Integration reference
IOC formats & endpoints
The same IOC data — IPs, domains, hashes, emails, crypto wallets, threat actors — is exposed in 11 different ways across REST, STIX, MISP and the CLI. Start here.
If you're building a SIEM block-list job…
Poll /api/iocs/feed on a 15-minute schedule. Inline response, cache-aware.
curl ".../api/iocs/feed?confidence=confirmed&format=txt&token=…"
If you're plugging into MISP…
Point MISP at /misp/ (public, 10 events) or /api/misp/?token=… (50).
MISP feed URL: https://threatcluster.io/api/misp/?token=…
If you want one threat's full STIX bundle…
/api/threats/{id}/stix emits Report + Actors + Malware + AttackPatterns + Indicators with relationships.
curl ".../api/threats/abcd1234/stix?tlp=clear"
Full matrix
| Endpoint | Format | Auth | Tier | Default confidence | Intended use |
|---|---|---|---|---|---|
| /api/iocs/feed | txt · csv · json · stix | Feed token or session | Researcher+ | confirmed | SIEM / firewall / TIP polling. Caches 15 min. Set ?defang=true for safe-share. |
| /api/iocs/export | txt · csv · json | Feed token or session | Researcher+ | all | Triggered download. Filter ?confidence=, ?hours=, ?types=. |
| /api/iocs/lookup?value=… | json | public | Public | — | Reverse lookup: which clusters mention this IOC. Case-insensitive. |
| /api/threats/{id}/iocs | txt · csv · json | public | Public | all (excludes false_positive) | Per-cluster export. Optional ?defang=true. |
| /api/threats/{id}/stix | STIX 2.1 Bundle | public | Public | — | Full bundle: Report, ThreatActor, Malware, AttackPattern, Vulnerability, Indicator, Relationships. TLP-marked. |
| /api/threats/{id}/attack-navigator | ATT&CK Navigator layer | public | Public | — | Drop into MITRE Navigator (mitre-attack.github.io/attack-navigator). |
| /misp/manifest.json | MISP feed manifest | public | Public · 10 events | — | Public MISP feed. Add /misp/{event_uuid}.json per event, /misp/hashes.csv for bulk hashes. |
| /api/misp/manifest.json?token=… | MISP feed manifest | token | Researcher+ · 50 events · ?since= backfill | — | Authenticated MISP feed. Supports historical replay via ?since=YYYY-MM-DD or ?days=N. |
| /api/public/v1/iocs/feed | txt · csv · json · stix | API key (X-API-Key) | Business+ | confirmed | Public-API mirror of /api/iocs/feed. Same params, scope iocs:read. |
| /api/public/v1/iocs/export | txt · csv · json | API key | Business+ | confirmed | Public-API bulk export. |
| /api/public/v1/threats/{id}/iocs | txt · csv · json | API key | Business+ | — | Per-cluster IOCs via public API. |
| /api/public/v1/threats/{id}/stix | STIX 2.1 Bundle | API key | Business+ | — | Per-cluster STIX bundle via public API. |
Confidence levels
confirmed (default): Validated by the offline classifier with high/medium/low confidence. Excludes pending and false-positive.
pending: Freshly extracted from articles but not yet validated. Returned in the X-IOC-Pending-Count header on every response so consumers can see the lag.
high / medium / low: Individual filters for slicing the validated set.
false_positive: Classifier-rejected indicators (legitimate domains, security-vendor IPs, etc.). Excluded from every default response.
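A consumer for the SIEM block-list job described at the top of this page, combined with the confidence filter and X-IOC-Pending-Count handling from this section, as an added example that is not threatcluster.io's own client code. It assumes the feed host is https://threatcluster.io with the documented /api/iocs/feed path, that the txt format is one indicator per line with '#' comment lines, and that defang=true uses the common '[.]' and 'hxxp' substitutions; feed_url, refang, classify, parse_feed and the sample response are all constructed here.

```python
import ipaddress
import re
from urllib.parse import urlencode
FEED_BASE = "https://threatcluster.io/api/iocs/feed"  # assumed host + documented path

def feed_url(token, confidence="confirmed", fmt="txt", defang=False):
    # Query parameters as documented in the matrix; defang=true asks for the safe-share form.
    params = {"confidence": confidence, "format": fmt, "token": token}
    if defang:
        params["defang"] = "true"
    return f"{FEED_BASE}?{urlencode(params)}"

def refang(value):
    # Undo common safe-share substitutions (assumed defang style) before loading a block list.
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def classify(value):
    # Bucket an indicator by type so it reaches the right block list (IP vs DNS vs hash).
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", value, re.I):
        return "hash"
    if re.fullmatch(r"https?://\S+", value):
        return "url"
    if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", value, re.I):
        return "domain"
    return "other"  # wallets, e-mails, actor names: not for a network block list

def parse_feed(body, headers):
    # Assumed txt layout: one indicator per line, '#' comments. Returns ({type: set}, pending).
    buckets = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value = refang(line)
        buckets.setdefault(classify(value), set()).add(value)
    pending = int(headers.get("X-IOC-Pending-Count", "0"))  # documented lag header
    return buckets, pending

SAMPLE_BODY = """# constructed sample, not real feed output (as a defang=true poll would return it)
198[.]51[.]100[.]7
malicious-example[.]test
hxxp://malicious-example[.]test/payload
deadbeefdeadbeefdeadbeefdeadbeef
"""
SAMPLE_HEADERS = {"X-IOC-Pending-Count": "12"}
```

Run the caller of parse_feed on the documented 15-minute schedule, and treat a rising pending count as validation lag to monitor rather than as indicators to block.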