Generates ready-to-deploy Sigma detection rules from recent IOCs.

Example request:

curl -H "Authorization: Bearer sk_live_..." \
  "https://socdefenders.ai/api/v1/iocs/sigma?type=domain&confidence=high&limit=50" \
  -o socdefenders-domains.yml

Example response (socdefenders-domains.yml):

title: SOC Defenders — Malicious Domain c2.example.com
id: 8f3a4d1e-7b2c-5a9e-9f6d-3a8b1c7e2f4d
status: experimental
description: Detects DNS queries to c2.example.com, observed in "New botnet observed beaconing"
references:
  - https://socdefenders.ai/threats/6fc99fbc-2c24-4ce2-8b42-48065d4976e7
author: SOC Defenders Threat Intelligence Feed
date: 2026-05-17
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: dns
detection:
  selection:
    QueryName|endswith: 'c2.example.com'
  condition: selection
level: high
falsepositives:
  - Legitimate use of the domain (rare for indicators in this feed; verify in context).
---
title: SOC Defenders — Malicious SHA256
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
...
Response body: multi-document YAML (text/yaml), one rule per IOC, separated by ---. Each rule's detection matches on the Sigma field appropriate to the IOC type (DestinationIp, QueryName, c-uri, Hashes).

Every rule's UUID is derived deterministically from the IOC value + type. Re-running this endpoint with overlapping IOCs produces the same rule IDs, so your SIEM rule repo doesn't churn version control history when you periodically refresh the feed.
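As an added example (not part of this page or of the SOC Defenders product), a stdlib-only Python helper that splits a downloaded pack on the --- separators, checks each rule for the top-level Sigma keys, and merges it into a local {id: rule} repo keyed by the deterministic rule id, so a periodic refresh only touches rules that are new or whose text changed. The sample pack is constructed: the first rule mirrors the page's example, the second rule's domain and id are made up.

```python
import re

# Constructed pack in this endpoint's shape; 1st rule mirrors the page, 2nd is made up.
SAMPLE_PACK = """title: SOC Defenders - Malicious Domain c2.example.com
id: 8f3a4d1e-7b2c-5a9e-9f6d-3a8b1c7e2f4d
logsource:
  category: dns
detection:
  selection:
    QueryName|endswith: 'c2.example.com'
  condition: selection
---
title: SOC Defenders - Malicious Domain beacon.example.net
id: b7e1d2c3-4a5f-4e6d-8c9b-0a1b2c3d4e5f
logsource:
  category: dns
detection:
  selection:
    QueryName|endswith: 'beacon.example.net'
  condition: selection
"""

REQUIRED = ("title", "id", "logsource", "detection")  # keys a rule must carry to deploy

def split_rules(pack: str) -> list:
    """Split a multi-document YAML pack on bare '---' separator lines."""
    return [d.strip() + "\n" for d in re.split(r"(?m)^---\s*$", pack) if d.strip()]

def missing_keys(doc: str) -> list:
    return [k for k in REQUIRED if not re.search(rf"(?m)^{k}:", doc)]

def rule_id(doc: str) -> str:
    m = re.search(r"(?m)^id:\s*([0-9a-f-]{36})\s*$", doc)
    return m.group(1) if m else ""

def merge_pack(repo: dict, pack: str) -> dict:
    """Merge a pack into an {id: rule_text} repo and report what changed; since
    ids are deterministic per IOC, a refresh leaves matching rules untouched."""
    report = {"added": [], "changed": [], "unchanged": [], "invalid": []}
    for doc in split_rules(pack):
        rid = rule_id(doc)
        if not rid or missing_keys(doc):
            report["invalid"].append(doc.splitlines()[0])
            continue
        bucket = "added" if rid not in repo else ("changed" if repo[rid] != doc else "unchanged")
        report[bucket].append(rid)
        if bucket != "unchanged":
            repo[rid] = doc
    return report
```

Write each entry of the resulting repo to its own .yml file named by rule id and only the added or changed files will show up in your next commit.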
The output is vanilla Sigma — use sigma convert to target Splunk SPL, Elasticsearch DSL, Sentinel KQL, etc.:
curl ... -o socdefenders.yml
sigma convert -t splunk socdefenders.yml > rules.spl
Requires the Pro plan (read:iocs scope).
Authentication: API key in the X-API-Key header.

Query parameters:

type (string; example "domain"): Restrict to a single IOC type. Omit to generate a mixed-source rule pack. Allowed values: ipv4, ipv6, domain, url, md5, sha1, sha256.

confidence (string; example "high"): Only emit rules for IOCs at this confidence level. Default emits all confidences. Allowed values: high, medium, low.

ISO 8601 timestamp (example "2026-05-10T00:00:00Z"): Generate rules for IOCs first seen after this timestamp. Defaults to the last 7 days.

limit (integer, 1 <= x <= 1000; example 50): Maximum number of rules to generate.
Multi-document Sigma YAML — one rule per IOC, separated by ---. Save to a .yml file and drop into your SIEM rules repo.
The response is of type string.