sikkerapi.com
  • Home
  • Single ReportBulk Report
  • Pricing
  • Blog
  • API OverviewIP CheckBlacklistReportBulk ReportTAXII FeedConfidence LevelData RetentionCLI ToolSikkerGuard
    IntegrationsFail2BanCSF FirewallNginxiptables / ipset
  • Email LookupUsername LookupDetection Catalog
  • Top CountriesTop ASNsTop ProtocolsTop IPs
    SMTP Wall of FameBehind The ScenesRange Alerts Guide
Log inSign up
Loading
© 2026 SikkerAPI
ProductPricingDocsReportThreat MapStatus
ResourcesBlogFAQAboutContactComparisons
LegalTermsPrivacyRemove Me

TAXII 2.1 Feed

STIX 2.1 Threat Intelligence · Back to Overview

SikkerAPI provides a free STIX 2.1 threat intelligence feed served over the TAXII 2.1 protocol. Every malicious IP detected by our honeypot network is published as a STIX Indicator with confidence scores, behavioral labels, and MITRE ATT&CK references. Connect your SIEM — Splunk, Microsoft Sentinel, Elastic Security, or IBM QRadar — and start receiving automated IP reputation updates.

01

Overview

SikkerAPI provides a TAXII 2.1 compatible endpoint that serves threat intelligence as STIX 2.1 indicators. This allows direct integration with SIEMs and threat intelligence platforms that support TAXII, including Splunk, Microsoft Sentinel, Elastic Security, and QRadar.

Each observed IP in our database is represented as a STIX Indicator with a risk-based confidence score, behavioral labels, MITRE ATT&CK references, and kill chain phase mappings.

Discovery and collection metadata endpoints are public. Object endpoints require an API key.

Discovery
curl "https://api.sikkerapi.com/taxii2/" \
  -H "Accept: application/taxii+json;version=2.1"
import requests

response = requests.get(
    "https://api.sikkerapi.com/taxii2/",
    headers={"Accept": "application/taxii+json;version=2.1"}
)

discovery = response.json()
print(f"Title: {discovery['title']}")
const response = await fetch(
  "https://api.sikkerapi.com/taxii2/",
  {
    headers: {
      "Accept": "application/taxii+json;version=2.1"
    }
  }
);

const discovery = await response.json();
console.log(`Title: ${discovery.title}`);
<?php
$ch = curl_init("https://api.sikkerapi.com/taxii2/");
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => [
        "Accept: application/taxii+json;version=2.1"
    ]
]);

$response = curl_exec($ch);
$data = json_decode($response, true);
echo "Title: " . $data['title'];
package main

import (
    "encoding/json"
    "fmt"
    "net/http"
)

func main() {
    req, _ := http.NewRequest("GET",
        "https://api.sikkerapi.com/taxii2/", nil)
    req.Header.Set("Accept", "application/taxii+json;version=2.1")

    client := &http.Client{}
    resp, _ := client.Do(req)
    defer resp.Body.Close()

    var data map[string]interface{}
    json.NewDecoder(resp.Body).Decode(&data)
    fmt.Printf("Title: %v\n", data["title"])
}
import java.net.http.*;
import java.net.URI;

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
    .uri(URI.create("https://api.sikkerapi.com/taxii2/"))
    .header("Accept", "application/taxii+json;version=2.1")
    .build();

HttpResponse<String> response = client.send(request,
    HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
using System.Net.Http;

var client = new HttpClient();
client.DefaultRequestHeaders.Accept.ParseAdd(
    "application/taxii+json;version=2.1");

var response = await client.GetAsync(
    "https://api.sikkerapi.com/taxii2/");
var content = await response.Content.ReadAsStringAsync();
Console.WriteLine(content);
import java.net.http.*
import java.net.URI

val client = HttpClient.newHttpClient()
val request = HttpRequest.newBuilder()
    .uri(URI.create("https://api.sikkerapi.com/taxii2/"))
    .header("Accept", "application/taxii+json;version=2.1")
    .build()

val response = client.send(request, HttpResponse.BodyHandlers.ofString())
println(response.body())
require 'net/http'
require 'json'

uri = URI("https://api.sikkerapi.com/taxii2/")
request = Net::HTTP::Get.new(uri)
request["Accept"] = "application/taxii+json;version=2.1"

response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
  http.request(request)
end

data = JSON.parse(response.body)
puts "Title: #{data['title']}"
use reqwest::header::{ACCEPT, HeaderMap};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut headers = HeaderMap::new();
    headers.insert(ACCEPT, "application/taxii+json;version=2.1".parse()?);

    let client = reqwest::Client::new();
    let resp = client
        .get("https://api.sikkerapi.com/taxii2/")
        .headers(headers)
        .send()
        .await?
        .json::<serde_json::Value>()
        .await?;

    println!("Title: {}", resp["title"]);
    Ok(())
}
02

Endpoints

All TAXII responses use the content type application/taxii+json;version=2.1.

