Export as OpenIOC

curl -H "Authorization: Bearer sk_live_..." \
  "https://socdefenders.ai/api/v1/iocs/openioc?since=2026-05-15T00:00:00Z&limit=500" \
  -o socdefenders.ioc

"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<ioc xmlns=\"http://schemas.mandiant.com/2010/ioc\" id=\"b1c2d3e4-f5a6-7890-abcd-ef1234567890\" last-modified=\"2026-05-17T10:30:00Z\">\n  <short_description>SOC Defenders Threat Intelligence Feed</short_description>\n  <authored_date>2026-05-17T10:30:00Z</authored_date>\n  <authored_by>SOC Defenders</authored_by>\n  <criteria>\n    <Indicator operator=\"OR\" id=\"indicator-1\">\n      <IndicatorItem id=\"item-1\" condition=\"is\">\n        <Context document=\"Network\" search=\"Network/DNS\" type=\"mir\"/>\n        <Content type=\"string\">c2.example.com</Content>\n      </IndicatorItem>\n      <IndicatorItem id=\"item-2\" condition=\"is\">\n        <Context document=\"FileItem\" search=\"FileItem/Sha256sum\" type=\"mir\"/>\n        <Content type=\"string\">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</Content>\n      </IndicatorItem>\n    </Indicator>\n  </criteria>\n</ioc>"

Export Formats

Export IOCs as Mandiant OpenIOC 1.0 XML

Generates an OpenIOC 1.0 XML document — the format Mandiant introduced and still used by FireEye HX, several EDR products, and some commercial threat intel tools.

Output structure

<ioc>
  <metadata>...</metadata>
  <criteria>
    <Indicator operator="OR">
      <IndicatorItem condition="is"><Context type="mir" search="Network/DNS"/><Content type="string">malicious.com</Content></IndicatorItem>
      ...
    </Indicator>
  </criteria>
</ioc>

Import targets

Mandiant HX: Configuration → Indicators → Import OpenIOC
FireEye products: Same UI path
Stix-shifter: stix-shifter translate openioc query ...

Requires the Pro plan (read:openioc scope).

GET

api

iocs

openioc

Export as OpenIOC

curl -H "Authorization: Bearer sk_live_..." \
  "https://socdefenders.ai/api/v1/iocs/openioc?since=2026-05-15T00:00:00Z&limit=500" \
  -o socdefenders.ioc

"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<ioc xmlns=\"http://schemas.mandiant.com/2010/ioc\" id=\"b1c2d3e4-f5a6-7890-abcd-ef1234567890\" last-modified=\"2026-05-17T10:30:00Z\">\n  <short_description>SOC Defenders Threat Intelligence Feed</short_description>\n  <authored_date>2026-05-17T10:30:00Z</authored_date>\n  <authored_by>SOC Defenders</authored_by>\n  <criteria>\n    <Indicator operator=\"OR\" id=\"indicator-1\">\n      <IndicatorItem id=\"item-1\" condition=\"is\">\n        <Context document=\"Network\" search=\"Network/DNS\" type=\"mir\"/>\n        <Content type=\"string\">c2.example.com</Content>\n      </IndicatorItem>\n      <IndicatorItem id=\"item-2\" condition=\"is\">\n        <Context document=\"FileItem\" search=\"FileItem/Sha256sum\" type=\"mir\"/>\n        <Content type=\"string\">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</Content>\n      </IndicatorItem>\n    </Indicator>\n  </criteria>\n</ioc>"

Authorizations

X-API-Key

string

header

required

API key in X-API-Key header

Query Parameters

since

string<date-time>

Lower time bound (ISO 8601). Clamped to your tier lookback.

Example:

"2026-05-15T00:00:00Z"

limit

integer

default:100

Max indicators in the document. Tier-capped.

Example:

500

Response

OpenIOC 1.0 XML document

The response is of type string.

Export IOCs as CEF or RFC 5424 Syslog events

Generate deployable Sigma detection rules

⌘I

Overview

IOC Endpoints

Articles Endpoints

TAXII 2.1

IOCs

Statistics

Export Formats

Detection Rules

Lookup

API Keys

TAXII

Articles

Export IOCs as Mandiant OpenIOC 1.0 XML

Output structure

Import targets

Authorizations

Query Parameters

Response

Overview

IOC Endpoints

Articles Endpoints

TAXII 2.1

IOCs

Statistics

Export Formats

Detection Rules

Lookup

API Keys

TAXII

Articles

Documentation Index

Authorizations

Query Parameters

Response