CloudSigma Documentation
CloudSigma transforms cyber threat intelligence — blog posts, CVE advisories, or raw text — into validated Sigma detection rules ready for your SIEM.
How It Works
- Submit a threat intel URL, CVE ID, or raw text via the API or web UI
- Extract MITRE ATT&CK TTPs automatically using AI
- Generate Sigma rules grounded against a curated gold corpus of 475+ rules
- Validate rules with pySigma and convert to your SIEM’s native query language
- Deploy rules to Splunk, Sentinel, Elasticsearch, Chronicle, OpenSearch, or Google SecOps
Quick Links
- Generating Rules — URL, CVE, and text input modes explained
- API Reference — Base URL, authentication, endpoints, and error codes
- Supported Platforms — 13 platforms across cloud, endpoint, identity, and WAF
Supported Platforms
| Plane | Platforms |
|---|---|
| Cloud Audit Log | AWS CloudTrail, GCP Audit Log, Azure Activity Log |
| Endpoint | Windows/Sysmon, Windows Security, Windows PowerShell, Linux/auditd |
| Kubernetes | Kubernetes Audit |
| Identity Provider | Okta System Log, Entra ID Sign-in, Entra ID Audit |
| WAF | ModSecurity, AWS WAF |
SIEM Backends
Rules are converted to native queries for Splunk SPL, Microsoft Sentinel KQL, Elasticsearch Lucene, Google Chronicle UDM, OpenSearch DQL, and Google SecOps YARA-L.