The IOC Feed provides an hourly snapshot of IOCs extracted from samples processed by our service. The feed includes threat type information, malware identification, network indicators, and file indicators. Built with SOC teams, threat intelligence analysts, and incident responders in mind, this feed is designed for seamless integration into your SIEM and threat intelligence platforms. 

The IOC feed API returns results in a paginated JSON format, enabling teams to quickly track and identify campaigns in real time. Refer to the API documentation for details on accessing and utilizing the IOC feed.

IOC Feed Properties

The following list provides a high-level overview of the properties available for an entry in the IOC feed.

  • sha256: The SHA-256 hash of the file.
  • sha1: The SHA-1 hash of the file.
  • md5: The MD5 hash of the file.
  • file_type: The detected file type.
  • build_date: The build timestamp of the PE file, or 0 if unavailable.
  • file_size: The size of the file.
  • filenames: All observed public names of the file.
  • first_seen: Timestamp of the first public submission of the file.
  • last_seen: Timestamp of the last public submission of the file.
  • detections: A list of structured properties defining the malware detections for the file.
    • malware_family: The identified malware family.
    • classification: The classification of the file.
    • threat_type: The identified threat type.
    • confidence: Indicates the assigned confidence level of the malware classification and threat type.
    • attribution: Structured information related to the attribution information of the malware family or file.
    • detection_type: Information on the type of detection.
      • signature_based: Detection based on static signatures.
      • heuristic: Detection based on heuristic analysis.
  • command_and_control: Details of extracted command-and-control (C2) data.
    • type: The type of indicator, such as IP, Domain, or URL.
    • value: The value representing the command-and-control (C2) entry.
    • confidence: Indicates the assigned confidence level of the C2.
  • relationships: Specifies observed relationships for the file, gathered from our SourceIntel collection, partner sources and analysis.
    • sha256: The SHA-256 hash of the related file.
    • created: The timestamp indicating when the relationship was created.
    • tags: A list of tags that provide additional context for the relationship.
    • source: The source, such as a URL, IP, or domain.
    • ref: A list of references that provide additional context for the relationship source.
    • type: Specifies the source type.
    • relationship_type: Defines the type of relationship.

Example Feed Entry

An example feed entry is shown below:

{
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "file_type": "PE32 executable (GUI) Intel 80386, for MS Windows",
    "build_date": 1730491281,
    "file_size": 6289004,
    "filenames": [
        "sample.exe",
        "somemalware.exe",
        "d41d8cd98f00b204e9800998ecf8427e.bin"
    ],
    "first_seen": 1731024000,
    "last_seen": 1731196800,
    "detections": [
        {
            "malware_family": "Lumma Stealer",
            "classification": "MALICIOUS",
            "threat_type": "INFOSTEALER",
            "confidence": "high",
            "attribution": {},
            "detection_type": {
                "signature_based": true,
                "heuristic": false
            }
        }
    ],
    "command_and_control": [
        {
            "type": "domain",
            "value": "example.com",
            "confidence": "High"
        },
        {
            "type": "ip",
            "value": "127.0.0.1",
            "confidence": "High"
        },
        {
            "type": "url",
            "value": "https://example.com/landing.php",
            "confidence": "High"
        }
    ],
    "relationships": [
        {
            "sha256": "992262ba23565f27dceb953f9b58e9d3b320e483d91733df8dd890fac35f4f7c",
            "created": 1731085816,
            "tags": ["amadey"],
            "source": "http://127.0.0.1/inc/somemalware.exe",
            "ref": [
                "SourceIntel"
            ],
            "type": "loader",
            "relationship_type": "loader_download"
        }
    ]
}

Example IOC Result

Indicator Confidence

We use the following confidence levels to express the reliability of an indicator:

  • High: Strong evidence, including confirmed static detections, indicates the indicator is malicious with minimal uncertainty. These indicators are highly reliable and actionable.
  • Low: Indicators with limited static detection, often derived from heuristic detections, suggest potential malicious activity. These should be used as a basis for further investigation rather than being treated as confirmed threats.
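
The following is an added example, not code from the feed provider: a Python sketch of triaging one feed entry before SIEM ingestion, splitting command_and_control indicators by the confidence levels described above. The function names, the "actionable"/"investigate" buckets, the rule that non-routable IPs are never treated as actionable, and the constructed sample entry are assumptions made for illustration.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample, trimmed from the entry layout above; build_date and the
# URL confidence were changed so both edge cases are exercised.
SAMPLE_ENTRY = json.loads("""
{
  "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  "build_date": 0,
  "detections": [{"malware_family": "Lumma Stealer", "confidence": "high"}],
  "command_and_control": [
    {"type": "domain", "value": "example.com", "confidence": "High"},
    {"type": "ip", "value": "127.0.0.1", "confidence": "High"},
    {"type": "url", "value": "https://example.com/landing.php", "confidence": "Low"}
  ]
}
""")

def build_time(entry):
    """PE build time as a UTC datetime, or None when the feed reports 0 (unavailable)."""
    ts = entry.get("build_date", 0)
    return datetime.fromtimestamp(ts, tz=timezone.utc) if ts else None

def is_routable_ip(value):
    """True only for globally routable addresses; malformed input counts as unusable."""
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False

def triage(entry):
    """Split C2 indicators into 'actionable' (High) and 'investigate' (everything else)."""
    families = sorted({d.get("malware_family", "unknown") for d in entry.get("detections", [])})
    buckets = {"actionable": [], "investigate": []}
    for c2 in entry.get("command_and_control", []):
        kind = c2.get("type", "").lower()
        # The example entry mixes "high" and "High", so compare case-insensitively.
        confidence = c2.get("confidence", "").strip().lower()
        record = {"type": kind, "value": c2.get("value", ""),
                  "sha256": entry.get("sha256"), "families": families}
        # Assumption: a loopback/private IP is never pushed as actionable, whatever its confidence.
        usable = kind != "ip" or is_routable_ip(record["value"])
        bucket = "actionable" if confidence == "high" and usable else "investigate"
        buckets[bucket].append(record)
    return buckets
```

Each record keeps the originating sha256 and malware families so a SIEM match on a network indicator can be pivoted back to the sample that produced it.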