# GET /api/v1/iocs/stix — export as STIX 2.1 bundle

> Download current IOCs as a STIX 2.1 bundle containing Indicator and Identity objects. Supports the same filters as the main IOC endpoint. Requires Pro.

The `/api/v1/iocs/stix` endpoint exports IOCs from the SOC Defenders feed as a STIX 2.1 bundle. The bundle contains an `identity` object representing SOC Defenders as the producing organization, followed by `indicator` objects — one per IOC — each with a STIX pattern, pattern type, and validity timestamp. This format is compatible with any STIX 2.1-aware platform, including threat intelligence platforms (TIPs), SIEMs, and sharing hubs. Apply the same filters as the list endpoint to scope the bundle to a specific type, time window, or confidence level.

## Request

**Method:** `GET`\
**URL:** `https://socdefenders.ai/api/v1/iocs/stix`\
**Auth:** Required — `Authorization: Bearer sk_live_YOUR_KEY`\
**Tier:** Pro\
**Content-Type:** `application/json` (STIX bundle)

<Note>
  This endpoint requires a Pro subscription. Requests made with a Free-tier key will receive a `403 Forbidden` response.
</Note>

## Query parameters

<ParamField query="type" type="string">
  Filter by IOC type. One of: `ipv4`, `ipv6`, `domain`, `url`, `md5`, `sha1`, `sha256`, `cve`, `mitre-attack`, `email`.
</ParamField>

<ParamField query="since" type="string">
  ISO 8601 timestamp. Returns only IOCs added or updated after this time (e.g. `2024-01-01T00:00:00Z`). Use for incremental exports.
</ParamField>

<ParamField query="confidence" type="string">
  Filter by confidence level. One of: `high`, `medium`, `low`.
</ParamField>

<ParamField query="industry" type="string">
  Filter by CISA sector name (e.g. `energy`, `healthcare`, `financial-services`).
</ParamField>

<ParamField query="limit" type="integer" default="100">
  Maximum number of indicator objects to include in the bundle. Pro tier: up to 10,000.
</ParamField>

## Example request

```bash
curl -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/v1/iocs/stix?type=ipv4&since=2024-01-01T00:00:00Z"
```

## Response

The response is a STIX 2.1 bundle object. The `objects` array always begins with an `identity` object for SOC Defenders, followed by `indicator` objects for each matching IOC.

```json
{
  "type": "bundle",
  "spec_version": "2.1",
  "id": "bundle--...",
  "objects": [
    {
      "type": "identity",
      "spec_version": "2.1",
      "id": "identity--...",
      "name": "SOC Defenders"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--...",
      "pattern": "[ipv4-addr:value = '192.0.2.1']",
      "pattern_type": "stix",
      "valid_from": "2024-01-15T10:00:00Z"
    }
  ]
}
```

### Response fields

<ResponseField name="type" type="string">
  Always `bundle`.
</ResponseField>

<ResponseField name="spec_version" type="string">
  STIX specification version. Always `2.1`.
</ResponseField>

<ResponseField name="id" type="string">
  Unique STIX identifier for this bundle (e.g. `bundle--<uuid>`).
</ResponseField>

<ResponseField name="objects" type="array">
  Array of STIX objects. The first object is always an `identity` for SOC Defenders; subsequent objects are `indicator` objects.

  <Expandable title="identity object">
    <ResponseField name="objects[].type" type="string">
      `identity` for the producing organization object.
    </ResponseField>

    <ResponseField name="objects[].name" type="string">
      `SOC Defenders`.
    </ResponseField>
  </Expandable>

  <Expandable title="indicator object">
    <ResponseField name="objects[].type" type="string">
      `indicator` for each IOC object.
    </ResponseField>

    <ResponseField name="objects[].pattern" type="string">
      STIX pattern expression for the indicator (e.g. `[ipv4-addr:value = '192.0.2.1']`).
    </ResponseField>

    <ResponseField name="objects[].pattern_type" type="string">
      Always `stix`.
    </ResponseField>

    <ResponseField name="objects[].valid_from" type="string">
      ISO 8601 timestamp when this indicator became valid.
    </ResponseField>
  </Expandable>
</ResponseField>
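
The following is an added example, not SOC Defenders code: a consumer-side check that validates a bundle of the documented shape before its IPv4 indicators reach a blocklist. The function name `extract_ipv4`, the internal-range policy, and the sample bundle are assumptions constructed for illustration.

```python
import ipaddress
import json
import re
from datetime import datetime

# Accept only the single-comparison IPv4 form shown in the response example.
IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value = '([^']+)'\]$")
# Assumed local policy: never block internal ranges on the word of an external feed.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def _indicator(pattern, valid_from="2024-01-15T10:00:00Z"):
    return {"type": "indicator", "spec_version": "2.1", "id": "indicator--...",
            "pattern": pattern, "pattern_type": "stix", "valid_from": valid_from}

# Constructed sample in the documented response shape; ids are left elided.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "spec_version": "2.1", "id": "bundle--...",
    "objects": [
        {"type": "identity", "spec_version": "2.1", "id": "identity--...", "name": "SOC Defenders"},
        _indicator("[ipv4-addr:value = '192.0.2.1']"),
        _indicator("[ipv4-addr:value = '10.0.0.5']"),              # internal range
        _indicator("[ipv4-addr:value = '999.1.1.1']"),             # not an IPv4 address
        _indicator("[ipv4-addr:value = '198.51.100.7']", "soon"),  # unparseable valid_from
    ]})

def extract_ipv4(bundle_text):
    """Return (accepted, rejected); raise ValueError if the bundle envelope is wrong."""
    bundle = json.loads(bundle_text)
    objects = bundle.get("objects") or []
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    if not objects or objects[0].get("type") != "identity":
        raise ValueError("bundle does not start with an identity object")
    accepted, rejected = [], []
    for obj in objects[1:]:
        if obj.get("type") != "indicator":
            continue
        pattern = str(obj.get("pattern", ""))
        match = IPV4_PATTERN.match(pattern) if obj.get("pattern_type") == "stix" else None
        try:
            addr = ipaddress.IPv4Address(match.group(1)) if match else None
            datetime.fromisoformat(str(obj.get("valid_from")).replace("Z", "+00:00"))
        except ValueError:
            addr = None
        if addr is None or any(addr in net for net in INTERNAL):
            rejected.append(pattern)  # keep the raw pattern for analyst review
        else:
            accepted.append(str(addr))
    return accepted, rejected
```

Rejected patterns are returned rather than dropped so they can be logged and reviewed instead of silently disappearing from the import.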

## Error responses

If your API key is missing, invalid, or from a Free-tier account, the API returns a JSON error object. The example below is the response for a missing key:

```json
{
  "error": {
    "code": "missing_api_key",
    "message": "API key is required. Include it in the Authorization header as \"Bearer sk_live_...\" or in the X-API-Key header.",
    "request_id": "req_..."
  }
}
```

See [Authentication](/api-reference/authentication) for the full error code reference.