MethodEndpointAuthDescription
GET/taxii2/NoneTAXII discovery document.
GET/taxii2/collections/NoneList available collections.
GET/taxii2/collections/{id}/NoneCollection metadata.
GET/taxii2/collections/{id}/objects/API KeyPaginated STIX indicator feed.
GET/taxii2/collections/{id}/objects/{ip}/API KeySingle IP as STIX bundle.

The collection ID is sikker-threat-intel.

Discovery Response
{
  "title": "SikkerNet TAXII Server",
  "description": "TAXII 2.1 interface for SikkerNet threat intelligence",
  "default": "/taxii2/collections/sikker-threat-intel/"
}
Collection
{
  "id": "sikker-threat-intel",
  "title": "SikkerNet Threat Intelligence",
  "description": "IP reputation indicators from SikkerNet honeypot network",
  "can_read": true,
  "can_write": false,
  "media_types": ["application/stix+json;version=2.1"]
}
03

Paginated Feed

The objects endpoint returns STIX indicators in a TAXII envelope with cursor-based pagination. Use the next value from each response to fetch subsequent pages.

ParameterTypeDescription
added_afterstringISO 8601 timestamp. Only return indicators updated after this time.
limitintegerPage size (default 100, max 1000).
nextstringOpaque cursor from previous response for pagination.

The envelope includes more: true when additional pages are available. The first page includes the SikkerNet identity object; subsequent pages contain only indicators.

Feed request
curl "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/?limit=10" \
  -H "Authorization: Bearer sk_free_..." \
  -H "Accept: application/taxii+json;version=2.1"
import requests

response = requests.get(
    "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/",
    headers={
        "Authorization": "Bearer sk_free_...",
        "Accept": "application/taxii+json;version=2.1"
    },
    params={"limit": 10}
)

envelope = response.json()
for obj in envelope.get("objects", []):
    if obj["type"] == "indicator":
        print(f"{obj['name']} (confidence: {obj['confidence']})")

# Paginate using the 'next' cursor
if envelope.get("more"):
    next_cursor = envelope["next"]
    print(f"Next page cursor: {next_cursor}")
const response = await fetch(
  "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/?limit=10",
  {
    headers: {
      "Authorization": "Bearer sk_free_...",
      "Accept": "application/taxii+json;version=2.1"
    }
  }
);

const envelope = await response.json();
for (const obj of envelope.objects ?? []) {
  if (obj.type === "indicator") {
    console.log(`${obj.name} (confidence: ${obj.confidence})`);
  }
}

// Paginate using the 'next' cursor
if (envelope.more) {
  console.log(`Next page cursor: ${envelope.next}`);
}
<?php
$ch = curl_init("https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/?limit=10");
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => [
        "Authorization: Bearer sk_free_...",
        "Accept: application/taxii+json;version=2.1"
    ]
]);

$response = curl_exec($ch);
$envelope = json_decode($response, true);

foreach ($envelope['objects'] ?? [] as $obj) {
    if ($obj['type'] === 'indicator') {
        echo $obj['name'] . " (confidence: " . $obj['confidence'] . ")\n";
    }
}
package main

import (
    "encoding/json"
    "fmt"
    "net/http"
)

func main() {
    req, _ := http.NewRequest("GET",
        "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/?limit=10", nil)
    req.Header.Set("Authorization", "Bearer sk_free_...")
    req.Header.Set("Accept", "application/taxii+json;version=2.1")

    client := &http.Client{}
    resp, _ := client.Do(req)
    defer resp.Body.Close()

    var envelope map[string]interface{}
    json.NewDecoder(resp.Body).Decode(&envelope)
    fmt.Printf("More pages: %v\n", envelope["more"])
}
import java.net.http.*;
import java.net.URI;

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
    .uri(URI.create(
        "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/?limit=10"))
    .header("Authorization", "Bearer sk_free_...")
    .header("Accept", "application/taxii+json;version=2.1")
    .build();

