# TAXII 2.1 discovery endpoint

> Entry point for TAXII 2.1 clients. Returns server metadata and a list of API roots. This is the URL you give your TAXII client (Splunk ES, Microsoft Sentinel, OpenCTI, MISP TAXII module).

## What clients do with this

1. Request `/api/taxii2/` to learn the server identity and the API root URLs
2. Request each API root (`/api/taxii2/api/`) to discover the available collections
3. Poll each collection's `/objects/` endpoint to fetch STIX bundles
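
The three steps above as a client would carry them out, with one check added: each advertised API root is vetted to be HTTPS and on the discovery URL's origin before the API key is attached, so a tampered or misconfigured discovery document cannot steer the Bearer token to another host. This is an added example, not code from SOC Defenders; the `collections/` paths follow the standard TAXII 2.1 layout, the same-origin policy is a conservative assumption, and the extra roots, collection id and key are constructed placeholders.

```python
import json
from urllib.parse import urljoin, urlsplit

DISCOVERY_URL = "https://socdefenders.ai/api/taxii2/"
TAXII_ACCEPT = "application/taxii+json;version=2.1"

# Constructed sample: the page's discovery example plus three roots added
# here (plain http, foreign host, relative form) to exercise the checks.
SAMPLE_DISCOVERY = json.dumps({
    "title": "SOC Defenders Threat Intelligence",
    "default": "https://socdefenders.ai/api/taxii2/api/",
    "api_roots": [
        "https://socdefenders.ai/api/taxii2/api/",
        "http://socdefenders.ai/api/taxii2/api/",
        "https://taxii.example.net/api/",
        "/api/taxii2/api",
    ],
})

def vet_api_roots(discovery_url, body):
    """Step 1: split advertised API roots into (trusted, rejected)."""
    base = urlsplit(discovery_url)
    doc = json.loads(body)
    trusted, rejected = [], []
    for root in [doc.get("default"), *doc.get("api_roots", [])]:
        if not isinstance(root, str):
            continue
        url = urljoin(discovery_url, root)  # TAXII 2.1 permits relative roots
        url = url if url.endswith("/") else url + "/"
        parts = urlsplit(url)
        same_origin = (parts.scheme, parts.hostname, parts.port) == (
            "https", base.hostname, base.port)
        bucket = trusted if same_origin else rejected
        if url not in bucket:
            bucket.append(url)
    return trusted, rejected

def poll_requests(api_root, collection_id, api_key):
    """Steps 2-3: (url, headers) pairs for listing collections and polling one."""
    # Key travels in the Authorization header, never in the query string.
    headers = {"Accept": TAXII_ACCEPT, "Authorization": f"Bearer {api_key}"}
    return [
        (urljoin(api_root, "collections/"), headers),
        (urljoin(api_root, f"collections/{collection_id}/objects/"), headers),
    ]

if __name__ == "__main__":
    trusted, rejected = vet_api_roots(DISCOVERY_URL, SAMPLE_DISCOVERY)
    print("rejected:", rejected)
    for url, _ in poll_requests(trusted[0], "COLLECTION_ID_PLACEHOLDER", "sk_live_xxx"):
        print("GET", url)
```

Rejected roots are worth logging and alerting on rather than silently dropping, since an unexpected root in a discovery response is itself a signal.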

## Integration walkthroughs

- **Microsoft Sentinel**: Data connectors → Threat Intelligence - TAXII → add server, paste discovery URL + API key
- **Splunk ES**: TA-TAXII2 add-on → input → server URL + Bearer token
- **OpenCTI**: TAXII 2.1 Connector → discovery URL + key
- **MISP**: Sync server type "TAXII 2.1" → discovery URL + key



## OpenAPI

````yaml https://socdefenders.ai/api/openapi.json get /api/taxii2/
openapi: 3.0.3
info:
  title: SOC Defenders Threat Intelligence API
  description: >-
    # Overview


    The SOC Defenders Threat Intelligence API provides programmatic access to
    aggregated threat intelligence from 30+ cybersecurity sources. Export IOCs
    (Indicators of Compromise) in various formats including JSON, CSV, STIX 2.1,
    MISP, CEF, and OpenIOC.


    ## Authentication


    All API endpoints require authentication using an API key. Include your key
    in one of these ways:


    - **Authorization Header** (recommended): `Authorization: Bearer
    sk_live_xxx`

    - **X-API-Key Header**: `X-API-Key: sk_live_xxx`

    - **Query Parameter**: `?api_key=sk_live_xxx`


    ## Rate Limiting


    Rate limits vary by tier. When limits are exceeded, the API returns a 429
    status code.


    | Tier | Requests/min | Requests/day | Lookback | Formats |

    |------|-------------|--------------|----------|---------|

    | Free | 10 | 1,000 | 1 day | JSON / CSV |

    | Pro ($299/mo) | 1,000 | 1,000,000 | 365 days | All (STIX, TAXII, MISP,
    CEF, OpenIOC, Sigma) |


    Rate limit headers are included in all responses:

    - `X-RateLimit-Limit`: Maximum requests per minute

    - `X-RateLimit-Remaining`: Requests remaining in current window

    - `X-RateLimit-Reset`: Unix timestamp when the limit resets


    ## Error Handling


    All errors follow a consistent format:


    ```json

    {
      "error": {
        "code": "error_code",
        "message": "Human readable message",
        "details": {},
        "request_id": "req_abc123"
      }
    }

    ```


    ## STIX/TAXII Support


    For STIX 2.1 and TAXII 2.1 integration, see the TAXII endpoints section.
    TAXII endpoints are available at `/api/taxii2/`.
  version: 1.0.0
  contact:
    name: SOC Defenders Support
    url: https://socdefenders.ai/contact
    email: support@socdefenders.ai
  license:
    name: Proprietary
    url: https://socdefenders.ai/terms
servers:
  - url: https://socdefenders.ai
    description: Production server
security: []
tags:
  - name: IOCs
    description: Indicators of Compromise endpoints
  - name: Statistics
    description: Feed and IOC statistics
  - name: API Keys
    description: API key management (requires session auth)
  - name: TAXII
    description: TAXII 2.1 threat intelligence sharing endpoints
  - name: Export Formats
    description: Specialized export format endpoints (MISP, CEF, OpenIOC)
  - name: Articles
    description: >-
      Aggregated news articles from 30+ cybersecurity sources, with rich
      filtering and bulk-export support
  - name: Lookup
    description: >-
      Single-IOC enrichment lookup. Auto-detects type, aggregates reporting
      sources, returns AI risk + MITRE techniques + hunting queries. Free-tier
      friendly.
  - name: Detection Rules
    description: >-
      Generate ready-to-deploy SIEM detection rules from recent IOCs. Sigma
      rules ship as multi-document YAML covering network / DNS / proxy /
      process_creation logsources.
paths:
  /api/taxii2/:
    get:
      tags:
        - TAXII
      summary: TAXII 2.1 discovery endpoint
      description: >-
        Entry point for TAXII 2.1 clients. Returns server metadata + a list of
        API roots. This is the URL you give your TAXII client (Splunk ES,
        Microsoft Sentinel, OpenCTI, MISP TAXII module).


        ## What clients do with this


        1. Hit `/api/taxii2/` to learn server identity + API root URLs

        2. Hit each API root (`/api/taxii2/api/`) to discover available
        collections

        3. Poll each collection's `/objects/` endpoint to fetch STIX bundles


        ## Integration walkthroughs


        - **Microsoft Sentinel**: Data connectors → Threat Intelligence - TAXII
        → add server, paste discovery URL + API key

        - **Splunk ES**: TA-TAXII2 add-on → input → server URL + Bearer token

        - **OpenCTI**: TAXII 2.1 Connector → discovery URL + key

        - **MISP**: Sync server type "TAXII 2.1" → discovery URL + key
      operationId: taxiiDiscovery
      responses:
        '200':
          description: TAXII 2.1 discovery resource
          content:
            application/taxii+json;version=2.1:
              schema:
                $ref: '#/components/schemas/TAXIIDiscovery'
              example:
                title: SOC Defenders Threat Intelligence
                description: >-
                  TAXII 2.1 server providing curated threat intelligence from
                  30+ cybersecurity sources.
                contact: support@socdefenders.ai
                default: https://socdefenders.ai/api/taxii2/api/
                api_roots:
                  - https://socdefenders.ai/api/taxii2/api/
      x-codeSamples:
        - lang: cURL
          label: Discovery (no auth required for this endpoint)
          source: |-
            curl "https://socdefenders.ai/api/taxii2/" \
              -H "Accept: application/taxii+json;version=2.1"
components:
  schemas:
    TAXIIDiscovery:
      type: object
      properties:
        title:
          type: string
          example: SOC Defenders TAXII Server
        description:
          type: string
        contact:
          type: string
          format: email
        default:
          type: string
          format: uri
        api_roots:
          type: array
          items:
            type: string
            format: uri

````