Export as OpenIOC
Export Formats
Export IOCs as Mandiant OpenIOC 1.0 XML
Generates an OpenIOC 1.0 XML document — the format Mandiant introduced and still used by FireEye HX, several EDR products, and some commercial threat intel tools.
Output structure
<ioc>
<metadata>...</metadata>
<criteria>
<Indicator operator="OR">
<IndicatorItem condition="is"><Context type="mir" search="Network/DNS"/><Content type="string">malicious.com</Content></IndicatorItem>
...
</Indicator>
</criteria>
</ioc>
Import targets
- Mandiant HX: Configuration → Indicators → Import OpenIOC
- FireEye products: Same UI path
- Stix-shifter:
stix-shifter translate openioc query ...
Requires the Pro plan (read:openioc scope).
GET
Export as OpenIOC
Authorizations
API key in X-API-Key header
Query Parameters
Lower time bound (ISO 8601). Clamped to your tier lookback.
Example:
"2026-05-15T00:00:00Z"
Max indicators in the document. Tier-capped.
Example:
500
Response
OpenIOC 1.0 XML document
The response is of type string.