HttpResponse<String> response = client.send(request,
    HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
using System.Net.Http;
using System.Net.Http.Headers;

var client = new HttpClient();
client.DefaultRequestHeaders.Authorization =
    new AuthenticationHeaderValue("Bearer", "sk_free_...");
client.DefaultRequestHeaders.Accept.ParseAdd(
    "application/taxii+json;version=2.1");

var response = await client.GetAsync(
    "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/?limit=10");
var content = await response.Content.ReadAsStringAsync();
Console.WriteLine(content);
import java.net.http.*
import java.net.URI

val client = HttpClient.newHttpClient()
val request = HttpRequest.newBuilder()
    .uri(URI.create(
        "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/?limit=10"))
    .header("Authorization", "Bearer sk_free_...")
    .header("Accept", "application/taxii+json;version=2.1")
    .build()

val response = client.send(request, HttpResponse.BodyHandlers.ofString())
println(response.body())
require 'net/http'
require 'json'

uri = URI("https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/?limit=10")
request = Net::HTTP::Get.new(uri)
request["Authorization"] = "Bearer sk_free_..."
request["Accept"] = "application/taxii+json;version=2.1"

response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
  http.request(request)
end

envelope = JSON.parse(response.body)
puts "More pages: #{envelope['more']}"
use reqwest::header::{ACCEPT, AUTHORIZATION, HeaderMap};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut headers = HeaderMap::new();
    headers.insert(AUTHORIZATION, "Bearer sk_free_...".parse()?);
    headers.insert(ACCEPT, "application/taxii+json;version=2.1".parse()?);

    let client = reqwest::Client::new();
    let resp = client
        .get("https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/?limit=10")
        .headers(headers)
        .send()
        .await?
        .json::<serde_json::Value>()
        .await?;

    println!("More pages: {}", resp["more"]);
    Ok(())
}
With added_after filter
curl "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/?added_after=2026-02-01T00:00:00Z&limit=50" \
  -H "Authorization: Bearer sk_free_..." \
  -H "Accept: application/taxii+json;version=2.1"
import requests

response = requests.get(
    "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/",
    headers={
        "Authorization": "Bearer sk_free_...",
        "Accept": "application/taxii+json;version=2.1"
    },
    params={
        "added_after": "2026-02-01T00:00:00Z",
        "limit": 50
    }
)

envelope = response.json()
print(f"Indicators: {len(envelope.get('objects', []))}")
print(f"More pages: {envelope.get('more', False)}")
const params = new URLSearchParams({
  added_after: "2026-02-01T00:00:00Z",
  limit: "50"
});

const response = await fetch(
  `https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/?${params}`,
  {
    headers: {
      "Authorization": "Bearer sk_free_...",
      "Accept": "application/taxii+json;version=2.1"
    }
  }
);

const envelope = await response.json();
console.log(`Indicators: ${envelope.objects?.length ?? 0}`);
console.log(`More pages: ${envelope.more}`);
<?php
$params = http_build_query([
    'added_after' => '2026-02-01T00:00:00Z',
    'limit' => 50
]);

$ch = curl_init(
    "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/?" . $params);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => [
        "Authorization: Bearer sk_free_...",
        "Accept: application/taxii+json;version=2.1"
    ]
]);

$response = curl_exec($ch);
$envelope = json_decode($response, true);
package main

import (
    "encoding/json"
    "fmt"
    "net/http"
    "net/url"
)

func main() {
    baseURL := "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/"
    params := url.Values{}
    params.Add("added_after", "2026-02-01T00:00:00Z")
    params.Add("limit", "50")

    req, _ := http.NewRequest("GET", baseURL+"?"+params.Encode(), nil)
    req.Header.Set("Authorization", "Bearer sk_free_...")
    req.Header.Set("Accept", "application/taxii+json;version=2.1")

    client := &http.Client{}
    resp, _ := client.Do(req)
    defer resp.Body.Close()

    var envelope map[string]interface{}
    json.NewDecoder(resp.Body).Decode(&envelope)
    fmt.Printf("More pages: %v\n", envelope["more"])
}
import java.net.http.*;
import java.net.URI;

String url = "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/" +
    "?added_after=2026-02-01T00:00:00Z&limit=50";

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
    .uri(URI.create(url))
    .header("Authorization", "Bearer sk_free_...")
    .header("Accept", "application/taxii+json;version=2.1")
    .build();

