 | 0 | 0 | 0 | 1,499 |
| C2 | 10,514 | 11,403 | 521,813 | 397 | 0 | 543,730 |
| Malware | 380,122 | 386,832 | 421,767 | 169,767 | 639,219 | 1,990,997 |
| Phishing | 5,405 | 6,473 | 644,828 | 900,963 | 0 | 1,557,669 |
| Spam | 83,361 | 115,554 | 0 | 0 | 0 | 198,915 |
| Suspicious | 1,999 | 2,828 | 0 | 0 | 0 | 4,827 |
| Tor | 8,393 | 10,796 | 0 | 0 | 0 | 19,189 |
| Generic | 924,107 | 3,564,089 | 5,369,010 | 2,975 | 0 | 9,860,181 |
| In total | 1,547,199 | 4,257,507 | 6,813,728 | 1,073,672 | 639,219 | 14,331,325 |
Output formats
There are 10 different types of data in the daily export. Each data feed is published daily at 3 AM UTC. Contact us for a streaming version of the data feed.
| Data type | Files included | IoCs included | Record count | Formats available |
|---|---|---|---|---|
| Malicious IPv4/IPv6 address data feeds | *.malicious-ips.v4.csv.gz *.malicious-ips.v4.jsonl.gz *.malicious-ips.v6.csv.gz *.malicious-ips.v6.jsonl.gz | IPv4, IPv6 | IPv4 - 1,004,672 IPv6 - 1,009,224 | CSV, JSON |
| Malicious domain name data feed | *.malicious-domains.csv.gz *.malicious-domains.jsonl.gz | Domains | 6,957,036 | CSV, JSON |
| Malicious URL data feed | *.malicious-urls.csv.gz *.malicious-urls.jsonl.gz | URLs | 1,073,285 | CSV, JSON |
| Malicious file hashes data feed | *.malicious-file-hashes.csv.gz *.malicious-file-hashes.jsonl.gz | File hashes | 631,141 | CSV, JSON |
| Hosts file | *.hosts.gz | Domains | 6,813,347 | Hosts file format |
| Nginx's ngx_http_access_module compatible IPv4/IPv6 denylist | *.nginx-access.v4.gz *.nginx-access.v6.gz | IPv4, IPv6 ranges in CIDR notation | IPv4 - 1,352,895 IPv6 - 1,499,909 | ngx_http_access_module compatible |
| Raw IPv4/IPv6 denylists | *.deny-ips.v4.gz *.deny-ips.v6.gz | IPv4, IPv6 | IPv4 - 929,017 IPv6 - 933,565 | List |
| Raw domain denylist | *.deny-domains.gz | Domains | 6,813,347 | List |
| Raw CIDR denylist | *.deny-cidrs.v4.gz *.deny-cidrs.v6.gz | IPv4, IPv6 ranges in CIDR notation | IPv4 - 1,352,895 IPv6 - 1,499,909 | List |
| Malicious IPv4/IPv6 ranges in CIDR notation data feeds | *.malicious-cidrs.v4.csv.gz *.malicious-cidrs.v4.jsonl.gz *.malicious-cidrs.v6.csv.gz *.malicious-cidrs.v6.jsonl.gz | IPv4, IPv6 ranges in CIDR notation | IPv4 - 1,853,752 IPv6 - 2,000,874 | CSV, JSON |
1. Malicious IPv4/IPv6 address data feeds
- Filename format: tidf.%DATE%.daily.malicious-ips.[v4|v6].[csv|jsonl]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-ips.v4.csv.gz | 5.5MB | 32MB | 1,004,672 |
| malicious-ips.v4.jsonl.gz | 6.2MB | 67MB | 1,004,672 |
| malicious-ips.v6.csv.gz | 5.6MB | 39MB | 1,009,224 |
| malicious-ips.v6.jsonl.gz | 6.3MB | 74MB | 1,009,224 |
Output format
CSV output format
ip,threatType,lastSeen
203.0.113.1,malware,1678372385
2001:0db8:85a3::8a2e:0370:7334,spam,1678372385
...
