The SOC Defenders CEF endpoint returns your filtered IOCs as Common Event Format log lines — one line per indicator. You can pipe the output directly into your syslog daemon or log collector, making it straightforward to ingest threat intelligence into ArcSight, QRadar, Splunk, or any other SIEM with a syslog input.
CEF/Syslog export requires a Pro subscription. Upgrade at socdefenders.ai.
Endpoint
GET /api/v1/iocs/cef
The response body is plain text — one CEF log line per IOC, with no JSON envelope. This makes it suitable for direct piping into standard Unix log utilities.
Authentication
Pass your API key as a Bearer token in the Authorization header.
Query parameters
| Parameter | Type | Description |
|---|---|---|
| type | string | Filter by IOC type: ipv4, ipv6, domain, url, md5, sha1, sha256, cve, email |
| since | string | ISO 8601 timestamp — return only IOCs added after this date |
| confidence | string | low, medium, or high |
| industry | string | CISA Critical Infrastructure sector slug |
Example request
Fetch high-confidence IPv4 indicators and pipe them directly into your local syslog:
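An added example of this request, not SOC Defenders' own snippet: it builds the URL from the documented query parameters, authenticates with the Bearer header, and forwards each returned CEF line to the local syslog daemon with logger(1). The API host is not stated on this page, so SOCDEF_API_HOST (default is a placeholder) and SOCDEF_API_KEY are assumed environment variables; the logger tag and facility are arbitrary choices.

```shell
# Added example, not SOC Defenders' own snippet: fetch high-confidence IPv4
# indicators as CEF and hand each line to the local syslog daemon via logger(1).
# SOCDEF_API_HOST is an assumed environment variable; the real API host is not
# stated on this page, so the default below is a placeholder to replace.
API_HOST="${SOCDEF_API_HOST:-https://REPLACE-WITH-API-HOST}"
API_KEY="${SOCDEF_API_KEY:-}"

# Build the endpoint URL from the documented query parameters.
# Usage: build_cef_url TYPE CONFIDENCE [SINCE]
# SINCE is an ISO 8601 timestamp; prefer the "Z" suffix over a "+hh:mm" offset,
# because a bare "+" in a query string is decoded as a space.
build_cef_url() {
  _url="${API_HOST}/api/v1/iocs/cef?type=$1&confidence=$2"
  if [ -n "${3:-}" ]; then
    _url="${_url}&since=$3"
  fi
  printf '%s\n' "$_url"
}

# Forward one already-formatted CEF line to syslog unchanged, under its own tag
# and facility so rsyslog or the SIEM can route the feed separately.
forward_line() {
  logger -t socdefenders-ti -p local3.info -- "$1"
}

# Fetch and forward. --fail keeps an HTTP error body from being logged as IOCs;
# the grep drops anything that is not a CEF record (blank lines, notices).
fetch_and_forward() {
  _url=$(build_cef_url "$@")
  curl -sS --fail -H "Authorization: Bearer ${API_KEY}" "$_url" \
    | grep '^CEF:' \
    | while IFS= read -r line; do
        forward_line "$line"
      done
}

# Only touch the network when a key has actually been supplied.
if [ -n "$API_KEY" ]; then
  fetch_and_forward ipv4 high
fi
```

Run it from cron with SOCDEF_API_KEY exported from a root-only file rather than typed on the command line. Note that `-H "Authorization: ..."` is visible in the process list while curl runs; on shared hosts put the header in a curl config file with restrictive permissions and pass it with `--config` instead.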
CEF field mapping
Each response line follows the CEF standard format:
| CEF field | Value | Description |
|---|---|---|
| Version | 0 | CEF format version |
| Device Vendor | SOC Defenders | Producer name |
| Device Product | Threat Intelligence | Product identifier |
| Signature ID | IOC type | e.g. ipv4, domain, sha256 |
| Name | Human-readable label | Describes the indicator |
| Severity | 1–10 | Mapped from confidence: low → 3, medium → 6, high → 9 |
| src | IOC value | The raw indicator (IP, domain, hash, etc.) |
| cs1 / cs1Label | Confidence string | low, medium, or high |
| cs2 / cs2Label | Source feed name | e.g. CISA Alerts |
| rt | Unix timestamp (ms) | Time the IOC was ingested |
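An added example, not SOC Defenders' code, of reading one of these lines back out with the POSIX tools already in the pipeline (awk, sed, cut), and of checking the documented severity/confidence mapping before a record is trusted downstream. The sample line is constructed for illustration; its Device Version field ("1.0") is an assumption, because the standard CEF header carries that field even though the table above does not list it, so the field positions below assume the standard seven-field header and need adjusting if the feed omits it.

```shell
# Added example (not SOC Defenders code): parse one CEF line from the feed and
# cross-check the documented severity <-> confidence mapping before forwarding.
# Needs only POSIX sh + awk/sed/cut; no network access.

# Constructed sample line in the documented layout. The Device Version field
# ("1.0") is an assumption: the standard CEF header carries one even though the
# mapping table above does not list it.
SAMPLE_LINE='CEF:0|SOC Defenders|Threat Intelligence|1.0|ipv4|Malicious IPv4 indicator|9|src=203.0.113.45 cs1Label=confidence cs1=high cs2Label=source cs2=CISA Alerts rt=1700000000000'

# Header field N (1-based) of a CEF line, split on the literal '|' separator.
# Positions: 1 CEF:Version, 2 Device Vendor, 3 Device Product, 4 Device Version,
# 5 Signature ID, 6 Name, 7 Severity. Escaped pipes (\|) are not handled.
cef_header_field() {
  printf '%s\n' "$1" | awk -F'|' -v n="$2" '{ print $n }'
}

# CEF format version ("0" for the current standard).
cef_version() {
  cef_header_field "$1" 1 | sed 's/^CEF://'
}

# Value of an extension key (src, cs1, rt, ...). The extension is everything
# after the 7th '|'; a value runs until the next " key=" token. Backslash
# escapes (\= \\) inside values are not unescaped here.
cef_ext_value() {
  _ext=$(printf '%s\n' "$1" | cut -d'|' -f8-)
  printf ' %s\n' "$_ext" \
    | sed -n "s/.* $2=//p" \
    | sed 's/ [A-Za-z0-9]*=.*$//'
}

# Documented mapping: low -> 3, medium -> 6, high -> 9. Anything else -> 0.
confidence_to_severity() {
  case "$1" in
    low)    echo 3 ;;
    medium) echo 6 ;;
    high)   echo 9 ;;
    *)      echo 0 ;;
  esac
}

# Sanity check: the Severity header field must agree with cs1 (confidence).
cef_severity_matches_confidence() {
  _sev=$(cef_header_field "$1" 7)
  _conf=$(cef_ext_value "$1" cs1)
  [ "$_sev" = "$(confidence_to_severity "$_conf")" ]
}

# rt is epoch milliseconds; convert to seconds for date(1) or SIEM timestamps.
cef_rt_seconds() {
  _rt=$(cef_ext_value "$1" rt)
  [ -n "$_rt" ] || _rt=0
  echo $(( _rt / 1000 ))
}

# Tab-separated summary for grep/awk triage: type, value, confidence, feed.
cef_summary() {
  printf '%s\t%s\t%s\t%s\n' \
    "$(cef_header_field "$1" 5)" "$(cef_ext_value "$1" src)" \
    "$(cef_ext_value "$1" cs1)" "$(cef_ext_value "$1" cs2)"
}

if cef_severity_matches_confidence "$SAMPLE_LINE"; then
  cef_summary "$SAMPLE_LINE"
else
  echo "severity/confidence mismatch: $SAMPLE_LINE" >&2
fi
```

Dropping a record whose Severity disagrees with cs1 is a cheap way to catch a truncated or tampered line before it drives a SIEM rule; the same functions can be run over a captured syslog file to confirm that your collector preserved the extension fields intact.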