{"openapi":"3.0.3","info":{"title":"SOC Defenders Threat Intelligence API","description":"# Overview\n\nThe SOC Defenders Threat Intelligence API provides programmatic access to aggregated threat intelligence from 30+ cybersecurity sources. Export IOCs (Indicators of Compromise) in various formats including JSON, CSV, STIX 2.1, MISP, CEF, and OpenIOC.\n\n## Authentication\n\nAll API endpoints require authentication using an API key. Include your key in one of these ways:\n\n- **Authorization Header** (recommended): `Authorization: Bearer sk_live_xxx`\n- **X-API-Key Header**: `X-API-Key: sk_live_xxx`\n- **Query Parameter**: `?api_key=sk_live_xxx`\n\n## Rate Limiting\n\nRate limits vary by tier. When limits are exceeded, the API returns a 429 status code.\n\n| Tier | Requests/min | Requests/day | Lookback |\n|------|-------------|--------------|----------|\n| Free | 10 | 1,000 | 1 day |\n| Pro | 100 | 50,000 | 30 days |\n| Enterprise | 1,000 | 1,000,000 | 365 days |\n\nRate limit headers are included in all responses:\n- `X-RateLimit-Limit`: Maximum requests per minute\n- `X-RateLimit-Remaining`: Requests remaining in current window\n- `X-RateLimit-Reset`: Unix timestamp when the limit resets\n\n## Error Handling\n\nAll errors follow a consistent format:\n\n```json\n{\n  \"error\": {\n    \"code\": \"error_code\",\n    \"message\": \"Human readable message\",\n    \"details\": {},\n    \"request_id\": \"req_abc123\"\n  }\n}\n```\n\n## STIX/TAXII Support\n\nFor STIX 2.1 and TAXII 2.1 integration, see the TAXII endpoints section. TAXII endpoints are available at `/api/taxii2/`.","version":"1.0.0","contact":{"name":"SOC Defenders Support","url":"https://socdefenders.ai/contact","email":"support@socdefenders.ai"},"license":{"name":"Proprietary","url":"https://socdefenders.ai/terms"}},"servers":[{"url":"https://socdefenders.ai","description":"Production server"}],"tags":[{"name":"IOCs","description":"Indicators of Compromise endpoints"},{"name":"Statistics","description":"Feed and IOC statistics"},{"name":"API Keys","description":"API key management (requires session auth)"},{"name":"TAXII","description":"TAXII 2.1 threat intelligence sharing endpoints"},{"name":"Export Formats","description":"Specialized export format endpoints (MISP, CEF, OpenIOC)"}],"paths":{"/api/v1/iocs":{"get":{"tags":["IOCs"],"summary":"List IOCs","description":"Retrieve IOCs (Indicators of Compromise) from the threat feed. Supports filtering by type, category, confidence, and time range.","operationId":"listIOCs","security":[{"ApiKeyAuth":[]},{"BearerAuth":[]}],"parameters":[{"name":"type","in":"query","description":"Filter by IOC type","schema":{"type":"string","enum":["ipv4","ipv6","domain","url","md5","sha1","sha256","sha512","email","cve","mitre_attack"]}},{"name":"category","in":"query","description":"Filter by source category","schema":{"type":"string","enum":["news","research","threat-intel","vendor","government"]}},{"name":"confidence","in":"query","description":"Filter by confidence level","schema":{"type":"string","enum":["high","medium","low"]}},{"name":"since","in":"query","description":"Return IOCs seen since this date (ISO8601 format). Subject to tier lookback limits.","schema":{"type":"string","format":"date-time"},"example":"2024-12-01T00:00:00Z"},{"name":"until","in":"query","description":"Return IOCs seen until this date (ISO8601 format)","schema":{"type":"string","format":"date-time"}},{"name":"limit","in":"query","description":"Maximum number of results (subject to tier limits: Free=100, Pro=1000, Enterprise=10000)","schema":{"type":"integer","minimum":1,"maximum":10000,"default":100}},{"name":"offset","in":"query","description":"Number of results to skip for pagination","schema":{"type":"integer","minimum":0,"default":0}},{"name":"format","in":"query","description":"Output