Export IOCs as a STIX 2.1 bundle
Generates a STIX 2.1 bundle of Indicator SDOs (STIX Domain Objects) for direct download. Use this when you want a one-shot bundle; for streaming/polling integrations use the TAXII 2.1 endpoints instead.
Bundle structure
bundle
├── identity (SOC Defenders, optional)
├── marking-definition (TLP, optional)
└── indicator × N
Each indicator SDO carries:
- A STIX 2.1 pattern (e.g. [ipv4-addr:value = '1.2.3.4'])
- A TLP marking (mapped from our confidence: high→green, medium→amber, low→clear, or override with tlp=)
- Tags as STIX labels
- MITRE references via kill_chain_phases
TLP markings
By default, indicators are tagged with TLP based on their confidence. Override with tlp=:
- clear: share freely (low confidence indicators by default)
- green: share within community (high confidence indicators by default)
- amber: limited distribution (medium confidence indicators by default)
- amber+strict: amber + need-to-know
- red: do not share
Splunk ES / Sentinel ingestion
Both platforms accept STIX bundles via their threat-intel connectors. Download with format=bundle (default) and upload via their UI/API.
Requires the Pro plan (read:stix scope).
Authorizations
API key in X-API-Key header
Query Parameters
Filter by IOC type. Generates patterns specific to each: ipv4-addr:value, domain-name:value, url:value, file:hashes, etc.
Allowed values: ipv4, ipv6, domain, url, md5, sha1, sha256, sha512, email, cve, mitre_attack. Example: "ipv4"

Lower time bound (ISO 8601). Clamped to tier lookback.
Example: "2026-05-15T00:00:00Z"

Maximum number of indicator SDOs in the bundle. Capped at 1000 per request.
Constraint: x <= 1000. Example: 500

bundle wraps objects in a STIX Bundle (recommended — most tools expect this). objects returns just the array, no wrapper.
Allowed values: bundle, objects. Example: "bundle"

Include a SOC Defenders Identity SDO that all indicators reference via created_by_ref. Most STIX consumers expect this; keep enabled unless your importer rejects unknown SDOs.
Example: true

Include explicit TLP Marking Definition SDOs. Some tools require these to recognize TLP tagging on indicators; others auto-resolve them. Toggle on if your importer drops indicators whose object_marking_refs is unresolved.
Example: true

Force a TLP level on every indicator (overrides the confidence-based default).
Allowed values: clear, green, amber, amber+strict, red. Example: "amber"
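As an added illustration (not the service's own exporter code), the following Python builds a bundle with the shape and rules documented above: one pattern template per IOC type, the confidence-to-TLP default with a tlp= override, and the optional Identity and Marking Definition SDOs from the include toggles. The UUID namespace, sample IOCs and marking-definition ids are constructed for the example; a production exporter would use the fixed TLP marking-definition ids from the STIX 2.1 specification, and the MITRE kill_chain_phases mapping is left out.

```python
import uuid
from datetime import datetime, timezone

NS = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed namespace for deterministic ids
CONF_TO_TLP = {"high": "green", "medium": "amber", "low": "clear"}  # documented default mapping
TLP_LEVELS = ("clear", "green", "amber", "amber+strict", "red")      # accepted tlp= override values
PATTERNS = {  # one STIX 2.1 pattern template per IOC type; dashed hash keys must be quoted
    "ipv4": "[ipv4-addr:value = '{}']", "ipv6": "[ipv6-addr:value = '{}']",
    "domain": "[domain-name:value = '{}']", "url": "[url:value = '{}']",
    "md5": "[file:hashes.MD5 = '{}']", "sha1": "[file:hashes.'SHA-1' = '{}']",
    "sha256": "[file:hashes.'SHA-256' = '{}']", "sha512": "[file:hashes.'SHA-512' = '{}']",
    "email": "[email-addr:value = '{}']",
}
SAMPLE_IOCS = [  # constructed sample input, not real indicators
    {"type": "ipv4", "value": "203.0.113.10", "confidence": "high", "tags": ["c2"]},
    {"type": "domain", "value": "it's.example", "confidence": "medium"},
    {"type": "sha256", "value": "a" * 64, "confidence": "low"},
]

def stix_id(kind, *parts):
    return f"{kind}--{uuid.uuid5(NS, '|'.join(parts))}"

def make_pattern(ioc_type, value):
    # Escape backslash and quote so an IOC value cannot break out of the pattern's string literal.
    return PATTERNS[ioc_type].format(value.replace("\\", "\\\\").replace("'", "\\'"))

def build_bundle(iocs, tlp=None, include_identity=True, include_markings=True):
    if tlp not in (None, *TLP_LEVELS):
        raise ValueError(f"unknown TLP level {tlp!r}")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    identity_id, objects, levels = stix_id("identity", "SOC Defenders"), [], set()
    if include_identity:
        objects.append({"type": "identity", "spec_version": "2.1", "id": identity_id, "created": now,
                        "modified": now, "name": "SOC Defenders", "identity_class": "organization"})
    for ioc in iocs:
        level = tlp or CONF_TO_TLP[ioc["confidence"]]  # tlp= override beats the confidence default
        levels.add(level)
        ind = {"type": "indicator", "spec_version": "2.1", "created": now, "modified": now,
               "id": stix_id("indicator", ioc["type"], ioc["value"]), "valid_from": now,
               "pattern": make_pattern(ioc["type"], ioc["value"]), "pattern_type": "stix",
               "object_marking_refs": [stix_id("marking-definition", "tlp", level)],
               **({"labels": list(ioc["tags"])} if ioc.get("tags") else {}),  # tags -> labels
               **({"created_by_ref": identity_id} if include_identity else {})}
        objects.append(ind)
    if include_markings:  # one TLP marking-definition per level actually referenced
        for lv in sorted(levels):
            objects.append({"type": "marking-definition", "spec_version": "2.1", "created": now,
                            "id": stix_id("marking-definition", "tlp", lv), "definition_type": "tlp",
                            "name": f"TLP:{lv.upper()}", "definition": {"tlp": lv}})
    return {"type": "bundle", "id": stix_id("bundle", now), "objects": objects}
```

Labels are only emitted when tags exist, because STIX 2.1 rejects empty list properties, and the domain sample shows why the pattern value must be escaped before interpolation.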