SIEM integration

This API service allows configuring global account settings for the ThreatList SIEM integration feature.


ThreatList is an optional feature of the ThreatSTOP platform which enables integration with SIEM applications, typically to enrich connection logs, IDS/IPS logs and DNS Server logs with the Threat Intelligence from ThreatSTOP’s database.

Enabling Threatlist triggers the generation of CSV files containing a dump of selected policies in a format suitable for import by most SIEM (CSV) or IDS/IPS (Suricata format). The files are published to a SFTP service.

More information about the service itself is available on the Product documentation.

The Threatlist API service is used to configure or retrieve global settings for the feature:

  • Output format selection
  • Customization of the record format
  • SSH public key for SFTP access

Once enabled at the account level, the ThreatList output is configurable on a per-policy basis using the Policy Service:

  • enable Threatlist output for a policy
  • configure the type of IOCs to be output (IPs and subnets vs domains) and whether to output them in a single file (“combined” format) or in separate files (“split” format).


Although separate from the Platform REST API (different request and data formats), ThreatSTOP also offers a STIX/TAXII endpoint to retrieve target contents for SIEM integration purposes.

The output of the STIX endpoint is significantly larger than the ThreatList output and more complex to process. If your SIEM supports the CSV and IDS formats offered by Threatlist, the integration is simpler than using STIX.

The STIX/TAXII endpoint is documented here. It shares the same credentials as the Platform API.