> ## Documentation Index
> Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Generate deployable Sigma detection rules

> Generates ready-to-deploy [Sigma](https://github.com/SigmaHQ/sigma) detection rules from recent IOCs.

## What you get

Multi-document YAML (`text/yaml`) — one rule per IOC, separated by `---`:

- **network_connection** logsource for IPv4/IPv6 (matches `DestinationIp`)
- **dns** logsource for domains (matches `QueryName`)
- **proxy** logsource for URLs (matches `c-uri`)
- **process_creation** logsource for file hashes (matches `Hashes`)

## Why deterministic IDs

Every rule's UUID is derived deterministically from the IOC value + type. Re-running this endpoint with overlapping IOCs produces the **same rule IDs**, so your SIEM rule repo doesn't churn version control history when you periodically refresh the feed.

## Convert to your SIEM's native language

The output is vanilla Sigma — use `sigma convert` to target Splunk SPL, Elasticsearch DSL, Sentinel KQL, etc.:

```bash
curl ... -o socdefenders.yml
sigma convert -t splunk socdefenders.yml > rules.spl
```

Requires the **Pro plan** (`read:iocs` scope).



## OpenAPI

````yaml https://socdefenders.ai/api/openapi.json get /api/v1/iocs/sigma
openapi: 3.0.3
info:
  title: SOC Defenders Threat Intelligence API
  description: >-
    # Overview


    The SOC Defenders Threat Intelligence API provides programmatic access to
    aggregated threat intelligence from 30+ cybersecurity sources. Export IOCs
    (Indicators of Compromise) in various formats including JSON, CSV, STIX 2.1,
    MISP, CEF, and OpenIOC.


    ## Authentication


    All API endpoints require authentication using an API key. Include your key
    in one of these ways:


    - **Authorization Header** (recommended): `Authorization: Bearer
    sk_live_xxx`

    - **X-API-Key Header**: `X-API-Key: sk_live_xxx`

    - **Query Parameter**: `?api_key=sk_live_xxx`


    ## Rate Limiting


    Rate limits vary by tier. When limits are exceeded, the API returns a 429
    status code.


    | Tier | Requests/min | Requests/day | Lookback | Formats |

    |------|-------------|--------------|----------|---------|

    | Free | 10 | 1,000 | 1 day | JSON / CSV |

    | Pro ($299/mo) | 1,000 | 1,000,000 | 365 days | All (STIX, TAXII, MISP,
    CEF, OpenIOC, Sigma) |


    Rate limit headers are included in all responses:

    - `X-RateLimit-Limit`: Maximum requests per minute

    - `X-RateLimit-Remaining`: Requests remaining in current window

    - `X-RateLimit-Reset`: Unix timestamp when the limit resets


    ## Error Handling


    All errors follow a consistent format:


    ```json

    {
      "error": {
        "code": "error_code",
        "message": "Human readable message",
        "details": {},
        "request_id": "req_abc123"
      }
    }

    ```


    ## STIX/TAXII Support


    For STIX 2.1 and TAXII 2.1 integration, see the TAXII endpoints section.
    TAXII endpoints are available at `/api/taxii2/`.
  version: 1.0.0
  contact:
    name: SOC Defenders Support
    url: https://socdefenders.ai/contact
    email: support@socdefenders.ai
  license:
    name: Proprietary
    url: https://socdefenders.ai/terms
servers:
  - url: https://socdefenders.ai
    description: Production server
security: []
tags:
  - name: IOCs
    description: Indicators of Compromise endpoints
  - name: Statistics
    description: Feed and IOC statistics
  - name: API Keys
    description: API key management (requires session auth)
  - name: TAXII
    description: TAXII 2.1 threat intelligence sharing endpoints
  - name: Export Formats
    description: Specialized export format endpoints (MISP, CEF, OpenIOC)
  - name: Articles
    description: >-
      Aggregated news articles from 30+ cybersecurity sources, with rich
      filtering and bulk-export support
  - name: Lookup
    description: >-
      Single-IOC enrichment lookup. Auto-detects type, aggregates reporting
      sources, returns AI risk + MITRE techniques + hunting queries. Free-tier
      friendly.
  - name: Detection Rules
    description: >-
      Generate ready-to-deploy SIEM detection rules from recent IOCs. Sigma
      rules ship as multi-document YAML covering network / DNS / proxy /
      process_creation logsources.
paths:
  /api/v1/iocs/sigma:
    get:
      tags:
        - Detection Rules
      summary: Generate deployable Sigma detection rules
      description: >-
        Generates ready-to-deploy [Sigma](https://github.com/SigmaHQ/sigma)
        detection rules from recent IOCs.


        ## What you get


        Multi-document YAML (`text/yaml`) — one rule per IOC, separated by
        `---`:


        - **network_connection** logsource for IPv4/IPv6 (matches
        `DestinationIp`)

        - **dns** logsource for domains (matches `QueryName`)

        - **proxy** logsource for URLs (matches `c-uri`)

        - **process_creation** logsource for file hashes (matches `Hashes`)


        ## Why deterministic IDs


        Every rule's UUID is derived deterministically from the IOC value +
        type. Re-running this endpoint with overlapping IOCs produces the **same
        rule IDs**, so your SIEM rule repo doesn't churn version control history
        when you periodically refresh the feed.


        ## Convert to your SIEM's native language


        The output is vanilla Sigma — use `sigma convert` to target Splunk SPL,
        Elasticsearch DSL, Sentinel KQL, etc.:


        ```bash

        curl ... -o socdefenders.yml

        sigma convert -t splunk socdefenders.yml > rules.spl

        ```


        Requires the **Pro plan** (`read:iocs` scope).
      operationId: generateSigmaRules
      parameters:
        - name: type
          in: query
          description: >-
            Restrict to a single IOC type. Omit to generate a mixed-source rule
            pack.
          schema:
            type: string
            enum:
              - ipv4
              - ipv6
