
The SOC Defenders Sigma endpoint converts your filtered IOCs into deployable Sigma detection rules. Each IOC becomes its own YAML rule document, separated by --- in the multi-document response. You can pipe the output directly into sigmac or pySigma to compile rules for your target SIEM without writing any detection logic manually.
Sigma export requires a Pro subscription. Upgrade at socdefenders.ai.

Endpoint

GET /api/v1/iocs/sigma

The response is a multi-document YAML file. Each document is a valid Sigma rule for one IOC, delimited by ---.

Authentication

Pass your API key as a Bearer token in the Authorization header.

Query parameters

Parameter    Type     Description
type         string   Filter by IOC type: ipv4, ipv6, domain, url, md5, sha1, sha256, cve, email
since        string   ISO 8601 timestamp; return only IOCs added after this date
confidence   string   low, medium, or high
industry     string   CISA Critical Infrastructure sector slug

Example request

curl -s -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/v1/iocs/sigma?type=ipv4&confidence=high" \
  -o soc-defenders-rules.yml

Sample Sigma rule output

The following shows a single rule document from the multi-document response:

title: SOC Defenders - Malicious IPv4 Indicator
id: f1e2d3c4-b5a6-7890-abcd-ef0987654321
status: experimental
description: Detects network activity involving a malicious IPv4 address identified by SOC Defenders threat intelligence.
references:
  - https://socdefenders.ai
author: SOC Defenders
date: 2026-05-17
tags:
  - attack.command-and-control
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationIp: '203.0.113.42'
  condition: selection
fields:
  - SourceIp
  - DestinationIp
  - DestinationPort
falsepositives:
  - Unknown
level: high

Each rule includes a unique id, references back to SOC Defenders, and maps to relevant MITRE ATT&CK tags where available.

Deploying Sigma rules to your SIEM

Sigma rules are backend-agnostic YAML. Use sigmac (legacy) or pySigma (recommended) to compile them into queries your SIEM understands.
1. Download the rule file

Run the curl example above to save all rules to a .yml file. Use the type and confidence filters to limit the output to IOCs relevant to your environment.
2. Install pySigma and your backend

Install the pySigma core library, the sigma command-line tool, and the backend plugin for your SIEM:

pip install pysigma
# The sigma command used in step 3 is provided by the sigma-cli package
pip install sigma-cli
# Example: Splunk backend
pip install pysigma-backend-splunk
3. Compile rules for your SIEM

Convert the multi-document YAML to your target query language. The example below targets Splunk:

sigma convert -t splunk soc-defenders-rules.yml

Replace -t splunk with -t qradar, -t elastic, -t sentinel, or any other supported backend.
4. Import into your SIEM

Copy the compiled queries into your SIEM's detection or correlation rule editor. For automated pipelines, run the sigma convert step as part of your scheduled IOC refresh script.

Schedule a cron job to fetch fresh rules with since set to your last run timestamp, then recompile and push updated rules to your SIEM. This keeps your detection logic synchronized with the latest SOC Defenders IOC feed.
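Before handing a freshly downloaded export to sigma convert, a refresh script should check what it received. The following is an added example, not SOC Defenders' or pySigma's own code: it splits a multi-document response into single rule documents, flags any document missing one of the top-level keys a Sigma rule needs (title, id, logsource, detection), and keeps only the first document for each rule id. The response text is constructed inline to resemble the endpoint output, so the script runs offline.

```python
# Added example (not SOC Defenders' or pySigma's code): split the multi-document
# YAML export into single rules, reject incomplete ones and dedupe by rule id.
import re

REQUIRED = ("title", "id", "logsource", "detection")
TOP_KEY = re.compile(r"^([A-Za-z_]\w*):")  # keys at column 0 only, not nested ones

# Constructed sample: one complete rule, a second copy of the same id, and a
# rule with no detection block (pySigma would reject that one at compile time).
SAMPLE = """\
title: SOC Defenders - Malicious IPv4 Indicator
id: 11111111-1111-1111-1111-111111111111
logsource: {category: network_connection, product: windows}
detection:
  selection:
    DestinationIp: '203.0.113.42'
  condition: selection
level: high
---
title: SOC Defenders - Malicious IPv4 Indicator
id: 11111111-1111-1111-1111-111111111111
logsource: {category: network_connection, product: windows}
detection: {selection: {DestinationIp: '203.0.113.42'}, condition: selection}
---
title: SOC Defenders - Malicious Domain Indicator
id: 22222222-2222-2222-2222-222222222222
logsource: {category: dns_query, product: windows}
"""

def split_documents(text):
    """Split on separator lines that are exactly '---'; drop empty documents."""
    docs = re.split(r"^---[ \t]*$", text, flags=re.M)
    return [d.strip("\n") for d in docs if d.strip()]

def missing_keys(doc):
    """Required top-level Sigma keys absent from one rule document."""
    present = {m.group(1) for m in map(TOP_KEY.match, doc.splitlines()) if m}
    return [k for k in REQUIRED if k not in present]

def index_rules(text):
    """Return ({id: first complete document}, [(id, missing keys)] rejected)."""
    rules, rejected = {}, []
    for doc in split_documents(text):
        rid = re.search(r"^id:[ \t]*(\S+)", doc, re.M)
        missing = missing_keys(doc)
        if missing or not rid:
            rejected.append((rid.group(1) if rid else None, missing)); continue
        rules.setdefault(rid.group(1), doc)  # first copy of an id wins
    return rules, rejected
```

Write each kept document to its own .yml file (or feed the joined, deduplicated set to sigma convert) and log the rejected list so a malformed rule cannot silently break the whole compile step.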