
Quick Start

Generate your first Sigma detection rules in under 5 minutes.

Prerequisites

  • A CloudSigma account — sign up free 
  • An API key (Pro tier or above) or a JWT access token from the web app

Free-tier users can generate rules via the web UI at cloudsigma.a13e.com/generate. API key access requires a Pro or Team subscription.

Generate Rules from a URL

Get your API key

Navigate to Account → API Keys and create a new key. Copy the full key — it is shown only once.

Your key looks like: csk_live_a1b2c3d4e5f6...

Submit threat intelligence

Send a POST request to /v1/generate with a threat intel URL:

curl -X POST https://cloudsigma.a13e.com/v1/generate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "inputType": "url",
    "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a"
  }'

The API returns immediately with an execution ARN:

{
  "success": true,
  "data": {
    "executionArn": "arn:aws:states:eu-west-2:...:execution:..."
  }
}

Poll for results

Check the execution status using the ARN from the previous step:

curl https://cloudsigma.a13e.com/v1/status/EXECUTION_ARN \
  -H "Authorization: Bearer YOUR_API_KEY"

While the pipeline is running, you will see "status": "RUNNING". When complete:

{
  "success": true,
  "data": {
    "status": "SUCCEEDED",
    "output": {
      "rules": [
        {
          "yaml": "title: AWS IAM Access Key Creation...\nstatus: experimental\n...",
          "title": "AWS IAM Access Key Creation",
          "conversions": {
            "splunk": "index=cloudtrail eventName=CreateAccessKey ...",
            "sentinel": "CloudTrailLogs | where EventName == 'CreateAccessKey' ..."
          }
        }
      ],
      "ttps": [...],
      "metadata": { ... }
    }
  }
}

Review your rules

Each rule in the rules array includes:

  • yaml — The Sigma rule in YAML format
  • title — Human-readable rule title
  • conversions — SIEM-native queries keyed by backend name
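
The four steps above as one script, added here as an example (not CloudSigma's own client code): it submits the URL, polls until the status leaves RUNNING, and writes each rule and its conversions to disk for review. The CLOUDSIGMA_API_KEY variable name, treating any status other than RUNNING or SUCCEEDED as a failure, and the output file layout are assumptions.

```python
import json, os, re, time, urllib.parse, urllib.request
from pathlib import Path
BASE = "https://cloudsigma.a13e.com/v1"
ADVISORY = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a"

def call(method, path, key, body=None):
    """Send one authenticated JSON request and return the decoded reply."""
    req = urllib.request.Request(
        BASE + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def wait_for_rules(arn, key, fetch=call, interval=5.0, timeout=600.0):
    """Poll /v1/status until the run leaves RUNNING, then return its rules."""
    # Keep ':' literal (as in the curl example); encode the rest of the ARN.
    path = "/status/" + urllib.parse.quote(arn, safe=":")
    deadline = time.monotonic() + timeout
    while True:
        data = fetch("GET", path, key).get("data") or {}
        status = data.get("status")
        if status == "SUCCEEDED":
            return data["output"]["rules"]
        if status != "RUNNING":  # assumption: any other status is terminal
            raise RuntimeError(f"pipeline ended with status {status!r}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"still RUNNING after {timeout}s")
        time.sleep(interval)

def save_rules(rules, out_dir):
    """Write each rule's YAML and SIEM conversions to out_dir for review."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    slug = lambda s: re.sub(r"[^a-z0-9]+", "-", s.lower()).strip("-") or "x"
    stems = []
    for i, rule in enumerate(rules):
        # Titles come from generated output: sanitise before using as a path.
        stem = f"{i:02d}-{slug(rule['title'])[:60]}"
        (out / f"{stem}.yml").write_text(rule["yaml"], encoding="utf-8")
        for backend, query in rule.get("conversions", {}).items():
            (out / f"{stem}.{slug(backend)}.txt").write_text(query, encoding="utf-8")
        stems.append(stem)
    return stems

if __name__ == "__main__":
    key = os.environ["CLOUDSIGMA_API_KEY"]  # assumed name; keep keys out of source
    job = call("POST", "/generate", key, {"inputType": "url", "url": ADVISORY})
    print(save_rules(wait_for_rules(job["data"]["executionArn"], key), "rules"))
```

The sample response marks its rule `status: experimental`, so the written files are input for review and tuning before anything is deployed to a SIEM.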

Other Input Types

You can also generate rules from a CVE ID or raw text:

# From a CVE
curl -X POST https://cloudsigma.a13e.com/v1/generate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"inputType": "cve", "cveId": "CVE-2025-1974"}'

# From raw text
curl -X POST https://cloudsigma.a13e.com/v1/generate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"inputType": "text", "text": "The threat actor used compromised AWS credentials to..."}'
