Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt

Use this file to discover all available pages before exploring further.

This endpoint returns paginated STIX 2.1 objects from a named collection. Use it to bulk-ingest indicators into your SIEM or TIP, or to poll incrementally for new objects using the added_after parameter. Each page is returned as a STIX bundle, and pagination is driven by response headers rather than a cursor in the response body.

Endpoint

Method: GET https://www.socdefenders.ai/api/taxii2/api/collections/{id}/objects/ Authentication: Required — pass your API key in the Authorization header as a Bearer token. Tier: Pro.

Path parameters

id
string
required
Collection ID obtained from GET /api/taxii2/api/collections/. For example, all-iocs, ip-addresses, file-hashes, or cves.

Query parameters

added_after
string
ISO 8601 timestamp. Returns only STIX objects added to the collection after this time. Use the value of the X-TAXII-Date-Added-Last response header from your previous request to poll incrementally.
limit
integer
Maximum number of STIX objects to return per page. The server may return fewer than the requested limit.
next
string
Pagination token. Use the value from the X-TAXII-Date-Added-Last response header as the added_after value on your next request to continue paginating through results.

Example request

curl -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://www.socdefenders.ai/api/taxii2/api/collections/all-iocs/objects/?added_after=2024-01-01T00:00:00Z&limit=100"

Example response

{
  "type": "bundle",
  "id": "bundle--...",
  "spec_version": "2.1",
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--...",
      "created": "2024-01-15T10:00:00Z",
      "modified": "2024-01-15T10:00:00Z",
      "name": "Malicious IP 192.0.2.1",
      "pattern": "[ipv4-addr:value = '192.0.2.1']",
      "pattern_type": "stix",
      "valid_from": "2024-01-15T10:00:00Z",
      "indicator_types": ["malicious-activity"]
    }
  ],
  "more": true,
  "next": "cursor_xyz789"
}

Response fields

type
string
Always bundle — the STIX 2.1 bundle type.
id
string
Unique STIX bundle identifier in the format bundle--<uuid>.
spec_version
string
STIX specification version. Always 2.1.
objects
object[]
Array of STIX 2.1 indicator objects contained in this page.
more
boolean
true if additional pages of objects are available. Use the response headers to paginate.
next
string
Pagination token for the next page. Present only when more is true.

Response headers

HeaderDescription
X-TAXII-Date-Added-FirstISO 8601 timestamp of the earliest object added in this page.
X-TAXII-Date-Added-LastISO 8601 timestamp of the latest object added in this page. Pass this as added_after on your next request to avoid re-fetching objects.

Delta polling

Store the value of the X-TAXII-Date-Added-Last response header after each successful poll and pass it as added_after on your next request. This ensures you only receive objects that were added after your previous poll, preventing duplicate processing and reducing unnecessary data transfer.
# Initial poll
curl -v -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://www.socdefenders.ai/api/taxii2/api/collections/all-iocs/objects/?limit=100" \
  2>&1 | grep -E "(X-TAXII-Date-Added|^{)"

# Subsequent poll using the stored X-TAXII-Date-Added-Last value
curl -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://www.socdefenders.ai/api/taxii2/api/collections/all-iocs/objects/?added_after=2024-01-15T10:00:00Z&limit=100"