format","schema":{"type":"string","enum":["json","csv","txt"],"default":"json"}},{"name":"include_context","in":"query","description":"Include context/description for each IOC","schema":{"type":"boolean","default":true}}],"responses":{"200":{"description":"Successful response","headers":{"X-RateLimit-Limit":{"description":"Rate limit ceiling for this endpoint","schema":{"type":"integer"}},"X-RateLimit-Remaining":{"description":"Remaining requests in current window","schema":{"type":"integer"}},"X-RateLimit-Reset":{"description":"Unix timestamp when limit resets","schema":{"type":"integer"}}},"content":{"application/json":{"schema":{"$ref":"#/components/schemas/IOCListResponse"},"example":{"meta":{"total":1523,"limit":100,"offset":0,"generated_at":"2024-12-09T10:30:00Z","feed_version":"1.0","source":"SOC Defenders","filters":{"type":"all","category":"all","confidence":"all","since":"2024-12-08T00:00:00Z","until":"2024-12-09T10:30:00Z"}},"data":[{"id":"123e4567-e89b-12d3-a456-426614174000","type":"ipv4","value":"192.168.1.1","confidence":"high","first_seen":"2024-12-08T14:30:00Z","last_seen":"2024-12-09T08:15:00Z","source":{"article_id":"abc123","article_title":"New APT Campaign Targeting Financial Sector","article_url":"https://socdefenders.ai/item/abc123","feed_name":"Krebs on Security","category":"news"},"context":"C2 server used in APT28 campaign","tags":["apt28","c2","financial"],"mitre_techniques":["T1071","T1059"]}],"links":{"self":"https://socdefenders.ai/api/v1/iocs?limit=100&offset=0","next":"https://socdefenders.ai/api/v1/iocs?limit=100&offset=100"}}},"text/csv":{"schema":{"type":"string"},"example":"id,type,value,confidence,first_seen,last_seen,source_article,source_feed,category,tags\n123e4567-e89b-12d3-a456-426614174000,ipv4,192.168.1.1,high,2024-12-08T14:30:00Z,2024-12-09T08:15:00Z,abc123,Krebs on Security,news,\"apt28,c2\""},"text/plain":{"schema":{"type":"string"},"example":"192.168.1.1\n10.0.0.1\nexample.com"}}},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/Unauthorized"},"403":{"$ref":"#/components/responses/Forbidden"},"429":{"$ref":"#/components/responses/RateLimitExceeded"},"500":{"$ref":"#/components/responses/InternalError"}}}},"/api/v1/iocs/search":{"get":{"tags":["IOCs"],"summary":"Search IOCs","description":"Search for a specific IOC value. Returns exact matches and optionally related IOCs from the same source.","operationId":"searchIOCs","security":[{"ApiKeyAuth":[]},{"BearerAuth":[]}],"parameters":[{"name":"q","in":"query","required":true,"description":"Search query (IOC value to look up)","schema":{"type":"string","minLength":2},"example":"192.168.1.1"},{"name":"include_related","in":"query","description":"Include related IOCs from the same article/campaign","schema":{"type":"boolean","default":true}}],"responses":{"200":{"description":"Search results","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SearchResponse"}}}},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/Unauthorized"},"429":{"$ref":"#/components/responses/RateLimitExceeded"}}}},"/api/v1/iocs/stats":{"get":{"tags":["Statistics"],"summary":"Get IOC statistics","description":"Get aggregated statistics about IOCs including counts by type, category, confidence, and trending data.","operationId":"getIOCStats","security":[{"ApiKeyAuth":[]},{"BearerAuth":[]}],"responses":{"200":{"description":"IOC statistics","content":{"application/json":{"schema":{"$ref":"#/components/schemas/StatsResponse"}}}},"401":{"$ref":"#/components/responses/Unauthorized"},"403":{"$ref":"#/components/responses/Forbidden"},"429":{"$ref":"#/components/responses/RateLimitExceeded"}}}},"/api/v1/iocs/stix":{"get":{"tags":["Export Formats"],"summary":"Export IOCs as STIX 2.1","description":"Export IOCs in STIX 2.1 bundle format. Returns a STIX bundle containing Indicator objects for each IOC. For TAXII 2.1 server access, use the /api/taxii2/ endpoints