CEF/Syslog export requires a Pro subscription. Upgrade at socdefenders.ai.
Endpoint
GET /api/v1/iocs/cef
The response body is plain text — one CEF log line per IOC, with no JSON envelope. This makes it suitable for direct piping into standard Unix log utilities.
Authentication
Pass your API key as a Bearer token in the Authorization header.
Query parameters
| Parameter | Type | Description |
|---|---|---|
| type | string | Filter by IOC type: ipv4, ipv6, domain, url, md5, sha1, sha256, cve, email |
| since | string | ISO 8601 timestamp — return only IOCs added after this date |
| confidence | string | low, medium, or high |
| industry | string | CISA Critical Infrastructure sector slug |
Example request
Fetch high-confidence IPv4 indicators and pipe them directly into your local syslog:
CEF field mapping
Each response line follows the CEF standard format:
| CEF field | Value | Description |
|---|---|---|
| Version | 0 | CEF format version |
| Device Vendor | SOC Defenders | Producer name |
| Device Product | Threat Intelligence | Product identifier |
| Signature ID | IOC type | e.g. ipv4, domain, sha256 |
| Name | Human-readable label | Describes the indicator |
| Severity | 1–10 | Mapped from confidence: low → 3, medium → 6, high → 9 |
| src | IOC value | The raw indicator (IP, domain, hash, etc.) |
| cs1 / cs1Label | Confidence string | low, medium, or high |
| cs2 / cs2Label | Source feed name | e.g. CISA Alerts |
| rt | Unix timestamp (ms) | Time the IOC was ingested |
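Before forwarding feed output into syslog, it is worth parsing each line against the mapping above and checking that Severity agrees with the cs1 confidence. The parser below is an added example, not code from SOC Defenders; it honours the CEF `\|` and `\=` escapes, and the sample lines are constructed (the Device Version value "1.0" is a placeholder, since that standard CEF header field is not listed in the table).

```python
import re

# CEF header fields in order. Device Version is a standard CEF header field the
# page's table does not list; the "1.0" in the samples below is a placeholder.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
CONFIDENCE_TO_SEVERITY = {"low": 3, "medium": 6, "high": 9}  # from the mapping table

SAMPLE_LINES = [  # constructed sample feed output; documentation-range values, not real IOCs
    "CEF:0|SOC Defenders|Threat Intelligence|1.0|ipv4|Known C2 address|9|"
    "src=192.0.2.10 cs1=high cs1Label=Confidence cs2=CISA Alerts cs2Label=Source rt=1700000000000",
    "CEF:0|SOC Defenders|Threat Intelligence|1.0|domain|Phishing domain|6|"
    "src=phish.example cs1=medium cs1Label=Confidence cs2=Internal cs2Label=Source rt=1700000060000",
]

def _split_header(text, count):
    """Split the first `count` pipe-delimited header fields, honouring \\| and \\\\ escapes."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped character: keep it literally
            buf.append(text[i + 1])
            i += 1
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, text[i:]  # remainder is the raw extension

def parse_extension(ext):
    """Parse 'key=value key2=value ...'; values may contain spaces and \\= escapes."""
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    out = {}
    for k, m in enumerate(keys):
        end = keys[k + 1].start() if k + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_cef_line(line):
    """Return a dict of header fields plus an 'extension' dict; raise on malformed input."""
    fields, ext = _split_header(line[4:], len(HEADER_FIELDS))
    if not line.startswith("CEF:") or len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF line")
    record = dict(zip(HEADER_FIELDS, fields))
    record["severity"] = int(record["severity"])
    record["extension"] = parse_extension(ext)
    return record

def severity_matches_confidence(record):
    """Sanity check: Severity must agree with the cs1 confidence per the mapping table."""
    return CONFIDENCE_TO_SEVERITY.get(record["extension"].get("cs1")) == record["severity"]
```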