SOC Defenders lets you consume threat intelligence in the format that fits your existing stack. Free tier accounts can pull IOCs and articles as JSON or CSV, look up individual indicators, and read aggregated news. Pro accounts unlock industry-standard formats for automated SIEM ingestion, platform integrations, and deployable detection rules — including STIX 2.1, TAXII 2.1, MISP, CEF/Syslog, OpenIOC, and Sigma.

All supported formats

| Format | Tier | Endpoint | Use case |
|---|---|---|---|
| JSON | Free | GET /api/v1/iocs | Flexible REST consumption, custom pipelines |
| CSV | Free | GET /api/v1/iocs?format=csv | Spreadsheet analysis, bulk imports |
| IOC Lookup | Free | GET /api/v1/lookup | Single-value enrichment |
| News Articles | Free | GET /api/v1/articles | Article aggregation, delta polling |
| STIX 2.1 | Pro | GET /api/v1/iocs/stix | Standard threat intel bundles |
| TAXII 2.1 | Pro | GET /api/taxii2/ | Automated SIEM feed polling |
| CEF/Syslog | Pro | GET /api/v1/iocs/cef | Log pipeline / SIEM ingestion |
| MISP | Pro | GET /api/v1/iocs/misp | MISP platform import |
| OpenIOC | Pro | GET /api/v1/iocs/openioc | Mandiant OpenIOC XML |
| Sigma | Pro | GET /api/v1/iocs/sigma | Deployable detection rules |
| Articles NDJSON | Pro | GET /api/v1/articles (bulk) | Bulk news export with cursor pagination |

Pro export formats

The formats below are available on the Pro tier and are designed for automated ingestion and platform integration. Each has a dedicated page with endpoint details, request examples, and filter parameters.

STIX 2.1 and TAXII 2.1

Pull IOC bundles in the OASIS STIX 2.1 standard or configure automated TAXII 2.1 feed polling directly into your SIEM.

MISP

Download current IOCs as a MISP-compatible JSON event for import into your Malware Information Sharing Platform instance.

CEF/Syslog

Stream IOCs as Common Event Format log lines directly into syslog-based SIEM pipelines such as ArcSight and QRadar.

Sigma rules

Generate deployable YAML detection rules for each IOC, ready to convert and import into any Sigma-compatible SIEM.