GET /v1/trust/iocs, and the mapping from Mnemom’s internal indicator types to STIX 2.1 Stix Domain Objects.
The bundle conforms to OASIS STIX 2.1 and is consumable by any STIX 2.1-aware tool (MISP, OpenCTI, Anomali, ThreatConnect, custom pipelines). Mnemom-specific metadata is carried in a single property-extension per indicator, identified by a stable extension-definition ID; STIX consumers that do not understand the extension are required by spec to ignore it.
The canonical implementation is mnemom-api/src/trust/iocs.ts.
1. Bundle structure
Pagination
When the response carries?limit rows and there are further rows available, the bundle includes a Mnemom extension next_after at the bundle level whose value is the ISO-8601 last_seen_at timestamp of the final indicator in the bundle. Resume by passing that value as ?after= on the next request. STIX consumers that do not understand the extension ignore it.
2. Indicator SDO shape
Every IoC row is mapped to a STIX 2.1indicator SDO with the following shape:
Confidence mapping
The IoC row’s qualitative confidence is mapped to the STIX 2.1 numeric confidence scale (§3.7):3. IoC type → STIX pattern mapping
The
substrate_fingerprint and technique_id types do not emit STIX patterns because the standard STIX pattern grammar does not have native predicates for them. STIX-aware consumers that want to match on these types should read the extension fields directly.
4. TLP encoding
Mnemom’s traffic-light protocol (TLP) value is mapped to STIX 2.1 marking-definition references and also surfaced verbatim in the Mnemom extension:
(Specific marking-definition UUIDs follow OASIS-published TLP markings; consumers SHOULD resolve them against the canonical OASIS TLP markers.)
5. The Mnemom extension definition
The Mnemom property-extension is identified by the stable extension-definition ID:property-extension per STIX 2.1 §11.4, attached at the per-indicator level. Field names are stable:
6. Example — calm-at-GA bundle (empty objects)
At GA, the bundle is empty by design per the calm-at-GA contract.7. Example — one synthetic indicator
Calibrated to be clearly synthetic and not mistakeable for a real attack pattern.8. Endpoint behavior
The IoC feed is served atGET /v1/trust/iocs.
Ordering:
last_seen_at DESC. Pagination via ?after=<last value seen> is the canonical resume pattern; the next_after bundle-level extension (§1) surfaces the cursor for the next call.
Auth: customer API key via X-Mnemom-Api-Key: $MNEMOM_KEY.
Rate limit: 1 request per second per IP (KV-backed; fail-open if the rate-limit KV namespace is unbound). Cloudflare Workers KV has a 60 s minimum TTL, so the effective practical bound is closer to 1 request per minute per IP. Recommended polling cadence: every 5-15 minutes via cron. See the IoC feed consumption guide for a runnable integration.
9. Bundle-level signing
At GA, the STIX bundle is not cryptographically signed. The IoC entries themselves are produced from rows in the internal
iocs table. The Managed Rule envelope signing chain (see Managed rule envelope schema) protects the Managed Rule pipeline; the IoC bundle is a derived view of network-level signal output.Customers wanting cryptographic attestation for cross-tenant detection content should rely on the append-only audit chain (recipe_review_actions) plus the recipe.promoted and advisory.published webhook events plus the published /trust/slos commitments.See also
- IoCs — concept page for the IoC feed
- IoC feed consumption guide — runnable how-to
- AEGIS — protection-layer framing
- Advisories — published per-incident summaries (the
mnemom_related_advisory_idtarget) - Managed rule envelope schema — wire format for the signed rule plane
- Substrate fingerprint — what
substrate_fingerprintIoC values represent