HttpResponse<String> response = client.send(request,
    HttpResponse.BodyHandlers.ofString());
using System.Net.Http;
using System.Net.Http.Headers;

var client = new HttpClient();
client.DefaultRequestHeaders.Authorization =
    new AuthenticationHeaderValue("Bearer", "sk_free_...");
client.DefaultRequestHeaders.Accept.ParseAdd(
    "application/taxii+json;version=2.1");

var response = await client.GetAsync(
    "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/" +
    "?added_after=2026-02-01T00:00:00Z&limit=50");
import java.net.http.*
import java.net.URI

val url = "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/" +
    "?added_after=2026-02-01T00:00:00Z&limit=50"

val client = HttpClient.newHttpClient()
val request = HttpRequest.newBuilder()
    .uri(URI.create(url))
    .header("Authorization", "Bearer sk_free_...")
    .header("Accept", "application/taxii+json;version=2.1")
    .build()

val response = client.send(request, HttpResponse.BodyHandlers.ofString())
require 'net/http'

uri = URI("https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/")
uri.query = URI.encode_www_form(
  added_after: "2026-02-01T00:00:00Z", limit: 50
)

request = Net::HTTP::Get.new(uri)
request["Authorization"] = "Bearer sk_free_..."
request["Accept"] = "application/taxii+json;version=2.1"

response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
  http.request(request)
end
use reqwest::header::{ACCEPT, AUTHORIZATION, HeaderMap};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut headers = HeaderMap::new();
    headers.insert(AUTHORIZATION, "Bearer sk_free_...".parse()?);
    headers.insert(ACCEPT, "application/taxii+json;version=2.1".parse()?);

    let client = reqwest::Client::new();
    let resp = client
        .get("https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/")
        .query(&[("added_after", "2026-02-01T00:00:00Z"), ("limit", "50")])
        .headers(headers)
        .send()
        .await?;

    Ok(())
}
04

Single IP Lookup

GET/taxii2/collections/sikker-threat-intel/objects/{ip}/

Returns a STIX bundle containing the SikkerNet identity and a single indicator for the requested IP address. Returns 404 if the IP has no recorded activity.

This is equivalent to the IP Check endpoint but formatted as STIX 2.1, making it suitable for SIEM ingestion pipelines.

Single IP
curl "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/203.0.113.42/" \
  -H "Authorization: Bearer sk_free_..." \
  -H "Accept: application/taxii+json;version=2.1"
import requests

response = requests.get(
    "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/203.0.113.42/",
    headers={
        "Authorization": "Bearer sk_free_...",
        "Accept": "application/taxii+json;version=2.1"
    }
)

bundle = response.json()
for obj in bundle.get("objects", []):
    if obj["type"] == "indicator":
        print(f"Pattern: {obj['pattern']}")
        print(f"Confidence: {obj['confidence']}")
const response = await fetch(
  "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/203.0.113.42/",
  {
    headers: {
      "Authorization": "Bearer sk_free_...",
      "Accept": "application/taxii+json;version=2.1"
    }
  }
);

const bundle = await response.json();
const indicator = bundle.objects?.find(o => o.type === "indicator");
if (indicator) {
  console.log(`Pattern: ${indicator.pattern}`);
  console.log(`Confidence: ${indicator.confidence}`);
}
<?php
$ch = curl_init(
    "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/203.0.113.42/");
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => [
        "Authorization: Bearer sk_free_...",
        "Accept: application/taxii+json;version=2.1"
    ]
]);

$response = curl_exec($ch);
$bundle = json_decode($response, true);

foreach ($bundle['objects'] ?? [] as $obj) {
    if ($obj['type'] === 'indicator') {
        echo "Pattern: " . $obj['pattern'] . "\n";
        echo "Confidence: " . $obj['confidence'] . "\n";
    }
}
package main

import (
    "encoding/json"
    "fmt"
    "net/http"
)

func main() {
    req, _ := http.NewRequest("GET",
        "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/203.0.113.42/", nil)
    req.Header.Set("Authorization", "Bearer sk_free_...")
    req.Header.Set("Accept", "application/taxii+json;version=2.1")

    client := &http.Client{}
    resp, _ := client.Do(req)
    defer resp.Body.Close()

    var bundle map[string]interface{}
    json.NewDecoder(resp.Body).Decode(&bundle)
    fmt.Println(bundle)
}
import java.net.http.*;
import java.net.URI;

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
    .uri(URI.create(
        "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/203.0.113.42/"))
    .header("Authorization", "Bearer sk_free_...")
    .header("Accept", "application/taxii+json;version=2.1")
    .build();

