DarkStrata is the only credential exposure platform with native STIX/TAXII support. Feed structured threat intelligence directly into your SIEM without custom parsing or transformation.
Fully standards-compliant bundles
Observed-data format for Splunk
Timestamp-based filtering
Email hashing and confidence filtering
DarkStrata maps credential exposure data to standard STIX 2.1 objects
Credential exposure alerts become STIX Report objects — container documents that group related indicators, identities, and relationships.
Compromised credentials become STIX Indicators with patterns like [user-account:account_login = 'email'] for automated SIEM detection.
Compromised users become STIX Identity objects for correlation with Active Directory, Azure AD, and other identity systems.
Splunk ES compatible format — credentials as observed-data objects with embedded user-account and domain-name SCOs.
STIX Relationship objects connect indicators to identities, providing full context for threat analysis.
RESTful API endpoints for exporting STIX bundles
| Endpoint | Method | Description |
|---|---|---|
| /api/v1/stix/alerts | GET | List credential exposure alerts as STIX bundles with pagination |
| /api/v1/stix/alerts/:id | GET | Single alert as a complete STIX bundle |
| /api/v1/stix/indicators | GET | All credential indicators as a flat bundle (up to 500 per page) |

| Parameter | Type | Description |
|---|---|---|
| since | ISO 8601 | Fetch data since this timestamp (incremental sync) |
| detail | summary or full | Level of detail in response bundles |
| include | CSV | Include additional objects: identities |
| format | stix21 or splunk | Output format — use splunk for observed-data |
| hash_emails | boolean | SHA-256 hash email addresses for privacy |
| confidence_threshold | 0-100 | Minimum STIX confidence score to include |
| page / limit | integer | Pagination (limits: 10-100 alerts, 100-500 indicators) |
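The endpoints and parameters in the tables above can be driven from a small polling client like the one below. This is an added example, not DarkStrata's own SDK: only the endpoint paths, parameter names and limit ranges come from the tables. The base URL https://api.darkstrata.io (taken from the schema URL shown later on this page), the bearer-token Authorization header, and the rule that a page holding fewer than `limit` indicators is the last page are assumptions; the StubTransport is a constructed stand-in for the HTTP call so the sync loop runs offline.

```python
"""Polling client for the DarkStrata STIX export endpoints in the tables above.

Added example, not DarkStrata's own SDK. Endpoint paths, parameter names and
limit ranges come from the page; the base URL, bearer auth and the
"short page == last page" rule are assumptions.
"""
import json
import urllib.parse
import urllib.request

BASE_URL = "https://api.darkstrata.io"  # assumption; the page shows only the path prefix

# Allowed `limit` range per endpoint, from the parameter table.
LIMIT_RANGES = {
    "/api/v1/stix/alerts": (10, 100),
    "/api/v1/stix/indicators": (100, 500),
}


def build_url(path, **params):
    """Build a request URL, rejecting out-of-range limit / confidence values.

    Booleans are sent as "true"/"false"; parameters set to None are omitted.
    """
    lo, hi = LIMIT_RANGES[path]
    limit = params.get("limit")
    if limit is not None and not lo <= limit <= hi:
        raise ValueError(f"limit for {path} must be between {lo} and {hi}")
    threshold = params.get("confidence_threshold")
    if threshold is not None and not 0 <= threshold <= 100:
        raise ValueError("confidence_threshold must be between 0 and 100")
    query = {k: (str(v).lower() if isinstance(v, bool) else str(v))
             for k, v in params.items() if v is not None}
    return f"{BASE_URL}{path}?{urllib.parse.urlencode(query)}"


def query_of(url):
    """Return the query string of `url` as a dict of single values."""
    parsed = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return {k: v[0] for k, v in parsed.items()}


def http_get(url, token):
    """Fetch one STIX bundle over HTTPS. Bearer auth is an assumption."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class StubTransport:
    """Constructed stand-in for http_get: serves `total` indicators across pages
    without network access, so the sync loop can be demonstrated offline."""

    def __init__(self, total):
        self.total, self.urls = total, []

    def __call__(self, url, token):
        self.urls.append(url)
        q = query_of(url)
        page, limit = int(q["page"]), int(q["limit"])
        start = (page - 1) * limit
        count = max(0, min(limit, self.total - start))
        objects = [{"type": "indicator", "id": f"indicator--stub-{start + i}",
                    "modified": f"2025-01-15T00:{(start + i) // 60:02d}:{(start + i) % 60:02d}.000Z"}
                   for i in range(count)]
        return {"type": "bundle", "id": "bundle--stub", "objects": objects}


def sync_indicators(since, token, *, confidence_threshold=None, hash_emails=False,
                    limit=500, fetch=http_get):
    """Pull every credential indicator modified since `since`, page by page.

    Returns (indicators, next_since). Persist next_since and pass it back on
    the next poll so only new data is fetched (the incremental sync the
    `since` parameter exists for).
    """
    indicators, page = [], 1
    while True:
        url = build_url("/api/v1/stix/indicators", since=since,
                        confidence_threshold=confidence_threshold,
                        hash_emails=True if hash_emails else None,  # omitted when False
                        page=page, limit=limit)
        bundle = fetch(url, token)
        page_indicators = [o for o in bundle.get("objects", []) if o.get("type") == "indicator"]
        indicators.extend(page_indicators)
        if len(page_indicators) < limit:  # assumption: a short page is the last page
            break
        page += 1
    # ISO 8601 UTC timestamps sort lexically, so max() yields the newest one.
    next_since = max((i["modified"] for i in indicators), default=since)
    return indicators, next_since


if __name__ == "__main__":
    found, checkpoint = sync_indicators("2025-01-01T00:00:00.000Z", "demo-token",
                                        confidence_threshold=60, hash_emails=True,
                                        limit=100, fetch=StubTransport(total=102))
    print(f"{len(found)} indicators fetched; next since={checkpoint}")
```

Store the returned checkpoint durably (a file or a SIEM KV store) and feed it back as `since`; if a poll fails midway, re-running with the old checkpoint simply re-fetches the same window, so ingestion should be idempotent on the indicator id.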
DarkStrata threat scores map to STIX confidence values
| DarkStrata Level | Severity | STIX Confidence |
|---|---|---|
| 1 | Info | 20 |
| 2 | Needs Review | 40 |
| 3 | Medium | 60 |
| 4 | High | 80 |
| 5 | Critical | 100 |
DarkStrata-specific metadata in STIX property extension
```json
{
  "type": "extension-definition",
  "id": "extension-definition--d6132570-7659-4922-9fc4-420e4f8cba63",
  "spec_version": "2.1",
  "created": "2025-01-01T00:00:00.000Z",
  "modified": "2025-01-01T00:00:00.000Z",
  "name": "DarkStrata Credential Exposure Extension",
  "schema": "https://api.darkstrata.io/v1/stix/extensions/credential-exposure/v1",
  "version": "1.0.0",
  "extension_types": ["property-extension"],
  "extension_properties": {
    "x_darkstrata_credential": {
      "source": "MALWARE | BREACH",
      "flow": "INBOUND | OUTBOUND",
      "service_url": "Domain where credentials were exposed",
      "threat_score": "1-5 severity level",
      "password_strength": "weak | medium | strong",
      "credential_type": "EP (email/password) | UP (username/password)",
      "discovered_at": "ISO 8601 timestamp",
      "alert_id": "DarkStrata alert UUID (optional)",
      "asset_hostname": "Monitored asset hostname (optional)"
    }
  }
}
```

source: MALWARE for infostealer logs, BREACH for data breaches and leaks.
flow: OUTBOUND when employee credentials have leaked, INBOUND when customer credentials are exposed on your domain.
threat_score: a 1-5 severity rating based on password strength, source recency, and credential type.
Sample STIX 2.1 bundle for a credential exposure indicator
```json
{
  "type": "bundle",
  "id": "bundle--f9b2fd53-4335-4b51-a84c-ef1234567890",
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--550e8400-e29b-41d4-a716-446655440001",
      "created": "2025-01-15T09:00:00.000Z",
      "modified": "2025-01-15T09:00:00.000Z",
      "name": "Compromised credential: [email protected] on slack.com",
      "description": "Email/password pair exposed via infostealer malware for slack.com.",
      "indicator_types": ["compromised"],
      "pattern": "[user-account:account_login = '[email protected]']",
      "pattern_type": "stix",
      "valid_from": "2025-01-14T00:00:00.000Z",
      "confidence": 80,
      "labels": ["darkstrata", "credential-exposure", "source:malware", "flow:outbound", "severity-high"],
      "extensions": {
        "extension-definition--d6132570-7659-4922-9fc4-420e4f8cba63": {
          "extension_type": "property-extension",
          "x_darkstrata_credential": {
            "source": "MALWARE",
            "flow": "OUTBOUND",
            "service_url": "https://slack.com",
            "threat_score": 4,
            "password_strength": "weak",
            "credential_type": "EP",
            "discovered_at": "2025-01-14T00:00:00.000Z"
          }
        }
      }
    },
    {
      "type": "identity",
      "spec_version": "2.1",
      "id": "identity--550e8400-e29b-41d4-a716-446655440002",
      "created": "2025-01-15T09:00:00.000Z",
      "modified": "2025-01-15T09:00:00.000Z",
      "name": "[email protected]",
      "identity_class": "individual",
      "sectors": ["corporate"]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--550e8400-e29b-41d4-a716-446655440003",
      "created": "2025-01-15T09:00:00.000Z",
      "modified": "2025-01-15T09:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--550e8400-e29b-41d4-a716-446655440001",
      "target_ref": "identity--550e8400-e29b-41d4-a716-446655440002"
    }
  ]
}
```

Works with major SIEM and threat intelligence platforms
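The following code shows both sides of the data model described on this page: building the indicator, identity and relationship triple for one exposed credential (using the threat-score-to-confidence table and the x_darkstrata_credential extension), and consuming such a bundle into flat records a SIEM can load as a lookup. It is an added example, not DarkStrata's or any SIEM vendor's code. The object shapes, extension id, property names and confidence table come from the page; the sample addresses, random UUIDs, record layout, the consumer-side application of confidence_threshold and hash_emails, and hashing the address as-is with SHA-256 (the API's exact normalisation is not documented here) are assumptions. The consumer also flags an indicator whose confidence disagrees with its threat_score, which is a cheap integrity check on any feed that claims to follow the mapping table.

```python
"""Build and consume DarkStrata-style STIX 2.1 credential exposure objects.

Added example, not DarkStrata's own code. Object shapes, the extension id and
the threat-score table come from the page; sample data, UUIDs and the flat
record layout are constructed for this example.
"""
import hashlib
import re
import uuid

EXT_ID = "extension-definition--d6132570-7659-4922-9fc4-420e4f8cba63"

# DarkStrata threat score -> (severity label, STIX confidence), from the mapping table.
THREAT_LEVELS = {1: ("Info", 20), 2: ("Needs Review", 40), 3: ("Medium", 60),
                 4: ("High", 80), 5: ("Critical", 100)}

# Matches the page's account_login pattern; the group tolerates backslash-escaped quotes.
LOGIN_RE = re.compile(r"^\[user-account:account_login = '((?:[^'\\]|\\.)*)'\]$")


def sha256_hex(text):
    """Hash an address as-is (normalisation is an assumption, see lead-in)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def stix_literal(value):
    """Escape a value for use inside a single-quoted STIX pattern literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def make_credential_objects(login, service_url, source, flow, threat_score,
                            discovered_at, strength="weak"):
    """Indicator + identity + 'indicates' relationship for one exposed credential,
    shaped like the sample bundle above. UUIDs are random placeholders."""
    severity, confidence = THREAT_LEVELS[threat_score]
    ind_id, idn_id = f"indicator--{uuid.uuid4()}", f"identity--{uuid.uuid4()}"
    ts = discovered_at
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": ind_id, "created": ts, "modified": ts,
        "name": f"Compromised credential: {login} on {service_url}",
        "indicator_types": ["compromised"],
        "pattern": f"[user-account:account_login = '{stix_literal(login)}']",
        "pattern_type": "stix", "valid_from": ts, "confidence": confidence,
        "labels": ["darkstrata", "credential-exposure", f"source:{source.lower()}",
                   f"flow:{flow.lower()}", f"severity-{severity.lower().replace(' ', '-')}"],
        "extensions": {EXT_ID: {"extension_type": "property-extension",
                                "x_darkstrata_credential": {
                                    "source": source, "flow": flow, "service_url": service_url,
                                    "threat_score": threat_score, "password_strength": strength,
                                    "credential_type": "EP", "discovered_at": ts}}},
    }
    identity = {"type": "identity", "spec_version": "2.1", "id": idn_id, "created": ts,
                "modified": ts, "name": login, "identity_class": "individual"}
    relationship = {"type": "relationship", "spec_version": "2.1",
                    "id": f"relationship--{uuid.uuid4()}", "created": ts, "modified": ts,
                    "relationship_type": "indicates", "source_ref": ind_id, "target_ref": idn_id}
    return [indicator, identity, relationship]


def sample_bundle():
    """Constructed bundle with two exposures; the addresses are placeholders."""
    objects = make_credential_objects("user@example.com", "https://slack.com",
                                      "MALWARE", "OUTBOUND", 4, "2025-01-14T00:00:00.000Z")
    objects += make_credential_objects("o'neil@example.com", "https://example.net", "BREACH",
                                       "INBOUND", 2, "2024-12-01T00:00:00.000Z", strength="strong")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def flatten_bundle(bundle, *, confidence_threshold=0, hash_emails=False):
    """Turn a bundle into flat dicts for a SIEM lookup table.

    Resolves 'indicates' relationships to identity names, reads the extension
    properties and checks that confidence agrees with the threat_score mapping.
    confidence_threshold and hash_emails mirror the API parameters, applied here
    on the consumer side.
    """
    by_id = {o["id"]: o for o in bundle["objects"]}
    indicated = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o.get("relationship_type") == "indicates":
            indicated.setdefault(o["source_ref"], []).append(o["target_ref"])
    records = []
    for o in bundle["objects"]:
        if o["type"] != "indicator" or o.get("confidence", 0) < confidence_threshold:
            continue
        m = LOGIN_RE.match(o.get("pattern", ""))
        if not m:
            continue  # not an account-login indicator
        login = re.sub(r"\\(.)", r"\1", m.group(1))  # undo STIX literal escaping
        ext = o.get("extensions", {}).get(EXT_ID, {}).get("x_darkstrata_credential", {})
        severity, expected = THREAT_LEVELS.get(ext.get("threat_score"), (None, None))
        names = [by_id[t]["name"] for t in indicated.get(o["id"], [])
                 if t in by_id and by_id[t]["type"] == "identity"]
        if hash_emails:
            login, names = sha256_hex(login), [sha256_hex(n) for n in names]
        records.append({
            "indicator_id": o["id"], "account_login": login, "identities": names,
            "service_url": ext.get("service_url"), "source": ext.get("source"),
            "flow": ext.get("flow"), "threat_score": ext.get("threat_score"),
            "severity": severity, "confidence": o.get("confidence"),
            "confidence_matches_score": o.get("confidence") == expected,
            "discovered_at": ext.get("discovered_at"),
        })
    return records


if __name__ == "__main__":
    for rec in flatten_bundle(sample_bundle(), confidence_threshold=40, hash_emails=True):
        print(rec)
```

A record whose confidence_matches_score is False is worth alerting on in its own right: either the producer changed its mapping or the bundle was altered in transit, and neither should silently feed a detection rule.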
TAXII 2.1 server endpoints are in development for automated threat intelligence feeds. This will enable direct connector integration with Microsoft Sentinel and other platforms that support TAXII polling.
Start exporting credential intelligence in STIX format today