instead.","operationId":"exportSTIX","security":[{"ApiKeyAuth":[]},{"BearerAuth":[]}],"parameters":[{"name":"type","in":"query","description":"Filter by IOC type","schema":{"type":"string","enum":["ipv4","ipv6","domain","url","md5","sha1","sha256","sha512","email","cve","mitre_attack"]}},{"name":"since","in":"query","description":"Return IOCs seen since this date (ISO8601). Limited by tier lookback period.","schema":{"type":"string","format":"date-time"}},{"name":"limit","in":"query","description":"Maximum number of STIX indicator objects","schema":{"type":"integer","default":100,"maximum":1000}},{"name":"format","in":"query","description":"Response format: \"bundle\" returns full STIX bundle, \"objects\" returns array of STIX objects only","schema":{"type":"string","enum":["bundle","objects"],"default":"bundle"}},{"name":"include_identity","in":"query","description":"Include SOC Defenders identity object in the bundle","schema":{"type":"boolean","default":true}},{"name":"include_tlp_markings","in":"query","description":"Include TLP (Traffic Light Protocol) marking definition objects in the bundle","schema":{"type":"boolean","default":false}},{"name":"tlp","in":"query","description":"Override TLP level for all IOCs. By default, TLP is assigned based on confidence: high=green, medium=amber, low=clear","schema":{"type":"string","enum":["clear","green","amber","amber+strict","red"]}}],"responses":{"200":{"description":"STIX 2.1 bundle with TLP markings","content":{"application/stix+json":{"schema":{"$ref":"#/components/schemas/STIXBundle"},"example":{"type":"bundle","id":"bundle--12345678-1234-1234-1234-123456789abc","objects":[{"type":"identity","spec_version":"2.1","id":"identity--f8e75d96-8e4c-4b1a-9e3d-4f8a7b6c5d3e","created":"2024-01-01T00:00:00.000Z","modified":"2024-12-09T10:30:00.000Z","name":"SOC Defenders","identity_class":"organization"},{"type":"indicator","spec_version":"2.1","id":"indicator--87654321-4321-4321-4321-abc123456789","created":"2024-12-08T14:30:00Z","modified":"2024-12-09T08:15:00Z","created_by_ref":"identity--f8e75d96-8e4c-4b1a-9e3d-4f8a7b6c5d3e","object_marking_refs":["marking-definition--bab4a63c-aed9-4cf5-a766-dfca5abac2bb"],"name":"Malicious IPv4 Address - 192.168.1.1","indicator_types":["malicious-activity"],"pattern":"[ipv4-addr:value = '192.168.1.1']","pattern_type":"stix","valid_from":"2024-12-08T14:30:00Z","confidence":85}]}}}},"401":{"$ref":"#/components/responses/Unauthorized"},"403":{"$ref":"#/components/responses/Forbidden"},"429":{"$ref":"#/components/responses/RateLimitExceeded"}}}},"/api/v1/iocs/misp":{"get":{"tags":["Export Formats"],"summary":"Export IOCs as MISP","description":"Export IOCs in MISP JSON format. Requires Enterprise tier.","operationId":"exportMISP","security":[{"ApiKeyAuth":[]},{"BearerAuth":[]}],"parameters":[{"name":"type","in":"query","description":"Filter by IOC type","schema":{"type":"string"}},{"name":"since","in":"query","description":"Return IOCs since this date (ISO8601)","schema":{"type":"string","format":"date-time"}},{"name":"limit","in":"query","description":"Maximum number of attributes","schema":{"type":"integer","default":100}}],"responses":{"200":{"description":"MISP event","content":{"application/json":{"schema":{"$ref":"#/components/schemas/MISPEvent"}}}},"401":{"$ref":"#/components/responses/Unauthorized"},"403":{"$ref":"#/components/responses/Forbidden"},"429":{"$ref":"#/components/responses/RateLimitExceeded"}}}},"/api/v1/iocs/cef":{"get":{"tags":["Export Formats"],"summary":"Export IOCs as CEF/Syslog","description":"Export IOCs in CEF (Common Event Format) or Syslog format. Requires Enterprise tier.","operationId":"exportCEF","security":[{"ApiKeyAuth":[]},{"BearerAuth":[]}],"parameters":[{"name":"format","in":"query","description":"Output format","schema":{"type":"string","enum":["cef","syslog"],"default":"cef"}},{"name":"since","in":"query","description":"Return IOCs since this