> SIEM Integration_
STIX 2.1, CEF & LEEF Support.
Direct SIEM Integration.
Feed credential exposure intelligence directly into your SIEM — Splunk, IBM QRadar, Microsoft Sentinel, ArcSight, and more. Native support for STIX 2.1, CEF, and LEEF formats with no custom parsing required.
OASIS STIX 2.1 Compliant
Fully standards-compliant bundles
Multi-Format Output
STIX 2.1, CEF, and LEEF formats
Incremental Sync
Timestamp-based filtering
Privacy Controls
Email hashing and confidence filtering
STIX Object Types
DarkStrata maps credential exposure data to standard STIX 2.1 objects
Report
Credential exposure alerts become STIX Report objects — container documents that group related indicators, identities, and relationships.
Indicator
Compromised credentials become STIX Indicators with patterns like [user-account:account_login = 'email'] for automated SIEM detection.
Identity
Compromised users become STIX Identity objects for correlation with Active Directory, Azure AD, and other identity systems.
Observed-Data
Splunk ES compatible format — credentials as observed-data objects with embedded user-account and domain-name SCOs.
Relationship
STIX Relationship objects connect indicators to identities, providing full context for threat analysis.
API Endpoints
RESTful API endpoints for exporting credential intelligence in STIX, CEF, and LEEF formats
| Endpoint | Format | Description |
|---|---|---|
/api/v1/stix/alerts | STIX 2.1 | Credential exposure alerts as STIX bundles (Splunk, threat intel platforms) |
/api/v1/stix/alerts/:id | STIX 2.1 | Single alert as complete STIX bundle |
/api/v1/stix/indicators | STIX 2.1 | All credential indicators as flat bundle (up to 500/page) |
/api/v1/siem/events | CEF LEEF | Credential events for ArcSight, Sentinel, QRadar, and other SIEMs |
/api/v1/siem/events/:alertId | CEF LEEF | Events for a specific alert in CEF or LEEF format |
Query Parameters
| Parameter | Type | Description |
|---|---|---|
since | ISO 8601 | Fetch data since this timestamp (incremental sync) |
detail | summary | full | Level of detail in response bundles |
include | CSV | Include additional objects: identities |
format | stix21 | splunk | cef | leef | Output format — splunk for observed-data, cef for ArcSight/Sentinel, leef for QRadar |
hash_emails | boolean | SHA-256 hash email addresses for privacy |
confidence_threshold | 0-100 | Minimum STIX confidence score to include |
page / limit | integer | Pagination (limits: 10-100 alerts, 100-500 indicators) |
Confidence Mapping
DarkStrata threat scores map to STIX confidence values
| DarkStrata Level | Severity | STIX Confidence |
|---|---|---|
| 1 | Info | 20 |
| 2 | Needs Review | 40 |
| 3 | Medium | 60 |
| 4 | High | 80 |
| 5 | Critical | 100 |
Custom Extension
DarkStrata-specific metadata in STIX property extension
{
"type": "extension-definition",
"id": "extension-definition--d6132570-7659-4922-9fc4-420e4f8cba63",
"spec_version": "2.1",
"created": "2025-01-01T00:00:00.000Z",
"modified": "2025-01-01T00:00:00.000Z",
"name": "DarkStrata Credential Exposure Extension",
"schema": "https://api.darkstrata.io/v1/stix/extensions/credential-exposure/v1",
"version": "1.0.0",
"extension_types": ["property-extension"],
"extension_properties": {
"x_darkstrata_credential": {
"source": "MALWARE | BREACH",
"flow": "INBOUND | OUTBOUND",
"service_url": "Domain where credentials were exposed",
"threat_score": "1-5 severity level",
"password_strength": "weak | medium | strong",
"credential_type": "EP (email/password) | UP (username/password)",
"discovered_at": "ISO 8601 timestamp",
"alert_id": "DarkStrata alert UUID (optional)",
"asset_hostname": "Monitored asset hostname (optional)"
}
}
}Example Bundle
Sample STIX 2.1 bundle for a credential exposure indicator
{
"type": "bundle",
"id": "bundle--f9b2fd53-4335-4b51-a84c-ef1234567890",
"objects": [
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--550e8400-e29b-41d4-a716-446655440001",
"created": "2025-01-15T09:00:00.000Z",
"modified": "2025-01-15T09:00:00.000Z",
"name": "Compromised credential: j.smith@acme.com on slack.com",
"description": "Email/password pair exposed via infostealer malware for slack.com.",
"indicator_types": ["compromised"],
"pattern": "[user-account:account_login = 'j.smith@acme.com']",
"pattern_type": "stix",
"valid_from": "2025-01-14T00:00:00.000Z",
"confidence": 80,
"labels": ["darkstrata", "credential-exposure", "source:malware", "flow:outbound", "severity-high"],
"extensions": {
"extension-definition--d6132570-7659-4922-9fc4-420e4f8cba63": {
"extension_type": "property-extension",
"x_darkstrata_credential": {
"source": "MALWARE",
"flow": "OUTBOUND",
"service_url": "https://slack.com",
"threat_score": 4,
"password_strength": "weak",
"credential_type": "EP",
"discovered_at": "2025-01-14T00:00:00.000Z"
}
}
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--550e8400-e29b-41d4-a716-446655440002",
"created": "2025-01-15T09:00:00.000Z",
"modified": "2025-01-15T09:00:00.000Z",
"name": "j.smith@acme.com",
"identity_class": "individual",
"sectors": ["corporate"]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--550e8400-e29b-41d4-a716-446655440003",
"created": "2025-01-15T09:00:00.000Z",
"modified": "2025-01-15T09:00:00.000Z",
"relationship_type": "indicates",
"source_ref": "indicator--550e8400-e29b-41d4-a716-446655440001",
"target_ref": "identity--550e8400-e29b-41d4-a716-446655440002"
}
]
}Platform Compatibility
Works with major SIEM and threat intelligence platforms
Splunk ES
STIX 2.1
IBM QRadar
LEEF (native)Sentinel
CEF / TAXIIArcSight
CEF
Elastic
STIX integrationOpenCTI
STIX nativeTAXII 2.1 Coming Soon
TAXII 2.1 server endpoints are in development for automated threat intelligence feeds. This will enable direct connector integration with Microsoft Sentinel and other platforms that support TAXII polling.
Ready to Integrate Your SIEM?
Start exporting credential intelligence in STIX, CEF, or LEEF format today