> ## Documentation Index
> Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# List available TAXII collections

> Returns the set of TAXII collections (logical streams of STIX objects). Each collection has a stable UUID consumers reference when fetching objects.

## Collections available

| Collection | Contents |
|---|---|
| `all-iocs` | All IOCs regardless of type |
| `network` | IPs, domains, URLs |
| `hashes` | MD5/SHA1/SHA256/SHA512 |
| `cves` | CVE IDs with context |
| `high-confidence` | Only high-confidence IOCs across types |
| `recent-24h` | Anything seen in the last 24 hours |
| `apt` | IOCs tagged with known APT campaigns |
| `ransomware` | IOCs tagged with ransomware families |



## OpenAPI

````yaml https://socdefenders.ai/api/openapi.json get /api/taxii2/api/collections/
openapi: 3.0.3
info:
  title: SOC Defenders Threat Intelligence API
  description: >-
    # Overview


    The SOC Defenders Threat Intelligence API provides programmatic access to
    aggregated threat intelligence from 30+ cybersecurity sources. Export IOCs
    (Indicators of Compromise) in various formats including JSON, CSV, STIX 2.1,
    MISP, CEF, and OpenIOC.


    ## Authentication


    All API endpoints require authentication using an API key. Include your key
    in one of these ways:


    - **Authorization Header** (recommended): `Authorization: Bearer
    sk_live_xxx`

    - **X-API-Key Header**: `X-API-Key: sk_live_xxx`

    - **Query Parameter**: `?api_key=sk_live_xxx`


    ## Rate Limiting


    Rate limits vary by tier. When limits are exceeded, the API returns a 429
    status code.


    | Tier | Requests/min | Requests/day | Lookback | Formats |

    |------|-------------|--------------|----------|---------|

    | Free | 10 | 1,000 | 1 day | JSON / CSV |

    | Pro ($299/mo) | 1,000 | 1,000,000 | 365 days | All (STIX, TAXII, MISP,
    CEF, OpenIOC, Sigma) |


    Rate limit headers are included in all responses:

    - `X-RateLimit-Limit`: Maximum requests per minute

    - `X-RateLimit-Remaining`: Requests remaining in current window

    - `X-RateLimit-Reset`: Unix timestamp when the limit resets


    ## Error Handling


    All errors follow a consistent format:


    ```json

    {
      "error": {
        "code": "error_code",
        "message": "Human readable message",
        "details": {},
        "request_id": "req_abc123"
      }
    }

    ```


    ## STIX/TAXII Support


    For STIX 2.1 and TAXII 2.1 integration, see the TAXII endpoints section.
    TAXII endpoints are available at `/api/taxii2/`.
  version: 1.0.0
  contact:
    name: SOC Defenders Support
    url: https://socdefenders.ai/contact
    email: support@socdefenders.ai
  license:
    name: Proprietary
    url: https://socdefenders.ai/terms
servers:
  - url: https://socdefenders.ai
    description: Production server
security: []
tags:
  - name: IOCs
    description: Indicators of Compromise endpoints
  - name: Statistics
    description: Feed and IOC statistics
  - name: API Keys
    description: API key management (requires session auth)
  - name: TAXII
    description: TAXII 2.1 threat intelligence sharing endpoints
  - name: Export Formats
    description: Specialized export format endpoints (MISP, CEF, OpenIOC)
  - name: Articles
    description: >-
      Aggregated news articles from 30+ cybersecurity sources, with rich
      filtering and bulk-export support
  - name: Lookup
    description: >-
      Single-IOC enrichment lookup. Auto-detects type, aggregates reporting
      sources, returns AI risk + MITRE techniques + hunting queries. Free-tier
      friendly.
  - name: Detection Rules
    description: >-
      Generate ready-to-deploy SIEM detection rules from recent IOCs. Sigma
      rules ship as multi-document YAML covering network / DNS / proxy /
      process_creation logsources.
paths:
  /api/taxii2/api/collections/:
    get:
      tags:
        - TAXII
      summary: List available TAXII collections
      description: >-
        Returns the set of TAXII collections (logical streams of STIX objects).
        Each collection has a stable UUID consumers reference when fetching
        objects.


        ## Collections available


        | Collection | Contents |

        |---|---|

        | `all-iocs` | All IOCs regardless of type |

        | `network` | IPs, domains, URLs |

        | `hashes` | MD5/SHA1/SHA256/SHA512 |

        | `cves` | CVE IDs with context |

        | `high-confidence` | Only high-confidence IOCs across types |

        | `recent-24h` | Anything seen in the last 24 hours |

        | `apt` | IOCs tagged with known APT campaigns |

        | `ransomware` | IOCs tagged with ransomware families |
      operationId: listTAXIICollections
      responses:
        '200':
          description: List of collections
          content:
            application/taxii+json;version=2.1:
              schema:
                $ref: '#/components/schemas/TAXIICollections'
              example:
                collections:
                  - id: soc-defenders-all
                    title: All IOCs
                    description: All indicators regardless of type
                    can_read: true
                    can_write: false
                    media_types:
                      - application/stix+json;version=2.1
                  - id: soc-defenders-network
                    title: Network IOCs
                    description: IPs, domains, URLs
                    can_read: true
                    can_write: false
                    media_types:
                      - application/stix+json;version=2.1
                  - id: soc-defenders-hashes
                    title: File Hashes
                    description: MD5/SHA1/SHA256/SHA512
                    can_read: true
                    can_write: false
                    media_types:
                      - application/stix+json;version=2.1
      security:
        - ApiKeyAuth: []
        - BearerAuth: []
      x-codeSamples:
        - lang: cURL
          label: List collections
          source: |-
            curl -H "Authorization: Bearer sk_live_..." \
              -H "Accept: application/taxii+json;version=2.1" \
              "https://socdefenders.ai/api/taxii2/api/collections/"
components:
  schemas:
    TAXIICollections:
      type: object
      properties:
        collections:
          type: array
          items:
            type: object
            properties:
              id:
                type: string
              title:
                type: string
              description:
                type: string
              can_read:
                type: boolean
              can_write:
                type: boolean
              media_types:
                type: array
                items:
                  type: string
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key in X-API-Key header
    BearerAuth:
      type: http
      scheme: bearer
      description: 'API key in Authorization header: `Authorization: Bearer sk_live_xxx`'

````