date","schema":{"type":"string","format":"date-time"}},{"name":"limit","in":"query","description":"Maximum number of events","schema":{"type":"integer","default":100}}],"responses":{"200":{"description":"CEF or Syslog formatted events","content":{"text/plain":{"schema":{"type":"string"}}}},"401":{"$ref":"#/components/responses/Unauthorized"},"403":{"$ref":"#/components/responses/Forbidden"},"429":{"$ref":"#/components/responses/RateLimitExceeded"}}}},"/api/v1/iocs/openioc":{"get":{"tags":["Export Formats"],"summary":"Export IOCs as OpenIOC","description":"Export IOCs in OpenIOC XML format. Requires Enterprise tier.","operationId":"exportOpenIOC","security":[{"ApiKeyAuth":[]},{"BearerAuth":[]}],"parameters":[{"name":"since","in":"query","description":"Return IOCs since this date","schema":{"type":"string","format":"date-time"}},{"name":"limit","in":"query","description":"Maximum number of indicators","schema":{"type":"integer","default":100}}],"responses":{"200":{"description":"OpenIOC XML document","content":{"application/xml":{"schema":{"type":"string"}}}},"401":{"$ref":"#/components/responses/Unauthorized"},"403":{"$ref":"#/components/responses/Forbidden"},"429":{"$ref":"#/components/responses/RateLimitExceeded"}}}},"/api/v1/keys":{"get":{"tags":["API Keys"],"summary":"List your API keys","description":"List all API keys for the authenticated user. Requires session authentication (not API key).","operationId":"listAPIKeys","security":[{"CookieAuth":[]}],"responses":{"200":{"description":"List of API keys","content":{"application/json":{"schema":{"type":"object","properties":{"data":{"type":"array","items":{"$ref":"#/components/schemas/APIKeyInfo"}},"meta":{"type":"object","properties":{"total":{"type":"integer"}}}}}}}},"401":{"$ref":"#/components/responses/Unauthorized"}}},"post":{"tags":["API Keys"],"summary":"Create a new API key","description":"Create a new API key. The full key is only returned once - store it securely!","operationId":"createAPIKey","security":[{"CookieAuth":[]}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["name"],"properties":{"name":{"type":"string","maxLength":100,"description":"A friendly name for this key","example":"Production SIEM Integration"},"expires_in_days":{"type":"integer","minimum":1,"maximum":365,"description":"Number of days until key expires (optional)","example":90}}}}}},"responses":{"201":{"description":"API key created successfully","content":{"application/json":{"schema":{"type":"object","properties":{"data":{"$ref":"#/components/schemas/APIKeyCreated"},"meta":{"type":"object","properties":{"warning":{"type":"string","example":"Store this API key securely. It will not be shown again."}}}}}}}},"400":{"$ref":"#/components/responses/BadRequest"},"401":{"$ref":"#/components/responses/Unauthorized"}}}},"/api/v1/keys/{keyId}":{"get":{"tags":["API Keys"],"summary":"Get API key details","description":"Get details and usage statistics for a specific API key.","operationId":"getAPIKey","security":[{"CookieAuth":[]}],"parameters":[{"name":"keyId","in":"path","required":true,"description":"API key ID","schema":{"type":"string","format":"uuid"}}],"responses":{"200":{"description":"API key details","content":{"application/json":{"schema":{"type":"object","properties":{"data":{"$ref":"#/components/schemas/APIKeyDetails"}}}}}},"401":{"$ref":"#/components/responses/Unauthorized"},"404":{"$ref":"#/components/responses/NotFound"}}},"delete":{"tags":["API Keys"],"summary":"Revoke an API key","description":"Revoke an API key. This action cannot be undone.","operationId":"revokeAPIKey","security":[{"CookieAuth":[]}],"parameters":[{"name":"keyId","in":"path","required":true,"description":"API key ID","schema":{"type":"string","format":"uuid"}}],"requestBody":{"content":{"application/json":{"schema":{"type":"object","properties":{"reason":{"type":"string","description":"Reason for revocation (optional)"}}}}}},"responses":{"200":{"description":"API