Sigma Rules Retrieval
Retrieves specific Sigma rules from the community rule set by name. Allows users to fetch one or multiple rules for inspection, customization or context enrichment. This endpoint is supplemental: it is meant for looking up rules that matched in other Sigma endpoint results when the user wants more context than the rule metadata alone provides.
API Endpoint
POST /analysis/sigma/rules
HTTP Headers
- Content-Type: application/json
- X-Cursed-Api-Token: API token for authentication (optional)
Request Method
POST
Parameters
Request Body (JSON):
| Parameter | Type | Required | Description |
|---|---|---|---|
| rule_names | array | Yes | Array of Sigma rule names to retrieve |
Request Body Schema
{
  "rule_names": ["string", "string", ...]
}
Response Format
Success Response (200 OK):
{
  "results": {
    "rule_name_1": ["rule_content_line_1", "rule_content_line_2", ...],
    "rule_name_2": ["rule_content_line_1", "rule_content_line_2", ...],
    ...
  }
}
Response Schema
The response contains a dictionary where:
- Keys are the requested rule names
- Values are arrays of strings representing the rule content line by line
Error Response (400 Bad Request):
Invalid rule names provided
Error Response (404 Not Found):
One or more rules not found
Error Response (500 Internal Server Error):
An error occurred while processing your request. If you would like to report it contact us via the feedback form on cursed.tools/feedback and quote the following ID: [uuid]
Error Codes
| HTTP Status | Description |
|---|---|
| 200 | Success - Rules retrieved successfully |
| 400 | Bad Request - Invalid rule names or empty request |
| 404 | Not Found - One or more requested rules not found |
| 500 | Internal Server Error - Server processing error |
Example cURL Command
curl -X POST https://api.cursed.tools/analysis/sigma/rules \
-H "Content-Type: application/json" \
-H "X-Cursed-Api-Token: your_api_token" \
-d '{
"rule_names": [
"process_creation_susp_powershell",
"network_connection_suspicious",
"file_creation_malware_temp"
]
}'
Example with API Token
curl -X POST https://api.cursed.tools/analysis/sigma/rules \
-H "Content-Type: application/json" \
-H "X-Cursed-Api-Token: your_api_token" \
-d '{
"rule_names": ["process_creation_susp_powershell"]
}'
Example Response
{
  "results": {
    "process_creation_susp_powershell": [
      "title: Suspicious PowerShell Process Creation",
      "id: 8c63c4e8-8a8b-4db8-9c79-0123456789ab",
      "status: test",
      "description: Detects suspicious PowerShell process creation",
      "references:",
      "  - https://example.com/reference",
      "author: Security Team",
      "date: 2024/01/01",
      "tags:",
      "  - attack.execution",
      "  - attack.t1059.001",
      "logsource:",
      "  category: process_creation",
      "  product: windows",
      "detection:",
      "  selection:",
      "    Image|endswith: '\\powershell.exe'",
      "    CommandLine|contains:",
      "      - '-EncodedCommand'",
      "      - '-ExecutionPolicy Bypass'",
      "  condition: selection",
      "falsepositives:",
      "  - Legitimate PowerShell usage",
      "level: medium"
    ],
    "network_connection_suspicious": [
      "title: Suspicious Network Connection",
      "id: 9d74c5f9-9b9c-4ec9-8d80-0123456789cd",
      "status: test",
      "description: Detects suspicious network connections",
      "author: Security Team",
      "date: 2024/01/01",
      "tags:",
      "  - attack.command_and_control",
      "  - attack.t1071",
      "logsource:",
      "  category: network_connection",
      "  product: windows",
      "detection:",
      "  selection:",
      "    DestinationPort:",
      "      - 4444",
      "      - 8080",
      "    DestinationHostname|contains:",
      "      - 'malicious.com'",
      "      - 'evil.org'",
      "  condition: selection",
      "falsepositives:",
      "  - Legitimate network traffic",
      "level: high"
    ]
  }
}
Notes
- This endpoint is primarily for retrieving existing community rules that have produced matches in other Sigma endpoint results
- Rules are returned as arrays of strings, with each string representing one line of the YAML rule
- Authentication is optional but may be required for rate limiting purposes
- The endpoint currently does not consume quota for authenticated users
- Rule names must match exactly (case-sensitive)
- Rules may have derivatives with the same name, so different versions may be returned (e.g. a Process Creation rule for Sysmon and for the Security audit log)
- If any requested rule is not found, the entire request may fail
- Rules are maintained and updated by the community
- The response format allows for easy parsing and manipulation of rule content
- Rules can be modified and used in custom Sigma analysis jobs
- Rule names typically follow a pattern like category_subcategory_description
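As an added example (not part of the cursed.tools documentation or any official client), a small Python client for this endpoint: it validates the rule list before sending, adds the X-Cursed-Api-Token header only when a token is given, surfaces the 400/404/500 text bodies as errors, and re-joins the per-line arrays into YAML documents. The injectable `opener` parameter and `SAMPLE_REPLY` are assumptions made so the code runs offline.

```python
import io
import json
import urllib.error
import urllib.request

API_URL = "https://api.cursed.tools/analysis/sigma/rules"  # endpoint from the page

def build_request(rule_names):
    """Validate names client-side: a non-empty list of exact, non-blank strings.
    Names are case-sensitive on the server, so no normalisation is applied."""
    if not isinstance(rule_names, (list, tuple)) or not rule_names:
        raise ValueError("rule_names must be a non-empty list")
    for name in rule_names:
        if not isinstance(name, str) or not name or name != name.strip():
            raise ValueError(f"invalid rule name: {name!r}")
    if len(set(rule_names)) != len(rule_names):
        raise ValueError("duplicate rule names in request")
    return json.dumps({"rule_names": list(rule_names)}).encode()

def fetch_rules(rule_names, api_token=None, opener=urllib.request.urlopen):
    """POST the request and return the 'results' dict {rule_name: [lines]}.
    `opener` is an assumed injection point so the call can be exercised offline."""
    headers = {"Content-Type": "application/json"}
    if api_token:  # token is optional per the page; send it only when given
        headers["X-Cursed-Api-Token"] = api_token
    req = urllib.request.Request(API_URL, data=build_request(rule_names),
                                 headers=headers, method="POST")
    try:
        with opener(req) as resp:
            results = json.load(resp)["results"]
    except urllib.error.HTTPError as err:  # 400 / 404 / 500 carry a text body
        raise RuntimeError(f"HTTP {err.code}: {err.read().decode(errors='replace')}") from None
    missing = [n for n in rule_names if n not in results]
    if missing:  # the page says unknown names give 404, but guard the contract anyway
        raise RuntimeError(f"rules absent from response: {missing}")
    return results

def rules_to_yaml(results):
    """Re-join each line array into one YAML document, ready for a Sigma backend."""
    return {name: "\n".join(lines) + "\n" for name, lines in results.items()}

# Constructed sample in the page's response format (not a real server reply).
SAMPLE_REPLY = json.dumps({"results": {"process_creation_susp_powershell": [
    "title: Suspicious PowerShell Process Creation", "level: medium"]}}).encode()

def demo():
    fake = lambda req: io.BytesIO(SAMPLE_REPLY)  # stands in for urllib.request.urlopen
    return rules_to_yaml(fetch_rules(["process_creation_susp_powershell"], opener=fake))
```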