IoCs
An IoC in the AEGIS context is a behavioral fingerprint, substrate signature, or technique identifier that AEGIS has published to the network because the cross-tenant aggregator promoted a Managed Rule against it. The IoC feed lives at GET /v1/trust/iocs and is encoded as a STIX 2.1 bundle.
The feed is the L5 layer of the Protection Network — the public transparency surface that lets external SIEMs, threat-intel platforms, and partner networks consume the same indicators AEGIS pushes to every gateway internally.
The STIX 2.1 wire format
Every IoC row maps to a STIX 2.1 indicator SDO. Mnemom-specific metadata is carried in a single property-extension per indicator, identified by a stable extension-definition ID:
mnemom_type, mnemom_value, mnemom_tlp, mnemom_synthetic, mnemom_related_advisory_id. STIX consumers that do not understand the extension MUST ignore it per STIX 2.1 §11.
The full wire format — bundle shape, indicator SDO shape, IoC type → STIX pattern mapping, confidence numeric mapping, endpoint behavior — is specified at /specifications/ioc-stix-mapping. This concept page covers the conceptual surface; the spec covers the wire.
The IoC type taxonomy
Mnemom’s IoC types and their STIX 2.1 pattern surface:

| Mnemom IoC type | STIX pattern | What it represents |
|---|---|---|
| sha256 | [file:hashes.'SHA-256' = '<value>'] | File / artifact hash |
| domain | [domain-name:value = '<value>'] | DNS name |
| url | [url:value = '<value>'] | URL |
| substrate_fingerprint | (no STIX pattern emitted) | An AI substrate identity flagged for behavioral deviation. See Substrate fingerprint. |
| technique_id | (no STIX pattern emitted) | A MITRE ATT&CK or MITRE ATLAS technique identifier |
For substrate_fingerprint and technique_id indicators, the value is carried in the Mnemom extension’s mnemom_type and mnemom_value fields. STIX 2.1’s standard pattern grammar does not have native predicates for these, so consumers that want to match on them should read the extension fields directly.
Empty-by-design at GA — the calm-at-GA contract
If at GA the network is genuinely calm, the thermometer says calm, the advisory list shows the synthetic seed post-mortem, the IoC feed is empty. That’s not a stub — that’s the system telling the truth.

At GA the bundle is { "type": "bundle", "id": "bundle--<uuid>", "objects": [] }. Customers polling the feed see an empty objects array; the field is reliable.
When AEGIS publishes a real IoC, it carries mnemom_synthetic: false in the Mnemom extension. The synthetic flag is the field customers can rely on to distinguish real published indicators from any documentation-only or test-seed entries. See AEGIS — calm-at-GA contract.
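An added example (not Mnemom's code) of a consumer that follows both rules above: it reads mnemom_type and mnemom_value from the extension so pattern-less types are not dropped, and it keeps only indicators carrying mnemom_synthetic: false. The extension-definition ID is a placeholder, the sample bundle is constructed, and leaving out the pattern key for technique_id is an assumption about how "no STIX pattern emitted" appears on the wire.

```python
# Placeholder: the real extension-definition ID is published in the wire spec.
MNEMOM_EXT_ID = "extension-definition--00000000-0000-4000-8000-000000000000"


def sample_indicator(ioc_type, value, synthetic, pattern=None):
    """Build a constructed indicator SDO, trimmed to the fields used here."""
    sdo = {"type": "indicator", "spec_version": "2.1", "extensions": {
        MNEMOM_EXT_ID: {"extension_type": "property-extension",
                        "mnemom_type": ioc_type, "mnemom_value": value,
                        "mnemom_synthetic": synthetic}}}
    if pattern is not None:
        sdo["pattern"] = pattern  # assumption: key absent when no pattern is emitted
    return sdo


# Constructed sample data, not real feed output.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        sample_indicator("domain", "bad.example", False,
                         "[domain-name:value = 'bad.example']"),
        sample_indicator("technique_id", "T1059", False),
        sample_indicator("sha256", "0" * 64, True,
                         "[file:hashes.'SHA-256' = '" + "0" * 64 + "']"),
    ]}


def real_iocs(bundle):
    """Return real (non-synthetic) Mnemom IoCs; [] for the calm-at-GA bundle."""
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    found = []
    for obj in bundle.get("objects", []):
        ext = (obj.get("extensions") or {}).get(MNEMOM_EXT_ID)
        if obj.get("type") != "indicator" or not isinstance(ext, dict):
            continue  # other SDOs, or indicators without the Mnemom extension
        if ext.get("mnemom_synthetic") is not False:
            continue  # only an explicit false marks a real published indicator
        found.append({"type": ext.get("mnemom_type"),
                      "value": ext.get("mnemom_value"),
                      "pattern": obj.get("pattern")})  # None for pattern-less types
    return found


if __name__ == "__main__":
    for ioc in real_iocs(SAMPLE_BUNDLE):
        print(ioc)
```

Treating a missing mnemom_synthetic field the same as true is a design choice of this example, so that seed or malformed entries never reach a blocklist.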
Consumption
The feed is consumable by any STIX 2.1-aware tool (MISP, OpenCTI, Anomali, ThreatConnect, custom pipelines). Customer integration is documented end-to-end in the IoC feed consumption guide, including:

- Authentication (X-Mnemom-Api-Key)
- Query filters (?type=, ?after=, ?limit=)
- Pagination via the next_after bundle-level extension
- Refresh cadence (recommended 5-15 minutes via cron; rate limit 1 req/sec/IP, KV-backed)
- Mapping Mnemom IoC types into downstream tooling

The wire format is specified at /specifications/ioc-stix-mapping; the runnable how-to is the guide.
Webhooks
A new IoC insertion fires the ioc.added webhook. Subscribe via Webhooks; see the catalog entry on the Webhook events page.
See also
- AEGIS — protection-layer framing
- Advisories — the related per-incident transparency surface that IoC entries may reference via mnemom_related_advisory_id
- Managed Rules — the rule plane that promotions feed indicators from
- Substrate fingerprint — the AI substrate identity that surfaces as one IoC type
- Transparency log — the parallel transparency surface for AAP attestation evidence
- IoC STIX mapping — wire format specification
- IoC feed consumption guide — runnable integration how-to