Networking Indicators TAXII Feeds - Flexible Intel Feed API (TCTF-0003)
The Flexible Intel Feed is a curated, private threat intelligence feed delivered via the TAXII 2.1 protocol in STIX 2.1 format.
This feed provides structured Indicators of Compromise (IOCs) based on your organization's submissions to Spectra Intelligence. The data is enriched with context from across the ReversingLabs product portfolio and made available through a TAXII-compatible API.
- The feed is read-only.
- Data is scoped to your Spectra Intelligence account configured on the Spectra Analyze appliance.
- Supports integration with third-party platforms like OpenCTI.
- A typical usage pattern is to poll the objects endpoint regularly using the added_after filter.
Retention period: The feed contains data submitted within the past 30 days.
Feed access is authenticated and personalized per account. Each user is assigned a unique TAXII collection, available under a dedicated API root.
To enable the feed and obtain connection credentials, refer to the Spectra Analyze Flexible Intel Feed documentation.
Once the feed is enabled, Spectra Analyze displays a pop-up with the connection details:
- TAXII Discovery URL: https://data.reversinglabs.com/api/taxii/taxii2/
- API Root: https://data.reversinglabs.com/api/taxii/flexible-intel-feeds/
- Collection ID: A unique ID assigned to your Spectra Intelligence account. Used to query your private STIX feed.
- Username: Your Spectra Intelligence username with /fif appended. Example: u/company/user/a1000 → u/company/user/a1000/fif
- Password: Shown only once in the UI. Save it securely or regenerate it if lost.
Authentication
Access to the Flexible Intel Feed requires Basic Authentication using credentials provided when the feed was enabled.
All requests must include:
Authorization: Basic <base64(username:password)>
Accept: application/taxii+json;version=2.1
User-Agent: ReversingLabs TAXII FIF Public Docs Example
Endpoints
Discovery
GET https://data.reversinglabs.com/api/taxii/taxii2/
Returns a list of available TAXII API roots.
API Root
GET https://data.reversinglabs.com/api/taxii/flexible-intel-feeds/
Describes the Flexible Intel Feed root and its associated collections.
Collections
GET https://data.reversinglabs.com/api/taxii/flexible-intel-feeds/collections/
Returns the list of collections available under this root. Each user receives a single private collection.
STIX Objects
Retrieves STIX 2.1 objects from your private feed collection.
GET https://data.reversinglabs.com/api/taxii/flexible-intel-feeds/collections/<collection-id>/objects/
Query Parameters
Parameter | Description |
---|---|
added_after | Return only objects added after a given ISO 8601 timestamp |
Example
curl --location 'https://data.reversinglabs.com/api/taxii/flexible-intel-feeds/collections/49f2c125-4854-5a12-a0fd-62400f5a7af7/objects/?added_after=2025-06-09T11%3A00%3A00.000Z' \
--header 'Accept: application/taxii+json;version=2.1' \
--header 'User-Agent: ReversingLabs TAXII FIF Public Docs Example' \
--header 'Authorization: Basic <base64_token>'
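The polling pattern described above, as an added Python example (not ReversingLabs code): it builds the authenticated objects request and advances the added_after checkpoint between polls. The function names, the User-Agent string and the use of the TAXII 2.1 X-TAXII-Date-Added-Last response header are assumptions; the page does not say whether the service sends that header, so the code falls back when it is absent.

```python
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API_ROOT = "https://data.reversinglabs.com/api/taxii/flexible-intel-feeds/"

def build_objects_request(collection_id, username, password, added_after=None):
    """Build the GET request for the private collection's objects endpoint."""
    if not username.endswith("/fif"):  # feed login is the account name plus /fif
        username += "/fif"
    url = f"{API_ROOT}collections/{urllib.parse.quote(collection_id, safe='')}/objects/"
    if added_after:
        url += "?" + urllib.parse.urlencode({"added_after": added_after})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/taxii+json;version=2.1",
        "User-Agent": "fif-poller-example",  # hypothetical client name
    })

def poll_once(collection_id, username, password, checkpoint=None, send=None):
    """Fetch objects added after `checkpoint`; return (objects, next_checkpoint)."""
    send = send or (lambda req: urllib.request.urlopen(req, timeout=30))
    started = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    resp = send(build_objects_request(collection_id, username, password, checkpoint))
    objects = json.loads(resp.read()).get("objects", [])
    # Assumption: the server sets the TAXII 2.1 X-TAXII-Date-Added-Last header.
    # Without it, an empty poll keeps the old checkpoint and a non-empty poll
    # falls back to the time this poll started.
    last = resp.headers.get("X-TAXII-Date-Added-Last")
    return objects, last or (started if objects else checkpoint)
```

Load the password from a secrets store or environment variable rather than source code, and deduplicate objects by id downstream, since the fallback checkpoint can return an object twice.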
Response Example
Object Types
The feed returns STIX 2.1 objects wrapped in a {"objects": [...]} structure.
Typical object types include:
- url, domain-name, ipv4-addr, file: Basic observable IOCs
- indicator: Structured detection logic (e.g. "match if SHA256 is X")
- malware: Classification and metadata about malware families
- relationship: Links between objects (e.g., "this indicator indicates this malware")
The object structure follows the STIX 2.1 specification.
{
  "objects": [
    {
      "id": "url--8e9478a4-ea09-5679-8b79-9661ee249f68",
      "type": "url",
      "value": "http://down.yueshou.net",
      "spec_version": "2.1"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9e7e69a6-7782-5be1-91a9-faa524e4e4b2",
      "created": "2025-06-09T11:09:41Z",
      "modified": "2025-06-09T11:09:41Z",
      "created_by_ref": "identity--b0228148-e101-5bcb-ae0f-220c1a65f2f0",
      "relationship_type": "based-on",
      "source_ref": "indicator--af979875-b9b8-5dd4-9417-66e1560bcd23",
      "target_ref": "url--8e9478a4-ea09-5679-8b79-9661ee249f68"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--af979875-b9b8-5dd4-9417-66e1560bcd23",
      "created": "2025-06-09T11:09:41Z",
      "modified": "2025-06-09T11:09:41Z",
      "valid_from": "2025-06-09T11:09:41Z",
      "valid_until": "2025-07-09T11:09:41Z",
      "created_by_ref": "identity--b0228148-e101-5bcb-ae0f-220c1a65f2f0",
      "name": "http://down.yueshou.net",
      "description": "Malware file was observed to contact an URL",
      "confidence": 60,
      "indicator_types": ["malicious-activity"],
      "pattern_type": "stix",
      "pattern": "[url:value = 'http://down.yueshou.net']",
      "labels": ["ReversingLabs", "sample-source"]
    },
    {
      "id": "domain-name--d4bb29e6-946c-5718-9179-5d49f9656337",
      "type": "domain-name",
      "value": "bzqcb.kxq79.com",
      "spec_version": "2.1"
    },
    {
      "id": "file--d0ad5c70-a0b4-5585-beeb-1f8b6879c4c6",
      "type": "file",
      "hashes": {
        "SHA-1": "62defcf5a81f6def01e80822cec8f5cac8e5c807",
        "SHA-256": "ef087454771bc2a6bd9a00d110451baa2ba79ca58be7339b7e05abcc3eeb4a62",
        "MD5": "68ad68a69313bc151f2de06e3d68f4f0"
      },
      "size": 2347784,
      "name": "62defcf5a81f6def01e80822cec8f5cac8e5c807.rl"
    }
  ]
}
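A consumer usually needs each indicator joined to the observable it is based on, with expired entries dropped before anything reaches a blocklist. The following is an added Python example, not ReversingLabs code; the function names and the sample envelope (constructed, with shortened ids and placeholder values) are assumptions that mirror the shape of the response above.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the response example above (ids shortened).
SAMPLE = {"objects": [
    {"type": "url", "id": "url--1", "value": "http://malicious.example/a"},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "based-on",
     "source_ref": "indicator--1", "target_ref": "url--1"},
    {"type": "indicator", "id": "indicator--1", "confidence": 60,
     "pattern": "[url:value = 'http://malicious.example/a']",
     "valid_from": "2025-06-09T11:09:41Z", "valid_until": "2025-07-09T11:09:41Z"},
    {"type": "indicator", "id": "indicator--2", "confidence": 60,
     "pattern": "[domain-name:value = 'old.example']",
     "valid_from": "2025-04-01T00:00:00Z", "valid_until": "2025-05-01T00:00:00Z"},
]}

def parse_ts(value):
    """Parse a STIX timestamp such as 2025-06-09T11:09:41Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def active_indicators(envelope, now=None, min_confidence=0):
    """Return currently valid indicators joined to the observables they are based on."""
    now = now or datetime.now(timezone.utc)
    by_id = {obj["id"]: obj for obj in envelope.get("objects", [])}
    based_on = {}  # indicator id -> [(observable type, value or SHA-256)]
    for rel in by_id.values():
        if rel["type"] != "relationship" or rel.get("relationship_type") != "based-on":
            continue
        target = by_id.get(rel["target_ref"])
        if target is None:
            continue  # observable was not part of this response
        value = target.get("value") or target.get("hashes", {}).get("SHA-256")
        based_on.setdefault(rel["source_ref"], []).append((target["type"], value))
    rows = []
    for ind in by_id.values():
        if ind["type"] != "indicator" or ind.get("confidence", 0) < min_confidence:
            continue
        if parse_ts(ind["valid_from"]) > now:
            continue  # not valid yet
        if "valid_until" in ind and parse_ts(ind["valid_until"]) <= now:
            continue  # expired: keep it out of blocklists
        rows.append({"id": ind["id"], "pattern": ind["pattern"],
                     "confidence": ind.get("confidence"),
                     "observables": based_on.get(ind["id"], [])})
    return rows
```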
Example Use Cases
Any file submitted to Spectra Intelligence becomes part of the Flexible Intel Feed, whether submitted manually, via API, through connectors, or from features like Bulk Search or YARA matching. Once analyzed, any verified malicious content is enriched with ReversingLabs metadata and exposed in STIX format via the TAXII API.
You can use this mechanism to enrich IOCs from multiple workflows, such as:
Bulk Search
- Log into Spectra Analyze.
- Perform a Bulk Search: Paste a list of unstructured IOCs (e.g., hashes or URLs) copied from another threat source.
- Review the Cloud matches, then select Fetch and Analyze.
- The appliance will analyze the retrieved files. Any verified malicious IOCs will be enriched with ReversingLabs metadata and included in your Flexible Intel Feed.
This workflow allows you to convert external threat data into enriched, structured STIX IOCs accessible via TAXII — ready for integration into downstream tools like OpenCTI.
YARA
- Log into Spectra Analyze.
- Deploy a YARA rule to perform a live or retroactive hunt.
- Review the Cloud matches, then select Fetch and Analyze.
- The appliance will analyze the retrieved files and populate the Flexible Intel Feed with any verified malicious IOCs.
This enables you to extend YARA-based detection into a structured intelligence workflow, turning raw match results into curated, machine-readable STIX indicators.