curl -H "Authorization: Bearer sk_live_..." \
-H "Accept: application/stix+json;version=2.1" \
"https://socdefenders.ai/api/v1/iocs/stix?type=ipv4&since=2026-05-15T00:00:00Z&limit=500" \
-o socdefenders.stix.json

{
"type": "bundle",
"id": "bundle--12345678-1234-1234-1234-123456789abc",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--f8e75d96-8e4c-4b1a-9e3d-4f8a7b6c5d3e",
"created": "2024-01-01T00:00:00.000Z",
"modified": "2024-12-09T10:30:00.000Z",
"name": "SOC Defenders",
"identity_class": "organization"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--87654321-4321-4321-4321-abc123456789",
"created": "2024-12-08T14:30:00Z",
"modified": "2024-12-09T08:15:00Z",
"created_by_ref": "identity--f8e75d96-8e4c-4b1a-9e3d-4f8a7b6c5d3e",
"object_marking_refs": [
"marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb"
],
"name": "Malicious IPv4 Address - 192.168.1.1",
"indicator_types": [
"malicious-activity"
],
"pattern": "[ipv4-addr:value = '192.168.1.1']",
"pattern_type": "stix",
"valid_from": "2024-12-08T14:30:00Z",
"confidence": 85
}
]
}

Generates a STIX 2.1 bundle of Indicator SDOs (Structured Data Objects) for direct download. Use this when you want a one-shot bundle; for streaming/polling integrations use the TAXII 2.1 endpoints instead.
bundle
├── identity (SOC Defenders, optional)
├── marking-definition (TLP, optional)
└── indicator × N
Each indicator SDO carries:
- [ipv4-addr:value = '1.2.3.4'])
- tlp=)
- labels
- kill_chain_phases

By default, indicators are tagged with TLP based on their confidence. Override with tlp=:

- clear: share freely (low confidence)
- green: share within community (high confidence indicators by default)
- amber: limited distribution
- amber+strict: amber + need-to-know
- red: do not share

Both platforms accept STIX bundles via their threat-intel connectors. Download with format=bundle (default) and upload via their UI/API.
Requires the Pro plan (read:stix scope).
API key in X-API-Key header
Filter by IOC type. Generates patterns specific to each: ipv4-addr:value, domain-name:value, url:value, file:hashes, etc.
ipv4, ipv6, domain, url, md5, sha1, sha256, sha512, email, cve, mitre_attack
"ipv4"
Lower time bound (ISO 8601). Clamped to tier lookback.
"2026-05-15T00:00:00Z"
Maximum number of indicator SDOs in the bundle. Capped at 1000 per request.
x <= 1000
500
bundle wraps objects in a STIX Bundle (recommended — most tools expect this). objects returns just the array, no wrapper.
bundle, objects
"bundle"
Include a SOC Defenders Identity SDO that all indicators reference via created_by_ref. Most STIX consumers expect this; keep enabled unless your importer rejects unknown SDOs.
true
Include explicit TLP Marking Definition SDOs. Some tools require these to recognize TLP tagging on indicators; others auto-resolve them. Toggle on if your importer drops indicators whose object_marking_refs is unresolved.
true
Force a TLP level on every indicator (overrides the confidence-based default).
clear, green, amber, amber+strict, red
"amber"
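
A pre-import check for a downloaded bundle, added here as an example and not SOC Defenders' own code: it accepts either the bundle wrapper or the bare objects array, extracts the observable value from each simple equality pattern, and records any created_by_ref or object_marking_refs that do not resolve inside the download. The function names, the min_confidence threshold and the constructed sample (the example response above, trimmed) are assumptions.

```python
import json
import re

# Matches only single-comparison patterns such as [ipv4-addr:value = '1.2.3.4'].
SIMPLE_PATTERN = re.compile(r"^\[\s*([a-z0-9-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")

def load_objects(text):
    """Accept format=bundle (wrapper object) or format=objects (bare array)."""
    doc = json.loads(text)
    if isinstance(doc, dict) and doc.get("type") == "bundle":
        return doc.get("objects", [])
    if isinstance(doc, list):
        return doc
    raise ValueError("expected a STIX bundle or an array of STIX objects")

def preflight(text, min_confidence=0):
    """Return (usable, skipped) for the indicators in a downloaded bundle."""
    objects = load_objects(text)
    known_ids = {o["id"] for o in objects if "id" in o}
    usable, skipped = [], []
    for ind in (o for o in objects if o.get("type") == "indicator"):
        match = SIMPLE_PATTERN.match(ind.get("pattern", ""))
        if ind.get("pattern_type") != "stix" or not match:
            skipped.append(ind.get("id"))  # compound or non-STIX pattern
            continue
        if ind.get("confidence", 0) < min_confidence:
            continue
        # References that an importer would have to resolve from this download.
        refs = [ind.get("created_by_ref"), *ind.get("object_marking_refs", [])]
        usable.append({
            "id": ind.get("id"), "object_path": f"{match[1]}:{match[2]}",
            "value": match[3], "confidence": ind.get("confidence"),
            "unresolved": [r for r in refs if r and r not in known_ids]})
    return usable, skipped

# Constructed sample: the example response above, trimmed. It carries the
# identity but no marking-definition object, so the marking ref is unresolved.
SAMPLE = json.dumps({"type": "bundle", "id": "bundle--12345678-1234-1234-1234-123456789abc", "objects": [
    {"type": "identity", "id": "identity--f8e75d96-8e4c-4b1a-9e3d-4f8a7b6c5d3e", "name": "SOC Defenders"},
    {"type": "indicator", "id": "indicator--87654321-4321-4321-4321-abc123456789",
     "created_by_ref": "identity--f8e75d96-8e4c-4b1a-9e3d-4f8a7b6c5d3e",
     "object_marking_refs": ["marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb"],
     "pattern": "[ipv4-addr:value = '192.168.1.1']", "pattern_type": "stix", "confidence": 85}]})

if __name__ == "__main__":
    usable, skipped = preflight(SAMPLE, min_confidence=70)
    for row in usable:
        print(row["object_path"], row["value"], row["confidence"], row["unresolved"])
```

A non-empty unresolved list on an indicator is the case the marking-definition toggle above addresses.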