Export Formats
Export IOCs as CEF or RFC 5424 Syslog events
Stream IOCs as either CEF (Common Event Format, ArcSight-compatible) or RFC 5424 Syslog. Designed to be piped into a SIEM ingestion pipeline.
Output
- format=cef (default): One CEF line per IOC. Example header: CEF:0|SOCDefenders|ThreatIntel|1.0|ipv4|Malicious IPv4|6|src=192.168.1.1 ...
- format=syslog: RFC 5424 lines with structured-data sections.
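A minimal consumer-side parser for the CEF lines described above, useful for validating the stream before it is forwarded to a SIEM (added example, not SOCDefenders code). Both sample lines are constructed: the header fields and src follow the example above, while the msg and request extension fields and the url event are assumptions made for illustration.

```python
import re

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)(\w+)=")  # "\=" in a value never matches: "\" is not a key char
_UNESC = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}

# Constructed sample lines (msg/request fields are assumed, not documented by the API).
SAMPLE_IP = r"CEF:0|SOCDefenders|ThreatIntel|1.0|ipv4|Malicious IPv4|6|src=192.168.1.1 msg=seen in feed a\=b"
SAMPLE_URL = (r"CEF:0|SOCDefenders|ThreatIntel|1.0|url|Malicious URL \| phishing|6|"
              r"request=http://example.test/?q\=1")

def _split_header(body):
    """Split on the first 7 unescaped '|'; return (header parts, raw extension)."""
    parts, buf, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            buf.append(body[i + 1])      # escaped pipe or backslash inside a header field
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return parts, body[i:]

def parse_extension(ext):
    """Parse 'k=v k2=v with spaces': each value runs up to the next ' key='."""
    fields, hits = {}, list(_KEY.finditer(ext))
    for m, nxt in zip(hits, hits[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        fields[m.group(1)] = re.sub(r"\\([=\\nr])", lambda e: _UNESC[e.group(1)], raw)
    return fields

def parse_cef(line):
    # A raw line break inside an event would be split into two events downstream.
    if "\n" in line or "\r" in line:
        raise ValueError("embedded line break: expected one event per line")
    if not line.startswith("CEF:"):
        raise ValueError("missing CEF: prefix")
    parts, ext = _split_header(line[4:])
    if len(parts) != 7:
        raise ValueError("expected 7 header fields, got %d" % len(parts))
    event = dict(zip(HEADER_FIELDS, parts))
    event["extension"] = parse_extension(ext)
    return event
```

Lines that raise ValueError are better dropped or quarantined than forwarded, since a malformed header shifts every field the SIEM maps.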
Ingestion examples
- Splunk: configure a TCP/UDP listener on port 514 and curl ... | nc splunk.example.com 514
- Sentinel: forward via Logstash + Common Event Format connector
- rsyslog: pipe directly with logger -p local0.info -t socdefenders
Requires the Pro plan (read:cef scope).
GET
Authorizations
API key in X-API-Key header
Query Parameters
Output format — cef (ArcSight) or syslog (RFC 5424).
Available options:
cef, syslog
Example:
"cef"
Lower time bound (ISO 8601). Clamped to your tier lookback.
Example:
"2026-05-15T00:00:00Z"
Max events to emit. Tier-capped.
Example:
500
Response
CEF or Syslog events, one per line
The response is of type string.