The /api/v1/iocs/stix endpoint exports IOCs from the SOC Defenders feed as a STIX 2.1 bundle. The bundle contains an identity object representing SOC Defenders as the producing organization, followed by indicator objects — one per IOC — each with a STIX pattern, pattern type, and validity timestamp. This format is compatible with any STIX 2.1-aware platform, including threat intelligence platforms (TIPs), SIEMs, and sharing hubs. Apply the same filters as the list endpoint to scope the bundle to a specific type, time window, or confidence level.

Request

Method: GET
URL: https://socdefenders.ai/api/v1/iocs/stix
Auth: Required — Authorization: Bearer sk_live_YOUR_KEY
Tier: Pro
Content-Type: application/json (STIX bundle)
This endpoint requires a Pro subscription. Requests made with a Free-tier key will receive a 403 Forbidden response.

Query parameters

type (string)
Filter by IOC type. One of: ipv4, ipv6, domain, url, md5, sha1, sha256, cve, mitre-attack, email.

since (string)
ISO 8601 timestamp. Returns only IOCs added or updated after this time (e.g. 2024-01-01T00:00:00Z). Use for incremental exports.

confidence (string)
Filter by confidence level. One of: high, medium, low.

industry (string)
Filter by CISA sector name (e.g. energy, healthcare, financial-services).

limit (integer, default: 100)
Maximum number of indicator objects to include in the bundle. Pro tier: up to 10,000.

Example request

curl -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/v1/iocs/stix?type=ipv4&since=2024-01-01T00:00:00Z"

Response

The response is a STIX 2.1 bundle object. The objects array always begins with an identity object for SOC Defenders, followed by indicator objects for each matching IOC.
{
  "type": "bundle",
  "spec_version": "2.1",
  "id": "bundle--...",
  "objects": [
    {
      "type": "identity",
      "spec_version": "2.1",
      "id": "identity--...",
      "name": "SOC Defenders"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--...",
      "pattern": "[ipv4-addr:value = '192.0.2.1']",
      "pattern_type": "stix",
      "valid_from": "2024-01-15T10:00:00Z"
    }
  ]
}

Response fields

type (string)
Always bundle.

spec_version (string)
STIX specification version. Always 2.1.

id (string)
Unique STIX identifier for this bundle (e.g. bundle--<uuid>).

objects (array)
Array of STIX objects. The first object is always an identity for SOC Defenders; subsequent objects are indicator objects.
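
The following is an added example, not SOC Defenders' own code: one way to check a downloaded bundle against the structure documented above and extract observables from single-comparison patterns before loading them into a blocklist or SIEM. The function names, the restricted pattern regex, and the sample bundle (including its ids) are assumptions made for illustration.

```python
import ipaddress
import json
import re

# Accept only the single-comparison form shown in the sample response,
# e.g. [ipv4-addr:value = '192.0.2.1']; anything else is skipped, not guessed at.
SIMPLE = re.compile(r"^\[([a-z0-9-]+):([\w.'-]+)\s*=\s*'([^'\\]*)'\]$")
ADDR = {"ipv4-addr": ipaddress.IPv4Address, "ipv6-addr": ipaddress.IPv6Address}

def indicators(bundle):
    """Check the envelope the page documents and return the indicator objects."""
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.1":
        raise ValueError("not a STIX 2.1 bundle")
    objects = bundle.get("objects") or []
    if not objects or objects[0].get("type") != "identity":
        raise ValueError("first object is not an identity")
    return [o for o in objects[1:] if o.get("type") == "indicator"]

def extract(bundle):
    """Return (accepted observables, ids of indicators that were skipped)."""
    accepted, skipped = [], []
    for ind in indicators(bundle):
        is_stix = ind.get("pattern_type") == "stix"
        m = SIMPLE.match(str(ind.get("pattern", ""))) if is_stix else None
        try:
            if m is None:
                raise ValueError("unsupported pattern")
            obj_type, _prop, value = m.groups()
            if obj_type in ADDR:
                value = str(ADDR[obj_type](value))  # rejects malformed addresses
        except ValueError:
            skipped.append(ind.get("id"))
            continue
        accepted.append({"type": obj_type, "value": value,
                         "valid_from": ind.get("valid_from")})
    return accepted, skipped

# Constructed sample bundle (ids and values are made up for this example).
SAMPLE = json.loads("""
{"type": "bundle", "spec_version": "2.1", "id": "bundle--example", "objects": [
 {"type": "identity", "spec_version": "2.1", "id": "identity--example", "name": "SOC Defenders"},
 {"type": "indicator", "id": "indicator--a", "pattern_type": "stix",
  "pattern": "[ipv4-addr:value = '192.0.2.1']", "valid_from": "2024-01-15T10:00:00Z"},
 {"type": "indicator", "id": "indicator--b", "pattern_type": "stix",
  "pattern": "[ipv4-addr:value = '999.0.2.1']", "valid_from": "2024-01-15T10:00:00Z"},
 {"type": "indicator", "id": "indicator--c", "pattern_type": "stix",
  "pattern": "[domain-name:value = 'example.com'] OR [url:value = 'http://example.com/']",
  "valid_from": "2024-01-15T10:00:00Z"}
]}
""")
```

Skipped indicator ids are returned rather than dropped silently so they can be logged and reviewed.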

Error responses

If your API key is missing, invalid, or from a Free-tier account, the API returns an error response:
{
  "error": {
    "code": "missing_api_key",
    "message": "API key is required. Include it in the Authorization header as \"Bearer sk_live_...\" or in the X-API-Key header.",
    "request_id": "req_..."
  }
}
See Authentication for the full error code reference.