Bulk Data feeds
Bulk Data is the right surface when you need every ELLIO indicator at once - for example, a Splunk lookup, a Google SecOps UDM ingest, or a daily archive in your data lake. Bulk feeds are downloads, not APIs; consume them on the schedule that fits your pipeline.
Browse the catalogue at platform.ellio.tech/dashboard/data-feeds/bulk-data.
Cadences
| Cadence | Behaviour |
|---|---|
| Always-Latest | A single URL that always points at the most recent snapshot. Suitable for SIEM lookups where you want "today's data". |
| Historical | A versioned archive of dated snapshots, typically the last 90+ days. Suitable for back-testing, evidence preservation, and offline analysis. |
Data sets
ELLIO Threat Intelligence (Non-Spoofable)
Every IP ELLIO observed in the last 90 days where a completed TCP handshake confirmed the source. Because the handshake proves the sender actually holds that address, these indicators cannot be spoofed and can be trusted for automated decisions.
| Format | Cadence | What you get |
|---|---|---|
| Splunk LUT | Daily, Always-Latest | Splunk lookup table for use with the lookup command. Drop into a Splunk app and pivot in SPL. |
| Google SecOps UDM | Daily, Always-Latest | Google SecOps Unified Data Model - direct ingest into a Chronicle/SecOps pipeline. |
| JSONL | Daily, Historical (typically 6+ snapshots) | One indicator per line. Universal format for custom pipelines. |
A typical record carries:
{
"ip": "5.189.157.228",
"cve": ["CVE-2017-9841", "CVE-2021-3129"],
"dst": {"geo": [{"city": "...", "country": {...}}]},
"src": {"asn": {...}, "geo": {...}},
"fingerprints": {"muonfp": "...", "ja4": "...", "ja3": "..."},
"ports": [...],
"tags": [...],
"first_seen": "...",
"last_seen": "..."
}
The exact schema is shown live on the feed's detail page in the platform. A sample preview is available without an active subscription.
ELLIO Threat Intelligence (Spoofable)
Same shape as the non-spoofable feed, scoped to IPs without a confirmed TCP handshake. Use these for advisory signals only - they may include spoofed sources.
Same three formats: Splunk LUT, Google SecOps UDM, JSONL. Same cadences.
PTR rDNS IPv4
Reverse DNS observations for IPv4 hosts. Two cadences:
- Daily - fresh PTR snapshot per day, typically with 100+ days of history retained.
- Weekly - PTR snapshot per week, typically with 17+ snapshots retained.
Format: JSONL. Useful for attribution research, naming-convention pivots, and rDNS-aware enrichment.
Accessing a feed
Each feed page in the platform has two panels:
- Sample Data - Preview. A short JSON preview of the most recent snapshot. Always visible.
- Programmatic Access - Direct download. Returns a fresh signed URL on demand. Available when your plan includes the feed.
Versions older than the latest are listed in the Versions table at the bottom, with file name, publication timestamp, record count, and size. Each older version has its own download button.
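The Historical cadence and the Versions table only pay off if a back-test uses the snapshot that existed when an event happened, and if a preserved download can be checked against the listed record count and size. The following added example (not ELLIO's own code) shows both: it picks the newest snapshot published at or before an event timestamp, and it verifies a downloaded file against its Versions-table row. The table rows, the file-name pattern and the byte sizes are constructed for illustration.

```python
"""Choose the right historical snapshot for a back-test, and verify a download.

Added example, not ELLIO's code. VERSIONS mimics the Versions table described on
the feed page (file name, publication timestamp, record count, size); all values
and the file-name pattern are constructed assumptions.
"""
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed Versions-table rows; sizes are in bytes.
VERSIONS = [
    {"file": "ellio-ti-2024-05-18.jsonl", "published": "2024-05-18T06:00:00Z",
     "records": 120345, "size": 41_000_000},
    {"file": "ellio-ti-2024-05-19.jsonl", "published": "2024-05-19T06:00:00Z",
     "records": 121002, "size": 41_200_000},
    {"file": "ellio-ti-2024-05-20.jsonl", "published": "2024-05-20T06:00:00Z",
     "records": 119870, "size": 40_900_000},
]


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; tolerate the trailing 'Z' that older
    Python versions of fromisoformat reject."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def snapshot_for(event_time: str, versions: List[dict]) -> Optional[dict]:
    """Return the newest snapshot published at or before event_time.

    Using a later snapshot would leak intelligence that did not yet exist when
    the event occurred and inflate the back-test's apparent detection rate.
    Returns None when no retained snapshot predates the event.
    """
    when = _ts(event_time)
    candidates = [v for v in versions if _ts(v["published"]) <= when]
    if not candidates:
        return None
    return max(candidates, key=lambda v: _ts(v["published"]))


def verify_snapshot(version: dict, data: bytes) -> Tuple[bool, List[str]]:
    """Check a downloaded JSONL file against its Versions-table row.

    Compares the byte length to the listed size and the number of non-empty
    lines to the listed record count, so an evidence archive can detect a
    truncated or altered download before it is relied upon.
    """
    problems: List[str] = []
    if len(data) != version["size"]:
        problems.append(f"size mismatch: got {len(data)}, expected {version['size']}")
    lines = sum(1 for ln in data.splitlines() if ln.strip())
    if lines != version["records"]:
        problems.append(f"record count mismatch: got {lines}, expected {version['records']}")
    return (not problems, problems)


if __name__ == "__main__":
    chosen = snapshot_for("2024-05-19T12:00:00Z", VERSIONS)
    print("snapshot for event:", chosen["file"] if chosen else None)
    sample = b'{"ip": "203.0.113.1"}\n{"ip": "203.0.113.2"}\n'  # constructed download
    row = {"file": "demo.jsonl", "published": "2024-05-20T06:00:00Z",
           "records": 2, "size": len(sample)}
    print("verify:", verify_snapshot(row, sample))
```

Store the Versions-table row (or at least its record count and size) alongside each archived file; without it, a later integrity check has nothing to compare against.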
Common patterns
Splunk lookup
- Subscribe to ELLIO Threat Intelligence - Splunk (Always-Latest, Daily).
- Schedule a Splunk forwarder to download the LUT into your Splunk app.
- In SPL:
... | lookup ellio_ti ip OUTPUT classification, tags, asn, country
Google SecOps ingest
- Subscribe to ELLIO Threat Intelligence - Google SecOps UDM (Always-Latest, Daily).
- Configure SecOps to ingest the daily UDM file from the signed URL.
- Indicators appear in your Entity Graph and are matchable in YARA-L rules.
Custom pipeline (JSONL)
- Subscribe to one of the JSONL feeds.
- Download the latest snapshot daily (cron or workflow tool).
- Parse line-by-line into your data lake or enrichment cache.
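The parse step above is where pipelines usually go wrong: one malformed line aborts the whole load, or spoofable and non-spoofable records end up indistinguishable in the cache. The following added example (not ELLIO's own code) parses JSONL snapshots line by line into an in-memory enrichment cache, tags each record with the feed it came from so that only non-spoofable hits are eligible for automated action, and enriches sample events by source IP. The record shape follows the sample record shown on this page; the snapshot lines, event records and field values are constructed for illustration.

```python
"""Custom JSONL pipeline: snapshot lines -> enrichment cache -> enriched events.

Added example, not ELLIO's code. Record fields follow the sample record on this
page; the snapshot text, events and values below are constructed.
"""
import json
from typing import Dict, List

# Constructed lines in the shape of the non-spoofable JSONL feed.
# The third line is deliberately malformed to show that one bad line is skipped.
SAMPLE_NON_SPOOFABLE = """\
{"ip": "203.0.113.10", "cve": ["CVE-2017-9841"], "ports": [80, 443], "tags": ["scanner"], "first_seen": "2024-05-01T00:00:00Z", "last_seen": "2024-05-20T00:00:00Z"}
{"ip": "203.0.113.11", "cve": [], "ports": [22], "tags": ["bruteforce"], "first_seen": "2024-05-10T00:00:00Z", "last_seen": "2024-05-21T00:00:00Z"}
not valid json at all
"""

# Constructed line in the shape of the spoofable JSONL feed.
SAMPLE_SPOOFABLE = """\
{"ip": "198.51.100.7", "cve": [], "ports": [53], "tags": ["udp-probe"], "first_seen": "2024-05-15T00:00:00Z", "last_seen": "2024-05-21T00:00:00Z"}
"""

# Constructed firewall-style events to enrich.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.10", "dst_port": 443},
    {"src_ip": "198.51.100.7", "dst_port": 53},
    {"src_ip": "192.0.2.1", "dst_port": 22},
]


def parse_jsonl(text: str, confidence: str) -> Dict[str, dict]:
    """Parse one indicator per line into an ip -> record map.

    Blank and malformed lines are skipped instead of aborting the load. Every
    record is tagged with the confidence of the feed it came from:
    'confirmed' for the non-spoofable feed, 'advisory' for the spoofable one.
    """
    cache: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not poison the whole cache
        ip = rec.get("ip")
        if not isinstance(ip, str):
            continue
        rec["confidence"] = confidence
        cache[ip] = rec
    return cache


def build_cache() -> Dict[str, dict]:
    """Merge both feeds; a confirmed record wins over an advisory one for the same IP."""
    cache = parse_jsonl(SAMPLE_SPOOFABLE, "advisory")
    cache.update(parse_jsonl(SAMPLE_NON_SPOOFABLE, "confirmed"))
    return cache


def enrich(event: dict, cache: Dict[str, dict]) -> dict:
    """Attach ELLIO context keyed by source IP and say whether the hit may
    drive automated action (confirmed only) or is advisory."""
    out = dict(event)
    hit = cache.get(event.get("src_ip"))
    if hit is None:
        out["ellio_match"] = False
        return out
    out["ellio_match"] = True
    out["ellio_confidence"] = hit["confidence"]
    out["ellio_tags"] = hit.get("tags", [])
    out["ellio_cve"] = hit.get("cve", [])
    out["auto_block_eligible"] = hit["confidence"] == "confirmed"
    return out


def run_pipeline() -> List[dict]:
    """Build the cache once, then enrich every sample event."""
    cache = build_cache()
    return [enrich(e, cache) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for enriched in run_pipeline():
        print(json.dumps(enriched))
```

In a real deployment the two feed strings would be the daily downloads, and the cache would be rebuilt on each run so that stale indicators age out as `last_seen` drops out of the 90-day window.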
Programmatic credentials
The Credentials button at the top of the Bulk Data dashboard issues short-lived tokens for the direct-download endpoints. Rotate these on a schedule that matches your security policy. For UI-driven downloads, the session cookie is enough.
See also
- Connectors - continuous delivery into SIEMs and MISP (Sentinel TAXII, MISP feed).
- CTI API - on-demand lookup, per IP.
- Microsoft Sentinel TAXII - STIX/TAXII into Microsoft Sentinel.
- MISP Feed - native feed-sync into MISP.