curl -H "Authorization: Bearer sk_live_..." \
  "https://socdefenders.ai/api/v1/iocs/cef?format=cef&since=2026-05-15T00:00:00Z&limit=500"

"CEF:0|SOCDefenders|ThreatIntel|1.0|ipv4|Malicious IPv4|6|src=192.168.1.1 cs1=high cs1Label=confidence msg=C2 IP from \"New botnet observed beaconing\"\nCEF:0|SOCDefenders|ThreatIntel|1.0|domain|Malicious Domain|6|destinationDnsDomain=c2.example.com cs1=high cs1Label=confidence\nCEF:0|SOCDefenders|ThreatIntel|1.0|sha256|Malicious Hash|7|fileHash=e3b0c44298fc1c14... cs1=high cs1Label=confidence"

Stream IOCs as either CEF (Common Event Format, ArcSight-compatible) or RFC 5424 Syslog. Designed to be piped into a SIEM ingestion pipeline.

format=cef (default): One CEF line per IOC. Example header: CEF:0|SOCDefenders|ThreatIntel|1.0|ipv4|Malicious IPv4|6|src=192.168.1.1 ...
format=syslog: RFC 5424 lines with structured-data sections.

curl ... | nc splunk.example.com 514
logger -p local0.info -t socdefenders

Requires the Pro plan (read:cef scope).
API key in X-API-Key header.

format: Output format — cef (ArcSight) or syslog (RFC 5424). Options: cef, syslog. Example: "cef"
since: Lower time bound (ISO 8601). Clamped to your tier lookback. Example: "2026-05-15T00:00:00Z"
limit: Max events to emit. Tier-capped. Example: 500

Response: CEF or Syslog events, one per line. The response is of type string.
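A validating parser for the one-event-per-line CEF output described above, for checking the feed before it reaches SIEM ingestion. This is an added example, not code from the SOCDefenders documentation; the function names, the `VALUE_KEY` mapping and the sample lines are assumptions built from the example response on this page.

```python
import re

# Constructed sample in the shape of the example response above (not live data).
SAMPLE = (
    'CEF:0|SOCDefenders|ThreatIntel|1.0|ipv4|Malicious IPv4|6|src=192.168.1.1 '
    'cs1=high cs1Label=confidence msg=C2 IP from "New botnet observed beaconing"\n'
    'CEF:0|SOCDefenders|ThreatIntel|1.0|domain|Malicious Domain|6|'
    'destinationDnsDomain=c2.example.com cs1=high cs1Label=confidence\n'
    '<html>502 Bad Gateway</html>\n'
)

# Extension key that carries the indicator, per IOC type, as seen in the example lines.
VALUE_KEY = {"ipv4": "src", "domain": "destinationDnsDomain", "sha256": "fileHash"}

_PIPE = re.compile(r"(?<!\\)\|")      # header separator: a pipe that is not escaped
_KEY = re.compile(r"(?:^|\s)(\w+)=")  # start of a key; an escaped "\=" never matches

def _unescape(value):
    # CEF escapes a backslash, pipe or equals sign with a backslash; \n and \r are newlines.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Parse one CEF line into a dict, or return None if it is not well-formed CEF."""
    line = line.strip()
    if not line.startswith("CEF:"):
        return None
    parts = _PIPE.split(line[4:], maxsplit=7)  # 7 header fields, then the extension
    if len(parts) != 8 or not parts[6].isdigit():
        return None
    keys = list(_KEY.finditer(parts[7]))
    ext = {}
    for i, m in enumerate(keys):
        # A value runs up to the next key, so values may contain spaces (e.g. msg).
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = _unescape(parts[7][m.end():end].strip())
    ioc_type = _unescape(parts[4])
    return {"type": ioc_type, "name": _unescape(parts[5]), "severity": int(parts[6]),
            "indicator": ext.get(VALUE_KEY.get(ioc_type, "")), "ext": ext}

def parse_feed(text):
    """Return (events, rejected_count) so malformed lines are counted, not forwarded."""
    parsed = [parse_cef(l) for l in text.splitlines() if l.strip()]
    events = [e for e in parsed if e is not None]
    return events, len(parsed) - len(events)
```

A non-zero rejected count usually means an error body or truncated response was returned instead of events, which is worth alerting on before forwarding anything to the collector.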