key revoked","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean","example":true},"message":{"type":"string","example":"API key revoked successfully"}}}}}},"401":{"$ref":"#/components/responses/Unauthorized"},"404":{"$ref":"#/components/responses/NotFound"}}}},"/api/v1/keys/{keyId}/usage":{"get":{"tags":["API Keys"],"summary":"Get API key usage statistics","description":"Get detailed usage analytics for a specific API key including:\n- Request counts (total, successful, failed)\n- Success rate and average response time\n- Latency percentiles (p50, p95, p99)\n- Rate limit usage (per minute and per day)\n- Usage breakdown by endpoint and status code\n- Time series data for daily request volumes\n- 429 rate limit hits breakdown","operationId":"getAPIKeyUsage","security":[{"CookieAuth":[]}],"parameters":[{"name":"keyId","in":"path","required":true,"description":"API key ID","schema":{"type":"string","format":"uuid"}},{"name":"days","in":"query","description":"Number of days to look back (1-90, default 7)","schema":{"type":"integer","minimum":1,"maximum":90,"default":7}}],"responses":{"200":{"description":"API key usage statistics","content":{"application/json":{"schema":{"$ref":"#/components/schemas/APIKeyUsageStats"}}}},"401":{"$ref":"#/components/responses/Unauthorized"},"404":{"$ref":"#/components/responses/NotFound"}}}},"/api/taxii2/":{"get":{"tags":["TAXII"],"summary":"TAXII Discovery","description":"TAXII 2.1 discovery endpoint. Returns information about the TAXII server.","operationId":"taxiiDiscovery","responses":{"200":{"description":"TAXII discovery response","content":{"application/taxii+json;version=2.1":{"schema":{"$ref":"#/components/schemas/TAXIIDiscovery"}}}}}}},"/api/taxii2/api/":{"get":{"tags":["TAXII"],"summary":"TAXII API Root","description":"Get information about the TAXII API root.","operationId":"taxiiAPIRoot","security":[{"ApiKeyAuth":[]},{"BearerAuth":[]}],"responses":{"200":{"description":"API Root information","content":{"application/taxii+json;version=2.1":{"schema":{"$ref":"#/components/schemas/TAXIIAPIRoot"}}}}}}},"/api/taxii2/api/collections/":{"get":{"tags":["TAXII"],"summary":"List TAXII Collections","description":"List available TAXII collections.","operationId":"listTAXIICollections","security":[{"ApiKeyAuth":[]},{"BearerAuth":[]}],"responses":{"200":{"description":"List of collections","content":{"application/taxii+json;version=2.1":{"schema":{"$ref":"#/components/schemas/TAXIICollections"}}}}}}},"/api/taxii2/api/collections/{collectionId}/objects/":{"get":{"tags":["TAXII"],"summary":"Get STIX objects from collection","description":"Retrieve STIX 2.1 objects from a TAXII collection.","operationId":"getTAXIIObjects","security":[{"ApiKeyAuth":[]},{"BearerAuth":[]}],"parameters":[{"name":"collectionId","in":"path","required":true,"description":"Collection ID","schema":{"type":"string"}},{"name":"added_after","in":"query","description":"Return objects added after this timestamp","schema":{"type":"string","format":"date-time"}},{"name":"limit","in":"query","description":"Maximum number of objects to return","schema":{"type":"integer","default":100,"maximum":1000}},{"name":"type","in":"query","description":"Filter by STIX object type","schema":{"type":"string","example":"indicator"}}],"responses":{"200":{"description":"STIX bundle","headers":{"X-TAXII-Date-Added-First":{"description":"Timestamp of first object in response","schema":{"type":"string","format":"date-time"}},"X-TAXII-Date-Added-Last":{"description":"Timestamp of last object in response","schema":{"type":"string","format":"date-time"}}},"content":{"application/stix+json;version=2.1":{"schema":{"$ref":"#/components/schemas/STIXBundle"}}}},"401":{"$ref":"#/components/responses/Unauthorized"},"403":{"$ref":"#/components/responses/Forbidden"},"404":{"$ref":"#/components/responses/NotFound"}}}}},"components":{"securitySchemes":{"BearerAuth":{"type":"http","scheme":"bearer","description":"API