> ## Documentation Index
> Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Export SOC Defenders IOCs as a MISP event

> Download current IOCs as a MISP-compatible JSON event for import into your Malware Information Sharing Platform instance. Requires Pro.

The SOC Defenders MISP endpoint returns your filtered IOCs packaged as a MISP JSON event. You can import this file directly into any MISP instance using the standard file or URL import flow — no manual attribute creation required.

<Note>
  MISP export requires a Pro subscription. Upgrade at [socdefenders.ai](https://socdefenders.ai).
</Note>

## Endpoint

**`GET /api/v1/iocs/misp`**

The response is a MISP-compatible JSON event containing one attribute per IOC.

## Authentication

Pass your API key as a Bearer token in the `Authorization` header.

## Query parameters

| Parameter    | Type   | Description                                                                                  |
| ------------ | ------ | -------------------------------------------------------------------------------------------- |
| `type`       | string | Filter by IOC type: `ipv4`, `ipv6`, `domain`, `url`, `md5`, `sha1`, `sha256`, `cve`, `email` |
| `since`      | string | ISO 8601 timestamp — return only IOCs added after this date                                  |
| `confidence` | string | `low`, `medium`, or `high`                                                                   |
| `industry`   | string | CISA Critical Infrastructure sector slug                                                     |

## Example request

```bash theme={null}
curl -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/v1/iocs/misp?type=domain&confidence=high" \
  -o soc-defenders-iocs.json
```

## Importing into MISP

<Steps>
  <Step title="Download the MISP event file">
    Run the curl command above to save the MISP JSON event to a local file, or copy the endpoint URL for direct URL import.
  </Step>

  <Step title="Open your MISP instance">
    Navigate to **Sync Actions → Import from file** (or **Import from URL** if you want MISP to fetch directly).
  </Step>

  <Step title="Select the event file">
    Upload the downloaded JSON file, or paste the full endpoint URL including your `Authorization` header if your MISP version supports authenticated URL imports.
  </Step>

  <Step title="Review and publish">
    MISP previews the event attributes before committing. Review the attribute count and types, then click **Publish** to add the event to your instance.
  </Step>
</Steps>

<Tip>
  Use the `since` parameter to pull only new IOCs since your last import. Store the timestamp of each successful import and pass it as `since` in your next request to avoid duplicate attributes.
</Tip>
