
Generate Rules

POST /v1/generate

Start a pipeline execution to generate Sigma detection rules from threat intelligence. The pipeline extracts MITRE ATT&CK TTPs, generates Sigma rules grounded against a gold corpus, validates them with pySigma, and converts them to SIEM-native queries.

Authentication

Requires Bearer token (JWT or API key).

Authorization: Bearer <token>

Request Body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| inputType | string | Yes | One of: url, cve, text |
| url | string | If inputType is url | Threat advisory or blog URL |
| cveId | string | If inputType is cve | CVE identifier (e.g., CVE-2025-1974) |
| text | string | If inputType is text | Raw threat intelligence text (max 50,000 chars) |
| options.targetProviders | string[] | No | Target platforms. Default: all 13 platforms |
| options.targetSiems | string[] | No | SIEM backends for conversion. Default: all |
| options.includeIocRules | boolean | No | Generate IOC-based rules in addition to behavioral. Default: true |
| options.force | boolean | No | Skip cache and regenerate. Default: false |

Provide exactly one of url, cveId, or text based on inputType.

Target Providers

Valid values for options.targetProviders:

aws, gcp, azure, windows-sysmon, windows-security, windows-powershell, linux-auditd, kubernetes-audit, okta, entra-id-signin, entra-id-audit, modsecurity, aws-waf

See Supported Platforms for details on each.

Target SIEMs

Valid values for options.targetSiems:

splunk, sentinel, elasticsearch, chronicle, opensearch, google_secops

Example Request

curl -X POST https://cloudsigma.a13e.com/v1/generate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "inputType": "url",
    "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a",
    "options": {
      "targetProviders": ["aws", "gcp", "azure"],
      "targetSiems": ["splunk", "sentinel"],
      "includeIocRules": true
    }
  }'

Response

The endpoint starts an asynchronous pipeline and returns immediately with an execution ARN. Use the Status endpoint to poll for results.

{
  "success": true,
  "data": {
    "executionArn": "arn:aws:states:REGION:ACCOUNT_ID:execution:CloudSigmaPipeline:abc-123"
  }
}

Pipeline Output (via Status Endpoint)

When the pipeline completes, the status endpoint returns the full output:

{
  "rules": [
    {
      "yaml": "title: AWS IAM Access Key Creation\nstatus: experimental\nlogsource:\n product: aws\n service: cloudtrail\ndetection:\n selection:\n eventName: CreateAccessKey\n condition: selection\nlevel: medium\ntags:\n - attack.persistence\n - attack.t1098.001",
      "title": "AWS IAM Access Key Creation",
      "conversions": {
        "splunk": "index=cloudtrail eventName=\"CreateAccessKey\"",
        "sentinel": "CloudTrailLogs | where EventName == \"CreateAccessKey\""
      }
    }
  ],
  "ttps": [
    {
      "techniqueId": "T1098.001",
      "techniqueName": "Account Manipulation: Additional Cloud Credentials",
      "tactic": "Persistence",
      "confidence": "high"
    }
  ],
  "iocs": [],
  "detectionGaps": [],
  "pipelineNotices": [],
  "metadata": {
    "inputType": "url",
    "rulesGenerated": 5,
    "ttpsExtracted": 8,
    "platformsTargeted": 3,
    "processingTimeMs": 12500
  }
}
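As an added client-side example (not the project's own SDK), the Python below builds a request body that respects the constraints in the Request Body section (exactly one of url, cveId or text chosen by inputType, the 50,000-character text limit, and the valid targetProviders and targetSiems values) and pulls the SIEM-native queries out of a completed pipeline output of the shape shown above. The embedded SAMPLE_OUTPUT is constructed for illustration; it sends nothing over the network.

```python
# Valid option values as listed on this page.
TARGET_PROVIDERS = {"aws", "gcp", "azure", "windows-sysmon", "windows-security",
                    "windows-powershell", "linux-auditd", "kubernetes-audit", "okta",
                    "entra-id-signin", "entra-id-audit", "modsecurity", "aws-waf"}
TARGET_SIEMS = {"splunk", "sentinel", "elasticsearch", "chronicle", "opensearch", "google_secops"}
# inputType -> the single request field that must carry the input.
INPUT_FIELDS = {"url": "url", "cve": "cveId", "text": "text"}
MAX_TEXT_CHARS = 50_000


def build_generate_request(input_type, value, target_providers=None, target_siems=None,
                           include_ioc_rules=True, force=False):
    """Build the JSON body for POST /v1/generate, rejecting locally what the API
    answers with 400: unknown inputType, oversized text, unknown option values."""
    if input_type not in INPUT_FIELDS:
        raise ValueError(f"inputType must be one of {sorted(INPUT_FIELDS)}, got {input_type!r}")
    if input_type == "text" and len(value) > MAX_TEXT_CHARS:
        raise ValueError(f"text exceeds {MAX_TEXT_CHARS} characters")
    for name, given, valid in (("targetProviders", target_providers, TARGET_PROVIDERS),
                               ("targetSiems", target_siems, TARGET_SIEMS)):
        unknown = set(given or []) - valid
        if unknown:
            raise ValueError(f"unknown {name}: {sorted(unknown)}")
    # Exactly one of url / cveId / text is sent, selected by inputType.
    body = {"inputType": input_type, INPUT_FIELDS[input_type]: value}
    options = {"includeIocRules": include_ioc_rules, "force": force}
    if target_providers:
        options["targetProviders"] = list(target_providers)
    if target_siems:
        options["targetSiems"] = list(target_siems)
    body["options"] = options
    return body


def queries_for_siem(pipeline_output, siem):
    """Map rule title -> SIEM-native query from a completed pipeline output,
    skipping rules that have no conversion for that backend."""
    return {r["title"]: r["conversions"][siem]
            for r in pipeline_output.get("rules", [])
            if siem in r.get("conversions", {})}


# Constructed sample of the status endpoint's output (shape from this page, values made up).
SAMPLE_OUTPUT = {
    "rules": [{"title": "AWS IAM Access Key Creation",
               "conversions": {"splunk": 'index=cloudtrail eventName="CreateAccessKey"',
                               "sentinel": 'CloudTrailLogs | where EventName == "CreateAccessKey"'}},
              {"title": "Unconverted rule", "conversions": {}}],
    "ttps": [{"techniqueId": "T1098.001", "tactic": "Persistence", "confidence": "high"}],
}
```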

Errors

| HTTP | Code | Description | Resolution |
| --- | --- | --- | --- |
| 400 | InvalidInputType | Unknown inputType value | Use url, cve, or text |
| 400 | ValidationError | Missing required field | Check request body |
| 401 | Unauthorized | Invalid or missing token | Check Authentication |
| 429 | RateLimitExceeded | More than 5 requests/minute | Wait and retry |
| 429 | TierLimitExceeded | Monthly rule limit reached | Upgrade your plan |
| 500 | PipelineFailed | Internal pipeline error | Retry; contact support if persistent |

The pipeline typically completes in 10–30 seconds depending on input complexity and the number of target platforms.
