Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt

Use this file to discover all available pages before exploring further.

The /api/v1/iocs/sigma endpoint exports IOCs from the SOC Defenders feed as multi-document Sigma YAML — one detection rule per indicator. Each rule targets a specific log source and detection pattern for the corresponding IOC type, and includes MITRE ATT&CK tags where applicable. The output is compatible with sigmac, pySigma, and any SIEM that supports the Sigma standard, including Splunk, Microsoft Sentinel, Elastic, and QRadar. Apply filters to scope the export to a specific IOC type, time window, or confidence level.

Request

Method: GET
URL: https://socdefenders.ai/api/v1/iocs/sigma
Auth: Required — Authorization: Bearer sk_live_YOUR_KEY
Tier: Pro
Content-Type: application/yaml (multi-document YAML)
This endpoint requires a Pro subscription. Requests made with a Free-tier key will receive a 403 Forbidden response.

Query parameters

type
string
Filter by IOC type. One of: ipv4, ipv6, domain, url, md5, sha1, sha256, cve, mitre-attack, email.
since
string
ISO 8601 timestamp. Returns rules only for IOCs added or updated after this time (e.g. 2024-01-01T00:00:00Z).
confidence
string
Filter by confidence level. One of: high, medium, low.
industry
string
Filter by CISA sector name (e.g. energy, healthcare, financial-services).
limit
integer
default:"100"
Maximum number of Sigma rules to return. Pro tier: up to 10,000.

Example request

curl -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/v1/iocs/sigma?type=ipv4" \
  -o ioc-rules.yml

Response

The response body is a multi-document YAML file. Each YAML document (separated by ---) is a complete, standalone Sigma rule for one IOC. 
title: SOC Defenders IOC - Malicious IP 192.0.2.1
id: <uuid>
status: experimental
description: Detects network connection to known malicious IP from SOC Defenders feed
references:
  - https://socdefenders.ai
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationIp: '192.0.2.1'
  condition: selection
falsepositives:
  - Unknown
level: high
tags:
  - attack.command_and_control

Rule fields

title
string
Human-readable rule title, including the IOC value.
id
string
Unique UUID for this Sigma rule. Stable across exports for the same IOC.
status
string
Rule maturity status. Exported rules are experimental.
description
string
Plain-text description of what the rule detects and its data source.
references
array
List of reference URLs. Always includes https://socdefenders.ai.
logsource
object
Sigma log source definition specifying the category and product the rule targets.
detection
object
Sigma detection logic, including field-value match criteria and the condition expression.
level
string
Severity level for the rule. One of: critical, high, medium, low, informational.
tags
array
MITRE ATT&CK tags associated with the rule (e.g. attack.command_and_control).

Error responses

If your API key is missing, invalid, or from a Free-tier account, the API returns an error response: 
{
  "error": {
    "code": "missing_api_key",
    "message": "API key is required. Include it in the Authorization header as \"Bearer sk_live_...\" or in the X-API-Key header.",
    "request_id": "req_..."
  }
}
See Authentication for the full error code reference.