
SOC Defenders aggregates threat indicators from 30+ cybersecurity sources and makes them available through multiple integration methods so you can get IOCs into your SIEM without building a custom pipeline from scratch. Whether you prefer polling a REST API on a schedule, using the native TAXII 2.1 protocol your SIEM already understands, or streaming events over a syslog pipeline, there is an approach that fits your existing stack.

Integration approaches

SOC Defenders supports three primary methods for delivering threat intelligence to your SIEM.

REST API polling (JSON or CSV)

Available on the Free and Pro tiers, the REST API is the most flexible option. You poll GET /api/v1/iocs on a schedule — every 15 minutes is recommended for Free accounts, while Pro accounts can poll continuously. The API returns paginated JSON or CSV that you can parse and forward to your SIEM using a scripted input, Azure Logic App, or any HTTP-capable automation tool.

```bash
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://socdefenders.ai/api/v1/iocs?type=ipv4&limit=100"
```

Use REST when you need custom field mapping, want to filter IOCs before ingestion, or are building a bespoke pipeline.

TAXII 2.1 (Pro)

TAXII 2.1 is the industry-standard protocol for threat intelligence feed distribution. SOC Defenders exposes a TAXII server at https://www.socdefenders.ai/api/taxii2/ that your SIEM’s native threat intelligence connector can poll automatically. Collections are organized by IOC type (all IOCs, IPs only, hashes only, CVEs), and indicators are delivered as STIX 2.1 objects. Use TAXII when your SIEM has a built-in threat intelligence module — Splunk Enterprise Security and Microsoft Sentinel both have native TAXII connectors — and you want zero-maintenance feed ingestion.
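The polling loop a SIEM connector runs against a TAXII 2.1 collection, as an added example that is not SOC Defenders' own code. Only the API root URL comes from this page; the collection id, API key, STIX objects and the in-memory transport that stands in for HTTP are constructed so the example runs offline, and the Bearer authorization scheme is an assumption (the TAXII format guide below defines the real one). The endpoint path, the `added_after` parameter, the `more`/`next` cursor and the `X-TAXII-Date-Added-Last` header are from the TAXII 2.1 specification. The same watermark-plus-cursor pattern applies to scheduled REST polling.

```python
"""TAXII 2.1 polling client (added example; not SOC Defenders' own code).

Only TAXII_ROOT comes from the page. Collection id, API key, STIX objects and
the fake transport are constructed sample data so this runs offline.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

TAXII_ROOT = "https://www.socdefenders.ai/api/taxii2/"   # API root from the page
TAXII_MEDIA = "application/taxii+json;version=2.1"       # TAXII 2.1 media type

# transport(url, headers, params) -> (json_body, response_headers)
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Tuple[dict, Dict[str, str]]]

# Single-comparison STIX 2.1 pattern, e.g. [ipv4-addr:value = '203.0.113.5']
# or [file:hashes.'SHA-256' = '...'].
_SIMPLE_PATTERN = re.compile(
    r"\[(?P<obj>[a-z0-9-]+):(?P<prop>[A-Za-z0-9_.'\"-]+)\s*=\s*'(?P<val>[^']*)'\]"
)


def parse_simple_pattern(pattern: str) -> Optional[Tuple[str, str, str]]:
    """Return (observable type, property, value), or None for compound patterns
    (AND/OR/FOLLOWEDBY), which a pipeline should route to review, not drop silently."""
    m = _SIMPLE_PATTERN.fullmatch(pattern.strip())
    return (m.group("obj"), m.group("prop"), m.group("val")) if m else None


def indicators_to_iocs(objects: List[dict]) -> List[dict]:
    """Keep non-revoked indicators whose pattern is a single comparison."""
    iocs = []
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        parsed = parse_simple_pattern(obj.get("pattern", ""))
        if parsed is None:
            continue
        otype, prop, value = parsed
        iocs.append({"id": obj["id"], "ioc_type": otype, "property": prop,
                     "value": value, "valid_from": obj.get("valid_from")})
    return iocs


def poll_collection(transport: Transport, api_key: str, collection_id: str,
                    added_after: Optional[str] = None) -> Tuple[List[dict], Optional[str]]:
    """Fetch objects added after the watermark, following `next` cursors.

    Returns (iocs, new_watermark). Persist the watermark between runs so each
    poll pulls only new objects; X-TAXII-Date-Added-Last is the spec's value for it."""
    url = f"{TAXII_ROOT}collections/{collection_id}/objects/"
    # Bearer is an assumption here; see the TAXII format guide for the real scheme.
    headers = {"Accept": TAXII_MEDIA, "Authorization": f"Bearer {api_key}"}
    params: Dict[str, str] = {"added_after": added_after} if added_after else {}
    iocs: List[dict] = []
    watermark = added_after
    while True:
        envelope, resp_headers = transport(url, headers, params)
        iocs.extend(indicators_to_iocs(envelope.get("objects", [])))
        watermark = resp_headers.get("X-TAXII-Date-Added-Last", watermark)
        if envelope.get("more") and envelope.get("next"):
            params = {**params, "next": envelope["next"]}   # cursor to the next page
            continue
        return iocs, watermark


# ---- constructed sample server responses (not real feed content) ----
_PAGES = {
    None: ({"more": True, "next": "page-2", "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[ipv4-addr:value = '203.0.113.5']", "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000002"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[ipv4-addr:value = '198.51.100.9'] AND [domain-name:value = 'example.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[ipv4-addr:value = '192.0.2.77']", "revoked": True},
    ]}, {"X-TAXII-Date-Added-Last": "2024-01-01T00:00:10Z"}),
    "page-2": ({"more": False, "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    ]}, {"X-TAXII-Date-Added-Last": "2024-01-01T00:00:20Z"}),
}


def fake_transport(url: str, headers: Dict[str, str], params: Dict[str, str]):
    """Stands in for HTTP: serves the constructed pages keyed by the `next` cursor."""
    assert headers["Accept"] == TAXII_MEDIA
    return _PAGES[params.get("next")]


def run_demo() -> Tuple[List[dict], Optional[str]]:
    return poll_collection(fake_transport, "API_KEY_PLACEHOLDER", "collection-id-placeholder")


if __name__ == "__main__":
    found, next_watermark = run_demo()
    for ioc in found:
        print(ioc["ioc_type"], ioc["property"], ioc["value"])
    print("store as added_after for the next poll:", next_watermark)
```

Of the five objects served, only two become IOCs: the malware SDO is not an indicator, the compound pattern is deliberately returned to the caller as None rather than half-parsed, and the revoked indicator is skipped. A real run replaces `fake_transport` with an HTTP call that returns the parsed body and response headers.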

CEF/Syslog (Pro)

The GET /api/v1/iocs/cef endpoint returns IOCs in Common Event Format, ready for ingestion through any syslog-based log pipeline. Use CEF/Syslog when your organization already routes security events through a syslog forwarder and wants to treat threat indicators as another log source.
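Before treating the CEF endpoint as a log source it is worth knowing what a correct CEF parser has to handle: pipes and backslashes escaped in the seven header fields, and `\=`, `\\`, `\n` and `\r` escaped inside extension values. The parser below is an added example, not SOC Defenders' code; the vendor, product and signature id strings in the sample lines are constructed, since the page does not show the feed's actual CEF values.

```python
"""CEF line parser for syslog ingestion (added example; not SOC Defenders' code).

Header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|ext
Header fields escape '|' as '\\|' and '\\' as '\\\\'; extension values escape
'=' as '\\=', '\\' as '\\\\', and newlines as '\\n' / '\\r' (ArcSight CEF rules).
"""
import re
from typing import Dict, List, Tuple

_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity")
# A key is an identifier at line start or after whitespace, followed by an
# unescaped '='. Escaped '\=' inside values never matches because '\' is not
# in the key character class.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.-]+)=")


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, honouring '\\|' and '\\\\'."""
    fields, cur, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):       # escaped char: take it literally
            cur.append(line[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:                  # everything after the 7th pipe is extension
                return fields, line[i + 1:]
            i += 1
            continue
        cur.append(c)
        i += 1
    fields.append("".join(cur))                   # no extension present
    return fields, ""


def _unescape_value(raw: str) -> str:
    out, i = [], 0
    escapes = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] in escapes:
            out.append(escapes[raw[i + 1]])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Values may contain spaces, so each value runs up to the next unescaped key."""
    out: Dict[str, str] = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_value(ext[m.end():end].strip())
    return out


def parse_cef_line(line: str) -> dict:
    """Parse one CEF record; raises ValueError on anything that is not CEF."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, ext = _split_header(line[len("CEF:"):])
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 fields")
    record = dict(zip(_HEADER_FIELDS, fields))
    # Severity is 0-10 numerically, but Low/Medium/High/Very-High are also legal.
    record["severity"] = int(fields[6]) if fields[6].isdigit() else fields[6]
    record["extension"] = _parse_extension(ext)
    return record


def parse_feed(text: str) -> Tuple[List[dict], List[str]]:
    """Parse a batch; malformed lines are collected rather than aborting the batch."""
    good, bad = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            good.append(parse_cef_line(line))
        except ValueError:
            bad.append(line)
    return good, bad


# Constructed sample batch (vendor/product/signature ids are placeholders, not the real feed).
SAMPLE_FEED = r"""
CEF:0|ExampleVendor|ExampleFeed|1.0|IOC_IPV4|Malicious IP|7|src=203.0.113.5 cs1Label=source cs1=example-feed msg=Seen in scanner campaign
CEF:0|ExampleVendor|Example\|Feed|1.0|IOC_HASH|Malicious file|9|fileHash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 msg=key\=value with escapes\\ here
this is not a CEF line and must not poison the batch
"""

if __name__ == "__main__":
    records, rejected = parse_feed(SAMPLE_FEED)
    for r in records:
        print(r["signature_id"], r["severity"], r["extension"])
    print("rejected:", rejected)
```

Collecting malformed lines instead of raising keeps one bad record from stalling a syslog pipeline, and the rejected list is itself worth alerting on: a feed that suddenly produces unparsable lines usually means the format changed upstream.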

Supported SIEMs

| SIEM | REST API | TAXII 2.1 | CEF/Syslog |
|---|---|---|---|
| Splunk | Yes | Yes (Pro) | Yes (Pro) |
| Microsoft Sentinel | Yes | Yes (Pro) | Yes (Pro) |
| IBM QRadar | Yes | Yes (Pro) | Yes (Pro) |
| Elastic Security | Yes | Yes (Pro) | Yes (Pro) |
| Google Chronicle | Yes | Yes (Pro) | Yes (Pro) |

Choosing an approach

  • REST API — best for custom pipelines, scripted inputs, or when you need to filter or transform indicators before ingestion.
  • TAXII 2.1 — best for SIEMs with native threat intelligence connectors; requires Pro and provides the lowest-maintenance integration.
  • CEF/Syslog — best for organizations routing all security data through a centralized syslog forwarder.

SIEM integration guides

Splunk

Pull IOCs via REST scripted input or TAXII 2.1 in Splunk Enterprise Security. Includes SPL hunting queries.

Microsoft Sentinel

Configure the TAXII Threat Intelligence connector or poll via Logic Apps. Includes KQL hunting queries.

Elastic Security

Ingest IOCs through the REST API or Elastic Agent TAXII integration. Includes EQL detection examples.

TAXII 2.1 format guide

Reference for TAXII collections, STIX object structure, and authentication.