JSONL output format
...
{"ip”: "203.0.113.1”, "threatType”:”malware”, "lastSeen”:”1678372385”}
{"ip”: "2001:0db8:85a3::8a2e:0370:7334”, "threatType”:”spam”, "lastSeen”:”1678372385”}
...
Output parameters
| ip | IoC: IPv4 and IPv6 addresses. IPv6 feed also contains IPv4 addresses represented in the IPv6 notation. |
| threatType | The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic. |
| lastSeen | UNIX timestamp when the activity was detected last time. |
2. Malicious domain name data feed
- Filename format: tidf.%DATE%.daily.malicious-domains.[csv|jsonl]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-domains.csv.gz | 39MB | 286MB | 6,957,036 |
| malicious-domains.jsonl.gz | 42MB | 558MB | 6,957,036 |
Output format
CSV output format
domainName,threatType,lastSeen
example.com,malware,1678372385
example.org,spam,1678372385
...
JSONL output format
...
{"domainName": "example.com", "threatType":"malware", "lastSeen":"1678372385"}
{"domainName": "example.org", "threatType":"spam", "lastSeen":"1678372385"}
...
Output parameters
| domainName | IoC: domain name. |
| threatType | The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic. |
| lastSeen | UNIX timestamp when the activity was detected last time. |
3. Malicious URL data feed
- Filename format: tidf.%DATE%.daily.malicious-urls.[csv|jsonl]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-urls.csv.gz | 42MB | 116MB | 1,073,285 |
| malicious-urls.jsonl.gz | 44MB | 165MB | 1,073,285 |
Output format
CSV output format
url,host,threatType,lastSeen
"example.com/wp-admin.php?hack_me=1","example.com",malware,1678372385
"/bad_path/bad_file.php","",malware,1678372385
...
JSONL output format
...
{"url": "example.com/wp-admin.php?hack_me=1", "host": "example.com", "threatType":"malware", "lastSeen":"1678372385"}
{"url": "/bad_path/bad_file.php","host": "", "threatType":"malware", "lastSeen":"1678372385"}
...
Output parameters
| url | IoC: URL. It might be absolute (https://example.com/files/badfile.php) or relative (/files/badfile.php). Relative URLs do not have a corresponding domainName field. |
| host | Domain name or IP for absolute URLs. |
| threatType | The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic. |
| lastSeen | UNIX timestamp when the activity was detected last time. |
4. Malicious file hash data feed
- Filename format: tidf.%DATE%.daily.malicious-file-hashes.[csv|jsonl]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-file-hashes.csv.gz | 13MB | 35MB | 639,141 |
| malicious-file-hashes.jsonl.gz | 13MB | 64MB | 639,141 |
Output format
CSV output format
hash,algo,threatType,lastSeen
1118d9c97f4ababe8ffcecef0946bcc8,md5,malware,1678372385
930619bc49c9836d26a3a2b75a3db93934d26fcb,sha1,malware,1678372385
...
JSONL output format
...
{"hash": "1118d9c97f4ababe8ffcecef0946bcc8", "algo": "md5", "threatType":"malware", "lastSeen":"1678372385"}
{"hash": "930619bc49c9836d26a3a2b75a3db93934d26fcb", "algo": "sha1", "threatType":"malware", "lastSeen":"1678372385"}
...
Output parameters
| hash | IoC: file's checksum. The hashing algorithm is determined by the algorithm field. |
| algo | The algorithm used to generate the value in the hash field: md5 or sha1. |
| threatType | The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic. |
| lastSeen | UNIX timestamp when the activity was detected last time. |
5. Hosts files
A denylist in the hosts file format containing malicious domain names mapped to 0.0.0.0, to block access to them. Compatible with most operating systems. The denylist contains the IoCs active the day before the export.