key in Authorization header: `Authorization: Bearer sk_live_xxx`"},"ApiKeyAuth":{"type":"apiKey","in":"header","name":"X-API-Key","description":"API key in X-API-Key header"},"CookieAuth":{"type":"apiKey","in":"cookie","name":"sb-access-token","description":"Session cookie (for API key management endpoints)"}},"schemas":{"IOC":{"type":"object","properties":{"id":{"type":"string","format":"uuid","description":"Unique IOC identifier"},"type":{"type":"string","enum":["ipv4","ipv6","domain","url","md5","sha1","sha256","sha512","email","cve","mitre_attack"],"description":"IOC type"},"value":{"type":"string","description":"The IOC value (IP, hash, domain, etc.)"},"confidence":{"type":"string","enum":["high","medium","low"],"description":"Confidence level"},"first_seen":{"type":"string","format":"date-time","description":"First observation timestamp"},"last_seen":{"type":"string","format":"date-time","description":"Most recent observation timestamp"},"source":{"type":"object","properties":{"article_id":{"type":"string","description":"Source article ID"},"article_title":{"type":"string","description":"Source article title"},"article_url":{"type":"string","format":"uri","description":"Link to source article"},"feed_name":{"type":"string","description":"Name of the source feed"},"category":{"type":"string","description":"Feed category"}}},"context":{"type":"string","description":"Additional context about the IOC"},"tags":{"type":"array","items":{"type":"string"},"description":"Tags associated with this IOC"},"mitre_techniques":{"type":"array","items":{"type":"string"},"description":"Related MITRE ATT&CK techniques"}}},"IOCListResponse":{"type":"object","properties":{"meta":{"type":"object","properties":{"total":{"type":"integer","description":"Total matching IOCs"},"limit":{"type":"integer","description":"Results per page"},"offset":{"type":"integer","description":"Current offset"},"generated_at":{"type":"string","format":"date-time"},"feed_version":{"type":"string"},"source":{"type":"string"},"filters":{"type":"object"}}},"data":{"type":"array","items":{"$ref":"#/components/schemas/IOC"}},"links":{"type":"object","properties":{"self":{"type":"string","format":"uri"},"next":{"type":"string","format":"uri"},"prev":{"type":"string","format":"uri"}}}}},"SearchResponse":{"type":"object","properties":{"meta":{"type":"object","properties":{"generated_at":{"type":"string","format":"date-time"},"feed_version":{"type":"string"},"source":{"type":"string"}}},"data":{"type":"object","properties":{"found":{"type":"boolean","description":"Whether any matches were found"},"query":{"type":"string","description":"The search query"},"matches":{"type":"array","items":{"$ref":"#/components/schemas/IOC"}},"relatedIOCs":{"type":"array","items":{"$ref":"#/components/schemas/IOC"}},"meta":{"type":"object","properties":{"total_matches":{"type":"integer"},"related_count":{"type":"integer"},"search_time_ms":{"type":"integer"}}}}}}},"StatsResponse":{"type":"object","properties":{"meta":{"type":"object"},"data":{"type":"object","properties":{"total_iocs":{"type":"integer"},"by_type":{"type":"object","additionalProperties":{"type":"integer"}},"by_category":{"type":"object","additionalProperties":{"type":"integer"}},"by_confidence":{"type":"object","additionalProperties":{"type":"integer"}},"last_24h":{"type":"object","properties":{"new_iocs":{"type":"integer"},"new_articles":{"type":"integer"}}},"last_7d":{"type":"object","properties":{"new_iocs":{"type":"integer"},"new_articles":{"type":"integer"},"trend":{"type":"string","enum":["up","down","stable"]}}},"sources":{"type":"object","properties":{"total":{"type":"integer"},"active":{"type":"integer"},"last_fetch":{"type":"string","format":"date-time","nullable":true}}},"top_mitre_techniques":{"type":"array","items":{"type":"object","properties