              - domain
              - url
              - md5
              - sha1
              - sha256
            example: domain
        - name: confidence
          in: query
          description: >-
            Only emit rules for IOCs at this confidence level. Default emits all
            confidences.
          schema:
            type: string
            enum:
              - high
              - medium
              - low
            example: high
        - name: since
          in: query
          description: >-
            Generate rules for IOCs first seen after this ISO 8601 timestamp.
            Defaults to last 7 days.
          schema:
            type: string
            format: date-time
            example: '2026-05-10T00:00:00Z'
        - name: limit
          in: query
          description: Maximum number of rules to generate (1–1000).
          schema:
            type: integer
            minimum: 1
            maximum: 1000
            default: 100
            example: 50
      responses:
        '200':
          description: >-
            Multi-document Sigma YAML — one rule per IOC, separated by `---`.
            Save to a `.yml` file and drop into your SIEM rules repo.
          content:
            text/yaml:
              schema:
                type: string
              example: >-
                title: SOC Defenders — Malicious Domain c2.example.com

                id: 8f3a4d1e-7b2c-5a9e-9f6d-3a8b1c7e2f4d

                status: experimental

                description: Detects DNS queries to c2.example.com, observed in
                "New botnet observed beaconing"

                references:
                  - https://socdefenders.ai/threats/6fc99fbc-2c24-4ce2-8b42-48065d4976e7
                author: SOC Defenders Threat Intelligence Feed

                date: 2026-05-17

                tags:
                  - attack.command_and_control
                  - attack.t1071
                logsource:
                  category: dns
                detection:
                  selection:
                    QueryName|endswith: 'c2.example.com'
                  condition: selection
                level: high

                falsepositives:
                  - Legitimate use of the domain (rare for indicators in this feed; verify in context).
                ---

                title: SOC Defenders — Malicious SHA256

                id: a1b2c3d4-e5f6-7890-abcd-ef1234567890

                ...
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/RateLimitExceeded'
      security:
        - ApiKeyAuth: []
        - BearerAuth: []
      x-codeSamples:
        - lang: cURL
          label: High-confidence domain rules
          source: |-
            curl -H "Authorization: Bearer sk_live_..." \
              "https://socdefenders.ai/api/v1/iocs/sigma?type=domain&confidence=high&limit=50" \
              -o socdefenders-domains.yml
        - lang: bash
          label: Convert to Splunk SPL
          source: |-
            curl -sS -H "Authorization: Bearer sk_live_..." \
              "https://socdefenders.ai/api/v1/iocs/sigma?type=sha256&limit=100" \
              | sigma convert -t splunk - > hash-rules.spl
components:
  responses:
    Unauthorized:
      description: Authentication required or invalid
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            error:
              code: missing_api_key
              message: >-
                API key is required. Include it in the Authorization header as
                "Bearer sk_live_..."
              request_id: req_abc123
    Forbidden:
      description: Insufficient permissions or scope
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            error:
              code: insufficient_scope
              message: This endpoint requires the "read:stix" scope
              details:
                required_scope: read:stix
                your_scopes:
                  - read:iocs
                upgrade_url: https://socdefenders.ai/export#pricing
              request_id: req_abc123
    RateLimitExceeded:
      description: Rate limit exceeded
      headers:
        Retry-After:
          description: Seconds to wait before retrying
          schema:
            type: integer
        X-RateLimit-Limit:
          description: Rate limit ceiling
          schema:
            type: integer
        X-RateLimit-Remaining:
          description: Remaining requests (will be 0)
          schema:
            type: integer
        X-RateLimit-Reset:
          description: Unix timestamp when limit resets
          schema:
            type: integer
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            error:
              code: rate_limit_exceeded
              message: Rate limit exceeded. Please wait before making more requests.
              details:
                limit: 10
                reset_at: '2024-12-09T10:31:00Z'
                tier: free
                upgrade_url: https://socdefenders.ai/export#pricing
              request_id: req_abc123
  schemas:
    Error:
      type: object
      required:
        - error
      properties:
        error:
          type: object
          required:
            - code
            - message
            - request_id
          properties:
            code:
              type: string
              description: Error code for programmatic handling
            message:
              type: string
              description: Human-readable error message
            details:
              type: object
              description: Additional error details
            request_id:
              type: string
              description: Unique request identifier for support
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
      description: API key in X-API-Key header
    BearerAuth:
      type: http
      scheme: bearer
      description: 'API key in Authorization header: `Authorization: Bearer sk_live_xxx`'

````