> ## Documentation Index
> Fetch the complete documentation index at: https://docs.socdefenders.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# GET /api/v1/iocs/sigma — generate Sigma detection rules

> Export current IOCs as deployable Sigma YAML detection rules, one per indicator. Compatible with any SIEM that supports Sigma. Requires Pro.

The `/api/v1/iocs/sigma` endpoint exports IOCs from the SOC Defenders feed as multi-document Sigma YAML — one detection rule per indicator. Each rule targets a specific log source and detection pattern for the corresponding IOC type, and includes MITRE ATT\&CK tags where applicable. The output is compatible with `sigmac`, `pySigma`, and any SIEM that supports the Sigma standard, including Splunk, Microsoft Sentinel, Elastic, and QRadar. Apply filters to scope the export to a specific IOC type, time window, or confidence level.

## Request

**Method:** `GET`\
**URL:** `https://socdefenders.ai/api/v1/iocs/sigma`\
**Auth:** Required — `Authorization: Bearer sk_live_YOUR_KEY`\
**Tier:** Pro\
**Content-Type:** `application/yaml` (multi-document YAML)

<Note>
  This endpoint requires a Pro subscription. Requests made with a Free-tier key will receive a `403 Forbidden` response.
</Note>

## Query parameters

<ParamField query="type" type="string">
  Filter by IOC type. One of: `ipv4`, `ipv6`, `domain`, `url`, `md5`, `sha1`, `sha256`, `cve`, `mitre-attack`, `email`.
</ParamField>

<ParamField query="since" type="string">
  ISO 8601 timestamp. Returns rules only for IOCs added or updated after this time (e.g. `2024-01-01T00:00:00Z`).
</ParamField>

<ParamField query="confidence" type="string">
  Filter by confidence level. One of: `high`, `medium`, `low`.
</ParamField>

<ParamField query="industry" type="string">
  Filter by CISA sector name (e.g. `energy`, `healthcare`, `financial-services`).
</ParamField>

<ParamField query="limit" type="integer" default="100">
  Maximum number of Sigma rules to return. Pro tier: up to 10,000.
</ParamField>

## Example request

```bash theme={null}
curl -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/v1/iocs/sigma?type=ipv4" \
  -o ioc-rules.yml
```

## Response

The response body is a multi-document YAML file. Each YAML document (separated by `---`) is a complete, standalone Sigma rule for one IOC.

```yaml theme={null}
title: SOC Defenders IOC - Malicious IP 192.0.2.1
id: <uuid>
status: experimental
description: Detects network connection to known malicious IP from SOC Defenders feed
references:
  - https://socdefenders.ai
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationIp: '192.0.2.1'
  condition: selection
falsepositives:
  - Unknown
level: high
tags:
  - attack.command_and_control
```

### Rule fields

<ResponseField name="title" type="string">
  Human-readable rule title, including the IOC value.
</ResponseField>

<ResponseField name="id" type="string">
  Unique UUID for this Sigma rule. Stable across exports for the same IOC.
</ResponseField>

<ResponseField name="status" type="string">
  Rule maturity status. Exported rules are `experimental`.
</ResponseField>

<ResponseField name="description" type="string">
  Plain-text description of what the rule detects and its data source.
</ResponseField>

<ResponseField name="references" type="array">
  List of reference URLs. Always includes `https://socdefenders.ai`.
</ResponseField>

<ResponseField name="logsource" type="object">
  Sigma log source definition specifying the category and product the rule targets.

  <Expandable title="properties">
    <ResponseField name="logsource.category" type="string">
      Log category (e.g. `network_connection`, `process_creation`, `dns`).
    </ResponseField>

    <ResponseField name="logsource.product" type="string">
      Target product or platform (e.g. `windows`, `linux`).
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="detection" type="object">
  Sigma detection logic, including field-value match criteria and the condition expression.
</ResponseField>

<ResponseField name="level" type="string">
  Severity level for the rule. One of: `critical`, `high`, `medium`, `low`, `informational`.
</ResponseField>

<ResponseField name="tags" type="array">
  MITRE ATT\&CK tags associated with the rule (e.g. `attack.command_and_control`).
</ResponseField>

## Error responses

If your API key is missing, invalid, or from a Free-tier account, the API returns an error response:

```json theme={null}
{
  "error": {
    "code": "missing_api_key",
    "message": "API key is required. Include it in the Authorization header as \"Bearer sk_live_...\" or in the X-API-Key header.",
    "request_id": "req_..."
  }
}
```

See [Authentication](/api-reference/authentication) for the full error code reference.
