# SOC Defenders

## Docs

- [Get full details for one API key](https://docs.socdefenders.ai/api-reference/api-keys/get-full-details-for-one-api-key.md): Returns the full metadata + lightweight usage summary for one API key. For deep analytics (latency percentiles, status-code breakdown, time series), use the [usage endpoint](#operation/getAPIKeyUsage).
- [List your API keys](https://docs.socdefenders.ai/api-reference/api-keys/list-your-api-keys.md): Returns all API keys belonging to the authenticated user. Used by the SOC Defenders dashboard to populate the key-management UI.
- [Mint a new API key](https://docs.socdefenders.ai/api-reference/api-keys/mint-a-new-api-key.md): Generates a new API key. **The full secret is returned exactly once**: save it immediately; subsequent reads only return the prefix.
- [Revoke an API key](https://docs.socdefenders.ai/api-reference/api-keys/revoke-an-api-key.md): Revokes an API key; requests made with it from this point on return `401 invalid_api_key`. **This action cannot be undone**: revoked keys cannot be reactivated; create a new key instead.
- [Usage analytics and rate-limit budget for an API key](https://docs.socdefenders.ai/api-reference/api-keys/usage-analytics-and-rate-limit-budget-for-an-api-key.md): Detailed usage analytics for a specific API key, scoped to the authenticated user. Use this to:
- [GET /api/v1/articles/{id} — single article with expansions](https://docs.socdefenders.ai/api-reference/articles/get.md): Retrieve a single article by ID with all enrichment expansions: extracted IOCs, CVEs, threat actors, MITRE ATT&CK techniques, and an AI summary. Free tier.
- [GET /api/v1/articles — list threat intelligence articles](https://docs.socdefenders.ai/api-reference/articles/list.md): Retrieve aggregated cybersecurity articles from 30+ feeds, with filtering, full-text search, cursor pagination, and IOC/CVE expansions. Free tier.
- [List, search, and bulk-export aggregated cybersecurity news](https://docs.socdefenders.ai/api-reference/articles/list-search-and-bulk-export-aggregated-cybersecurity-news.md): The workhorse endpoint for the News API. One URL gives you list, filter, full-text search, delta polling, and bulk export, composed via query parameters.
- [Retrieve a single article with full expansions](https://docs.socdefenders.ai/api-reference/articles/retrieve-a-single-article-with-full-expansions.md): Fetches one article by UUID with **all expansions enabled by default** (`iocs`, `cves`, `threat_actors`, `mitre`). Use `?expand=mitre` to opt out of the heavy expansions if you just need the article body.
- [API key authentication for the SOC Defenders API](https://docs.socdefenders.ai/api-reference/authentication.md): Authenticate every SOC Defenders API request with an API key. Pass it as a Bearer token or in the X-API-Key header. Keys are managed in Settings → API Keys.
- [Generate deployable Sigma detection rules](https://docs.socdefenders.ai/api-reference/detection-rules/generate-deployable-sigma-detection-rules.md): Generates ready-to-deploy [Sigma](https://github.com/SigmaHQ/sigma) detection rules from recent IOCs.
- [Export IOCs as a STIX 2.1 bundle](https://docs.socdefenders.ai/api-reference/export-formats/export-iocs-as-a-stix-21-bundle.md): Generates a STIX 2.1 bundle of Indicator SDOs (STIX Domain Objects) for direct download. Use this when you want a one-shot bundle; for streaming/polling integrations use the [TAXII 2.1 endpoints](#tag/TAXII) instead.
- [Export IOCs as CEF or RFC 5424 Syslog events](https://docs.socdefenders.ai/api-reference/export-formats/export-iocs-as-cef-or-rfc-5424-syslog-events.md): Stream IOCs as either CEF (Common Event Format, ArcSight-compatible) or RFC 5424 Syslog. Designed to be piped into a SIEM ingestion pipeline.
- [Export IOCs as Mandiant OpenIOC 1.0 XML](https://docs.socdefenders.ai/api-reference/export-formats/export-iocs-as-mandiant-openioc-10-xml.md): Generates an [OpenIOC 1.0](https://github.com/mandiant/OpenIOC_1.0) XML document, the format Mandiant introduced that is still used by FireEye HX, several EDR products, and some commercial threat intel tools.
- [Export IOCs as MISP JSON event](https://docs.socdefenders.ai/api-reference/export-formats/export-iocs-as-misp-json-event.md): Export IOCs as a MISP-format JSON event ready for import into the [MISP threat intelligence platform](https://www.misp-project.org/).
- [GET /api/v1/iocs — list indicators of compromise](https://docs.socdefenders.ai/api-reference/iocs/list.md): Retrieve a paginated list of IOCs filtered by type, category, confidence, industry, and time range. Returns JSON with `meta` and `data` fields. Free tier.
- [List IOCs (Indicators of Compromise)](https://docs.socdefenders.ai/api-reference/iocs/list-iocs-indicators-of-compromise.md): The primary IOC export endpoint. Returns indicators of compromise (IPs, domains, URLs, file hashes, email addresses, CVEs, and MITRE ATT&CK technique IDs) extracted from articles and ingested from threat feeds (URLhaus, Feodo Tracker, ThreatFox).
- [GET /api/v1/lookup — enrich a single IOC](https://docs.socdefenders.ai/api-reference/iocs/lookup.md): Enrich a single IP, domain, URL, or file hash with AI risk scoring, MITRE ATT&CK techniques, and auto-generated Splunk and KQL hunting queries. Free tier.
- [GET /api/v1/iocs/search — search for a specific IOC](https://docs.socdefenders.ai/api-reference/iocs/search.md): Search for a specific indicator value across the entire SOC Defenders IOC feed. Returns matching entries with enrichment data. Free tier.
- [Search for a specific IOC value](https://docs.socdefenders.ai/api-reference/iocs/search-for-a-specific-ioc-value.md): Look up a specific IOC (IP, domain, hash, URL, CVE, etc.) and get back every record from across the feed plus related indicators from the same article or campaign.
- [GET /api/v1/iocs/sigma — generate Sigma detection rules](https://docs.socdefenders.ai/api-reference/iocs/sigma.md): Export current IOCs as deployable Sigma YAML detection rules, one per indicator. Compatible with any SIEM that supports Sigma. Requires Pro.
- [GET /api/v1/iocs/stats — IOC feed statistics](https://docs.socdefenders.ai/api-reference/iocs/stats.md): Retrieve total IOC counts broken down by type, category, and source feed for analytics dashboards and monitoring. Requires Pro subscription.
- [GET /api/v1/iocs/stix — export as STIX 2.1 bundle](https://docs.socdefenders.ai/api-reference/iocs/stix.md): Download current IOCs as a STIX 2.1 bundle containing Indicator and Identity objects. Supports the same filters as the main IOC endpoint. Requires Pro.
- [Single-IOC enrichment with AI risk + hunting queries](https://docs.socdefenders.ai/api-reference/lookup/single-ioc-enrichment-with-ai-risk-+-hunting-queries.md): VirusTotal-style enrichment for one indicator. Auto-detects the type from the value (no need to pass `type=` unless overriding).
- [SOC Defenders REST API overview](https://docs.socdefenders.ai/api-reference/overview.md): The SOC Defenders API provides programmatic access to IOC feeds, article aggregation, CVE data, and TAXII threat intelligence. Base URL and available endpoints.
- [API pricing and subscription tiers](https://docs.socdefenders.ai/api-reference/pricing.md): SOC Defenders offers a Free tier with 1,000 requests/day and a Pro subscription at $299/month with 1M requests/day, STIX, TAXII, MISP, and all export formats.
- [Rate limits and request quotas](https://docs.socdefenders.ai/api-reference/rate-limits.md): SOC Defenders enforces per-minute and per-day rate limits based on your subscription tier. Free allows 10 req/min; Pro allows 1,000 req/min.
- [Aggregated IOC statistics and trends](https://docs.socdefenders.ai/api-reference/statistics/aggregated-ioc-statistics-and-trends.md): Pre-computed aggregations over the entire IOC corpus. Backed by the `iocs_stats_cache` table (refreshed every 10 minutes via pg_cron), giving sub-millisecond response times.
- [GET /api/taxii2/api/collections — list TAXII collections](https://docs.socdefenders.ai/api-reference/taxii/collections.md): List all available TAXII 2.1 collections on the SOC Defenders server, including all-IOCs, IP-only, hash-only, and CVE collections. Requires Pro.
- [Fetch STIX 2.1 objects from a TAXII collection](https://docs.socdefenders.ai/api-reference/taxii/fetch-stix-21-objects-from-a-taxii-collection.md): Returns a STIX 2.1 bundle of objects in the requested collection. This is the workhorse pull endpoint for TAXII clients.
- [List available TAXII collections](https://docs.socdefenders.ai/api-reference/taxii/list-available-taxii-collections.md): Returns the set of TAXII collections (logical streams of STIX objects). Each collection has a stable UUID that consumers reference when fetching objects.
- [GET /api/taxii2/collections/{id}/objects — STIX objects](https://docs.socdefenders.ai/api-reference/taxii/objects.md): Retrieve paginated STIX 2.1 objects from a named TAXII collection. Supports `added_after` for delta polling and `limit` for page size. Requires Pro subscription.
- [TAXII 2.1 server overview and discovery](https://docs.socdefenders.ai/api-reference/taxii/overview.md): SOC Defenders provides a TAXII 2.1 server for automated threat feed polling. Discover the API root and available collections at `/api/taxii2/`.
- [TAXII 2.1 API root metadata](https://docs.socdefenders.ai/api-reference/taxii/taxii-21-api-root-metadata.md): API root resource. Returns server limits + supported TAXII version. Required step before listing collections.
- [TAXII 2.1 discovery endpoint](https://docs.socdefenders.ai/api-reference/taxii/taxii-21-discovery-endpoint.md): Entry point for TAXII 2.1 clients. Returns server metadata + a list of API roots. This is the URL you give your TAXII client (Splunk ES, Microsoft Sentinel, OpenCTI, MISP TAXII module).
- [Authenticate with the SOC Defenders API](https://docs.socdefenders.ai/authentication.md): Generate SOC Defenders API keys in Settings, pass them via `Authorization: Bearer` or `X-API-Key` headers, and handle 401 authentication error responses.
- [Stream IOCs via CEF and Syslog to your log pipeline](https://docs.socdefenders.ai/formats/cef-syslog.md): Use the SOC Defenders CEF endpoint to stream threat indicators in Common Event Format directly into your SIEM's log ingestion pipeline. Requires Pro.
- [Export SOC Defenders IOCs as a MISP event](https://docs.socdefenders.ai/formats/misp.md): Download current IOCs as a MISP-compatible JSON event for import into your Malware Information Sharing Platform instance. Requires Pro.
- [Export formats for threat intelligence data](https://docs.socdefenders.ai/formats/overview.md): SOC Defenders supports JSON, CSV, STIX 2.1, TAXII 2.1, MISP, CEF/Syslog, OpenIOC, and Sigma rules. Free and Pro format availability explained.
- [Generate Sigma detection rules from IOCs](https://docs.socdefenders.ai/formats/sigma.md): The SOC Defenders Sigma endpoint returns deployable YAML detection rules for each IOC, ready to import into any SIEM that supports Sigma. Requires Pro.
- [Export threat intel in STIX 2.1 and TAXII 2.1](https://docs.socdefenders.ai/formats/stix-taxii.md): Pull IOCs as STIX 2.1 indicator bundles or configure automated TAXII 2.1 feed polling for your SIEM. Both formats require a Pro subscription.
- [Send SOC Defenders threat data to Elastic Security](https://docs.socdefenders.ai/integrations/elastic.md): Configure Elastic Security to ingest IOCs from SOC Defenders using the REST API or TAXII feed. Includes Filebeat configuration and EQL detection examples.
- [Connect SOC Defenders to Microsoft Sentinel](https://docs.socdefenders.ai/integrations/microsoft-sentinel.md): Import SOC Defenders threat indicators into Microsoft Sentinel via TAXII 2.1 or the REST API. Includes Defender TAXII connector configuration steps.
- [Integrating SOC Defenders with your SIEM](https://docs.socdefenders.ai/integrations/siem-overview.md): Connect SOC Defenders threat intelligence to Splunk, Microsoft Sentinel, IBM QRadar, Elastic Security, or Google Chronicle using REST, TAXII 2.1, or CEF/Syslog.
- [Ingest SOC Defenders IOCs into Splunk](https://docs.socdefenders.ai/integrations/splunk.md): Configure Splunk to pull threat indicators from SOC Defenders via the REST API or TAXII 2.1 feed. Includes example SPL hunting queries.
- [SOC Defenders: Threat Intelligence Platform Overview](https://docs.socdefenders.ai/introduction.md): SOC Defenders aggregates cybersecurity news and IOCs from 30+ sources. Learn what the platform offers and how to get started as a customer.
- [SOC Defenders community: karma, voting, and contributions](https://docs.socdefenders.ai/platform/community.md): Learn how to participate in the SOC Defenders security community: submit articles, upvote content, comment on threats, and build karma.
- [Searching the CVE database with CISA KEV and EPSS](https://docs.socdefenders.ai/platform/cve-database.md): Browse and search the SOC Defenders CVE database, enriched with CISA Known Exploited Vulnerabilities status and EPSS exploit probability scores.
- [Viewing threat intelligence by industry sector](https://docs.socdefenders.ai/platform/industry-threats.md): Filter SOC Defenders IOCs and threat articles by CISA Critical Infrastructure sector. Choose from 24-hour, 7-day, 30-day, or 90-day time windows.
- [Looking up and enriching indicators of compromise](https://docs.socdefenders.ai/platform/ioc-lookup.md): Search any IP, domain, URL, file hash, or CVE in SOC Defenders for AI risk scoring, MITRE ATT&CK techniques, and auto-generated Splunk and KQL hunting queries.
- [Filtering and browsing the threat news feed](https://docs.socdefenders.ai/platform/news-feed.md): Use the SOC Defenders news feed to discover cybersecurity articles filtered by category, severity, MITRE ATT&CK, threat actor, industry, and IOC presence.
- [Get started with SOC Defenders](https://docs.socdefenders.ai/quickstart.md): Sign up for SOC Defenders, create an API key in Settings, and make your first IOC feed request with a working curl command in under five minutes.

## OpenAPI Specs

- [openapi](https://socdefenders.ai/api/openapi.json)
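The index above describes two things a client has to get right: API-key authentication (`Authorization: Bearer` or `X-API-Key`, with `401 invalid_api_key` on a bad or revoked key) and delta polling of a TAXII 2.1 collection with `added_after` and `limit`. The following is an added example, not SOC Defenders' own client code. Everything beyond those documented names is an assumption: the API host `https://socdefenders.ai` (taken from where the OpenAPI spec lives), the TAXII 2.1 media type, and the standard TAXII 2.1 `X-TAXII-Date-Added-Last` response header used as the cursor. The sample bundle is constructed so the cursor and parsing logic run offline.

```python
"""Delta-poll a TAXII 2.1 collection and maintain an added_after cursor.

Added example for the SOC Defenders docs index; not the project's own code.
Assumed (not on the docs page): API host, TAXII media type, and the
X-TAXII-Date-Added-Last header. SAMPLE_BUNDLE is constructed test data.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_BASE = "https://socdefenders.ai"  # assumption: host of the published OpenAPI spec
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"  # TAXII 2.1 spec media type
DATE_ADDED_LAST = "X-TAXII-Date-Added-Last"  # TAXII 2.1 spec response header


class AuthError(Exception):
    """Raised on 401: key missing, wrong, or revoked (invalid_api_key)."""


def auth_headers(api_key: str, scheme: str = "bearer") -> Dict[str, str]:
    """Build headers using either form the docs accept; never log the key itself."""
    headers = {"Accept": TAXII_MEDIA_TYPE}
    if scheme == "bearer":
        headers["Authorization"] = f"Bearer {api_key}"
    elif scheme == "x-api-key":
        headers["X-API-Key"] = api_key
    else:
        raise ValueError(f"unknown auth scheme: {scheme}")
    return headers


def objects_url(collection_id: str, added_after: Optional[str] = None, limit: int = 100) -> str:
    """/api/taxii2/collections/{id}/objects with the two documented query parameters."""
    params: Dict[str, object] = {}
    if added_after:
        params["added_after"] = added_after
    params["limit"] = limit
    return f"{API_BASE}/api/taxii2/collections/{collection_id}/objects?{urlencode(params)}"


def parse_stix_time(value: str) -> datetime:
    """STIX/TAXII timestamps are RFC 3339 UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def format_stix_time(ts: datetime) -> str:
    """Millisecond precision with Z suffix, as TAXII expects in added_after."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def next_cursor(bundle: dict, response_headers: Dict[str, str],
                previous: Optional[str] = None) -> Optional[str]:
    """Choose the added_after value for the next poll.

    added_after filters on when an object was *added to the collection*, which the
    server reports in X-TAXII-Date-Added-Last. max(modified) is only a fallback: an
    old object added to the collection late would be skipped by the next poll.
    """
    lowered = {k.lower(): v for k, v in response_headers.items()}
    header = lowered.get(DATE_ADDED_LAST.lower())
    if header:
        return header
    stamps = [parse_stix_time(o.get("modified") or o["created"])
              for o in bundle.get("objects", []) if "created" in o]
    if not stamps:
        return previous  # empty page: keep the old cursor rather than resetting it
    return format_stix_time(max(stamps))


def indicator_patterns(bundle: dict) -> List[Tuple[str, str]]:
    """Return (id, pattern) for Indicator SDOs; Identity and other objects are skipped."""
    return [(o["id"], o["pattern"]) for o in bundle.get("objects", [])
            if o.get("type") == "indicator" and "pattern" in o]


def fetch_page(api_key: str, collection_id: str, added_after: Optional[str] = None,
               limit: int = 100) -> Tuple[dict, Dict[str, str]]:
    """One network round-trip: returns (bundle, response_headers); 401 becomes AuthError."""
    req = Request(objects_url(collection_id, added_after, limit), headers=auth_headers(api_key))
    try:
        with urlopen(req, timeout=30) as resp:
            return json.loads(resp.read()), dict(resp.headers)
    except HTTPError as err:
        if err.code == 401:
            raise AuthError(err.read().decode(errors="replace")) from err
        raise


# Constructed sample page (not real feed data): one Identity plus two Indicators.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-0000000000aa",
         "created": "2024-03-01T09:00:00.000Z", "modified": "2024-03-01T09:00:00.000Z",
         "name": "constructed-identity"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000b1",
         "created": "2024-03-02T10:00:00.000Z", "modified": "2024-03-02T10:00:00.000Z",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000b2",
         "created": "2024-03-01T12:30:00.000Z", "modified": "2024-03-01T12:30:00.000Z",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'example.invalid']"},
    ],
}

if __name__ == "__main__":
    # Offline walk-through over the constructed bundle; fetch_page is the live path.
    for oid, pattern in indicator_patterns(SAMPLE_BUNDLE):
        print(oid, pattern)
    print("next added_after:", next_cursor(SAMPLE_BUNDLE, {}))
```

Persist the returned cursor between runs and pass it back as `added_after`; a page with no objects keeps the previous cursor instead of clearing it, so a quiet interval does not cause a full re-pull on the next poll. Treat `AuthError` as a stop condition rather than something to retry: a revoked key stays revoked, and hammering the endpoint only burns rate-limit budget.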