":{"id":{"type":"string"},"count":{"type":"integer"}}}},"top_cves":{"type":"array","items":{"type":"object","properties":{"id":{"type":"string"},"count":{"type":"integer"}}}}}}}},"STIXBundle":{"type":"object","properties":{"type":{"type":"string","enum":["bundle"]},"id":{"type":"string","pattern":"^bundle--[0-9a-f-]+$"},"objects":{"type":"array","items":{"type":"object"}}}},"MISPEvent":{"type":"object","properties":{"Event":{"type":"object","properties":{"info":{"type":"string"},"date":{"type":"string"},"threat_level_id":{"type":"string"},"analysis":{"type":"string"},"Attribute":{"type":"array","items":{"type":"object"}}}}}},"APIKeyInfo":{"type":"object","properties":{"id":{"type":"string","format":"uuid"},"name":{"type":"string"},"key_preview":{"type":"string","example":"sk_live_••••••••"},"tier":{"type":"string","enum":["free","pro","enterprise"]},"scopes":{"type":"array","items":{"type":"string"}},"rate_limit_per_minute":{"type":"integer"},"rate_limit_per_day":{"type":"integer"},"total_requests":{"type":"integer"},"last_used_at":{"type":"string","format":"date-time","nullable":true},"created_at":{"type":"string","format":"date-time"},"expires_at":{"type":"string","format":"date-time","nullable":true}}},"APIKeyCreated":{"allOf":[{"$ref":"#/components/schemas/APIKeyInfo"},{"type":"object","properties":{"key":{"type":"string","description":"The full API key. Only shown once!","example":"sk_live_abc123def456..."}}}]},"APIKeyDetails":{"allOf":[{"$ref":"#/components/schemas/APIKeyInfo"},{"type":"object","properties":{"usage":{"type":"object","properties":{"daily":{"type":"array","items":{"type":"object","properties":{"date":{"type":"string","format":"date"},"requests":{"type":"integer"},"errors":{"type":"integer"}}}}}}}}]},"APIKeyUsageStats":{"type":"object","properties":{"data":{"type":"object","properties":{"key":{"type":"object","properties":{"id":{"type":"string","format":"uuid"},"name":{"type":"string"},"tier":{"type":"string","enum":["free","pro","enterprise"]}}},"period":{"type":"object","properties":{"days":{"type":"integer"},"start":{"type":"string","format":"date-time"},"end":{"type":"string","format":"date-time"}}},"summary":{"type":"object","properties":{"totalRequests":{"type":"integer","description":"Total API requests in period"},"successfulRequests":{"type":"integer","description":"Requests with 2xx/3xx status"},"failedRequests":{"type":"integer","description":"Requests with 4xx/5xx status"},"successRate":{"type":"number","description":"Success rate as percentage (0-100)"},"avgResponseTime":{"type":"integer","description":"Average response time in milliseconds"},"totalIOCsReturned":{"type":"integer","description":"Total IOCs returned across all requests"}}},"latencyPercentiles":{"type":"object","description":"Response time percentiles in milliseconds","properties":{"p50":{"type":"integer","description":"Median response time"},"p95":{"type":"integer","description":"95th percentile response time"},"p99":{"type":"integer","description":"99th percentile response time"}}},"rateLimits":{"type":"object","properties":{"perMinute":{"type":"object","properties":{"limit":{"type":"integer"},"current":{"type":"integer"},"remaining":{"type":"integer"},"percentUsed":{"type":"number"}}},"perDay":{"type":"object","properties":{"limit":{"type":"integer"},"current":{"type":"integer"},"remaining":{"type":"integer"},"percentUsed":{"type":"number"}}}}},"rateLimitHits":{"type":"object","description":"429 rate limit responses breakdown","properties":{"total":{"type":"integer","description":"Total 429 