HttpResponse<String> response = client.send(request,
    HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
using System.Net.Http;
using System.Net.Http.Headers;

var client = new HttpClient();
client.DefaultRequestHeaders.Authorization =
    new AuthenticationHeaderValue("Bearer", "sk_free_...");
client.DefaultRequestHeaders.Accept.ParseAdd(
    "application/taxii+json;version=2.1");

var response = await client.GetAsync(
    "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/203.0.113.42/");
var content = await response.Content.ReadAsStringAsync();
Console.WriteLine(content);
import java.net.http.*
import java.net.URI

val client = HttpClient.newHttpClient()
val request = HttpRequest.newBuilder()
    .uri(URI.create(
        "https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/203.0.113.42/"))
    .header("Authorization", "Bearer sk_free_...")
    .header("Accept", "application/taxii+json;version=2.1")
    .build()

val response = client.send(request, HttpResponse.BodyHandlers.ofString())
println(response.body())
require 'net/http'
require 'json'

uri = URI("https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/203.0.113.42/")
request = Net::HTTP::Get.new(uri)
request["Authorization"] = "Bearer sk_free_..."
request["Accept"] = "application/taxii+json;version=2.1"

response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
  http.request(request)
end

bundle = JSON.parse(response.body)
puts bundle
use reqwest::header::{ACCEPT, AUTHORIZATION, HeaderMap};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut headers = HeaderMap::new();
    headers.insert(AUTHORIZATION, "Bearer sk_free_...".parse()?);
    headers.insert(ACCEPT, "application/taxii+json;version=2.1".parse()?);

    let client = reqwest::Client::new();
    let resp = client
        .get("https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/objects/203.0.113.42/")
        .headers(headers)
        .send()
        .await?
        .json::<serde_json::Value>()
        .await?;

    println!("{:#}", resp);
    Ok(())
}
05

STIX Indicator Format

Each IP is represented as a STIX 2.1 Indicator object with the following fields:

FieldTypeDescription
typestringAlways indicator.
idstringDeterministic UUID v5 (same IP always produces same ID).
patternstringSTIX pattern, e.g. [ipv4-addr:value = '1.2.3.4'].
confidenceintegerConfidence level (0-100), mapped directly from SikkerNet scoring.
indicator_typesarrayDerived from behavior severity: malicious-activity, anomalous-activity, or benign.
labelsarrayBehavior names (e.g. credential-stuffing, wget-download).
kill_chain_phasesarrayMITRE ATT&CK kill chain phases derived from protocols (e.g. initial-access, execution).
external_referencesarrayMITRE ATT&CK technique references for mapped behaviors.
valid_fromstringISO 8601 timestamp of earliest observed activity.
created_by_refstringReference to the SikkerNet identity object.
STIX Indicator
{
  "type": "indicator",
  "id": "indicator--a1b2c3d4-...",
  "spec_version": "2.1",
  "created": "2026-01-15T08:30:00.000Z",
  "modified": "2026-02-07T14:22:00.000Z",
  "name": "Suspicious IP: 203.0.113.42",
  "description": "IP 203.0.113.42 observed by SikkerNet...",
  "pattern": "[ipv4-addr:value = '203.0.113.42']",
  "pattern_type": "stix",
  "valid_from": "2026-01-15T08:30:00.000Z",
  "indicator_types": ["malicious-activity"],
  "confidence": 78,
  "labels": ["credential-stuffing", "wget-download"],
  "kill_chain_phases": [
    { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" }
  ],
  "external_references": [
    {
      "source_name": "SikkerNet",
      "url": "https://sikkerapi.com"
    },
    {
      "source_name": "mitre-attack",
      "external_id": "T1110.001",
      "url": "https://attack.mitre.org/techniques/T1110/001"
    }
  ],
  "created_by_ref": "identity--d3a2e6f1-..."
}
06

SIEM Integration

Configure your SIEM to poll the TAXII feed for automatic threat intelligence ingestion:

SIEMSetup
SplunkAdd a TAXII 2 data input under Settings > Data Inputs > Threat Intelligence. Set the collection URL to https://api.sikkerapi.com/taxii2/collections/sikker-threat-intel/.
Microsoft SentinelUse the Threat Intelligence - TAXII data connector. Set the API root to https://api.sikkerapi.com/taxii2/ and collection ID to sikker-threat-intel.
Elastic SecurityConfigure a Threat Intel Indicator Match rule pointing at the TAXII feed URL with your API key in the Authorization header.
QRadarAdd a TAXII 2.1 reference set via the Threat Intelligence app. Use the discovery URL to auto-detect collections.

Use the added_after parameter with your last poll timestamp for incremental updates. A typical polling interval is 15-60 minutes.

TAXII Envelope
{
  "more": true,
  "next": "1707300000000:203.0.113.42",
  "objects": [
    { "type": "identity", ... },
    { "type": "indicator", ... },
    { "type": "indicator", ... }
  ]
}

Get started — Connect your SIEM to real-time threat intelligence. Free tier includes 1,000 STIX indicators per day. Create free API key →