curl -H "Authorization: Bearer sk_live_..." \
-H "Accept: application/taxii+json;version=2.1" \
"https://socdefenders.ai/api/taxii2/api/collections/soc-defenders-network/objects/?added_after=2026-05-16T00:00:00Z&limit=500"{
"type": "bundle",
"id": "bundle--12345678-1234-1234-1234-123456789abc",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--f8e75d96-8e4c-4b1a-9e3d-4f8a7b6c5d3e",
"created": "2024-01-01T00:00:00.000Z",
"modified": "2026-05-17T10:30:00.000Z",
"name": "SOC Defenders",
"identity_class": "organization"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--00000000-0000-4000-8000-000000000001",
"created": "2026-05-16T08:21:30Z",
"modified": "2026-05-16T08:21:30Z",
"created_by_ref": "identity--f8e75d96-8e4c-4b1a-9e3d-4f8a7b6c5d3e",
"object_marking_refs": [
"marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb"
],
"name": "Malicious Domain - c2.example.com",
"indicator_types": [
"malicious-activity"
],
"pattern": "[domain-name:value = 'c2.example.com']",
"pattern_type": "stix",
"valid_from": "2026-05-16T08:21:30Z",
"confidence": 85,
"labels": [
"c2",
"botnet"
]
}
]
}Returns a STIX 2.1 bundle of objects in the requested collection. This is the workhorse pull endpoint for TAXII clients.
TAXII pagination uses added_after + limit + the X-TAXII-Date-Added-Last response header. Save the response’s X-TAXII-Date-Added-Last and pass it as added_after on the next request to walk forward without missing objects.
?type=indicator — only Indicator SDOs (most common)?match[type]=ipv4-addr — narrow further by indicator subtypeadded_after is the canonical delta-poll mechanism. Don’t use any other field.This endpoint has a 2.5× rate multiplier (it generates a full STIX bundle). Plan polling cadence accordingly.
curl -H "Authorization: Bearer sk_live_..." \
-H "Accept: application/taxii+json;version=2.1" \
"https://socdefenders.ai/api/taxii2/api/collections/soc-defenders-network/objects/?added_after=2026-05-16T00:00:00Z&limit=500"{
"type": "bundle",
"id": "bundle--12345678-1234-1234-1234-123456789abc",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--f8e75d96-8e4c-4b1a-9e3d-4f8a7b6c5d3e",
"created": "2024-01-01T00:00:00.000Z",
"modified": "2026-05-17T10:30:00.000Z",
"name": "SOC Defenders",
"identity_class": "organization"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--00000000-0000-4000-8000-000000000001",
"created": "2026-05-16T08:21:30Z",
"modified": "2026-05-16T08:21:30Z",
"created_by_ref": "identity--f8e75d96-8e4c-4b1a-9e3d-4f8a7b6c5d3e",
"object_marking_refs": [
"marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb"
],
"name": "Malicious Domain - c2.example.com",
"indicator_types": [
"malicious-activity"
],
"pattern": "[domain-name:value = 'c2.example.com']",
"pattern_type": "stix",
"valid_from": "2026-05-16T08:21:30Z",
"confidence": 85,
"labels": [
"c2",
"botnet"
]
}
]
}Documentation Index
Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt
Use this file to discover all available pages before exploring further.
API key in X-API-Key header
Collection ID from the list endpoint (e.g. soc-defenders-all, soc-defenders-network, soc-defenders-hashes).
"soc-defenders-network"
Return only objects added to the collection after this timestamp. Canonical delta-poll mechanism — save the response's X-TAXII-Date-Added-Last header value and pass it back here on the next request.
"2026-05-16T00:00:00Z"
Max objects per response (max 1000). For deep pulls, walk forward via added_after rather than skipping.
x <= 1000500
Filter by STIX object type. indicator is the most common — narrows the bundle to just IOC indicators (no identity/marking-definition objects).
"indicator"