responses"},"byEndpoint":{"type":"array","items":{"type":"object","properties":{"endpoint":{"type":"string"},"count":{"type":"integer"}}}}}},"breakdown":{"type":"object","properties":{"byEndpoint":{"type":"array","items":{"type":"object","properties":{"endpoint":{"type":"string"},"count":{"type":"integer"},"avgTime":{"type":"integer"},"errors":{"type":"integer"},"errorRate":{"type":"number"}}}},"byStatusCode":{"type":"array","items":{"type":"object","properties":{"statusCode":{"type":"integer"},"count":{"type":"integer"},"percentage":{"type":"number"}}}}}},"timeSeries":{"type":"array","items":{"type":"object","properties":{"date":{"type":"string","format":"date"},"requests":{"type":"integer"},"errors":{"type":"integer"}}}}}}}},"TAXIIDiscovery":{"type":"object","properties":{"title":{"type":"string","example":"SOC Defenders TAXII Server"},"description":{"type":"string"},"contact":{"type":"string","format":"email"},"default":{"type":"string","format":"uri"},"api_roots":{"type":"array","items":{"type":"string","format":"uri"}}}},"TAXIIAPIRoot":{"type":"object","properties":{"title":{"type":"string"},"description":{"type":"string"},"versions":{"type":"array","items":{"type":"string"}},"max_content_length":{"type":"integer"}}},"TAXIICollections":{"type":"object","properties":{"collections":{"type":"array","items":{"type":"object","properties":{"id":{"type":"string"},"title":{"type":"string"},"description":{"type":"string"},"can_read":{"type":"boolean"},"can_write":{"type":"boolean"},"media_types":{"type":"array","items":{"type":"string"}}}}}}},"Error":{"type":"object","required":["error"],"properties":{"error":{"type":"object","required":["code","message","request_id"],"properties":{"code":{"type":"string","description":"Error code for programmatic handling"},"message":{"type":"string","description":"Human-readable error message"},"details":{"type":"object","description":"Additional error details"},"request_id":{"type":"string","description":"Unique request identifier for support"}}}}}},"responses":{"BadRequest":{"description":"Invalid request parameters","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"},"example":{"error":{"code":"invalid_parameter","message":"Invalid IOC type: invalid","details":{"valid_types":["ipv4","ipv6","domain","url","md5","sha1","sha256"]},"request_id":"req_abc123"}}}}},"Unauthorized":{"description":"Authentication required or invalid","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"},"example":{"error":{"code":"missing_api_key","message":"API key is required. Include it in the Authorization header as \"Bearer sk_live_...\"","request_id":"req_abc123"}}}}},"Forbidden":{"description":"Insufficient permissions or scope","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"},"example":{"error":{"code":"insufficient_scope","message":"This endpoint requires the \"read:stix\" scope","details":{"required_scope":"read:stix","your_scopes":["read:iocs"],"upgrade_url":"https://socdefenders.ai/export#pricing"},"request_id":"req_abc123"}}}}},"NotFound":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"},"example":{"error":{"code":"not_found","message":"The requested resource was not found","request_id":"req_abc123"}}}}},"RateLimitExceeded":{"description":"Rate limit exceeded","headers":{"Retry-After":{"description":"Seconds to wait before retrying","schema":{"type":"integer"}},"X-RateLimit-Limit":{"description":"Rate limit ceiling","schema":{"type":"integer"}},"X-RateLimit-Remaining":{"description":"Remaining requests (will be 0)","schema":{"type":"integer"}},"X-RateLimit-Reset":{"description":"Unix timestamp when limit resets","schema":{"type":"integer"}}},"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"},"example":{"error":{"code":"rate_limit_exceeded","message":"Rate limit exceeded. Please wait before making more requests.","details":{"limit":10,"reset_at":"2024-12-09T10:31:00Z","tier":"free","upgrade_url":"https://socdefenders.ai/export#pricing"},"request_id":"req_abc123"}}}}},"InternalError":{"description":"Internal server error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"},"example":{"error":{"code":"internal_error","message":"An internal error occurred. Please try again later.","request_id":"req_abc123"}}}}}}}}