The Enterprise IOC Feed turns research into proactive defense. It strengthens your threat detection and response posture by pushing intelligence directly into your security stack. Feeds deliver threat intelligence from Flare into your existing security tooling (SIEM, SOAR, EDR, TIP, or firewalls) in industry-standard STIX 2.1 format via the TAXII 2.1 protocol.

The Enterprise IOC Feed is delivered as two TAXII feeds:

 Carries the intelligence objects themselves, including indicators, malware, threat actors, campaigns, and the other entity types.

 Carries the STIX relationships that connect those objects to one another, for example linking an indicator to the malware, campaign, and threat actor it belongs to.

Both feeds use the same configuration. They use TAXII 2.1, with basic authentication using your Flare API key. Each feed points to its own TAXII endpoint and collection, which Flare provides.

Support for the core indicator types security teams rely on, such as, domains, URLs, IPs, file hashes, campaigns, threat actor profiles, and intrusion sets.

: All feeds use STIX 2.1 for the intelligence format and TAXII 2.1 as the transport protocol. This is the industry standard and most SIEMs, SOARs, TIPs, and EDRs support it natively. Your existing tooling can consume these feeds without custom integration work.

 Indicators are delivered with their full relationship context intact. An indicator links to the campaign it belongs to, which links to the threat actor behind it, which links to the associated malware family. Your TIP receives queryable, traversable intelligence, not a flat list.

: In addition to the TAXII feeds, Flare provides a programmatic IOC API. This allows you to push indicators directly from Flare research into downstream blocking rules without waiting for the next feed poll cycle.

Click through the following product tour to learn how to integrate the Enterprise IOC Feed into your existing security stack. 

Saved Queries

Enterprise IOC Feed

Sandbox

Flare

docs.flare.io

Welcome to Flare!

What We Are Working On

Get Started

Unresolved Events

Event Trends

Event Explorer

Identifier Trends

Dashboard

Respond to Leaked Credentials Events

Respond to Look-alike Domains Events

Respond to Open Web Events

Respond to .ph Domain Alerts

Respond to Illicit Networks Events

Playbooks

Flare Executive and VIP Monitoring

GUIDES

Actions

Event Categories

Search in Existing Data

Understand Event Severity

Forum Thread Intelligence

Actor Intelligence

Open Ports

Events

Email Alerts

Alert Central

Configure Identifiers

Configure Identifiers - Advanced

Identifier Recommendations

Matching Policies for Identifiers

Identifiers - Listing Subdomains

Rate-limiting of identifier event feeds

Identifiers

Collection Overview

Telegram Channels

Breaches

Collection Data Categories

Collection

Scheduled Reports

Reports Migration FAQ

Reports

Global Search - Quota

Global Search

Supply Chain Ransomware Exposure Monitoring

Takedown Services

Account and Session Takeover Prevention

CORE FEATURES

IEM Okta Setup

IEM Entra ID Setup

IEM Credential Browser

Identity Profile

IEM FAQ

Identity Exposure Management Overview

Use Cases

Credentials Browser

IDENTITY EXPOSURE

Intelligence Browser

Threat Flow

The CTI Module

THREAT INTELLIGENCE

Integrations Hub

Tenants

Team

Usage

Audit Logs

Roles & Permissions

Profile

SSO SAML Configuration

SSO and Authentication

Policies

Pre-Sales Tenants

CONFIGURE FLARE

Azure Sentinel IOC Feed Setup

Sentinel Integration

Azure Sentinel Integration (Legacy)

Discord

Jira

Microsoft Entra ID

ServiceNow

Slack

Splunk Cloud (Legacy)

Splunk App

Microsoft Teams

Webhooks

INTEGRATIONS

Illicit Networks

Source Code Secret Detection

Open Web

Leaked Credentials

Permutation strategies

Look-alike Domains

Emerging Sources

DATA SOURCES

Product Specifications

Fraudster Jargon

Data Fields

Queries

Event Date Fields

Asset Relations

REFERENCES

RESEARCH CENTER