Sigma Data Analysis

Runs Sigma rules against user-provided test data in real-time. Supports both custom rules and community rules for detection engineering and threat hunting rule validation.

API Endpoint

POST /analysis/sigma/data

HTTP Headers

  • Content-Type: application/json
  • X-Cursed-Api-Token: API token for authentication

Request Method

POST

Parameters

Request Body (JSON):

Parameter   Type     Required     Description
test_data   string   Yes          Base64-encoded test data (JSON or XML format)
operation   string   Yes          Analysis operation ("run_rule" or "run_community_rules")
rule        string   Conditional  Base64-encoded Sigma rule (required if operation is "run_rule")

Request Body Schema

{
  "test_data": "string (base64-encoded)",
  "operation": "string (run_rule|run_community_rules)",
  "rule": "string (base64-encoded, conditional)"
}

Response Format

Success Response (200 OK):

{
  "results": {
    "type": "Table" | "Error",
    "data": "table_data" | "error_message",
    "category": "Sigma"
  }
}

Response Types

Table Result for Community Rules option

{
  "results": [
    {
      "type": "Table",
      "title": "Sigma Analysis",
      "data": [
        ["Rule", "Description", "Author", "Tags", "Level"],
        ["Process Creation via Taskmgr", "Detects the creation of a process via the Windows task manager", "Florian Roth (Nextron Systems)", "attack.defense_evasion,attack.t1036", "Low"]
      ],
      "category": "Sigma"
    }
  ]
}

Table Result for Custom Rule

{
  "results": [
    {
      "type": "Table",
      "title": "Sigma Analysis",
      "data": [
        ["Rule"],
        ["New Process Created Via Taskmgr.EXE"]
      ],
      "category": "Sigma"
    }
  ]
}

Error Result

{
  "results": [
    {
      "type": "Error",
      "message": "Invalid Sigma rule format"
    }
  ]
}

Error Response (400 Bad Request):

Invalid test data format

Error Response (401 Unauthorized):

Unauthorized

Error Response (422 Unprocessable Entity):

Rule is required

Error Codes

HTTP Status   Description
200           Success - Analysis completed
400           Bad Request - Invalid test data format
401           Unauthorized - Authentication required
422           Unprocessable Entity - Missing or invalid rule
500           Internal Server Error - Server processing error

Operation Types

Operation             Description
run_rule              Run a custom Sigma rule against the test data
run_community_rules   Run all community Sigma rules against the test data

Example cURL Commands

Run Custom Rule

curl -X POST https://api.cursed.tools/analysis/sigma/data \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -d '{
    "test_data": "ewogICJFdmVudElEIjogMSwKICAiUHJvY2Vzc05hbWUiOiAicG93ZXJzaGVsbC5leGUiLAogICJDb21tYW5kTGluZSI6ICJwb3dlcnNoZWxsIC1FbmNvZGVkQ29tbWFuZCBhQUIwQUhRQWNBQnoiLAogICJVc2VyIjogIlNZU1RFTSIsCiAgIlByb2Nlc3NJZCI6IDEyMzQsCiAgIlBhcmVudFByb2Nlc3NJZCI6IDU2NzgsCiAgIlRpbWVzdGFtcCI6ICIyMDI0LTAxLTE1VDEwOjMwOjAwWiIKfQ==",
    "operation": "run_rule",
    "rule": "dGl0bGU6IFN1c3BpY2lvdXMgUG93ZXJTaGVsbCBDb21tYW5kCmlkOiA4YzYzYzRlOC04YThiLTRkYjgtOWM3OS0wMTIzNDU2Nzg5YWIKc3RhdHVzOiB0ZXN0CmRlc2NyaXB0aW9uOiBEZXRlY3RzIHN1c3BpY2lvdXMgUG93ZXJTaGVsbCBjb21tYW5kcwphdXRob3I6IFNlY3VyaXR5IFRlYW0KZGF0ZTogMjAyNC8wMS8wMQp0YWdzOgogICAgLSBhdHRhY2suZXhlY3V0aW9uCiAgICAtIGF0dGFjay50MTA1OS4wMDEKbG9nc291cmNlOgogICAgY2F0ZWdvcnk6IHByb2Nlc3NfY3JlYXRpb24KICAgIHByb2R1Y3Q6IHdpbmRvd3MKZGV0ZWN0aW9uOgogICAgc2VsZWN0aW9uOgogICAgICAgIEltYWdlfGVuZHN3aXRoOiAnXFxwb3dlcnNoZWxsLmV4ZScKICAgICAgICBDb21tYW5kTGluZXxjb250YWluczoKICAgICAgICAgICAgLSAnLUVuY29kZWRDb21tYW5kJwogICAgICAgICAgICAtICctRXhlY3V0aW9uUG9saWN5IEJ5cGFzcycKICAgIGNvbmRpdGlvbjogc2VsZWN0aW9uCmZhbHNlcG9zaXRpdmVzOgogICAgLSBMZWdpdGltYXRlIFBvd2VyU2hlbGwgdXNhZ2UKbGV2ZWw6IG1lZGl1bQ=="
  }'

Run Community Rules

curl -X POST https://api.cursed.tools/analysis/sigma/data \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -d '{
    "test_data": "ewogICJFdmVudElEIjogMSwKICAiUHJvY2Vzc05hbWUiOiAicG93ZXJzaGVsbC5leGUiLAogICJDb21tYW5kTGluZSI6ICJwb3dlcnNoZWxsIC1FbmNvZGVkQ29tbWFuZCBhQUIwQUhRQWNBQnoiLAogICJVc2VyIjogIlNZU1RFTSIsCiAgIlByb2Nlc3NJZCI6IDEyMzQsCiAgIlBhcmVudFByb2Nlc3NJZCI6IDU2NzgsCiAgIlRpbWVzdGFtcCI6ICIyMDI0LTAxLTE1VDEwOjMwOjAwWiIKfQ==",
    "operation": "run_community_rules"
  }'
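The cURL calls above in Python, as an added example that is not part of the original page or the service's own client: it base64-encodes the test data and rule, enforces the "Rule is required" rule for run_rule before sending, and normalises the Table/Error result shapes shown on this page. The API URL and header names are taken from the page; the function names are this example's own.

```python
import base64
import json
import urllib.request

API_URL = "https://api.cursed.tools/analysis/sigma/data"


def build_request(test_data, operation, rule=None):
    """Build the JSON body for POST /analysis/sigma/data.
    test_data is a dict (serialised as JSON) or a raw JSON/XML string; rule is
    Sigma YAML text. A run_rule request without a rule is refused locally,
    mirroring the endpoint's 422 "Rule is required" response."""
    if operation not in ("run_rule", "run_community_rules"):
        raise ValueError(f"unknown operation: {operation}")
    if operation == "run_rule" and not rule:
        raise ValueError("Rule is required")
    raw = json.dumps(test_data) if isinstance(test_data, dict) else test_data
    body = {"test_data": base64.b64encode(raw.encode()).decode(),
            "operation": operation}
    if rule:
        body["rule"] = base64.b64encode(rule.encode()).decode()
    return body


def parse_results(response):
    """Normalise a response into (matched rule titles, error messages).
    The page shows "results" as both an object and a list; accept either."""
    results = response.get("results", [])
    if isinstance(results, dict):
        results = [results]
    matches, errors = [], []
    for item in results:
        if item.get("type") == "Table":
            matches.extend(row[0] for row in item.get("data", [])[1:])  # skip header row
        elif item.get("type") == "Error":
            errors.append(item.get("message") or item.get("data"))
    return matches, errors


def submit(body, token=None, timeout=30):
    """POST the body and return parse_results(); the token header is optional
    per the Notes section but affects rate limiting and priority."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Cursed-Api-Token"] = token
    req = urllib.request.Request(API_URL, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_results(json.load(resp))
```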

Example Test Data Format

* IMPORTANT: You can run Sigma rules against nested JSON structures by addressing their properties with a dotted path such as Event.EventData.Image. The module supports both flattened JSON events (community rule syntax) and nested ones.

Nested JSON Format (Base64 encode it)

{
  "Event": {
    "#attributes": {
      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
    },
    "EventData": {
      "UtcTime": "2020-10-05 20:43:58.450",
      "ProcessId": 6636,
      "Image": "C:\\Windows\\System32\\cmd.exe",
      "CommandLine": "cmd.exe",
      "CurrentDirectory": "C:\\windows\\",
      "User": "LAPTOP-JU4M3I0E\\bouss",
      "ParentProcessId": 18404,
      "ParentImage": "C:\\Windows\\System32\\Taskmgr.exe",
      "ParentCommandLine": "C:\\windows\\system32\\taskmgr.exe"
    }
  }
}

JSON Format (Base64 encode it)

{
  "EventID": 1,
  "ProcessName": "powershell.exe",
  "CommandLine": "powershell -EncodedCommand aAB0AHQAcABz",
  "User": "SYSTEM",
  "ProcessId": 1234,
  "ParentProcessId": 5678,
  "Timestamp": "2024-01-15T10:30:00Z"
}

XML Format (Base64 encode it)

<Event>
  <EventID>1</EventID>
  <ProcessName>powershell.exe</ProcessName>
  <CommandLine>powershell -EncodedCommand aAB0AHQAcABz</CommandLine>
  <User>SYSTEM</User>
  <ProcessId>1234</ProcessId>
  <ParentProcessId>5678</ParentProcessId>
  <Timestamp>2024-01-15T10:30:00Z</Timestamp>
</Event>
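To see how the flattened and nested forms above line up with Sigma field names, here is an added local pre-check (not code from the page or the service) that resolves a field either as a literal key or as a dotted path like Event.EventData.Image, and evaluates a rule's selection map with the endswith/contains modifiers. The sample events are constructed from the page's examples; case-insensitive comparison is an assumption made here.

```python
def get_field(event, path):
    """Resolve a Sigma field name against an event: the literal key first
    (flattened events, e.g. "Image"), then a dotted path into nested objects
    (e.g. "Event.EventData.Image"). Returns None when absent."""
    if path in event:
        return event[path]
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_selection(event, selection):
    """Evaluate one Sigma 'selection' map: all fields must match (AND);
    a list of values matches if any value does (OR). Supports equality
    and the endswith/contains modifiers, compared case-insensitively
    (assumed here to mirror Sigma's default)."""
    for spec, wanted in selection.items():
        field, _, modifier = spec.partition("|")
        actual = get_field(event, field)
        if actual is None:
            return False
        actual = str(actual).lower()
        values = [str(v).lower() for v in (wanted if isinstance(wanted, list) else [wanted])]
        if modifier == "endswith":
            hit = any(actual.endswith(v) for v in values)
        elif modifier == "contains":
            hit = any(v in actual for v in values)
        else:
            hit = actual in values
        if not hit:
            return False
    return True


# Constructed sample events: the page's nested Sysmon-style record and its flattened form.
NESTED_EVENT = {"Event": {"EventData": {"Image": "C:\\Windows\\System32\\cmd.exe",
                                        "ParentImage": "C:\\Windows\\System32\\Taskmgr.exe"}}}
FLAT_EVENT = {"Image": "C:\\Windows\\System32\\cmd.exe",
              "ParentImage": "C:\\Windows\\System32\\Taskmgr.exe"}

# The same detection in community (flattened) syntax and in nested-path syntax.
FLAT_SELECTION = {"ParentImage|endswith": "\\taskmgr.exe"}
NESTED_SELECTION = {"Event.EventData.ParentImage|endswith": "\\taskmgr.exe"}
```

A flattened-syntax selection does not fire on a nested event and vice versa, which is why the choice between the two formats matters when validating community rules.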

Example Response (with Community Rules)

{
  "results": {
    "type": "Table",
    "title": "Sigma Analysis",
    "data": [
      ["Rule", "Description", "Author", "Tags", "Level"],
      ["process_execution_sysmon", "This is the description", "@Researcher", "mitre.t1000, sysmon", "high"]
      ["registry_modification_apt28", "This is the description", "@Researcher2", "mitre.t2000, mitre.t1000", "critical"]
    ],
    "category": "Sigma"
  }
}

Notes

  • Test data must be valid JSON or XML format and base64-encoded
  • XML input is supported only for Windows Event Log data. JSON input is preferred: flattened JSON objects are directly supported for Windows Event Log data, and nested JSON is supported for any other log format
  • Custom rules must be valid Sigma format and base64-encoded
  • Results are returned immediately and no job is created
  • Authentication is optional but affects rate limiting and priority execution
  • Invalid rule formats will return descriptive error messages
  • The endpoint supports both detection and validation use cases