Generate deployable Sigma detection rules
Generates ready-to-deploy Sigma detection rules from recent IOCs.
What you get
Multi-document YAML (text/yaml) — one rule per IOC, separated by ---:
- network_connection logsource for IPv4/IPv6 (matches DestinationIp)
- dns logsource for domains (matches QueryName)
- proxy logsource for URLs (matches c-uri)
- process_creation logsource for file hashes (matches Hashes)
Why deterministic IDs
Every rule's UUID is derived deterministically from the IOC value plus its type. Re-running this endpoint with overlapping IOCs produces identical rule IDs, so periodically refreshing the feed doesn't churn your SIEM rule repo's version control history: unchanged IOCs yield unchanged files, and only genuinely new or expired IOCs show up in the diff. Only the ID is pinned to the IOC; if an IOC's confidence changes between pulls, the rule body changes while its ID stays the same, which is what you want for a clean, reviewable diff.
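The following is an added example, not SocDefenders' implementation: it reproduces the documented behaviour (one rule per IOC, logsource and match field chosen by IOC type, UUID derived from type + value) so you can see why two feed pulls with overlapping IOCs produce byte-stable rule IDs, and it includes a splitter for the multi-document pack you download. The uuid5 namespace, the `product: windows` logsource qualifiers, the `SHA256=` convention for the Hashes field, the case normalisation and the sample IOCs are all assumptions made for illustration.

```python
"""Deterministic Sigma rule pack from IOCs (added example, not the service's code)."""
import re
import uuid

# Fixed namespace for uuid5. Any constant works, but it must never change:
# rotating it rotates every rule ID in your repo. (Assumption: the namespace the
# service uses is not documented; the RFC 4122 DNS namespace is used here.)
NAMESPACE = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")

# IOC type -> (Sigma logsource, detection field), as documented for the endpoint.
# The product qualifiers and the 'SHA256=' Hashes convention follow Sysmon-style
# Sigma rules and are assumptions here.
_NETCONN = {"category": "network_connection", "product": "windows"}
_PROC = {"category": "process_creation", "product": "windows"}
LOGSOURCE = {
    "ipv4":   (_NETCONN, "DestinationIp"),
    "ipv6":   (_NETCONN, "DestinationIp"),
    "domain": ({"category": "dns"}, "QueryName"),
    "url":    ({"category": "proxy"}, "c-uri"),
    "md5":    (_PROC, "Hashes|contains"),
    "sha1":   (_PROC, "Hashes|contains"),
    "sha256": (_PROC, "Hashes|contains"),
}


def canonical(ioc_type, value):
    """Normalise the IOC before hashing so 'Evil.Example' and 'evil.example'
    yield one rule. URL paths are case-sensitive, so URLs are left alone."""
    value = value.strip()
    return value if ioc_type == "url" else value.lower()


def rule_id(ioc_type, value):
    """uuid5(namespace, type + value): same IOC in, same ID out, on every run."""
    return str(uuid.uuid5(NAMESPACE, f"{ioc_type}:{canonical(ioc_type, value)}"))


def match_value(ioc_type, value):
    value = canonical(ioc_type, value)
    if ioc_type in ("md5", "sha1", "sha256"):
        return f"{ioc_type.upper()}={value}"  # Sysmon Hashes field format (assumed)
    return value


def yq(text):
    """Single-quoted YAML scalar; the only escape needed is doubling quotes."""
    return "'" + text.replace("'", "''") + "'"


def render_rule(ioc):
    ioc_type, value, confidence = ioc["type"], ioc["value"], ioc["confidence"]
    if ioc_type not in LOGSOURCE:
        raise ValueError(f"unsupported IOC type: {ioc_type}")
    logsource, field = LOGSOURCE[ioc_type]
    title = f"IOC match: {ioc_type} {canonical(ioc_type, value)}"
    description = f"Generated from a {confidence}-confidence {ioc_type} IOC"
    lines = [f"title: {yq(title)}", f"id: {rule_id(ioc_type, value)}",
             "status: experimental", f"description: {yq(description)}"]
    # Stamp the IOC's own first_seen, never the generation time: a 'date'
    # that changes every run would defeat the stable IDs in version control.
    if ioc.get("first_seen"):
        lines.append(f"date: {ioc['first_seen'][:10]}")
    lines.append("logsource:")
    lines += [f"  {k}: {v}" for k, v in logsource.items()]
    lines += ["detection:", "  selection:",
              f"    {field}: {yq(match_value(ioc_type, value))}",
              "  condition: selection", f"level: {confidence}"]
    return "\n".join(lines)


def render_pack(iocs):
    """Multi-document YAML, one rule per IOC, separated by '---'."""
    return "\n---\n".join(render_rule(i) for i in iocs) + "\n"


def split_pack(text):
    """Split a downloaded pack back into one document per rule."""
    return [d.strip() for d in re.split(r"^---\s*$", text, flags=re.M) if d.strip()]


def pack_ids(text):
    return re.findall(r"^id: (\S+)$", text, flags=re.M)


# Constructed sample feed (TEST-NET-3 address, .example domain, empty-file SHA-256).
SAMPLE_IOCS = [
    {"type": "ipv4", "value": "203.0.113.7", "confidence": "high",
     "first_seen": "2026-05-10T00:00:00Z"},
    {"type": "domain", "value": "Malicious.Example", "confidence": "medium"},
    {"type": "url", "value": "http://malicious.example/Payload.bin", "confidence": "high"},
    {"type": "sha256", "confidence": "low",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

if __name__ == "__main__":
    first = render_pack(SAMPLE_IOCS)
    # A refreshed feed: one IOC aged out, one new one; the overlap keeps its IDs.
    refreshed = SAMPLE_IOCS[1:] + [{"type": "ipv6", "value": "2001:DB8::1", "confidence": "high"}]
    second = render_pack(refreshed)
    print(first)
    print("stable IDs across runs:", pack_ids(first)[1:] == pack_ids(second)[:3])
```

The two design choices worth copying are the fixed namespace (change it and every rule in your repo gets a new ID in one commit) and refusing to stamp generation time into the rule; if you want a date, take it from the IOC's own first_seen so the file only changes when the IOC does.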
Convert to your SIEM’s native language
The output is plain Sigma; convert it with sigma-cli (sigma convert) to Splunk SPL, Elasticsearch DSL, Microsoft Sentinel KQL and so on. Depending on the backend you may also need to pass a processing pipeline (-p) that maps the generic logsource categories (network_connection, dns, proxy, process_creation) onto the field names your log sources actually emit:
curl ... -o socdefenders.yml
sigma convert -t splunk socdefenders.yml > rules.spl
Requires the Pro plan (read:iocs scope).
Authorizations
API key in X-API-Key header
Query Parameters
Restrict to a single IOC type. Omit to generate a mixed-source rule pack.
Allowed values: ipv4, ipv6, domain, url, md5, sha1, sha256. Example: "domain"
Only emit rules for IOCs at this confidence level. Default emits all confidences.
Allowed values: high, medium, low. Example: "high"
Generate rules for IOCs first seen after this ISO 8601 timestamp. Defaults to the last 7 days.
Example: "2026-05-10T00:00:00Z"
Maximum number of rules to generate (1–1000).
Range: 1 <= x <= 1000. Example: 50
Response
Multi-document Sigma YAML — one rule per IOC, separated by ---. Save to a .yml file and drop into your SIEM rules repo.
The response is of type string.