Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt

Use this file to discover all available pages before exploring further.

SOC Defenders exposes a TAXII 2.1 server that allows you to integrate the threat intelligence feed directly into SIEM platforms, threat intelligence platforms (TIPs), and custom tooling using the industry-standard TAXII protocol. TAXII (Trusted Automated eXchange of Intelligence Information) is defined by OASIS and is natively supported by tools such as Splunk, Microsoft Sentinel, IBM QRadar, and OpenCTI. Objects are served in STIX 2.1 format.
TAXII 2.1 access requires a Pro subscription. Upgrade your account at socdefenders.ai to enable this feature.

Protocol overview

TAXII 2.1 organises threat data into collections — named groups of STIX objects such as all IOCs, IP addresses only, file hashes, or CVEs. Clients discover the server’s API root, list available collections, and then poll individual collections for objects, optionally using the added_after parameter to retrieve only objects added since their last poll.

Discovery endpoint

Send a GET request to the discovery URL to retrieve the server’s title, description, contact information, and the API root URL you will use for all subsequent requests. Method: GET https://socdefenders.ai/api/taxii2/ Authentication: Required — pass your API key in the Authorization header as a Bearer token. Tier: Pro.

Example request

curl -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/taxii2/"

Example response

{
  "title": "SOC Defenders TAXII Server",
  "description": "Threat intelligence feed aggregating 30+ cybersecurity sources including CISA alerts, vendor advisories, and threat research",
  "contact": "support@socdefenders.ai",
  "default": "https://www.socdefenders.ai/api/taxii2/api/",
  "api_roots": ["https://www.socdefenders.ai/api/taxii2/api/"]
}

Response fields

title
string
Human-readable name of the TAXII server.
description
string
Description of the threat intelligence feed provided by this server.
contact
string
Contact address for the server operator. Reach the SOC Defenders team at support@socdefenders.ai.
default
string
The default API root URL. Use this as the base URL for collections and object requests.
api_roots
string[]
Array of API root URLs available on this server. Each root can have its own set of collections.

API root

All collection and object requests are made under the API root returned in the discovery response: 
https://www.socdefenders.ai/api/taxii2/api/
Proceed to Collections to list the available collections, or to Collection Objects to begin fetching STIX objects.