> ## Documentation Index
> Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Stream IOCs via CEF and Syslog to your log pipeline

> Use the SOC Defenders CEF endpoint to stream threat indicators in Common Event Format directly into your SIEM's log ingestion pipeline. Requires Pro.

The SOC Defenders CEF endpoint returns your filtered IOCs as Common Event Format log lines — one line per indicator. You can pipe the output directly into your syslog daemon or log collector, making it straightforward to ingest threat intelligence into ArcSight, QRadar, Splunk, or any other SIEM with a syslog input.

<Note>
  CEF/Syslog export requires a Pro subscription. Upgrade at [socdefenders.ai](https://socdefenders.ai).
</Note>

## Endpoint

**`GET /api/v1/iocs/cef`**

The response body is plain text — one CEF log line per IOC, with no JSON envelope. This makes it suitable for direct piping into standard Unix log utilities.

## Authentication

Pass your API key as a Bearer token in the `Authorization` header.

## Query parameters

| Parameter    | Type   | Description                                                                                  |
| ------------ | ------ | -------------------------------------------------------------------------------------------- |
| `type`       | string | Filter by IOC type: `ipv4`, `ipv6`, `domain`, `url`, `md5`, `sha1`, `sha256`, `cve`, `email` |
| `since`      | string | ISO 8601 timestamp — return only IOCs added after this date                                  |
| `confidence` | string | `low`, `medium`, or `high`                                                                   |
| `industry`   | string | CISA Critical Infrastructure sector slug                                                     |

## Example request

Fetch high-confidence IPv4 indicators and pipe them directly into your local syslog:

```bash theme={null}
# --fail (-f) makes curl emit nothing on a 4xx/5xx response, so an error body
# is never logged as an indicator; -S keeps curl's own error message on stderr
curl -sS --fail -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/v1/iocs/cef?type=ipv4&confidence=high" \
  | logger -p security.warning -t SOCDefenders
```

To write to a file instead:

```bash theme={null}
# --fail keeps a failed request (expired key, outage) from appending an error body
# to the CEF file; curl exits 22 instead and writes nothing
curl -sS --fail -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/v1/iocs/cef?since=2026-05-16T00:00:00Z" \
  >> /var/log/soc-defenders-iocs.cef
```
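The one-shot commands above re-fetch the whole filtered feed on every run, and with `-s` alone a 401 body would land in the log. The following script is an added example, not SOC Defenders' own code: it keeps a `since` high-water mark in a small JSON state file, refuses any non-200 response, appends only lines that start with `CEF:`, and advances the mark from the newest `rt`. The state-file layout, the injectable `fetch` callable (so the demo runs offline) and the feed lines inside `run_demo()` are this example's own assumptions; the endpoint, the query parameters, the `since` format and `rt` as epoch milliseconds follow the tables on this page.

```python
"""Incremental pull of the CEF feed with a persisted 'since' mark.

Added example, not SOC Defenders' own code. It uses the endpoint and query
parameters documented above; the JSON state file, the injectable fetch
callable and the in-memory demo feed are this example's own assumptions.
"""
import json
import os
import re
import tempfile
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, List, Optional, Tuple

ENDPOINT = "https://socdefenders.ai/api/v1/iocs/cef"
ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the since format the docs use
_RT = re.compile(r"(?:^|\s)rt=(\d+)")


def http_fetch(url: str, api_key: str) -> Tuple[int, str]:
    """Return (status, body); a 401/403 body comes back as data so pull() can refuse it."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def build_url(since: Optional[str], **filters: Optional[str]) -> str:
    """Compose the query string from type/confidence/industry filters plus since."""
    params = {k: v for k, v in filters.items() if v}
    if since:
        params["since"] = since
    return ENDPOINT + ("?" + urllib.parse.urlencode(params) if params else "")


def rt_ms(line: str) -> int:
    # Epoch-millisecond rt of a CEF line, or -1 if the extension has none.
    m = _RT.search(line)
    return int(m.group(1)) if m else -1


def pull(state_path: str, out_path: str, api_key: str,
         fetch: Callable[[str, str], Tuple[int, str]] = http_fetch,
         **filters: Optional[str]) -> List[str]:
    """Fetch IOCs newer than the stored mark, append them to out_path, advance the mark."""
    state_file = Path(state_path)
    state = json.loads(state_file.read_text()) if state_file.exists() else {}
    status, body = fetch(build_url(state.get("since"), **filters), api_key)
    if status != 200:
        # An error body is not CEF; appending it would poison the SIEM input.
        raise RuntimeError(f"feed returned HTTP {status}: {body[:200]!r}")
    new_lines = [ln for ln in body.splitlines() if ln.startswith("CEF:")]
    if new_lines:
        with open(out_path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(new_lines) + "\n")
        newest_ms = max(map(rt_ms, new_lines))
        if newest_ms >= 0:
            # Floor to whole seconds: a repeated line on the next poll is safer than a gap.
            state["since"] = datetime.fromtimestamp(newest_ms // 1000, tz=timezone.utc).strftime(ISO_FMT)
            state_file.write_text(json.dumps(state))
    return new_lines


def run_demo() -> dict:
    """Two polls against a constructed in-memory feed, then one with a bad key (no network)."""
    feed = [  # constructed sample lines, not real indicators
        "CEF:0|SOC Defenders|Threat Intelligence|1.0|ipv4|Malicious IPv4 Indicator|9|src=203.0.113.42 cs1=high cs1Label=confidence cs2=CISA Alerts cs2Label=source rt=1747440000000",
        "CEF:0|SOC Defenders|Threat Intelligence|1.0|domain|Malicious Domain Indicator|6|src=malware.example cs1=medium cs1Label=confidence cs2=Example Feed cs2Label=source rt=1747443600000",
    ]
    urls: List[str] = []

    def fake_fetch(url: str, api_key: str) -> Tuple[int, str]:
        urls.append(url)
        if api_key != "sk_live_demo":
            return 401, '{"error": "invalid API key"}'
        since = urllib.parse.parse_qs(urllib.parse.urlparse(url).query).get("since", [None])[0]
        cutoff = datetime.strptime(since, ISO_FMT).replace(tzinfo=timezone.utc).timestamp() * 1000 if since else -1
        body = "\n".join(ln for ln in feed if rt_ms(ln) > cutoff)
        return 200, (body + "\n" if body else "")

    with tempfile.TemporaryDirectory() as tmp:
        state, out = os.path.join(tmp, "state.json"), os.path.join(tmp, "iocs.cef")
        first = pull(state, out, "sk_live_demo", fetch=fake_fetch)
        second = pull(state, out, "sk_live_demo", fetch=fake_fetch)
        try:
            pull(state, out, "sk_live_wrong", fetch=fake_fetch)
            rejected = False
        except RuntimeError:
            rejected = True
        return {
            "first": len(first), "second": len(second),
            "written": len(Path(out).read_text().splitlines()),
            "since": json.loads(Path(state).read_text())["since"],
            "bad_key_rejected": rejected, "urls": urls,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it as-is to see the offline demo. For production, call `pull("/var/lib/socdef/state.json", "/var/log/soc-defenders-iocs.cef", os.environ["SOCDEF_API_KEY"], type="ipv4", confidence="high")` from a cron job or systemd timer (the paths and variable name are this example's) and point your syslog agent at the output file. Because `since` is floored to whole seconds, an IOC ingested in the same second as the newest one may be returned again on the next poll; let the SIEM deduplicate on `src` rather than risk a gap.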

## CEF field mapping

Each response line follows the CEF standard format:

```
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
```

A sample line for a malicious IPv4 indicator looks like this:

```
CEF:0|SOC Defenders|Threat Intelligence|1.0|ipv4|Malicious IPv4 Indicator|9|src=203.0.113.42 cs1=high cs1Label=confidence cs2=CISA Alerts cs2Label=source rt=1747440000000
```

| CEF field          | Value                 | Description                                                 |
| ------------------ | --------------------- | ----------------------------------------------------------- |
| `Version`          | `0`                   | CEF format version                                          |
| `Device Vendor`    | `SOC Defenders`       | Producer name                                               |
| `Device Product`   | `Threat Intelligence` | Product identifier                                          |
| `Device Version`   | `1.0`                 | Feed format version, as in the sample line above            |
| `Signature ID`     | IOC type              | e.g. `ipv4`, `domain`, `sha256`                             |
| `Name`             | Human-readable label  | Describes the indicator                                     |
| `Severity`         | `1`–`10`              | Mapped from confidence: `low` → 3, `medium` → 6, `high` → 9 |
| `src`              | IOC value             | The raw indicator (IP, domain, hash, etc.)                  |
| `cs1` / `cs1Label` | Confidence string     | `low`, `medium`, or `high`                                  |
| `cs2` / `cs2Label` | Source feed name      | e.g. `CISA Alerts`                                          |
| `rt`               | Unix timestamp (ms)   | Time the IOC was ingested                                   |

Two things to check on the consuming side. First, CEF defines `src` (sourceAddress) as an IP-typed field, but domain, URL and hash indicators are delivered in `src` as well; if your SIEM's CEF parser enforces the type, map `src` to a string field for any `Signature ID` other than `ipv4` or `ipv6`. Second, CEF requires `=` and `\` inside extension values to be escaped as `\=` and `\\`, which matters for `url` indicators whose query strings contain `=`; inspect a few `type=url` lines before trusting a parser that splits on bare `=`.
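As an added example (not SOC Defenders' code), here is a small consumer-side parser that applies the mapping above: it splits the header on unescaped `|`, resolves `csNLabel` pairs into named fields, checks that `Severity` agrees with the documented confidence mapping and that `ipv4`/`ipv6` values actually parse as addresses, so a malformed or inconsistent line can be dropped before it reaches the SIEM. The three sample lines are constructed for the example; the URL line assumes the `=` in its query string is escaped as `\=`, which is what CEF requires of extension values.

```python
"""Parse and sanity-check SOC Defenders CEF lines before they reach the SIEM.

Added example, not SOC Defenders' own code. It implements the layout documented
above (seven header fields split on '|', csN/csNLabel pairs, severity derived
from confidence, rt in epoch milliseconds). The sample lines are constructed.
"""
import ipaddress
import re
from typing import Dict, List

SEVERITY_FOR_CONFIDENCE = {"low": 3, "medium": 6, "high": 9}  # per the mapping table

# An extension key starts at the beginning or after whitespace and is directly
# followed by '='; '?id=1' inside a URL value therefore does not start a key.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_ESCAPE = re.compile(r"\\(.)")


def _unescape(text: str) -> str:
    """Undo CEF escaping: backslash-pipe, backslash-equals and double backslash give the literal char."""
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def _split_header(line: str) -> List[str]:
    """Return the seven header fields plus the raw extension, splitting on unescaped '|'."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # keep the escape pair for _unescape
            cur.append(line[i:i + 2])
            i += 2
        elif ch == "|":
            fields.append(_unescape("".join(cur)))
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError(f"not a CEF line ({len(fields)} header fields): {line!r}")
    return fields + [line[i:]]


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k=v k2=v with spaces' into a dict, honouring escaped '=' in values."""
    keys = list(_EXT_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Flatten one CEF line; each csN/csNLabel pair becomes rec[label] = value."""
    version, vendor, product, dev_version, sig_id, name, severity, ext = _split_header(line.rstrip("\r\n"))
    if not version.startswith("CEF:"):
        raise ValueError("missing CEF: prefix")
    fields = parse_extension(ext)
    rec: Dict[str, object] = {
        "cef_version": version[4:], "vendor": vendor, "product": product,
        "device_version": dev_version, "ioc_type": sig_id, "name": name,
        "severity": int(severity), "value": fields.get("src"),
        "rt": int(fields["rt"]) if "rt" in fields else None,
    }
    for key, label in fields.items():
        if key.endswith("Label") and key[:-5] in fields:
            rec[label] = fields[key[:-5]]
    return rec


def check_record(rec: Dict[str, object]) -> List[str]:
    """Consistency problems worth rejecting a line for; an empty list means forward it."""
    problems: List[str] = []
    conf = rec.get("confidence")
    expected = SEVERITY_FOR_CONFIDENCE.get(conf)
    if expected is None:
        problems.append(f"unknown confidence {conf!r}")
    elif rec["severity"] != expected:
        problems.append(f"severity {rec['severity']} does not match confidence {conf!r} (expected {expected})")
    if rec["ioc_type"] in ("ipv4", "ipv6"):
        try:
            if ipaddress.ip_address(rec["value"]).version != (4 if rec["ioc_type"] == "ipv4" else 6):
                problems.append(f"src {rec['value']!r} is not an {rec['ioc_type']} address")
        except ValueError:
            problems.append(f"src {rec['value']!r} is not a valid IP address")
    if rec["rt"] is None:
        problems.append("missing rt timestamp")
    return problems


# Constructed samples: the docs' example line, a URL with an escaped '=', and a
# line whose severity disagrees with its confidence.
SAMPLE_LINES = [
    r"CEF:0|SOC Defenders|Threat Intelligence|1.0|ipv4|Malicious IPv4 Indicator|9|src=203.0.113.42 cs1=high cs1Label=confidence cs2=CISA Alerts cs2Label=source rt=1747440000000",
    r"CEF:0|SOC Defenders|Threat Intelligence|1.0|url|Malicious URL Indicator|6|src=http://198.51.100.7/login.php?id\=1 cs1=medium cs1Label=confidence cs2=Example Feed cs2Label=source rt=1747443600000",
    r"CEF:0|SOC Defenders|Threat Intelligence|1.0|ipv4|Malicious IPv4 Indicator|7|src=203.0.113.42 cs1=high cs1Label=confidence cs2=CISA Alerts cs2Label=source rt=1747440000000",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_cef(line)
        print(rec["ioc_type"], rec["value"], check_record(rec) or "OK")
```

Feed it the raw endpoint output line by line (for example, the `.cef` file written above) and forward only records for which `check_record()` returns an empty list; the third sample is rejected because its `Severity` of 7 contradicts `cs1=high`.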
