Sigma File Analysis
Runs Sigma rules against previously uploaded files to test your detections and surface threats and suspicious activity. Supports both the built-in community rule set and custom user-provided rules.
API Endpoint
POST /analysis/sigma/file
HTTP Headers
- Content-Type:
application/json
- X-Cursed-Api-Token: API token for authentication
- X-Cursed-Api-Enc-Key: Encryption key for authenticated users (required when any of the target files is encrypted)
Request Method
POST
Parameters
Request Body (JSON):
Parameter | Type | Required | Description |
---|---|---|---|
file_ids | array | Yes | Array of file UUIDs to analyze (maximum 100 files and 1 GB total per request) |
operation | string | Yes | Analysis operation ("run_rule" or "run_community_rules") |
rule | string | Conditional | Base64-encoded Sigma rule (required if operation is "run_rule") |
Request Body Schema
{
"file_ids": ["string (UUID)", "string (UUID)", ...],
"operation": "string (run_rule|run_community_rules)",
"rule": "string (base64-encoded Sigma rule; required when operation is run_rule, otherwise ignored)"
}
Response Format
Success Response (200 OK):
{
"id": "job_id (UUID)",
"job_name": "string",
"message": "Job queued",
"category": "sigma"
}
Error Response (400 Bad Request), one of:
- No file IDs provided
- Max Sigma File analysis size limit exceeded (1GB)
- Failed to download file
Error Response (401 Unauthorized):
Unauthorized
Error Codes
HTTP Status | Description |
---|---|
200 | Success - Analysis job queued |
400 | Bad Request - Invalid parameters or file limit exceeded |
401 | Unauthorized - Missing authentication for private files |
413 | Payload Too Large - Files exceed 1GB total size limit |
500 | Internal Server Error - Server processing error |
Operation Types
Operation | Description |
---|---|
run_rule | Run a custom Sigma rule provided in the request |
run_community_rules | Run the built-in community Sigma rules |
Example cURL Commands
Run Community Rules
curl -X POST https://api.cursed.tools/analysis/sigma/file \
-H "Content-Type: application/json" \
-H "X-Cursed-Api-Token: your_api_token" \
-H "X-Cursed-Api-Enc-Key: your_encryption_key" \
-d '{
"file_ids": [
"123e4567-e89b-12d3-a456-426614174000",
"a72a10f9-b8b3-4ba5-bd15-9418a37a3202"
],
"operation": "run_community_rules"
}'
Run Custom Rule
curl -X POST https://api.cursed.tools/analysis/sigma/file \
-H "Content-Type: application/json" \
-H "X-Cursed-Api-Token: your_api_token" \
-H "X-Cursed-Api-Enc-Key: your_encryption_key" \
-d '{
"file_ids": ["123e4567-e89b-12d3-a456-426614174000"],
"operation": "run_rule",
"rule": "dGl0bGU6IEN1c3RvbSBTaWdtYSBSdWxlCnN0YXR1czogZXhwZXJpbWVudGFsCmRlc2NyaXB0aW9uOiBEZXRlY3QgbWFsaWNpb3VzIGFjdGl2aXR5"
}'
Example Response
{
"id": "987e6543-e89b-12d3-a456-426614174000",
"job_name": "Cosmic Dragon Analysis",
"message": "Job queued",
"category": "sigma"
}
Notes
- Maximum of 100 files can be analyzed in a single request
- Total file size limit is 1GB across all files
- Job results can be retrieved using the job status endpoint
- Authentication is required for private/encrypted files
- Community rules are maintained and updated regularly
- Custom rules must be valid Sigma YAML (at minimum a title, a logsource and a detection block with a condition) and must be base64-encoded before being placed in the rule field
- Job names are auto-generated, memorable word combinations (for example "Cosmic Dragon Analysis" above)
- Priority is determined by user subscription level
- Unauthenticated users can analyze public files only
- The analysis creates a background job that processes files asynchronously
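The following is an added example, not part of the cursed.tools documentation or client code: a small stdlib-only Python helper that builds the JSON body for POST /analysis/sigma/file, base64-encodes a complete Sigma rule for the run_rule operation, and rejects client-side the requests the page says return 400 (no file IDs, more than 100 files, a missing rule for run_rule). The function and constant names, and the sample rule, are constructed for this example; it never sends the request.

```python
"""Build and pre-validate request bodies for POST /analysis/sigma/file.

Added example, not the cursed.tools client library. Standard library only;
nothing is sent over the network. The constraints checked are the ones the
page states: at most 100 file_ids, operation is "run_rule" or
"run_community_rules", and "rule" is a base64-encoded Sigma YAML document
that is required for "run_rule".
"""
import base64
import json
import uuid

MAX_FILES = 100  # per-request limit stated on the page
OPERATIONS = ("run_rule", "run_community_rules")

# Constructed sample rule. Unlike the page's curl example, which encodes
# only title/status/description, this one carries the logsource and
# detection sections a valid Sigma rule needs.
SAMPLE_RULE = """\
title: Suspicious PowerShell Download Cradle
status: experimental
description: Detects PowerShell fetching a script body with DownloadString
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\powershell.exe'
        CommandLine|contains|all:
            - 'Net.WebClient'
            - 'DownloadString'
    condition: selection
level: high
"""


def encode_rule(rule_yaml: str) -> str:
    """Base64-encode a Sigma rule as the 'rule' parameter expects."""
    return base64.b64encode(rule_yaml.encode("utf-8")).decode("ascii")


def decode_rule(rule_b64: str) -> str:
    """Inverse of encode_rule; tolerates a missing '=' padding so that a
    value copied out of a request can always be inspected."""
    padded = rule_b64 + "=" * (-len(rule_b64) % 4)
    return base64.b64decode(padded).decode("utf-8")


def build_request(file_ids, operation, rule_yaml=None) -> dict:
    """Return the JSON body, or raise ValueError for a request the API
    would reject with 400 Bad Request."""
    if not file_ids:
        raise ValueError("No file IDs provided")
    if len(file_ids) > MAX_FILES:
        raise ValueError(f"at most {MAX_FILES} file IDs per request")
    for fid in file_ids:
        uuid.UUID(fid)  # raises ValueError on a malformed UUID
    if operation not in OPERATIONS:
        raise ValueError(f"operation must be one of {OPERATIONS}")
    body = {"file_ids": list(file_ids), "operation": operation}
    if operation == "run_rule":
        if not rule_yaml:
            raise ValueError("rule is required when operation is run_rule")
        body["rule"] = encode_rule(rule_yaml)
    return body


def headers(api_token, enc_key=None) -> dict:
    """Request headers from the page; the encryption key is only needed
    when the target files are encrypted."""
    h = {"Content-Type": "application/json", "X-Cursed-Api-Token": api_token}
    if enc_key:
        h["X-Cursed-Api-Enc-Key"] = enc_key
    return h


if __name__ == "__main__":
    # "your_api_token" is a placeholder, as in the page's curl examples.
    body = build_request(
        ["123e4567-e89b-12d3-a456-426614174000"], "run_rule", SAMPLE_RULE
    )
    print(json.dumps(headers("your_api_token"), indent=2))
    print(json.dumps(body, indent=2))
```

Feed the printed body to curl with -d @- (or to any HTTP client) and keep the decoded rule alongside the returned job id, since the response only echoes a generated job name, not the rule that was run.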
Sigma Data Analysis
Runs Sigma rules against user-provided test data in real-time. Supports both custom rules and community rules for detection engineering and threat hunting rule validation.
Sigma Rules Retrieval
Retrieves specific Sigma rules from the community rule set by name. Allows users to fetch one or multiple rules for inspection, customization or context enrichment. This endpoint is supplemental: it is meant for looking up the full text of rules that matched when the user wants more context than the rule metadata returned with the analysis results.