# Generate Sigma detection rules from IOCs

> The SOC Defenders Sigma endpoint returns deployable YAML detection rules for each IOC, ready to import into any SIEM that supports Sigma. Requires Pro.

The SOC Defenders Sigma endpoint converts your filtered IOCs into deployable Sigma detection rules. Each IOC becomes its own YAML rule document, separated by `---` in the multi-document response. You can pipe the output directly into `sigmac` or `pySigma` to compile rules for your target SIEM without writing any detection logic manually.

<Note>
  Sigma export requires a Pro subscription. Upgrade at [socdefenders.ai](https://socdefenders.ai).
</Note>

## Endpoint

**`GET /api/v1/iocs/sigma`**

The response is a multi-document YAML file. Each document is a valid Sigma rule for one IOC, delimited by `---`.

## Authentication

Pass your API key as a Bearer token in the `Authorization` header.

## Query parameters

| Parameter    | Type   | Description                                                                                  |
| ------------ | ------ | -------------------------------------------------------------------------------------------- |
| `type`       | string | Filter by IOC type: `ipv4`, `ipv6`, `domain`, `url`, `md5`, `sha1`, `sha256`, `cve`, `email` |
| `since`      | string | ISO 8601 timestamp — return only IOCs added after this date                                  |
| `confidence` | string | `low`, `medium`, or `high`                                                                   |
| `industry`   | string | CISA Critical Infrastructure sector slug                                                     |

## Example request

```bash theme={null}
curl -s -H "Authorization: Bearer sk_live_YOUR_KEY" \
  "https://socdefenders.ai/api/v1/iocs/sigma?type=ipv4&confidence=high" \
  -o soc-defenders-rules.yml
```

## Sample Sigma rule output

The following shows a single rule document from the multi-document response:

```yaml theme={null}
title: SOC Defenders - Malicious IPv4 Indicator
id: f1e2d3c4-b5a6-7890-abcd-ef0987654321
status: experimental
description: Detects network activity involving a malicious IPv4 address identified by SOC Defenders threat intelligence.
references:
  - https://socdefenders.ai
author: SOC Defenders
date: 2026-05-17
tags:
  - attack.command-and-control
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationIp: '203.0.113.42'
  condition: selection
fields:
  - SourceIp
  - DestinationIp
  - DestinationPort
falsepositives:
  - Unknown
level: high
```

Each rule includes a unique `id`, references back to SOC Defenders, and maps to relevant MITRE ATT\&CK tags where available.

## Deploying Sigma rules to your SIEM

Sigma rules are backend-agnostic YAML. Use `sigmac` (legacy) or `pySigma` (recommended) to compile them into queries your SIEM understands.

<Steps>
  <Step title="Download the rule file">
    Run the curl example above to save all rules to a `.yml` file. Use the `type` and `confidence` filters to limit the output to IOCs relevant to your environment.
  </Step>

  <Step title="Install pySigma and your backend">
    Install the pySigma core library, the `sigma-cli` tool that provides the `sigma` command used in the next step, and the backend plugin for your SIEM:

    ```bash theme={null}
    pip install pysigma sigma-cli
    # Example: Splunk backend
    pip install pysigma-backend-splunk
    ```
  </Step>

  <Step title="Compile rules for your SIEM">
    Convert the multi-document YAML to your target query language. The example below targets Splunk:

    ```bash theme={null}
    sigma convert -t splunk soc-defenders-rules.yml
    ```

    Replace `-t splunk` with `-t qradar`, `-t elastic`, `-t sentinel`, or any other supported backend.
  </Step>

  <Step title="Import into your SIEM">
    Copy the compiled queries into your SIEM's detection or correlation rule editor. For automated pipelines, run the `sigma convert` step as part of your scheduled IOC refresh script.
  </Step>
</Steps>

<Tip>
  Schedule a cron job to fetch fresh rules with `since` set to your last run timestamp, then recompile and push updated rules to your SIEM. This keeps your detection logic synchronized with the latest SOC Defenders IOC feed.
</Tip>
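The scheduled refresh described in the steps and the tip above, as an added example that is not part of the SOC Defenders documentation or API: it keeps the previous run's timestamp in a checkpoint file, fetches only IOCs added since then (a full pull on the first run), skips the recompile when the delta is empty, and advances the checkpoint only after a successful fetch. `SOCDEF_API_KEY`, `STATE_FILE`, `RULES_FILE` and `BACKEND` are names assumed for this script's own configuration; the `type=ipv4&confidence=high` filter mirrors the page's curl example.

```bash
# Added example, not part of the SOC Defenders docs or API: cron-friendly incremental
# refresh of Sigma rules. STATE_FILE, RULES_FILE, BACKEND, SOCDEF_API_KEY are assumed names.
set -eu
API_URL="https://socdefenders.ai/api/v1/iocs/sigma"
STATE_FILE="${STATE_FILE:-${HOME:-.}/.socdefenders-last-run}"   # assumed checkpoint path
RULES_FILE="${RULES_FILE:-soc-defenders-rules.yml}"
BACKEND="${BACKEND:-splunk}"                                    # any sigma-cli target

# Timestamp saved by the previous run; empty on the first run so that the
# first fetch pulls the whole feed instead of aborting on a missing file.
read_last_run() {
  [ -f "$1" ] && cat "$1" || printf ''
}

# Percent-encode the only characters an ISO 8601 timestamp can contain that
# are not safe in a query string (':' and a '+' UTC offset).
encode_ts() {
  printf '%s' "$1" | sed -e 's/:/%3A/g' -e 's/+/%2B/g'
}

# Query string for the endpoint; `since` is appended only when a checkpoint
# exists, so a full pull happens exactly once.
build_query() {
  q="type=$1&confidence=$2"
  [ -n "$3" ] && q="$q&since=$(encode_ts "$3")"
  printf '%s' "$q"
}

# Number of rule documents in a multi-document YAML file (documents separated
# by `---`, with or without a leading separator); 0 for an empty response.
count_rules() {
  [ -s "$1" ] || { printf '0'; return 0; }
  n=$(grep -c '^---$' "$1" || true)
  [ "$(head -n 1 "$1")" = "---" ] && printf '%s' "$n" || printf '%s' "$((n + 1))"
}

refresh() {
  since=$(read_last_run "$STATE_FILE")
  now=$(date -u +%Y-%m-%dT%H:%M:%SZ)   # taken before the fetch so nothing added mid-run is missed
  # -f turns HTTP errors (401, 5xx) into a failure, so set -e stops us before the checkpoint moves
  curl -sf -H "Authorization: Bearer $SOCDEF_API_KEY" \
    "$API_URL?$(build_query ipv4 high "$since")" -o "$RULES_FILE"
  if [ "$(count_rules "$RULES_FILE")" -eq 0 ]; then
    echo "No new IOCs since ${since:-the start of the feed}; nothing to recompile."
  else
    sigma convert -t "$BACKEND" "$RULES_FILE" > "compiled-rules.$BACKEND.txt"  # then push to the SIEM
  fi
  printf '%s\n' "$now" > "$STATE_FILE"   # advance the checkpoint only after a successful fetch
}
# Run only when a key is configured, so the helpers can also be sourced or tested on their own.
if [ -n "${SOCDEF_API_KEY:-}" ]; then refresh; fi
```

Point a cron entry at this script once per refresh interval; because the checkpoint is written after the fetch, a failed run simply repeats the same `since` window next time.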
