The IOC Feed provides an hourly snapshot of IOCs extracted from samples processed by our service. The feed includes threat type information, malware identification, network indicators, and file indicators. Built with SOC teams, threat intelligence analysts, and incident responders in mind, this feed is designed for seamless integration into your SIEM and threat intelligence platforms. 

The IOC feed API returns results in a paginated JSON format, enabling teams to quickly track and identify campaigns in realtime. Refer to the API documentation for details on accessing and utilizing the IOC feed.

IOC Feed Properties

The following list provides a high-level overview of the properties available for an entry in the IOC feed.

  • sha256: The SHA-256 hash of the file.
  • sha1: The SHA-1 hash of the file.
  • md5: The MD5 has of the file.
  • file_type: The detected file type.
  • build_date: The build timestamp of the PE file, or 0 if unavailable.
  • file_size: The size of the file.
  • filenames: All observed public names of the file.
  • first_seen: Timestamp of the first public submission of the file.
  • last_seen: Timestamp of the last public submission of the file.
  • detections:  A list of structured properties defining the malware detections for the file.
    • malware_family: The identified malware_family.
    • classification: The classification of the file.
    • threat_type: The identified threat type.
    • confidence: Indicates the assigned confidence level of the malware classification and threat type.
    • attribution: Structured information related to the attribution information of the malware family or file.
    • detection_type: Information on the type of detection.
      • signature_based: Detection based on static signatures.
      • heuristic: Detection based on heuristic analysis.
  • command_and_control: Details of extracted command-and-control (C2) data.
    • type: The Type of indicator, such as IP, Domain, or URL.
    • value: The value representing the command-and-control (C2) entry.
  • relationships: Specifies observed relationships for the file, gathered from our SourceIntel collection, partner sources and analysis.
    • sha256: The sha-256 hash of the related file.
    • created: The Timestamp indicating when the relationship was created.
    • tags: A list of tags that provide additional context for the relationship.
    • source: The source, such as, URL, IP, or Domain.
    • ref: A list references that provide additional context for the relationship source.
    • type: Specifies the source type.
    • relationship_type: Defines the type of relationship.

Example Feed Entry

An example of feed entry is shown below:

{
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
	"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
	"md5": "d41d8cd98f00b204e9800998ecf8427e",
	"file_type": "PE32 executable (GUI) Intel 80386, for MS Windows",
	"build_date": 1730491281,
	"file_size": 6289004,
	"filenames": [
		"sample.exe",
		"somemalware.exe",
        "d41d8cd98f00b204e9800998ecf8427e.bin"
	],
	"first_seen": 1731024000,
	"last_seen": 1731196800,
    "detections":[{
  	    "malware_family": "Lumma Stealer",
	    "classification": "MALICIOUS",
	    "threat_type": "INFOSTEALER",
	    "confidence": "high",
	    "attribution": {},
	    "detection_type": {
		    "signature_based": true,
		    "heuristic": false
        }
    }],
	"command_and_control": [
		{
			"type": "domain",
			"value": "example.com"
		},
		{
			"type": "ip",
			"value": "127.0.0.1"
		},
		{
			"type": "url",
			"value": "https://example.com/landing.php"
		}
	],
	"relationships": [
		{
			"sha256": "992262ba23565f27dceb953f9b58e9d3b320e483d91733df8dd890fac35f4f7c",
			"created": 1731085816,
			"tags": ["amadey"],
			"source": "http://127.0.0.1/inc/somemalware.exe",
			"ref": [
				"SourceIntel"
			],
			"type": "loader",
			"relationship_type": "loader_download"
		}
	]
}

Example IOC Result