Threat intelligence
The Threat Intelligence API manages your IOC (Indicator of Compromise) library — IPs, domains, file hashes, CVEs, and more — and exposes the curated global feeds that Sentinel uses for automated detection.
IOC types
| Name | Type | Required | Description |
|---|---|---|---|
| ip | string | No | Single IPv4 or IPv6 address. |
| cidr | string | No | IP range in CIDR notation. |
| domain | string | No | Malicious or suspicious domain. |
| url | string | No | Full URL to a malicious resource. |
| hash_md5 | string | No | MD5 file hash. |
| hash_sha1 | string | No | SHA-1 file hash. |
| hash_sha256 | string | No | SHA-256 file hash. |
| | string | No | Malicious sender email address. |
| cve | string | No | CVE identifier (e.g. CVE-2024-12345). |
| asn | string | No | Autonomous system number. |
List IOCs
```bash
GET /v1/sentinel/threat-intel/iocs
```

| Name | Type | Required | Description |
|---|---|---|---|
| filter[type] | string | No | Filter by IOC type. |
| filter[severity] | string | No | One of critical, high, medium, low or informational. |
| filter[active] | boolean | No | true (default) returns active IOCs only. |
| search | string | No | Full-text search across IOC values. |
Add an IOC
```bash
POST /v1/sentinel/threat-intel/iocs
```

| Name | Type | Required | Description |
|---|---|---|---|
| value | string | Yes | The indicator value. |
| type | string | Yes | IOC type. |
| severity | string | No | Defaults to medium. |
| description | string | No | Context about this indicator. |
| source | string | No | One of manual, hld_pulse, misp, virustotal or custom. |
| confidence | integer | No | Confidence score 0–100. Defaults to 80. |
| tags | array | No | String tags for filtering and correlation. |
| expires_at | string | No | ISO 8601. IOC is auto-deactivated after this date. |
```bash
curl -X POST https://api.hldgroup.org/v1/sentinel/threat-intel/iocs \
  -H "Authorization: Bearer hld_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "type": "hash_sha256",
    "severity": "critical",
    "description": "LockBit ransomware staging binary — confirmed from incident inc_01hxyz.",
    "source": "manual",
    "confidence": 99,
    "tags": ["ransomware", "lockbit", "staging"]
  }'
```

HLD Pulse feeds
Sentinel automatically ingests threat intelligence from HLD Pulse — our curated threat briefing and IOC platform. Pulse feeds are updated continuously and feed directly into Sentinel's detection engine.
```bash
GET /v1/sentinel/threat-intel/feeds
```

```json
{
  "data": [
    {
      "id": "feed_hld_pulse",
      "name": "HLD Pulse",
      "type": "managed",
      "ioc_count": 42819,
      "last_updated_at": "2025-06-01T14:00:00Z",
      "enabled": true
    },
    {
      "id": "feed_cisa_kev",
      "name": "CISA Known Exploited Vulnerabilities",
      "type": "public",
      "ioc_count": 1187,
      "last_updated_at": "2025-06-01T12:00:00Z",
      "enabled": true
    }
  ]
}
```

Note: IOCs added via the API are automatically matched against active incidents and enrolled devices. High-confidence matches generate alerts within 60 seconds of IOC creation.
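Because an IOC starts matching against incidents and devices within a minute of creation, a malformed indicator is wasted noise in the library. The following added example (not part of the HLD Sentinel documentation) checks a value against its declared IOC type and builds the body for the Add an IOC endpoint described above; the field and type names are the page's, while the validation rules and the `build_ioc` helper are this example's own assumptions.

```python
# Added example, not part of the HLD Sentinel docs: validate an IOC value
# against its declared type, then build the Add an IOC request body.
# Field and type names come from the page; the validation rules are assumed.
import ipaddress
import re

PATTERNS = {
    "hash_md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "hash_sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "hash_sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "cve": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "asn": re.compile(r"^(AS)?\d+$"),
    "domain": re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I),
    "url": re.compile(r"^https?://\S+$", re.I),
}
SEVERITIES = {"critical", "high", "medium", "low", "informational"}

def validate_ioc(value: str, ioc_type: str) -> bool:
    """True if value is well-formed for ioc_type; a malformed indicator can
    never match anything and only adds noise to the library."""
    try:
        if ioc_type == "ip":
            ipaddress.ip_address(value)  # accepts IPv4 and IPv6
            return True
        if ioc_type == "cidr":
            ipaddress.ip_network(value, strict=False)
            return True
    except ValueError:
        return False
    pattern = PATTERNS.get(ioc_type)
    return bool(pattern and pattern.match(value))

def build_ioc(value, ioc_type, severity="medium", confidence=80, **extra):
    """Build the POST body for Add an IOC; raises ValueError on bad input."""
    if not validate_ioc(value, ioc_type):
        raise ValueError(f"{value!r} is not a well-formed {ioc_type}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    if not 0 <= int(confidence) <= 100:
        raise ValueError("confidence must be between 0 and 100")
    body = {"value": value, "type": ioc_type, "severity": severity,
            "confidence": int(confidence)}
    body.update(extra)  # description, source, tags, expires_at
    return body
```

The returned dictionary is the JSON document sent with the headers shown in the curl example above.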