
# Ingest SOC Defenders IOCs into Splunk

> Configure Splunk to pull threat indicators from SOC Defenders via the REST API or TAXII 2.1 feed. Includes example SPL hunting queries.

You can bring SOC Defenders threat indicators into Splunk either by polling the REST API with a scripted input or HTTP Event Collector, or by connecting Splunk Enterprise Security's Threat Intelligence Management module to the SOC Defenders TAXII 2.1 feed. The REST approach works on any Splunk deployment and is available on the Free tier; TAXII requires Splunk Enterprise Security and a Pro subscription.

## Option 1: REST API polling

Use a scripted input or the HTTP Event Collector (HEC) to poll `GET /api/v1/iocs` on a schedule and forward the results to Splunk.

### Set up the scripted input

<Steps>
  <Step title="Generate an API key">
    In the SOC Defenders dashboard, open the **API Keys** tab and create a new key. Copy the key value — you will not be able to view it again.
  </Step>

  <Step title="Create a polling script">
    Save the following script on your Splunk heavy forwarder or search head. Replace `YOUR_API_KEY` and `YOUR_HEC_TOKEN` with your actual values.

    ```bash poll-iocs.sh
    #!/bin/bash
    # Stop on any failure, including a failed fetch in the first half of the pipe,
    # so that an API error body is never forwarded to Splunk as if it were IOC data.
    set -euo pipefail
    curl -sS --fail \
      -H "Authorization: Bearer YOUR_API_KEY" \
      "https://socdefenders.ai/api/v1/iocs?type=ipv4&limit=100" | \
    curl -sS --fail -X POST \
      -H "Authorization: Splunk YOUR_HEC_TOKEN" \
      -H "Content-Type: application/json" \
      --data-binary @- \
      "https://your-splunk-host:8088/services/collector/raw"
    ```
  </Step>

  <Step title="Schedule the input">
    In Splunk Web, go to **Settings → Data inputs → Scripts** and add the script. Set the interval to `900` seconds (15 minutes) for Free tier accounts. Pro accounts can reduce the interval to 60 seconds or lower.
  </Step>
</Steps>

<Note>
  Free tier accounts are limited to 100 IOCs per request and 1,000 requests per day. If you need higher throughput or longer lookback periods (up to 365 days), upgrade to Pro.
</Note>
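Added example, not SOC Defenders' or Splunk's own code: a Python version of the poller that sends one HEC event per indicator and keeps a small state file, so the indicators returned again on successive polls (the Free tier returns at most 100 per request) are not ingested twice. It assumes the API returns JSON with a `data` list of objects carrying `value`, `type` and `confidence` fields, and the HEC event endpoint, environment variable names and state file path are likewise assumptions, not taken from the page.

```python
#!/usr/bin/env python3
import json
import os
import urllib.request

API_URL = "https://socdefenders.ai/api/v1/iocs?type=ipv4&limit=100"
HEC_URL = "https://your-splunk-host:8088/services/collector/event"  # HEC JSON event endpoint
STATE_FILE = "/opt/splunk/var/lib/socdefenders_seen.json"  # hypothetical path for poll state

# Constructed sample of what the API is assumed to return under "data" (field names assumed).
SAMPLE_IOCS = [
    {"value": "198.51.100.7", "type": "ipv4", "confidence": 90},
    {"value": "203.0.113.9", "type": "ipv4", "confidence": 70},
    {"type": "ipv4"},  # malformed entry without a value: skipped rather than ingested
]

def new_indicators(iocs, seen):
    """Drop indicators already forwarded by an earlier poll, so re-reading the same
    page of 100 results every 15 minutes doesn't pile up duplicate events."""
    return [i for i in iocs if i.get("value") and i["value"] not in seen]

def to_hec_batch(iocs, index="threat_intel", sourcetype="socdefenders:ioc"):
    """Serialise indicators as newline-delimited HEC event JSON, one event per IOC."""
    return "\n".join(json.dumps({"index": index, "sourcetype": sourcetype,
                                 "source": "socdefenders", "event": i}) for i in iocs)

def fetch_iocs(api_key):
    req = urllib.request.Request(API_URL, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # raises on non-2xx, unlike curl -s
        return json.load(resp).get("data", [])

def post_to_hec(hec_token, body):
    req = urllib.request.Request(HEC_URL, data=body.encode(), method="POST",
        headers={"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

def main():
    # Secrets come from the environment (set on the scripted input), not from the script body.
    api_key, hec_token = os.environ["SOCDEF_API_KEY"], os.environ["SPLUNK_HEC_TOKEN"]
    seen = set(json.load(open(STATE_FILE))) if os.path.exists(STATE_FILE) else set()
    fresh = new_indicators(fetch_iocs(api_key), seen)
    if fresh and post_to_hec(hec_token, to_hec_batch(fresh)) == 200:
        seen.update(i["value"] for i in fresh)  # record only what Splunk actually accepted
        with open(STATE_FILE, "w") as fh:
            json.dump(sorted(seen), fh)

if __name__ == "__main__":
    main()
```

Point the scripted input at this file instead of `poll-iocs.sh`; the HEC event endpoint gives each indicator its own timestamped event, which the lookups in the SPL section below can be built from.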

### Recommended poll intervals

| Tier | Recommended interval           |
| ---- | ------------------------------ |
| Free | Every 15 minutes               |
| Pro  | Every 1 minute or continuously |

## Option 2: TAXII 2.1 (Pro)

Splunk Enterprise Security includes a Threat Intelligence Management module with a built-in TAXII client. You can point it directly at the SOC Defenders TAXII server for automatic, scheduled feed polling.

<Note>
  TAXII 2.1 integration requires a SOC Defenders Pro subscription and Splunk Enterprise Security.
</Note>

### Configure the TAXII feed

<Steps>
  <Step title="Open Threat Intelligence Management">
    In Splunk Enterprise Security, go to **Security Intelligence → Threat Intelligence Management → Threat Intelligence Sources**.
  </Step>

  <Step title="Add a new TAXII source">
    Click **New Source** and select **TAXII Feed**. Fill in the following fields:

    | Field            | Value                                     |
    | ---------------- | ----------------------------------------- |
    | Name             | SOC Defenders                             |
    | TAXII server URL | `https://www.socdefenders.ai/api/taxii2/` |
    | Username         | `apikey`                                  |
    | Password         | Your SOC Defenders API key                |
    | Poll interval    | 60 minutes (adjust to your needs)         |
  </Step>

  <Step title="Select collections">
    After connecting, choose from the available collections:

    * **All IOCs** — every indicator type
    * **IPs only** — IPv4 and IPv6 addresses
    * **Hashes only** — MD5, SHA1, SHA256
    * **CVEs** — vulnerability identifiers
  </Step>

  <Step title="Save and verify">
    Save the source. Splunk ES will begin polling immediately. You can verify ingestion under **Security Intelligence → Threat Intelligence Sources** — look for a green status indicator and a non-zero indicator count.
  </Step>
</Steps>

## Hunting with SPL

Once IOCs are in Splunk, use the following SPL examples to hunt for matches in your environment.

### Match network traffic against ingested IP indicators

```spl
index=network sourcetype=firewall
| lookup threat_intel_by_ip src_ip AS dest_ip OUTPUT threat_key, threat_collection
| where isnotnull(threat_key)
| table _time, src_ip, dest_ip, action, threat_key, threat_collection
```

### Match DNS queries against ingested domain indicators

```spl
index=dns sourcetype=dns_logs
| lookup threat_intel_by_domain query AS domain OUTPUT threat_key, confidence
| where isnotnull(threat_key)
| table _time, src_ip, domain, threat_key, confidence
| sort -_time
```
