You can bring SOC Defenders threat indicators into Splunk either by polling the REST API with a scripted input or HTTP Event Collector, or by connecting Splunk Enterprise Security’s Threat Intelligence Management module to the SOC Defenders TAXII 2.1 feed. The REST approach works on any Splunk deployment and is available on the Free tier; TAXII requires Splunk Enterprise Security and a Pro subscription.

Option 1: REST API polling

Use a scripted input or the HTTP Event Collector (HEC) to poll GET /api/v1/iocs on a schedule and forward the results to Splunk.

Set up the scripted input

1. Generate an API key

In the SOC Defenders dashboard, open the API Keys tab and create a new key. Copy the key value — you will not be able to view it again.
2. Create a polling script

Save the following script on your Splunk heavy forwarder or search head. Replace YOUR_API_KEY and YOUR_HEC_TOKEN with your actual values.

poll-iocs.sh
#!/bin/bash
# Fetch the latest IPv4 indicators from the SOC Defenders REST API and pipe the
# JSON response straight into the Splunk HEC raw endpoint. --fail makes curl exit
# non-zero on an HTTP error instead of forwarding the error body to Splunk as an
# event, and pipefail surfaces that failure as the script's exit status.
set -o pipefail
curl -sS --fail \
  -H "Authorization: Bearer YOUR_API_KEY" \
  "https://socdefenders.ai/api/v1/iocs?type=ipv4&limit=100" | \
curl -sS --fail -X POST \
  -H "Authorization: Splunk YOUR_HEC_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @- \
  "https://your-splunk-host:8088/services/collector/raw"
3. Schedule the input

In Splunk Web, go to Settings → Data inputs → Scripts and add the script. Set the interval to 900 seconds (15 minutes) for Free tier accounts. Pro accounts can reduce the interval to 60 seconds or lower.

Free tier accounts are limited to 100 IOCs per request and 1,000 requests per day. If you need higher throughput or longer lookback periods (up to 365 days), upgrade to Pro.

Tier   Recommended interval
Free   Every 15 minutes
Pro    Every 1 minute or continuously
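The same REST-to-HEC pipeline as an added Python example (not SOC Defenders' or Splunk's own code): it emits one HEC event per indicator through /services/collector/event instead of posting the whole response body to the raw endpoint, and derives the smallest polling interval that stays under the Free tier's 1,000-requests-per-day cap. The IOC record keys (type, value, confidence, first_seen), the JSON-array response shape and the 198.51.100.7 sample value are assumptions constructed for the example.

```python
"""Poll SOC Defenders REST IOCs and forward them to Splunk HEC, one event per indicator.
Added example, not SOC Defenders' own code; the IOC record keys and the JSON-array
response shape are assumptions, not the documented schema."""
import json
import urllib.request

IOC_URL = "https://socdefenders.ai/api/v1/iocs"   # endpoint from the page
FREE_DAILY_REQUESTS = 1000                         # Free tier cap from the page
FREE_PAGE_LIMIT = 100                              # Free tier IOCs per request from the page

def min_poll_interval_seconds(daily_request_cap=FREE_DAILY_REQUESTS, requests_per_poll=1):
    """Smallest interval that stays under the daily request cap (1000/day -> 86.4 s)."""
    return 86400.0 * requests_per_poll / daily_request_cap

def to_hec_batch(iocs, index, sourcetype="socdefenders:ioc"):
    """Newline-delimited batch for HEC /services/collector/event. Posting the raw array to
    /services/collector/raw stores it as one event; one event per indicator is what
    lookup-style matching on single values needs. Assumed keys: type, value, confidence, first_seen."""
    lines = []
    for ioc in iocs:
        event = {"event": {"type": ioc["type"], "value": ioc["value"],
                           "confidence": ioc.get("confidence")},
                 "index": index, "sourcetype": sourcetype}
        if "first_seen" in ioc:               # assumed epoch seconds; becomes the event timestamp
            event["time"] = ioc["first_seen"]
        lines.append(json.dumps(event, separators=(",", ":")))
    return "\n".join(lines)

def fetch_iocs(api_key, ioc_type="ipv4", limit=FREE_PAGE_LIMIT):
    """GET /api/v1/iocs; urlopen raises on HTTP errors, so an error body is never forwarded."""
    req = urllib.request.Request(f"{IOC_URL}?type={ioc_type}&limit={limit}",
                                 headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def post_to_hec(hec_url, hec_token, batch):
    """POST the batch to HEC, e.g. https://your-splunk-host:8088/services/collector/event."""
    req = urllib.request.Request(hec_url, data=batch.encode("utf-8"), method="POST",
                                 headers={"Authorization": f"Splunk {hec_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

if __name__ == "__main__":                       # run from a Splunk scripted input on a schedule
    iocs = fetch_iocs("YOUR_API_KEY")
    if iocs:
        post_to_hec("https://your-splunk-host:8088/services/collector/event",
                    "YOUR_HEC_TOKEN", to_hec_batch(iocs, index="threat_intel"))
```

Schedule it exactly like poll-iocs.sh; min_poll_interval_seconds() shows why the 900-second Free tier interval is comfortably inside the cap while anything under 86.4 seconds is not.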

Option 2: TAXII 2.1 (Pro)

Splunk Enterprise Security includes a Threat Intelligence Management module with a built-in TAXII client. You can point it directly at the SOC Defenders TAXII server for automatic, scheduled feed polling.
TAXII 2.1 integration requires a SOC Defenders Pro subscription and Splunk Enterprise Security.

Configure the TAXII feed

1. Open Threat Intelligence Management

In Splunk Enterprise Security, go to Security Intelligence → Threat Intelligence Management → Threat Intelligence Sources.
2. Add a new TAXII source

Click New Source and select TAXII Feed. Fill in the following fields:

Field             Value
Name              SOC Defenders
TAXII server URL  https://www.socdefenders.ai/api/taxii2/
Username          apikey
Password          Your SOC Defenders API key
Poll interval     60 minutes (adjust to your needs)
3. Select collections

After connecting, choose from the available collections:
  • All IOCs — every indicator type
  • IPs only — IPv4 and IPv6 addresses
  • Hashes only — MD5, SHA1, SHA256
  • CVEs — vulnerability identifiers
4. Save and verify

Save the source. Splunk ES will begin polling immediately. You can verify ingestion under Security Intelligence → Threat Intelligence Sources — look for a green status indicator and a non-zero indicator count.

Hunting with SPL

Once IOCs are in Splunk, use the following SPL examples to hunt for matches in your environment. Adjust the index, sourcetype and lookup names to match your deployment; in the lookup command, the field before AS is the lookup's column and the field after AS is the event field it is matched against.

Match network traffic against ingested IP indicators

index=network sourcetype=firewall
| lookup threat_intel_by_ip src_ip AS dest_ip OUTPUT threat_key, threat_collection
| where isnotnull(threat_key)
| table _time, src_ip, dest_ip, action, threat_key, threat_collection

Match DNS queries against ingested domain indicators

index=dns sourcetype=dns_logs
| lookup threat_intel_by_domain query AS domain OUTPUT threat_key, confidence
| where isnotnull(threat_key)
| table _time, src_ip, domain, threat_key, confidence
| sort -_time