- Filename format: tidf.%DATE%.daily.hosts
- Samples: tidf.2023-03-16.daily.hosts
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| hosts.gz | 34MB | 211MB | 6,813,347 |
Output format
...
0.0.0.0 example.com
0.0.0.0 example.org
...
6. Nginx ngx_http_access_module compatible IPv4/IPv6 denylists in CIDR notation
A list containing IPv4 and IPv6 ranges in CIDR notation formatted for the ngx_http_access_module. The file can be used in Nginx configuration to block malicious IP addresses. The denylist contains the IoCs active the day before the export.
- Filename format: tidf.%DATE%.daily.nginx-access.[v4|v6]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| nginx-access.v4.gz | 5.1MB | 30MB | 1,352,895 |
| nginx-access.v6.gz | 5.6MB | 44MB | 1,499,909 |
Output format
...
deny 203.0.113.1/31;
deny 2001:0db8:85a3::8a2e:0370:7334/127;
...
7. Raw IPv4/IPv6 denylists
A plain text denylist containing IPv4/IPv6 addresses to block. Can be used in web server or firewall configuration. The denylist contains the IoCs active the day before the export.
- Filename format: tidf.%DATE%.daily.deny-ips.[v4|v6]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| deny-ips.v4.gz | 3.1MB | 13MB | 929,017 |
| deny-ips.v6.gz | 3.4MB | 19MB | 933,565 |
Output format
...
203.0.113.1
2001:0db8:85a3::8a2e:0370:7334
...
8. Raw domain denylist
A plain text file containing domains to block. Can be used in web server or firewall configuration. The denylist contains the IoCs active the day before the export.
- Filename format: tidf.%DATE%.daily.deny-domains
- Samples: tidf.2023-03-16.daily.deny-domains
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| deny-domains.gz | 32MB | 159MB | 6,813,347 |
Output format
...
example.com
example.org
...
9. Raw CIDR denylist
A plain text denylist containing IP address ranges in CIDR notation to block. Can be used in web server or firewall configuration. The denylist contains all the active IoCs for the last 24 hours.
- Filename format: tidf.%DATE%.daily.deny-cidrs.[v4|v6].gz
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| deny-cidrs.v4.gz | 4.6MB | 23MB | 1,352,895 |
| deny-cidrs.v6.gz | 5.5MB | 36MB | 1,499,909 |
Output format
...
deny 1.0.0.0/32;
deny 1.0.1.21/32;
...
10. Malicious IPv4/IPv6 ranges in CIDR notation data feeds
A plain text denylist containing IP address ranges in CIDR notation to block. Can be used in web server or firewall configuration.
- Filename format: tidf.%DATE%.daily.malicious-cidrs.[v4|v6].[csv|jsonl]
- Samples:
Average file sizes
| Filename suffix | Avg. gzipped file size | Avg. unpacked file size | Records |
|---|---|---|---|
| malicious-cidrs.v4.csv.gz | 9.5MB | 64MB | 1,853,752 |
| malicious-cidrs.v4.jsonl.gz | 11MB | 133MB | 1,853,752 |
| malicious-cidrs.v6.csv.gz | 11MB | 83MB | 2,000,874 |
| malicious-cidrs.v6.jsonl.gz | 12MB | 158MB | 2,000,874 |
Output format
CSV output format
cidr,threatType,lastSeen
1.0.0.0/32,attack,1678412656
1.0.1.21/32,attack,1678360646
...
JSONL output format
...
{"cidr":"1.0.0.0/32","lastSeen":"1678412656","threatType":"attack"}
{"cidr":"1.0.1.21/32","lastSeen":"1678360646","threatType":"attack"}
...
Output parameters
| cidr | IoC: IPv4 and IPv6 ranges in CIDR notation. IPv6 feed also contains IPv4 ranges represented in the IPv6 notation; |
| threatType | The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic. |
| lastSeen | UNIX timestamp when the activity was detected last time. |
