# Export threat intel in STIX 2.1 and TAXII 2.1

> Pull IOCs as STIX 2.1 indicator bundles or configure automated TAXII 2.1 feed polling for your SIEM. Both formats require a Pro subscription.

SOC Defenders supports two complementary standards for structured threat intelligence sharing. The STIX 2.1 endpoint returns a point-in-time bundle of indicators you can download on demand. The TAXII 2.1 server exposes the same data as a live feed your SIEM can poll automatically — no custom scripts required.

<Note>
  Both STIX 2.1 and TAXII 2.1 require a Pro subscription. Upgrade at [socdefenders.ai](https://socdefenders.ai).
</Note>

## STIX 2.1 export

The STIX endpoint returns a valid STIX 2.1 bundle containing `indicator` objects for each IOC and a single `identity` object representing SOC Defenders as the producer.

**Endpoint:** `GET /api/v1/iocs/stix`

### Authentication

Pass your API key as a Bearer token in the `Authorization` header.

### Query parameters

The STIX endpoint accepts the same filter parameters as `GET /api/v1/iocs`:

| Parameter    | Type   | Description                                                                                  |
| ------------ | ------ | -------------------------------------------------------------------------------------------- |
| `type`       | string | Filter by IOC type: `ipv4`, `ipv6`, `domain`, `url`, `md5`, `sha1`, `sha256`, `cve`, `email` |
| `since`      | string | ISO 8601 timestamp — return only IOCs added after this date                                  |
| `industry`   | string | CISA Critical Infrastructure sector slug                                                     |
| `confidence` | string | `low`, `medium`, or `high`                                                                   |

### Example request

```bash
curl -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/v1/iocs/stix?type=ipv4&confidence=high"
```

### Response structure

The response is a STIX 2.1 bundle. Each IOC appears as an `indicator` object inside the `objects` array.

```json
{
  "type": "bundle",
  "spec_version": "2.1",
  "id": "bundle--a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "objects": [
    {
      "type": "identity",
      "spec_version": "2.1",
      "id": "identity--socdefenders",
      "name": "SOC Defenders",
      "identity_class": "organization"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f1e2d3c4-b5a6-7890-abcd-ef0987654321",
      "created": "2026-05-17T00:00:00.000Z",
      "modified": "2026-05-17T00:00:00.000Z",
      "name": "Malicious IPv4: 203.0.113.42",
      "pattern": "[ipv4-addr:value = '203.0.113.42']",
      "pattern_type": "stix",
      "valid_from": "2026-05-17T00:00:00.000Z",
      "indicator_types": ["malicious-activity"],
      "confidence": 85
    }
  ]
}
```
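To show how a consumer might turn this bundle into rows for a blocklist or SIEM lookup table, here is an added example (not SOC Defenders code). The function name, the numeric `min_confidence` threshold, and the two extra indicators in the sample are assumptions made for illustration; only single-comparison patterns of the form shown above are parsed, and anything else is reported rather than silently dropped.

```python
import ipaddress
import json
import re

# Constructed sample: the indicator shown above plus two made-up ones that
# exercise the confidence filter and the compound-pattern skip path.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "identity", "id": "identity--socdefenders", "name": "SOC Defenders"},
    {"type": "indicator", "id": "indicator--f1e2d3c4-b5a6-7890-abcd-ef0987654321",
     "pattern": "[ipv4-addr:value = '203.0.113.42']", "pattern_type": "stix",
     "confidence": 85},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[domain-name:value = 'low.example']", "pattern_type": "stix",
     "confidence": 20},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']",
     "pattern_type": "stix", "confidence": 90},
]})

# Only the single-comparison form shown on the page: [type:path = 'value']
SIMPLE = re.compile(r"^\[([a-z0-9-]+):([\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\]$")


def extract_indicators(bundle_text, min_confidence=0):
    """Return (rows, skipped_ids) for indicators at or above min_confidence."""
    bundle = json.loads(bundle_text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    rows, skipped = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        # confidence is optional in STIX; a missing value counts as 0 here
        if obj.get("confidence", 0) < min_confidence or obj.get("revoked"):
            continue
        m = SIMPLE.match(obj.get("pattern", ""))
        if not m:
            skipped.append(obj["id"])  # compound pattern: needs a full parser
            continue
        sco_type, path = m.group(1), m.group(2)
        value = re.sub(r"\\(.)", r"\1", m.group(3))  # undo STIX string escapes
        if sco_type in ("ipv4-addr", "ipv6-addr"):
            try:
                ipaddress.ip_network(value, strict=False)  # plain address or CIDR
            except ValueError:
                skipped.append(obj["id"])  # never push a malformed address downstream
                continue
        rows.append({"id": obj["id"], "type": sco_type, "path": path,
                     "value": value, "confidence": obj.get("confidence")})
    return rows, skipped
```

Review the returned `skipped` list instead of discarding it: an indicator that never reaches the blocklist is a detection gap.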

***

## TAXII 2.1 server

The SOC Defenders TAXII 2.1 server lets your SIEM poll for new threat intelligence automatically using the standard TAXII protocol. Configure it once and your SIEM fetches updates on its own schedule.

**Discovery endpoint:** `GET /api/taxii2/`

**API root:** `https://www.socdefenders.ai/api/taxii2/api/`

### Authentication

Pass your API key as the password in HTTP Basic Auth, or use an `Authorization: Bearer` header — both are accepted.

```bash
curl -u "your_email@example.com:sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/taxii2/"
```

### TAXII endpoints

| Endpoint                                        | Description                                                              |
| ----------------------------------------------- | ------------------------------------------------------------------------ |
| `GET /api/taxii2/`                              | Server discovery — returns API roots and server metadata                 |
| `GET /api/taxii2/api/collections/`              | List available collections (all IOCs, IPs only, hashes only, CVEs, etc.) |
| `GET /api/taxii2/api/collections/{id}/objects/` | Paginated STIX objects from a specific collection                        |

### Discovery response

Calling the discovery endpoint returns the server title, description, and available API roots:

```json
{
  "title": "SOC Defenders TAXII 2.1 Server",
  "description": "Aggregated threat intelligence from 30+ cybersecurity sources",
  "contact": "support@socdefenders.ai",
  "api_roots": [
    "https://www.socdefenders.ai/api/taxii2/api/"
  ]
}
```

### Fetching objects from a collection

Once you have a collection ID from the `/collections/` endpoint, retrieve its STIX objects:

```bash
curl -u "your_email@example.com:sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/taxii2/api/collections/all-iocs/objects/?limit=100"
```

The response returns a standard TAXII envelope containing STIX objects, with `next` cursor values for pagination.
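For environments where the SIEM has no native TAXII client, the cursor walk described above can be done by hand. This is an added example, not SOC Defenders code: the function names are hypothetical, `more` is the standard TAXII 2.1 envelope flag (the page itself only mentions `next`), and passing the cursor back as a `next` query parameter follows the TAXII 2.1 specification.

```python
import json
import urllib.request
from urllib.parse import urlencode

# URL taken from the curl example above; "all-iocs" is the collection used there.
OBJECTS_URL = "https://socdefenders.ai/api/taxii2/api/collections/all-iocs/objects/"


def http_fetch(url, api_key):
    """Fetch one envelope with the Bearer scheme the page says is accepted."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {api_key}",
        "Accept": "application/taxii+json;version=2.1",  # TAXII 2.1 media type
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def drain_collection(fetch_page, limit=100, max_pages=1000):
    """Follow `next` cursors until the server stops returning one.

    fetch_page(url) must return the parsed envelope as a dict.
    """
    objects, seen, used_cursors, cursor = [], set(), set(), None
    for _ in range(max_pages):
        params = {"limit": limit}
        if cursor is not None:
            params["next"] = cursor
        envelope = fetch_page(f"{OBJECTS_URL}?{urlencode(params)}")
        for obj in envelope.get("objects", []):
            key = (obj.get("id"), obj.get("modified"))
            if key not in seen:  # pages can overlap; keep one copy per version
                seen.add(key)
                objects.append(obj)
        cursor = envelope.get("next")
        # An absent cursor or an explicit more=false ends the walk
        if not cursor or envelope.get("more") is False:
            return objects
        if cursor in used_cursors:
            raise RuntimeError(f"cursor {cursor!r} repeated; aborting to avoid a loop")
        used_cursors.add(cursor)
    raise RuntimeError("max_pages reached before the feed was drained")
```

Against the live server, call it as `drain_collection(lambda url: http_fetch(url, api_key))` with the key read from a secrets store rather than hard-coded.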
