The SOC Prime Platform API enables you to run your own scripts to automate the consumption of content from the SOC Prime Platform and stream it into your local repository or directly into select SIEMs.
API access is also needed to use certain integration tools such as the Splunk app or the Limacharlie add-on to integrate with the SOC Prime Platform.
The API has the following base URL: https://api.tdm.socprime.com. To use our API, you need an API key. Also, note that the SOC Prime Platform API has a rate limit of 30 requests per 10 seconds.
Each user of an organization that has access to the SOC Prime Platform API can generate personal API keys.
Go to Account icon > Platform Settings > API to see all your existing keys or generate a new one.
To create a new key:
Click Add New Key.
In the modal that appears:
Give your key a meaningful name.
Set the expiration date.
Optionally define allowed IPs.
Select the product APIs the key provides access to.
Click Generate.
The API Key Generated modal appears. Copy the key and save it in a safe place. You won't be able to view it again once you close this modal. The key is stored in an encrypted format.
Each user can create up to 20 keys.
To make downloading and deployment automation more convenient and flexible, we offer the TDM API Integration Tool available as a Content Pack in the Threat Detection Marketplace. With this tool, you can obtain content with specified parameters directly from the Threat Detection Marketplace and then save it locally as files or deploy it to your organization's environment. The Tool also allows you to create and manage content lists, as well as add and remove content from them.
In addition to the Tool, the Content Pack contains a guide covering script configuration.
Requests are authorized with a personal API key generated by the user on the SOC Prime Platform. The key is passed as a required header parameter client_secret_id. For example:
curl -X GET \
https://api.tdm.socprime.com/v1/sigma/123bcd456efg/ala-rule \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Here you can find descriptions of the API endpoints with parameters, examples and possible service responses.
GET /v1/sigma/{rule_id}/{siem_type}
Get the translation of the specified Sigma Rule into the specified platform format.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
rule_id
Required
Data type: String
Parameter location: Path
Rule ID.
siem_type
Required
Data type: String
Parameter location: Path
Name of the platform. Available values:
ala-rule — Microsoft Sentinel Rule
ala — Microsoft Sentinel Query
elasticsearch — Elasticsearch Query (Lucene)
es-eql — Elasticsearch Query (EQL)
xpack-watcher — Elasticsearch Watcher
elasticsearch-rule — Elasticsearch Detection Rule (Lucene)
es-rule-eql — Elasticsearch Detection Rule (EQL)
kibana — Kibana Saved Search
elastalert — Elasticsearch ElastAlert
qradar — QRadar Query
humio — CrowdStrike NextGen SIEM Falcon LogScale Query
humio-alert — CrowdStrike NextGen SIEM Falcon LogScale Alert
splunk — Splunk Query
splunk_alert — Splunk Alert
sumologic — Sumo Logic Query
sumologic-cse — Sumo Logic CSE Query
sumologic-cse-rule — Sumo Logic CSE Rule
arcsight-esm — ArcSight Rule
arcsight-keyword — ArcSight Query
logpoint — LogPoint Query
grep — Regex Grep Query
powershell — PowerShell Query
graylog — Graylog Query
kafka — Apache Kafka KSQL Query
rsa_netwitness — RSA NetWitness Query
carbonblack — VMware Carbon Black Cloud Query
carbonblack-edr — VMware Carbon Black EDR Query
open-ioc — FireEye OpenIOC
fireeye-helix — FireEye Helix Query
chronicle — Google SecOps Rule
chronicle-query — Google SecOps Query
securonix — Securonix Query
s1-events — SentinelOne Events Query
s1-process — SentinelOne Process State Query
sentinel-one-power-query — SentinelOne PowerQuery
mdatp — Microsoft Defender for Endpoint Query
qualys — Qualys IOC Query
sysmon — Sysmon Rule
crowdstrike — CrowdStrike Endpoint Security Query
limacharlie — LimaCharlie Rule
devo — Devo Query
snowflake — Snowflake Query
athena — Amazon Athena Query
opendistro-query — Amazon OpenSearch Query
opendistro-rule — Amazon OpenSearch Rule
fortisiem — FortiSIEM Rule
axon-ads-query — LogRhythm Axon Query
axon-ads-rule — LogRhythm Axon Rule
cortex-xdr-xql-query — Palo Alto Cortex XDR Query
cortex-xql-query — Palo Alto Cortex XSIAM Query
hunters-sql-query — Hunters Query
anomali-aql-query — Anomali Security Analytics Query
crowdstrike-ng-query — CrowdStrike NextGen SIEM Query
trend-micro-xdr-query — Trend Vision One Query
unlock_rules
Optional
Data type: Boolean
Parameter location: Query
If this parameter is true (or 1), locked premium Sigma rules will be unlocked.
Attention. If this parameter is set to true (or 1), your organization's premium Sigma rule balance will be used to unlock the rules. This may result in heavy balance usage.
mapping_name
Optional
Data type: String
Parameter location: Header
The name of the Custom Field Mapping profile that will be applied to the Sigma Rule translations in the output. Pass the value default to apply the default Custom Field Mapping profile to each content item in the response, chosen according to its Log Source, Sigma Product, Sigma Category, and Sigma Service.
Examples
Get the translation of a Sigma rule with ID 123bcd456efg to Microsoft Sentinel Rule, with the example_mapping Custom Field Mapping profile applied.
curl -X GET \
https://api.tdm.socprime.com/v1/sigma/123bcd456efg/ala-rule \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'mapping_name: example_mapping'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
GET /v1/search-sigmas
Get translations into the specified platform format for Sigma Rules defined by the filtering parameters.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
unlock_rules
Optional
Data type: Boolean
Parameter location: Query
If this parameter is true (or 1), locked premium Sigma rules will be unlocked.
Attention. If this parameter is set to true (or 1), your organization's premium Sigma rule balance will be used to unlock the rules. This may result in heavy balance usage.
client_siem_type
Required
Data type: String
Parameter location: Header
The language format used for translation. Possible values:
ala-rule — Microsoft Sentinel Rule
ala — Microsoft Sentinel Query
elasticsearch — Elasticsearch Query (Lucene)
es-eql — Elasticsearch Query (EQL)
xpack-watcher — Elasticsearch Watcher
elasticsearch-rule — Elasticsearch Detection Rule (Lucene)
es-rule-eql — Elasticsearch Detection Rule (EQL)
kibana — Kibana Saved Search
elastalert — Elasticsearch ElastAlert
qradar — QRadar Query
humio — CrowdStrike NextGen SIEM Falcon LogScale Query
humio-alert — CrowdStrike NextGen SIEM Falcon LogScale Alert
splunk — Splunk Query
splunk_alert — Splunk Alert
sumologic — Sumo Logic Query
sumologic-cse — Sumo Logic CSE Query
sumologic-cse-rule — Sumo Logic CSE Rule
arcsight-esm — ArcSight Rule
arcsight-keyword — ArcSight Query
logpoint — LogPoint Query
grep — Regex Grep Query
powershell — PowerShell Query
graylog — Graylog Query
kafka — Apache Kafka KSQL Query
rsa_netwitness — RSA NetWitness Query
carbonblack — VMware Carbon Black Cloud Query
carbonblack-edr — VMware Carbon Black EDR Query
open-ioc — FireEye OpenIOC
fireeye-helix — FireEye Helix Query
chronicle — Google SecOps Rule
chronicle-query — Google SecOps Query
securonix — Securonix Query
s1-events — SentinelOne Events Query
s1-process — SentinelOne Process State Query
sentinel-one-power-query — SentinelOne PowerQuery
mdatp — Microsoft Defender for Endpoint Query
qualys — Qualys IOC Query
sysmon — Sysmon Rule
crowdstrike — CrowdStrike Endpoint Security Query
limacharlie — LimaCharlie Rule
devo — Devo Query
snowflake — Snowflake Query
athena — Amazon Athena Query
opendistro-query — Amazon OpenSearch Query
opendistro-rule — Amazon OpenSearch Rule
fortisiem — FortiSIEM Rule
axon-ads-query — LogRhythm Axon Query
axon-ads-rule — LogRhythm Axon Rule
cortex-xdr-xql-query — Palo Alto Cortex XDR Query
cortex-xql-query — Palo Alto Cortex XSIAM Query
hunters-sql-query — Hunters Query
anomali-aql-query — Anomali Security Analytics Query
crowdstrike-ng-query — CrowdStrike NextGen SIEM Query
trend-micro-xdr-query — Trend Vision One Query
mapping_name
Optional
Data type: String
Parameter location: Header
The name of the Custom Field Mapping profile that will be applied to the Sigma Rule translations in the output. Pass the value default to apply the default Custom Field Mapping profile to each content item in the response, chosen according to its Log Source, Sigma Product, Sigma Category, and Sigma Service.
is_verified
Optional
Data type: Boolean
Parameter location: Header
Filters rules by whether they have been verified by SOC Prime or still need verification.
Available values:
true — the rule has the label “SOC Prime Verified”
false — the rule has the label “Not Verified”
client_tags_actor
Optional
Data type: String
Parameter location: Header
Name of a certain ATT&CK Group. See the full list of possible adversary group names here.
client_sigma_type
Optional
Data type: String
Parameter location: Header
Sigma type. Available Sigma types:
IOC Sigma
Threat Hunting Sigma
Compliance
tags_technique_tactic
Optional
Data type: String
Parameter location: Header
Name of a certain ATT&CK Tactic. For example: Collection. See the full list of possible ATT&CK Tactics here.
client_tags_event_id
Optional
Data type: String
Parameter location: Header
Windows Event ID.
client_case_id
Optional
Data type: String
Parameter location: Header
Sigma Rule ID.
client_tags_tool
Optional
Data type: String
Parameter location: Header
Name of a certain ATT&CK tool or malware. See the full list of possible ATT&CK tool and malware names here.
tags_technique_name
Optional
Data type: String
Parameter location: Header
Name of a certain ATT&CK Technique. For example: Screen Capture.
See the full list of possible ATT&CK Techniques here.
client_case_name
Optional
Data type: String
Parameter location: Header
Sigma rule name.
client_tags_author
Optional
Data type: String
Parameter location: Header
Filtering parameter for the Rule Author. For example: SOC Prime Team.
client_tags_event_category
Optional
Data type: String
Parameter location: Header
Sigma logsource.category field. For example:
process_creation
webserver
proxy
file_event
registry_event
client_query_string
Optional
Data type: String
Parameter location: Header
Query to search for available Sigma Rules with custom criteria. The following fields can be used for the query:
case.id — the same as the client_case_id parameter
case.name — the same as the client_case_name parameter
description — rule description
siem_type — the same as the client_siem_type parameter
sigma.falsepositives — Sigma falsepositives field
sigma.level — Sigma level field. Possible values: low, medium, high, critical
sigma.status — the same as the client_sigma_status parameter
sigma.text — body of the rule
tags.event_id — the same as the client_tags_event_id parameter
tags.actor — the same as the client_tags_actor parameter
tags.author — the same as the client_tags_author parameter
tags.custom — custom tag in TDM. Examples: malware, cloud, ransomware
tags.logsource — the same as the client_tags_logsource parameter
tags.sigma_type — the same as the client_sigma_type parameter
tags.technique.id — the same as the tags_technique_id parameter
tags.technique.name — the same as the tags_technique_name parameter
tags.technique.tactics — the same as the tags_technique_tactic parameter
tags.tool — the same as the client_tags_tool parameter
tags.product — Sigma logsource.product field. Examples: windows, linux, azure, zeek, proxy, etc.
tags.service — Sigma logsource.service field. Examples: sysmon, security, powershell, office365, cloudtrail, etc.
tags.category — Sigma logsource.category field. Examples: process_creation, webserver, proxy, file_event, registry_event, etc.
tags.rule_type — Sigma rule type (the same as the tags_rule_type parameter). Possible values: query, alert
The syntax supports logical operators AND/OR (note that the operators have to be uppercase), parentheses, and wildcards. For more information on the syntax, see here.
For example:
sigma.level: high OR sigma.level: critical
sigma_level
Optional
Data type: String
Parameter location: Header
Severity of a Sigma rule. Available values:
low
medium
high
critical
tags_technique_id
Optional
Data type: String
Parameter location: Header
ATT&CK Technique ID. For example: T1113.
See the full list of possible ATT&CK Technique IDs here
client_tags_logsource
Optional
Data type: String
Parameter location: Header
Sigma logsource fields:
logsource.category
logsource.service
logsource.product
For example:
windows, sysmon
process_creation
security
proxy
client_sigma_status
Optional
Data type: String
Parameter location: Header
Sigma status. Available statuses:
stable: Rule that is considered stable and may be used in production systems or dashboards
test (or testing, a legacy status that is still in use): Almost stable Rule that possibly could require some fine-tuning
experimental: Experimental Rule that could lead to false results or be noisy, but could also identify interesting events
tags_rule_type
Optional
Data type: String
Parameter location: Header
Rule type. Possible values:
query — intended for threat hunting (may generate a considerable rate of false positives and require fine-tuning according to your environment)
alert — intended for real-time detection (rarely generates false positives)
page_size
Optional
Data type: Integer
Parameter location: Header
Pagination parameter that specifies the number of Rules returned per page. The maximum number of Rules that can be returned is 50. This is also the default value if not specified. All returned Rules are sorted by the release_date field value.
page_number
Optional
Data type: Integer
Parameter location: Header
Pagination parameter specifying which page of Rules, out of the whole list, is returned. The page boundaries depend on the value of the page_size parameter. All returned Rules are sorted by the release_date field value.
For example, if the page_size value is 25 and the page_number value is 2, you will get the list of Rules from 26 to 50.
Default value: 1.
date_start
Optional
Data type: String (date in ISO 8601 format)
Parameter location: Header
The start date and time of the interval for the Sigma Rule fetch (considered from the date of content update). Date and time format: YYYY-MM-DDTHH:MM:SS
For example: 2025-03-21T12:00:00
date_end
Optional
Data type: String (date in ISO 8601 format)
Parameter location: Header
The end date and time of the interval for the Sigma Rule fetch (considered from the date of content update). Date and time format: YYYY-MM-DDTHH:MM:SS
For example: 2025-03-21T12:00:00
Examples
1. Get QRadar translations of all Sigma rules that have been updated starting from a specific date. Note that to complete this request, you need to provide the date_start parameter. For this parameter, specify the date and time in the YYYY-MM-DDTHH:MM:SS format, in the UTC timezone.
curl -X GET \
https://api.tdm.socprime.com/v1/search-sigmas \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'client_siem_type: qradar' \
-H 'date_start: 2025-09-19T10:13:55'
2. Get Splunk translations of all Sigma rules mapped to MITRE ATT&CK® technique T1156 and tool RIPTIDE.
curl -X GET \
https://api.tdm.socprime.com/v1/search-sigmas \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'tags_technique_id: T1156' \
-H 'client_siem_type: splunk' \
-H 'client_tags_tool: riptide'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
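The pieces a script needs around this endpoint, as an added example (not SOC Prime's code or the TDM API Integration Tool): header construction for the filters documented above, a sliding-window limiter for the stated 30 requests per 10 seconds, page walking with page_size/page_number, and a retry on 429. The injectable send transport and the assumption that a 200 body decodes to a JSON list are this example's own, not taken from the page.

```python
"""Paginated, rate-limited client for GET /v1/search-sigmas. Added example, not SOC
Prime's code. Assumed (not from the page): the injectable `send` transport, and that
a 200 body decodes to a JSON list of translation objects."""
import json
import time
import urllib.error
import urllib.request
from collections import deque
from datetime import datetime, timezone

BASE_URL = "https://api.tdm.socprime.com"
RATE_LIMIT_REQUESTS = 30    # the page's limit: 30 requests ...
RATE_LIMIT_WINDOW = 10.0    # ... per 10 seconds
MAX_PAGE_SIZE = 50          # page_size maximum, also the default
# Optional header filters documented for this endpoint. unlock_rules (a query
# parameter) is deliberately left out: it spends the premium Sigma rule balance.
OPTIONAL_FILTERS = {
    "mapping_name", "is_verified", "client_tags_actor", "client_sigma_type", "tags_technique_tactic",
    "client_tags_event_id", "client_case_id", "client_tags_tool", "tags_technique_name",
    "client_case_name", "client_tags_author", "client_tags_event_category", "client_query_string",
    "sigma_level", "tags_technique_id", "client_tags_logsource", "client_sigma_status", "tags_rule_type"}


class RateLimiter:
    """Sliding window: at most `limit` requests in any `window` seconds (clock/sleep injectable)."""

    def __init__(self, limit=RATE_LIMIT_REQUESTS, window=RATE_LIMIT_WINDOW,
                 clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window, self.clock, self.sleep = limit, window, clock, sleep
        self.sent = deque()     # send times still inside the window

    def wait(self):
        """Block until one more request is allowed; returns the seconds waited."""
        waited = 0.0
        while True:
            now = self.clock()
            while self.sent and now - self.sent[0] >= self.window:
                self.sent.popleft()
            if len(self.sent) < self.limit:
                break
            delay = self.window - (now - self.sent[0])
            self.sleep(delay)
            waited += delay
        self.sent.append(now)
        return waited


def _iso_utc(value):
    """Render a datetime as the documented YYYY-MM-DDTHH:MM:SS in UTC; validate strings."""
    if isinstance(value, datetime):
        if value.tzinfo is not None:
            value = value.astimezone(timezone.utc)
        return value.strftime("%Y-%m-%dT%H:%M:%S")
    datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")    # ValueError if malformed
    return value


def search_sigmas_headers(api_key, siem_type, *, page_size=MAX_PAGE_SIZE, page_number=1,
                          date_start=None, date_end=None, **filters):
    """Header set for one page of /v1/search-sigmas, checked against the page's rules."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    if set(filters) - OPTIONAL_FILTERS:
        raise ValueError(f"unknown filter header(s): {sorted(set(filters) - OPTIONAL_FILTERS)}")
    headers = {"client_secret_id": api_key, "client_siem_type": siem_type,
               "page_size": str(page_size), "page_number": str(page_number)}
    for key, val in (("date_start", date_start), ("date_end", date_end)):
        if val is not None:
            headers[key] = _iso_utc(val)
    # booleans such as is_verified are sent as true/false
    headers.update({k: (str(v).lower() if isinstance(v, bool) else str(v))
                    for k, v in filters.items()})
    return headers


def _urllib_send(url, headers):
    """Default transport: returns (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fetch_all(api_key, siem_type, *, send=_urllib_send, limiter=None,
              page_size=MAX_PAGE_SIZE, **kwargs):
    """Walk the pages (server-sorted by release_date) until a short page ends the set."""
    limiter = limiter or RateLimiter()
    results, page = [], 1
    while True:
        headers = search_sigmas_headers(api_key, siem_type, page_size=page_size,
                                        page_number=page, **kwargs)
        limiter.wait()
        status, body = send(f"{BASE_URL}/v1/search-sigmas", headers)
        if status == 429:               # Too Many Requests: sit out a window, retry same page
            limiter.sleep(RATE_LIMIT_WINDOW)
            continue
        if status != 200:
            raise RuntimeError(f"search-sigmas returned HTTP {status}")
        items = json.loads(body)
        results.extend(items)
        if len(items) < page_size:
            return results
        page += 1
```

Keep the key out of source and argument lists (read it from a secret store or environment variable) since it authorizes everything the key was scoped to, including premium unlocks if unlock_rules is ever passed.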
GET /v1/content-list
Get translations of Sigma rules added to a Content List, with Presets, Custom Field Mapping profiles, and Filters applied. The specified translation language format should be currently supported by the Automation module.
Notes:
The Premium Sigma rules included in the Content List specified in the request will be automatically unlocked if Auto Unlock has been enabled in the settings of this List in the UI of the SOC Prime Platform.
Please use unlocking of Premium Sigma rules via API with caution, since this may result in heavy usage of your team's Premium Sigma rule balance.
Dynamic Lists have a content limit of the 500 most recently released items, to prevent overloading your platform.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
content_list_name
Required
Data type: String
Parameter location: Header
Content list name as it is displayed in the Automation module.
siem_type
Required
Data type: String
Parameter location: Header
The language format for which content from the corresponding content list (indicated by the content_list_name parameter) is going to be downloaded via API.
Available values:
ala-rule — Microsoft Sentinel Rule
ala — Microsoft Sentinel Query
elasticsearch — Elasticsearch Query (Lucene)
es-eql — Elasticsearch Query (EQL)
xpack-watcher — Elasticsearch Watcher
elasticsearch-rule — Elasticsearch Detection Rule (Lucene)
es-rule-eql — Elasticsearch Detection Rule (EQL)
kibana — Kibana Saved Search
elastalert — Elasticsearch ElastAlert
qradar — QRadar Query
humio — CrowdStrike NextGen SIEM Falcon LogScale Query
humio-alert — CrowdStrike NextGen SIEM Falcon LogScale Alert
splunk — Splunk Query
splunk_alert — Splunk Alert
sumologic — Sumo Logic Query
sumologic-cse — Sumo Logic CSE Query
sumologic-cse-rule — Sumo Logic CSE Rule
arcsight-esm — ArcSight Rule
arcsight-keyword — ArcSight Query
logpoint — LogPoint Query
grep — Regex Grep Query
powershell — PowerShell Query
graylog — Graylog Query
kafka — Apache Kafka KSQL Query
rsa_netwitness — RSA NetWitness Query
carbonblack — VMware Carbon Black Cloud Query
carbonblack-edr — VMware Carbon Black EDR Query
open-ioc — FireEye OpenIOC
fireeye-helix — FireEye Helix Query
chronicle — Google SecOps Rule
chronicle-query — Google SecOps Query
securonix — Securonix Query
s1-events — SentinelOne Events Query
s1-process — SentinelOne Process State Query
sentinel-one-power-query — SentinelOne PowerQuery
mdatp — Microsoft Defender for Endpoint Query
qualys — Qualys IOC Query
sysmon — Sysmon Rule
crowdstrike — CrowdStrike Endpoint Security Query
limacharlie — LimaCharlie Rule
devo — Devo Query
snowflake — Snowflake Query
athena — Amazon Athena Query
opendistro-query — Amazon OpenSearch Query
opendistro-rule — Amazon OpenSearch Rule
fortisiem — FortiSIEM Rule
axon-ads-query — LogRhythm Axon Query
axon-ads-rule — LogRhythm Axon Rule
cortex-xdr-xql-query — Palo Alto Cortex XDR Query
cortex-xql-query — Palo Alto Cortex XSIAM Query
hunters-sql-query — Hunters Query
anomali-aql-query — Anomali Security Analytics Query
crowdstrike-ng-query — CrowdStrike NextGen SIEM Query
trend-micro-xdr-query — Trend Vision One Query
mapping_name
Optional
Data type: String
Parameter location: Header
The name of the Custom Field Mapping profile that will be applied to the Sigma Rule translations in the output. Pass the value default to apply the default Custom Field Mapping profile to each content item in the response, chosen according to its Log Source, Sigma Product, Sigma Category, and Sigma Service.
preset_name
Optional
Data type: String
Parameter location: Header
The preset name. Any preset can be used, not only those applied to this specific Content List.
alt_translate_config
Optional
Data type: String
Parameter location: Header
The name of the config for alternative translations applicable to the specified language format. For example: ci-winlogbeat7.
Examples
Get Microsoft Sentinel Rule translations of content from the example_list Content List with example_profile Custom Field Mapping profile applied.
curl -X GET \
https://api.tdm.socprime.com/v1/content-list \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'content_list_name: example_list' \
-H 'siem_type: ala-rule' \
-H 'mapping_name: example_profile'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
GET /v1/ccm/jobs/{job_id}/get-content
Get content from the Content List(s) linked to a specific Job. The Custom Field Mapping profiles, Presets, Filters, and other configurations of the Job are applied to the output content.
Notes:
The Premium Sigma rules included in the Content List specified in the request will be automatically unlocked if Auto Unlock has been enabled in the settings of this List in the UI of the SOC Prime Platform.
Please use unlocking of Premium Sigma rules via API with caution, since this may result in heavy usage of your team's Premium Sigma rule balance.
Dynamic Lists have a content limit of the 500 most recently released items, to prevent overloading your platform.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
job_id
Required
Data type: String
Parameter location: Path
Job ID.
Examples
Get content from the Content Lists linked to the Job with ID 123bcd456efg, with all configurations of the Job applied to the output content.
curl -X GET \
https://api.tdm.socprime.com/v1/ccm/jobs/123bcd456efg/get-content \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
GET /v1/ccm/content-list
Get all Static and Dynamic Content Lists available to the company.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
Examples
Get Content Lists available to the company.
curl -X GET \
https://api.tdm.socprime.com/v1/ccm/content-list \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response. The body contains a list of objects, where each object is a List.
For a Static List, the response contains the following parameters:
name (string) – name of the List
description (string) – description of the List
category (string) – category of the List
allow_others_to_edit (boolean) – whether other users from your organization are allowed to edit this List. Default: false
repository_ids (list of strings) – list of IDs of repositories from which content can be added to the List
repository_type (string) – type of the repositories from which content can be added to the List (Platform or Custom)
type (string) – type of the List. Value: static
id (string) – ID of the List
created (string) – date and time when the List was created
updated (string) – date and time when the List was last updated
rule_ids (list of strings) – IDs of the rules that are included in the List
For a Dynamic List, the response contains the following parameters:
name (string) – name of the List
description (string) – description of the List
category (string) – category of the List
allow_others_to_edit (boolean) – whether other users from your organization are allowed to edit this List. Default: false
repository_ids (list of strings) – list of IDs of repositories from which content can be added to the List
repository_type (string) – type of the repositories from which content can be added to the List (Platform or Custom)
type (string) – type of the List. Value: dynamic
tags_include (list of strings) – tags used to include rules into the List
include_tags_operator (string) – operator used to combine include tags
tags_exclude (list of strings) – tags used to exclude rules from the List
exclude_tags_operator (string) – operator used to combine exclude tags
siem_type (list of strings) – codes of the rule translations included in the List
author (list of strings) – authors of the rules included in the List
technique (list of strings) – MITRE ATT&CK techniques or sub-techniques mapped to the rules included in the List
severity (list of strings) – severity of the rules included in the List
sigma_status (list of strings) – Sigma status of the rules included in the List
sigma_service (string) – log sources specified in the Sigma service field of the rules included in the List
sigma_category (string) – log sources specified in the Sigma category field of the rules included in the List
sigma_product (string) – log sources specified in the Sigma product field of the rules included in the List
lucene_query (string) – Lucene query used to define rules included in the List
content_created_date (string) – maximum time period from now when the content was created
id (string) – ID of the List
created (string) – date and time when the List was created
updated (string) – date and time when the List was last updated
For example:
[
  {
    "name": "string",
    "description": "string",
    "category": "string",
    "allow_others_to_edit": false,
    "repository_ids": [
      "socprime",
      "string"
    ],
    "repository_type": "socprime",
    "type": "static",
    "id": "string",
    "created": "2024-05-01T12:51:57.595Z",
    "updated": "2024-05-01T12:51:57.595Z",
    "rule_ids": []
  },
  {
    "name": "string",
    "description": "string",
    "category": "string",
    "allow_others_to_edit": false,
    "repository_ids": [
      "socprime",
      "string"
    ],
    "repository_type": "socprime",
    "type": "dynamic",
    "tags_include": [],
    "include_tags_operator": "or",
    "tags_exclude": [],
    "exclude_tags_operator": "or",
    "siem_type": [],
    "author": [],
    "technique": [],
    "severity": [],
    "sigma_status": [],
    "sigma_service": "string",
    "sigma_category": "string",
    "sigma_product": "string",
    "lucene_query": "string",
    "content_created_date": "0d",
    "id": "string",
    "created": "2024-05-01T12:51:57.595Z",
    "updated": "2024-05-01T12:51:57.595Z"
  }
]
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
429
Too Many Requests
POST /v1/ccm/content-list
Create a Static or Dynamic Content List.
The request body must be in JSON format.
Note:
Auto Unlock cannot be enabled when creating a Content List via API. Accordingly, the Premium rules included in the Content List will NOT be automatically unlocked by default. You can enable Auto Unlock in the settings of the List in the UI of the SOC Prime Platform.
Please use unlocking of Premium rules via API with caution, since this may result in heavy usage of your team's Premium rule balance.
Dynamic Lists have a content limit of the 500 most recently released items, to prevent overloading your platform.
Parameters
For a Static List
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
name
Required
Data type: String
Parameter location: Request Body
Content List name. This parameter cannot be null and should not duplicate any other list name of the same company. Length: 5 to 256 characters.
type
Required
Data type: String
Parameter location: Request Body
Content List type. The value must be static.
category
Optional
Data type: String
Parameter location: Request Body
Content List category. Length: up to 512 characters.
description
Optional
Data type: String
Parameter location: Request Body
Content List description. Length: up to 2048 characters.
allow_others_to_edit
Optional
Data type: Boolean
Parameter location: Request Body
Defines whether the other users from your organization are allowed to edit this List. Default value: false.
repository_ids
Required
Data type: List of strings
Parameter location: Request Body
The list of IDs of repositories from which content can be added to the List. The possible values depend on the value of the repository_type parameter:
If repository_type is socprime, the possible values are:
socprime – SOC Prime repository
threat_bounty – Threat Bounty repository
sigmahq – SigmaHQ repository
ms_sentinel – Microsoft Sentinel repository
If repository_type is custom, the possible values are any of the existing custom repository IDs. To find the IDs of your custom repositories:
Via API: use the GET /v1/custom-repositories endpoint.
Via UI:
Drill down to the repository from the Repositories page and copy the repository ID from the URL (it is at the end of the URL).
Open any rule in the repository and copy the repository ID from the URL (it is the latter ID in the URL, the former being the ID of the rule).
repository_type
Required
Data type: String
Parameter location: Request Body
The type of the repositories from which content can be added to the List. Possible values are one of the following:
socprime – Platform Repositories
custom – Custom Repositories
For a Dynamic List
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
name
Required
Data type: String
Parameter location: Request Body
Content List name. This parameter cannot be null and should not duplicate any other list name of the same company. Length: 5 to 256 characters.
type
Required
Data type: String
Parameter location: Request Body
Content List type. Value: dynamic.
category
Optional
Data type: String
Parameter location: Request Body
Content List category. Length: up to 512 characters.
description
Optional
Data type: String
Parameter location: Request Body
Content List description. Length: up to 2048 characters.
allow_others_to_edit
Optional
Data type: Boolean
Parameter location: Request Body
Defines whether the other users from your organization are allowed to edit this List. Default value: false.
repository_ids
Required
Data type: List of Strings
Parameter location: Request Body
The list of IDs of repositories from which content can be added to the List. The possible values depend on the value of the repository_type parameter:
If repository_type is socprime, the possible values are:
socprime – SOC Prime repository
threat_bounty – Threat Bounty repository
sigmahq – SigmaHQ repository
ms_sentinel – Microsoft Sentinel repository
If repository_type is custom, the possible values are any of the existing custom repository IDs. To find the IDs of your custom repositories:
Via API: use the GET /v1/custom-repositories endpoint.
Via UI, either:
Drill down to the repository from the Repositories page and copy the repository ID from the URL (it is at the end of the URL)
Open any rule in the repository and copy the repository ID from the URL (it is the latter ID in the URL, the former being the ID of the rule)
repository_type
Required
Data type: String
Parameter location: Request Body
The type of the repositories from which content can be added to the List. Possible values are one of the following:
socprime – Platform Repositories
custom – Custom Repositories
tags_include
Optional
Data type: List of strings
Parameter location: Request Body
Tags used to include Sigma detections into the Content List. Maximum length: 256 characters, maximum number of items: 50.
tags_exclude
Optional
Data type: List of strings
Parameter location: Request Body
Tags used to exclude Sigma detections from the Content List. Maximum length: 256 characters, maximum number of items: 50.
include_tags_operator
Optional
Data type: String
Parameter location: Request Body
Logical operator used to combine Include tags. Available values:
or
and
Default value: or
exclude_tags_operator
Optional
Data type: String
Parameter location: Request Body
Logical operator used to combine Exclude tags. Available values:
or
and
Default value: or
lucene_query
Optional
Data type: String
Parameter location: Request Body
Lucene query that defines the content to be included in the Dynamic List. See available fields and their values here. Max length: 1024 characters.
siem_type
Optional
Data type: List of strings
Parameter location: Request Body
One or multiple platforms the content is intended for. Available values:
ala-rule – Microsoft Sentinel Rule
ala – Microsoft Sentinel Query
elasticsearch – Elasticsearch Query (Lucene)
es-eql – Elasticsearch Query (EQL)
xpack-watcher – Elasticsearch Watcher
elasticsearch-rule – Elasticsearch Detection Rule (Lucene)
es-rule-eql – Elasticsearch Detection Rule (EQL)
kibana – Kibana Saved Search
elastalert – Elasticsearch ElastAlert
qradar – QRadar Query
humio – CrowdStrike NextGen SIEM Falcon LogScale Query
humio-alert – CrowdStrike NextGen SIEM Falcon LogScale Alert
splunk – Splunk Query
splunk_alert – Splunk Alert
sumologic – Sumo Logic Query
sumologic-cse – Sumo Logic CSE Query
sumologic-cse-rule – Sumo Logic CSE Rule
arcsight-esm – ArcSight Rule
arcsight-keyword – ArcSight Query
logpoint – LogPoint Query
grep – Regex Grep Query
powershell – PowerShell Query
graylog – Graylog Query
kafka – Apache Kafka KSQL Query
rsa_netwitness – RSA NetWitness Query
carbonblack – VMware Carbon Black Cloud Query
carbonblack-edr – VMware Carbon Black EDR Query
open-ioc – FireEye OpenIOC
fireeye-helix – FireEye Helix Query
chronicle – Google SecOps Rule
chronicle-query – Google SecOps Query
securonix – Securonix Query
s1-events – SentinelOne Events Query
s1-process – SentinelOne Process State Query
sentinel-one-power-query – SentinelOne PowerQuery
mdatp – Microsoft Defender for Endpoint Query
qualys – Qualys IOC Query
sysmon – Sysmon Rule
crowdstrike – CrowdStrike Endpoint Security Query
limacharlie – LimaCharlie Rule
devo – Devo Query
snowflake – Snowflake Query
athena – Amazon Athena Query
opendistro-query – Amazon OpenSearch Query
opendistro-rule – Amazon OpenSearch Rule
fortisiem – FortiSIEM Rule
axon-ads-query – LogRhythm Axon Query
axon-ads-rule – LogRhythm Axon Rule
cortex-xdr-xql-query – Palo Alto Cortex XDR Query
cortex-xql-query – Palo Alto Cortex XSIAM Query
hunters-sql-query – Hunters Query
anomali-aql-query – Anomali Security Analytics Query
crowdstrike-ng-query – CrowdStrike NextGen SIEM Query
trend-micro-xdr-query – Trend Vision One Query
Maximum length: 64 characters. Maximum number of items: 50.
author
Optional
Data type: List of strings
Parameter location: Request Body
Content author(s). Maximum length: 256 characters. Maximum number of items: 50.
technique
Optional
Data type: List of strings
Parameter location: Request Body
One or multiple MITRE ATT&CK® techniques or sub-techniques. Maximum length: 256 characters. Maximum number of items: 50.
severity
Optional
Data type: List of strings
Parameter location: Request Body
Severity of a Sigma detection. Available values:
informational – intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match them
low – notable event but rarely an incident. Such events can be relevant in high numbers or in combination with others. Immediate reaction shouldn't be necessary, but a regular review is recommended
medium – relevant event that should be reviewed manually on a more frequent basis
high – relevant event that should trigger an internal alert and requires a prompt review
critical – highly relevant event that indicates an incident and should be reviewed immediately
sigma_status
Optional
Data type: List of strings
Parameter location: Request Body
Status of a Sigma detection. Available values:
stable – Rule that is considered stable and may be used in production systems or dashboards
test (or testing, a legacy status that is still in use) – Almost stable Rule that possibly could require some fine-tuning
experimental – Experimental Rule that could lead to false results or be noisy, but could also identify interesting events
sigma_product
Optional
Data type: String
Parameter location: Request Body
Product whose log outputs are used in Sigma detections. Maximum length: 256 characters.
sigma_category
Optional
Data type: String
Parameter location: Request Body
Category of products whose log outputs are used in Sigma detections. Maximum length: 256 characters.
sigma_service
Optional
Data type: String
Parameter location: Request Body
Subset of product logs used in Sigma detections. Maximum length: 256 characters.
content_created_date
Optional
Data type: String
Parameter location: Request Body
The maximum time period from now when the content was created. Possible values:
0d
7d
30d
90d
1y
Examples
1. Create a Static Content List.
curl -X POST \
https://api.tdm.socprime.com/v1/ccm/content-list \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d '{"name": "test content list", "type": "static", "category": "example category", "description": "example", "allow_others_to_edit": false, "repository_ids": ["threat_bounty"], "repository_type": "socprime"}'
2. Create a Dynamic Content List.
curl -X POST \
https://api.tdm.socprime.com/v1/ccm/content-list \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d '{"name": "Test Name", "type": "dynamic", "category": "API", "description": "Test Description", "allow_others_to_edit": false, "repository_ids": ["threat_bounty"], "repository_type": "socprime", "tags_include": ["1","2"], "include_tags_operator": "or", "tags_exclude": ["3","4"], "exclude_tags_operator": "and", "siem_type": ["humio-alert","ala-rule"], "author": ["SOC Prime Team"], "technique": ["Abuse Elevation Control Mechanism","Account Manipulation"], "content_created_date": "7d", "severity": ["critical","high"], "sigma_status": ["stable"], "sigma_product": "linux", "sigma_category": "antivirus", "sigma_service": "antivirus"}'
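The create requests above are easy to get wrong in ways the server only reports as a 422: a bare 7d in the body is not valid JSON, the tag operators are lowercase, platform repository IDs come from a fixed set, and every string and list has a documented limit. The Python below is an added example, not SOC Prime's own code or tooling. It builds the POST /v1/ccm/content-list body from the constraints in the parameter tables above and rejects a violation before any request is sent; build_content_list_body and to_curl are my own names, and the transport is left to the caller (to_curl renders the same curl call the examples use).

```python
"""Validate a request body for POST /v1/ccm/content-list before sending it.

Added example; it is not part of SOC Prime's documentation or tooling. Every
limit and enumeration below is copied from the parameter tables above, so a
violation is caught locally instead of costing a round trip (and one of the
30 requests allowed per 10 seconds) only to receive a 422.
"""
import json

PLATFORM_REPOS = {"socprime", "threat_bounty", "sigmahq", "ms_sentinel"}
CREATED_DATE = {"0d", "7d", "30d", "90d", "1y"}
OPERATORS = {"or", "and"}
SEVERITIES = {"informational", "low", "medium", "high", "critical"}
SIGMA_STATUSES = {"stable", "test", "testing", "experimental"}
# Dynamic-only list filters: (max characters per item, max items).
LIST_FILTERS = {"tags_include": (256, 50), "tags_exclude": (256, 50),
                "siem_type": (64, 50), "author": (256, 50), "technique": (256, 50)}
STRING_FILTERS = {"sigma_product": 256, "sigma_category": 256,
                  "sigma_service": 256, "lucene_query": 1024}
ENUM_LISTS = {"severity": SEVERITIES, "sigma_status": SIGMA_STATUSES}


def _check_len(field, value, limit):
    if not isinstance(value, str) or len(value) > limit:
        raise ValueError(f"{field}: must be a string of at most {limit} characters")


def build_content_list_body(name, list_type, repository_type, repository_ids,
                            category=None, description=None,
                            allow_others_to_edit=False, **filters):
    """Return a JSON-serialisable body, or raise ValueError naming the violation."""
    if not isinstance(name, str) or not 5 <= len(name) <= 256:
        raise ValueError("name: must be a string of 5 to 256 characters")
    if list_type not in {"static", "dynamic"}:
        raise ValueError("type: must be 'static' or 'dynamic'")
    if repository_type not in {"socprime", "custom"}:
        raise ValueError("repository_type: must be 'socprime' or 'custom'")
    if not repository_ids:
        raise ValueError("repository_ids: at least one repository ID is required")
    if repository_type == "socprime" and not set(repository_ids) <= PLATFORM_REPOS:
        raise ValueError(f"repository_ids: platform repositories are {sorted(PLATFORM_REPOS)}")

    body = {"name": name, "type": list_type, "repository_type": repository_type,
            "repository_ids": list(repository_ids),
            "allow_others_to_edit": bool(allow_others_to_edit)}
    if category is not None:
        _check_len("category", category, 512)
        body["category"] = category
    if description is not None:
        _check_len("description", description, 2048)
        body["description"] = description

    if list_type == "static":
        if filters:
            raise ValueError(f"static list does not take filters: {sorted(filters)}")
        return body

    # Dynamic List: check each optional filter against its documented shape.
    for field, value in filters.items():
        if field in LIST_FILTERS:
            max_len, max_items = LIST_FILTERS[field]
            if not isinstance(value, list) or len(value) > max_items:
                raise ValueError(f"{field}: a list of at most {max_items} items")
            for item in value:
                _check_len(field, item, max_len)
        elif field in STRING_FILTERS:
            _check_len(field, value, STRING_FILTERS[field])
        elif field in ENUM_LISTS:
            if not isinstance(value, list) or not set(value) <= ENUM_LISTS[field]:
                raise ValueError(f"{field}: values must be from {sorted(ENUM_LISTS[field])}")
        elif field in {"include_tags_operator", "exclude_tags_operator"}:
            if value not in OPERATORS:  # the documented values are lowercase
                raise ValueError(f"{field}: must be 'or' or 'and'")
        elif field == "content_created_date":
            if value not in CREATED_DATE:  # sent as a JSON string, e.g. "7d"
                raise ValueError(f"content_created_date: one of {sorted(CREATED_DATE)}")
        else:
            raise ValueError(f"unknown parameter: {field}")
        body[field] = value
    return body


def to_curl(body, api_key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
            url="https://api.tdm.socprime.com/v1/ccm/content-list"):
    """Render a validated body as the curl call shown in the examples above."""
    payload = json.dumps(body, separators=(",", ":"))
    return f"curl -X POST {url} -H 'client_secret_id: {api_key}' -d '{payload}'"
```

Because json.dumps produces the body, content_created_date is always quoted and booleans are emitted as JSON true/false, which removes the two most common hand-written mistakes. Keep the API key out of the script itself; read it from an environment variable or a secrets manager and pass it to to_curl or your HTTP client at run time.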
Server Responses
200
Successful Response
For a Static List, the response contains the following parameters:
name (string) – name of the List
description (string) – description of the List
category (string) – category of the List
allow_others_to_edit (boolean) – whether other users from your organization are allowed to edit this List. Default: false
repository_ids (list of strings) – list of IDs of repositories from which content can be added to the List
repository_type (string) – type of the repositories from which content can be added to the List (Platform or Custom)
type (string) – type of the List. Value: static
id (string) – ID of the List
created (string) – date and time when the List was created
updated (string) – date and time when the List was last updated
rule_ids (list of strings) – IDs of the rules that are included in the List
For a Dynamic List, the response contains the following parameters:
name (string) – name of the List
description (string) – description of the List
category (string) – category of the List
allow_others_to_edit (boolean) – whether other users from your organization are allowed to edit this List. Default: false
repository_ids (list of strings) – list of IDs of repositories from which content can be added to the List
repository_type (string) – type of the repositories from which content can be added to the List (Platform or Custom)
type (string) – type of the List. Value: dynamic
tags_include (list of strings) – tags used to include rules into the List
include_tags_operator (string) – operator used to combine include tags
tags_exclude (list of strings) – tags used to exclude rules from the List
exclude_tags_operator (string) – operator used to combine exclude tags
siem_type (list of strings) – codes of the rule translations included in the List
author (list of strings) – authors of the rules included in the List
technique (list of strings) – MITRE ATT&CK techniques or sub-techniques mapped to the rules included in the List
severity (list of strings) – severity of the rules included in the List
sigma_status (list of strings) – Sigma status of the rules included in the List
sigma_service (string) – log sources specified in the Sigma service field of the rules included in the List
sigma_category (string) – log sources specified in the Sigma category field of the rules included in the List
sigma_product (string) – log sources specified in the Sigma product field of the rules included in the List
lucene_query (string) – Lucene query used to define rules included in the List
content_created_date (string) – maximum time period from now when the content was created
id (string) – ID of the List
created (string) – date and time when the List was created
updated (string) – date and time when the List was last updated
For example:
{
"name": "string",
"description": "string",
"category": "string",
"allow_others_to_edit": false,
"repository_ids": [
"socprime",
"string"
],
"repository_type": "socprime",
"type": "static",
"id": "string",
"created": "2024-05-01T10:17:23.148Z",
"updated": "2024-05-01T10:17:23.148Z",
"rule_ids": []
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
GET /v1/ccm/content-list/{list_id}
Get the details of the Static or Dynamic Content List specified by the {list_id} parameter.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
list_id
Required
Data type: String
Parameter location: Path
Content list ID.
Examples
Get the details of a Content List with ID 123bcd245efg.
curl -X GET \
https://api.tdm.socprime.com/v1/ccm/content-list/123bcd245efg \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response. It contains an object which includes the details of the List specified in the request.
For a Static List, the response contains the following parameters:
name (string) – name of the List
description (string) – description of the List
category (string) – category of the List
allow_others_to_edit (boolean) – whether other users from your organization are allowed to edit this List. Default: false
repository_ids (list of strings) – list of IDs of repositories from which content can be added to the List
repository_type (string) – type of the repositories from which content can be added to the List (Platform or Custom)
type (string) – type of the List. Value: static
id (string) – ID of the List
created (string) – date and time when the List was created
updated (string) – date and time when the List was last updated
rule_ids (list of strings) – IDs of the rules that are included in the List
For a Dynamic List, the response contains the following parameters:
name (string) – name of the List
description (string) – description of the List
category (string) – category of the List
allow_others_to_edit (boolean) – whether other users from your organization are allowed to edit this List. Default: false
repository_ids (list of strings) – list of IDs of repositories from which content can be added to the List
repository_type (string) – type of the repositories from which content can be added to the List (Platform or Custom)
type (string) – type of the List. Value: dynamic
tags_include (list of strings) – tags used to include rules into the List
include_tags_operator (string) – operator used to combine include tags
tags_exclude (list of strings) – tags used to exclude rules from the List
exclude_tags_operator (string) – operator used to combine exclude tags
siem_type (list of strings) – codes of the rule translations included in the List
author (list of strings) – authors of the rules included in the List
technique (list of strings) – MITRE ATT&CK techniques or sub-techniques mapped to the rules included in the List
severity (list of strings) – severity of the rules included in the List
sigma_status (list of strings) – Sigma status of the rules included in the List
sigma_service (string) – log sources specified in the Sigma service field of the rules included in the List
sigma_category (string) – log sources specified in the Sigma category field of the rules included in the List
sigma_product (string) – log sources specified in the Sigma product field of the rules included in the List
lucene_query (string) – Lucene query used to define rules included in the List
content_created_date (string) – maximum time period from now when the content was created
id (string) – ID of the List
created (string) – date and time when the List was created
updated (string) – date and time when the List was last updated
For example:
{
"name": "string",
"description": "string",
"category": "string",
"allow_others_to_edit": false,
"repository_ids": [
"socprime",
"string"
],
"repository_type": "socprime",
"type": "static",
"id": "string",
"created": "2024-05-01T13:06:38.216Z",
"updated": "2024-05-01T13:06:38.216Z",
"rule_ids": []
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
PUT /v1/ccm/content-list/{list_id}
Update the Static or Dynamic Content List specified by the {list_id} parameter.
The request updates only the fields present in the body. A field set to null is ignored and keeps its stored value; an empty string is not ignored and is applied as the new value. To leave a field unchanged, omit it from the body.
The request body should have the JSON format.
Note: you can update only Content Lists you're allowed to edit.
Parameters
For a Static List
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
list_id
Required
Data type: String
Parameter location: Path
Content List ID.
name
Optional
Data type: String
Parameter location: Request Body
Content List name. This parameter cannot be null and should not duplicate any other list name of the same company. Length: 5 to 256 characters.
category
Optional
Data type: String (or null)
Parameter location: Request Body
Content List category. Length: up to 512 characters.
description
Optional
Data type: String (or null)
Parameter location: Request Body
Content List description. Length: up to 2048 characters.
allow_others_to_edit
Optional
Data type: Boolean
Parameter location: Request Body
Defines whether the other users from your organization are allowed to edit this List. Default value: false.
repository_ids
Optional
Data type: List of strings
Parameter location: Request Body
The list of IDs of repositories from which content can be added to the List. The possible values depend on the value of the repository_type parameter:
If repository_type is socprime, the possible values are:
socprime – SOC Prime repository
threat_bounty – Threat Bounty repository
sigmahq – SigmaHQ repository
ms_sentinel – Microsoft Sentinel repository
If repository_type is custom, the possible values are any of the existing custom repository IDs. To find the IDs of your custom repositories:
Via API: use the GET /v1/custom-repositories endpoint.
Via UI, either:
Drill down to the repository from the Repositories page and copy the repository ID from the URL (it is at the end of the URL)
Open any rule in the repository and copy the repository ID from the URL (it is the latter ID in the URL, the former being the ID of the rule)
repository_type
Optional
Data type: String
Parameter location: Request Body
The type of the repositories from which content can be added to the List. Possible values are one of the following:
socprime – Platform Repositories
custom – Custom Repositories
For a Dynamic List
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
list_id
Required
Data type: String
Parameter location: Path
Content List ID.
name
Optional
Data type: String
Parameter location: Request Body
Content List name. This parameter cannot be null and should not duplicate any other list name of the same company. Length: 5 to 256 characters.
category
Optional
Data type: String (or null)
Parameter location: Request Body
Content List category. Length: up to 512 characters.
description
Optional
Data type: String (or null)
Parameter location: Request Body
Content List description. Length: up to 2048 characters.
allow_others_to_edit
Optional
Data type: Boolean
Parameter location: Request Body
Defines whether the other users from your organization are allowed to edit this List. Default value: false.
repository_ids
Optional
Data type: List of Strings
Parameter location: Request Body
The list of IDs of repositories from which content can be added to the List. The possible values depend on the value of the repository_type parameter:
If repository_type is socprime, the possible values are:
socprime – SOC Prime repository
threat_bounty – Threat Bounty repository
sigmahq – SigmaHQ repository
ms_sentinel – Microsoft Sentinel repository
If repository_type is custom, the possible values are any of the existing custom repository IDs. To find the IDs of your custom repositories:
Via API: use the GET /v1/custom-repositories endpoint.
Via UI, either:
Drill down to the repository from the Repositories page and copy the repository ID from the URL (it is at the end of the URL)
Open any rule in the repository and copy the repository ID from the URL (it is the latter ID in the URL, the former being the ID of the rule)
repository_type
Optional
Data type: String
Parameter location: Request Body
The type of the repositories from which content can be added to the List. Possible values are one of the following:
socprime – Platform Repositories
custom – Custom Repositories
tags_include
Optional
Data type: List of strings
Parameter location: Request Body
Tags used to include Sigma detections into the Content List. Maximum length: 256 characters, maximum number of items: 50
tags_exclude
Optional
Data type: List of strings
Parameter location: Request Body
Tags used to exclude Sigma detections from the Content List. Maximum length: 256 characters, maximum number of items: 50.
include_tags_operator
Optional
Data type: String
Parameter location: Request Body
Logical operator used to combine Include tags. Available values:
or
and
Default value: or
exclude_tags_operator
Optional
Data type: String
Parameter location: Request Body
Logical operator used to combine Exclude tags. Available values:
or
and
Default value: or
lucene_query
Optional
Data type: String
Parameter location: Request Body
Lucene query that defines the content to be included in the Dynamic List. See available fields and their values here. Max length: 1024 characters.
siem_type
Optional
Data type: List of strings
Parameter location: Request Body
One or multiple platforms the content is intended for. Available values:
ala-rule – Microsoft Sentinel Rule
ala – Microsoft Sentinel Query
elasticsearch – Elasticsearch Query (Lucene)
es-eql – Elasticsearch Query (EQL)
xpack-watcher – Elasticsearch Watcher
elasticsearch-rule – Elasticsearch Detection Rule (Lucene)
es-rule-eql – Elasticsearch Detection Rule (EQL)
kibana – Kibana Saved Search
elastalert – Elasticsearch ElastAlert
qradar – QRadar Query
humio – CrowdStrike NextGen SIEM Falcon LogScale Query
humio-alert – CrowdStrike NextGen SIEM Falcon LogScale Alert
splunk – Splunk Query
splunk_alert – Splunk Alert
sumologic – Sumo Logic Query
sumologic-cse – Sumo Logic CSE Query
sumologic-cse-rule – Sumo Logic CSE Rule
arcsight-esm – ArcSight Rule
arcsight-keyword – ArcSight Query
logpoint – LogPoint Query
grep – Regex Grep Query
powershell – PowerShell Query
graylog – Graylog Query
kafka – Apache Kafka KSQL Query
rsa_netwitness – RSA NetWitness Query
carbonblack – VMware Carbon Black Cloud Query
carbonblack-edr – VMware Carbon Black EDR Query
open-ioc – FireEye OpenIOC
fireeye-helix – FireEye Helix Query
chronicle – Google SecOps Rule
chronicle-query – Google SecOps Query
securonix – Securonix Query
s1-events – SentinelOne Events Query
s1-process – SentinelOne Process State Query
sentinel-one-power-query – SentinelOne PowerQuery
mdatp – Microsoft Defender for Endpoint Query
qualys – Qualys IOC Query
sysmon – Sysmon Rule
crowdstrike – CrowdStrike Endpoint Security Query
limacharlie – LimaCharlie Rule
devo – Devo Query
snowflake – Snowflake Query
athena – Amazon Athena Query
opendistro-query – Amazon OpenSearch Query
opendistro-rule – Amazon OpenSearch Rule
fortisiem – FortiSIEM Rule
axon-ads-query – LogRhythm Axon Query
axon-ads-rule – LogRhythm Axon Rule
cortex-xdr-xql-query – Palo Alto Cortex XDR Query
cortex-xql-query – Palo Alto Cortex XSIAM Query
hunters-sql-query – Hunters Query
anomali-aql-query – Anomali Security Analytics Query
crowdstrike-ng-query – CrowdStrike NextGen SIEM Query
trend-micro-xdr-query – Trend Vision One Query
Maximum length: 64 characters. Maximum number of items: 50.
author
Optional
Data type: List of strings
Parameter location: Request Body
Content author(s). Maximum length: 256 characters. Maximum number of items: 50.
technique
Optional
Data type: List of strings
Parameter location: Request Body
One or multiple MITRE ATT&CK® techniques or sub-techniques. Maximum length: 256 characters. Maximum number of items: 50.
severity
Optional
Data type: List of strings
Parameter location: Request Body
Severity of a Sigma detection. Available values:
informational – intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match them
low – notable event but rarely an incident. Such events can be relevant in high numbers or in combination with others. Immediate reaction shouldn't be necessary, but a regular review is recommended
medium – relevant event that should be reviewed manually on a more frequent basis
high – relevant event that should trigger an internal alert and requires a prompt review
critical – highly relevant event that indicates an incident and should be reviewed immediately
sigma_status
Optional
Data type: List of strings
Parameter location: Request Body
Status of a Sigma detection. Available values:
stable – Rule that is considered stable and may be used in production systems or dashboards
test (or testing, a legacy status that is still in use) – Almost stable Rule that possibly could require some fine-tuning
experimental – Experimental Rule that could lead to false results or be noisy, but could also identify interesting events
sigma_product
Optional
Data type: String
Parameter location: Request Body
Product whose log outputs are used in Sigma detections. Maximum length: 256 characters.
sigma_category
Optional
Data type: String
Parameter location: Request Body
Category of products whose log outputs are used in Sigma detections. Maximum length: 256 characters.
sigma_service
Optional
Data type: String
Parameter location: Request Body
Subset of product logs used in Sigma detections. Maximum length: 256 characters.
content_created_date
Optional
Data type: String
Parameter location: Request Body
The maximum time period from now when the content was created. Possible values:
0d
7d
30d
90d
1y
Examples
1. Update a Static Content List with ID 123bcd456efg.
curl -X PUT \
https://api.tdm.socprime.com/v1/ccm/content-list/123bcd456efg \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d '{"name": "test content list", "type": "static", "category": "example category", "description": "example"}'
2. Update a Dynamic Content List with ID 789bcd456efg.
curl -X PUT \
https://api.tdm.socprime.com/v1/ccm/content-list/789bcd456efg \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d '{"name": "Test Name Updated", "category": "API", "description": "Test Description 2", "tags_include": ["1","2"], "include_tags_operator": "or", "tags_exclude": ["3","4"], "exclude_tags_operator": "and", "siem_type": ["humio-alert","ala-rule"], "author": ["SOC Prime Team"], "technique": ["Abuse Elevation Control Mechanism","Account Manipulation"], "content_created_date": "7d", "severity": ["critical","high"], "sigma_status": ["stable"], "sigma_product": "linux", "sigma_category": "antivirus", "sigma_service": "antivirus"}'
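Because PUT updates only the fields present in the body, and a null is ignored while an empty string is applied, the safe pattern is to fetch the List with GET, work out which fields actually change, and send only those, using "" rather than null when a field is to be blanked. The Python below is an added example, not SOC Prime code: build_update_body is an assumed helper name, the field sets are copied from the PUT parameter tables above, and only the documented PUT parameters are allowed through (so type, id and rule_ids are rejected; rules are changed with add-rules and remove-rules).

```python
"""Build a minimal body for PUT /v1/ccm/content-list/{list_id}.

Added example, not SOC Prime code. It rests on two documented PUT rules:
only fields present in the body are updated, and a null value is ignored
while an empty string is applied. Hence "leave alone" = omit the field,
"blank it" = send "". `current` is the object returned by
GET /v1/ccm/content-list/{list_id}; `desired` maps field -> wanted value.
"""

# Body parameters the PUT tables above list for Static and Dynamic Lists.
STATIC_FIELDS = {"name", "category", "description", "allow_others_to_edit",
                 "repository_ids", "repository_type"}
DYNAMIC_FIELDS = STATIC_FIELDS | {
    "tags_include", "tags_exclude", "include_tags_operator",
    "exclude_tags_operator", "lucene_query", "siem_type", "author",
    "technique", "severity", "sigma_status", "sigma_product",
    "sigma_category", "sigma_service", "content_created_date",
}


def build_update_body(current, desired):
    """Return only the fields whose value changes; raise ValueError on bad input."""
    list_type = current.get("type")
    allowed = DYNAMIC_FIELDS if list_type == "dynamic" else STATIC_FIELDS
    body = {}
    for field, value in desired.items():
        if field not in allowed:
            # Covers type/id/rule_ids (rules change via add-rules/remove-rules)
            # and dynamic-only filters sent to a Static List.
            raise ValueError(f"{field}: not an updatable field of a {list_type} list")
        if value is None:
            # The API ignores nulls, so sending one would silently do nothing;
            # skipping it here makes that explicit.
            continue
        if field == "name" and (not isinstance(value, str)
                                or not 5 <= len(value) <= 256):
            raise ValueError("name: 5 to 256 characters; it cannot be blanked")
        if current.get(field) == value:
            continue  # already the stored value, nothing to send
        body[field] = value  # "" is kept: it is the documented way to blank a field
    return body
```

An empty dict returned here means nothing needs to be sent; skipping the PUT in that case also saves one of the 30 requests allowed per 10 seconds. Note that a 403 on the PUT means the List is not one you are allowed to edit, which is governed by allow_others_to_edit and ownership rather than by the API key's own permissions.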
Server Responses
200
Successful Response
For a Static List, the response contains the following parameters:
name (string) – name of the List
description (string) – description of the List
category (string) – category of the List
allow_others_to_edit (boolean) – whether other users from your organization are allowed to edit this List. Default: false
repository_ids (list of strings) – list of IDs of repositories from which content can be added to the List
repository_type (string) – type of the repositories from which content can be added to the List (Platform or Custom)
type (string) – type of the List. Value: static
id (string) – ID of the List
created (string) – date and time when the List was created
updated (string) – date and time when the List was last updated
rule_ids (list of strings) – IDs of the rules that are included in the List
For a Dynamic List, the response contains the following parameters:
name (string) – name of the List
description (string) – description of the List
category (string) – category of the List
allow_others_to_edit (boolean) – whether other users from your organization are allowed to edit this List. Default: false
repository_ids (list of strings) – list of IDs of repositories from which content can be added to the List
repository_type (string) – type of the repositories from which content can be added to the List (Platform or Custom)
type (string) – type of the List. Value: dynamic
tags_include (list of strings) – tags used to include rules into the List
include_tags_operator (string) – operator used to combine include tags
tags_exclude (list of strings) – tags used to exclude rules from the List
exclude_tags_operator (string) – operator used to combine exclude tags
siem_type (list of strings) – codes of the rule translations included in the List
author (list of strings) – authors of the rules included in the List
technique (list of strings) – MITRE ATT&CK techniques or sub-techniques mapped to the rules included in the List
severity (list of strings) – severity of the rules included in the List
sigma_status (list of strings) – Sigma status of the rules included in the List
sigma_service (string) – log sources specified in the Sigma service field of the rules included in the List
sigma_category (string) – log sources specified in the Sigma category field of the rules included in the List
sigma_product (string) – log sources specified in the Sigma product field of the rules included in the List
lucene_query (string) – Lucene query used to define rules included in the List
content_created_date (string) – maximum time period from now when the content was created
id (string) – ID of the List
created (string) – date and time when the List was created
updated (string) – date and time when the List was last updated
For example:
{
"name": "string",
"description": "string",
"category": "string",
"allow_others_to_edit": false,
"repository_ids": [
"socprime",
"string"
],
"repository_type": "socprime",
"type": "static",
"id": "string",
"created": "2024-05-01T10:17:23.148Z",
"updated": "2024-05-01T10:17:23.148Z",
"rule_ids": []
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
DELETE /v1/ccm/content-list/{list_id}
Delete the Content List specified by the {list_id} parameter.
Note: You can only delete Content Lists you're allowed to edit.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
list_id
Required
Data type: String
Parameter location: Path
Content list ID.
Examples
Delete the Content List with ID 789bcd456efg.
curl -X DELETE \
https://api.tdm.socprime.com/v1/ccm/content-list/789bcd456efg \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/ccm/content-list/{list_id}/add-rules
Adds rules to the Static Content List specified by the {list_id} parameter. A Static List can include up to 1,000 rules.
The request body should have the JSON format.
You can add a rule to a Content List only if it is available in at least one of the following language formats (represented by the corresponding values of the siem_type parameter):
ala-rule – Microsoft Sentinel Rule
ala – Microsoft Sentinel Query
elasticsearch-rule – Elastic Detection Rule (Lucene)
es-rule-eql – Elastic Detection Rule (EQL)
kibana – Elastic Saved Search
xpack-watcher – Elastic Watcher
humio-alert – CrowdStrike NextGen SIEM Falcon LogScale Alert
chronicle – Google SecOps Rule
sumologic – Sumo Logic Query
splunk_alert – Splunk Alert
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
list_id
Required
Data type: String
Parameter location: Path
Content list ID.
rule_ids
Required
Data type: List of strings
Parameter location: Request Body
The IDs of the rules. You can specify up to 100 IDs.
Examples
Add rules to the Content List with ID 789bcd456efg.
curl -X POST \
https://api.tdm.socprime.com/v1/ccm/content-list/789bcd456efg/add-rules \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '{"rule_ids": ["123abc456efd"]}'
Server Responses
200
Successful Response. It contains an object which includes the details of the Static List specified in the request:
name (string) – name of the List
description (string) – description of the List
category (string) – category of the List
allow_others_to_edit (boolean) – whether other users from your organization are allowed to edit this List. Default: false
repository_ids (list of strings) – list of IDs of repositories from which content can be added to the List
repository_type (string) – type of the repositories from which content can be added to the List (Platform or Custom)
type (string) – type of the List. Value: static
id (string) – ID of the List
created (string) – date and time when the List was created
updated (string) – date and time when the List was last updated
rule_ids (list of strings) – IDs of the rules that are included in the List
For example:
{
"name": "string",
"description": "string",
"category": "string",
"allow_others_to_edit": false,
"repository_ids": [
"socprime",
"string"
],
"repository_type": "socprime",
"type": "static",
"id": "string",
"created": "2024-05-01T13:06:38.216Z",
"updated": "2024-05-01T13:06:38.216Z",
"rule_ids": []
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/ccm/content-list/{list_id}/remove-rules
Allows removing rules from a certain Static content list specified by the {list_id} parameter.
The request body should have the JSON format.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
list_id
Required
Data type: String
Parameter location: Path
Content list ID.
rule_ids
Required
Data type: List of strings
Parameter location: Request Body
The IDs of the rules. You can specify up to 100 IDs.
Examples
Remove rules from the Content List with ID 789bcd456efg.
curl -X POST \
https://api.tdm.socprime.com/v1/ccm/content-list/789bcd456efg/remove-rules \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '{"rule_ids": ["123abc456efd"]}'
Server Responses
200
Successful Response. It contains an object which includes the details of the Static List specified in the request:
name (string) – name of the List
description (string) – description of the List
category (string) – category of the List
allow_others_to_edit (boolean) – whether other users from your organization are allowed to edit this List. Default: false
repository_ids (list of strings) – list of IDs of repositories from which content can be added to the List
repository_type (string) – type of the repositories from which content can be added to the List (Platform or Custom)
type (string) – type of the List. Value: static
id (string) – ID of the List
created (string) – date and time when the List was created
updated (string) – date and time when the List was last updated
rule_ids (list of strings) – IDs of the rules that are included in the List
For example:
{
"name": "string",
"description": "string",
"category": "string",
"allow_others_to_edit": false,
"repository_ids": [
"socprime",
"string"
],
"repository_type": "socprime",
"type": "static",
"id": "string",
"created": "2024-05-01T13:06:38.216Z",
"updated": "2024-05-01T13:06:38.216Z",
"rule_ids": []
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
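The add-rules and remove-rules endpoints above both cap rule_ids at 100 per request, and a Static List at 1,000 rules, so any script that syncs a larger set of rules has to batch and should check the ceiling before it starts sending. The Python below is an added example, not SOC Prime's TDM API Integration Tool or any code from this page: it deduplicates and chunks the IDs, builds each request with the client_secret_id header and a correctly quoted JSON body, and refuses an add that would overflow the list. The HTTP transport is injected as a callable that returns the parsed JSON body, FakeContentListApi is a constructed in-memory stand-in so the block runs offline, and the request-dict shape and the Content-Type header are this example's own assumptions.

```python
"""Batched add-rules / remove-rules calls for a Static Content List (added example)."""
import json
from typing import Callable, Dict, Iterable, List

BASE_URL = "https://api.tdm.socprime.com"
MAX_IDS_PER_REQUEST = 100          # documented cap on rule_ids per request
MAX_RULES_PER_STATIC_LIST = 1000   # documented Static List size


def chunk_rule_ids(rule_ids: Iterable[str], size: int = MAX_IDS_PER_REQUEST) -> List[List[str]]:
    """Drop duplicates (keeping first occurrence) and split into batches of at most `size`."""
    seen, unique = set(), []
    for rid in rule_ids:
        if not isinstance(rid, str) or not rid.strip():
            raise ValueError(f"rule IDs must be non-empty strings, got {rid!r}")
        if rid not in seen:
            seen.add(rid)
            unique.append(rid)
    return [unique[i:i + size] for i in range(0, len(unique), size)]


def build_request(list_id: str, action: str, batch: List[str], api_key: str) -> Dict:
    """Describe one POST to /v1/ccm/content-list/{list_id}/{action} as a plain dict
    (the dict shape is this example's convention, not part of the API)."""
    if action not in ("add-rules", "remove-rules"):
        raise ValueError("action must be 'add-rules' or 'remove-rules'")
    if not 0 < len(batch) <= MAX_IDS_PER_REQUEST:
        raise ValueError("each request carries between 1 and 100 rule IDs")
    return {
        "method": "POST",
        "url": f"{BASE_URL}/v1/ccm/content-list/{list_id}/{action}",
        "headers": {"client_secret_id": api_key, "Content-Type": "application/json"},
        "body": json.dumps({"rule_ids": batch}),  # IDs are JSON strings, so they must be quoted
    }


def sync_rules(send: Callable[[Dict], Dict], list_id: str, action: str,
               rule_ids: Iterable[str], api_key: str, current_count: int = 0) -> List[str]:
    """Send `rule_ids` to the list in batches of 100 and return the rule_ids reported
    by the last response (the documented Static List object). `current_count` is how
    many rules the list already holds, so the 1,000-rule ceiling is checked up front."""
    batches = chunk_rule_ids(rule_ids)
    total = sum(len(b) for b in batches)
    if action == "add-rules" and current_count + total > MAX_RULES_PER_STATIC_LIST:
        raise ValueError(f"adding {total} rules to {current_count} would exceed the 1,000-rule limit")
    last: Dict = {}
    for batch in batches:
        last = send(build_request(list_id, action, batch, api_key))
    return list(last.get("rule_ids", []))


class FakeContentListApi:
    """Constructed in-memory stand-in for the two endpoints; records every request."""

    def __init__(self) -> None:
        self.rule_ids: List[str] = []
        self.requests: List[Dict] = []

    def __call__(self, request: Dict) -> Dict:
        self.requests.append(request)
        ids = json.loads(request["body"])["rule_ids"]
        if request["url"].endswith("/add-rules"):
            self.rule_ids.extend(i for i in ids if i not in self.rule_ids)
        else:
            self.rule_ids = [i for i in self.rule_ids if i not in ids]
        return {"type": "static", "id": "constructed-list", "rule_ids": list(self.rule_ids)}


if __name__ == "__main__":
    api = FakeContentListApi()
    ids = [f"rule-{n:04d}" for n in range(250)]          # constructed IDs
    print(len(sync_rules(api, "789bcd456efg", "add-rules", ids, "KEY")), "rules after add,",
          len(api.requests), "requests")
    print(len(sync_rules(api, "789bcd456efg", "remove-rules", ids[:100], "KEY")), "rules after remove")
```

For real use, replace the fake with a function that performs the HTTP call (urllib or requests) and returns the decoded body; the batching and the ceiling check stay the same.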
GET /v1/ccm/jobs
Get a list of all available Jobs. Each Job in the response has the following parameters: ID, name, status, created date, last updated date.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
Examples
Get a list of all available Jobs.
curl -X GET \
https://api.tdm.socprime.com/v1/ccm/jobs \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
429
Too Many Requests
GET /v1/ccm/jobs/{job_id}
Get details of a specific Job.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
job_id
Required
Data type: String
Parameter location: Path
Job ID.
Examples
Get details of the Job with ID 123abc456def.
curl -X GET \
https://api.tdm.socprime.com/v1/ccm/jobs/123abc456def \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response
404
Job not found
422
Request Validation Error
429
Too Many Requests
GET /v1/ccm/jobs/{job_id}/get-content
Get content from the Content List(s) linked to a specific Job. The Custom Field Mapping profiles, Presets, Filters, and other configurations of the Job are applied to the output content.
Notes:
The Premium Sigma rules included in the Content List specified in the request will be automatically unlocked if Auto Unlock has been enabled in the settings of this List in the UI of the SOC Prime Platform.
Use unlocking of Premium Sigma rules via the API with caution, since it can consume a large part of your team's Premium Sigma rule balance.
Dynamic Lists are limited to the 500 most recently released items to prevent overloading your platform.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
job_id
Required
Data type: String
Parameter location: Path
Job ID.
Examples
Get content from the Content Lists linked to the Job with ID 123bcd456efg, with all configurations of the Job applied to the output content.
curl -X GET \
https://api.tdm.socprime.com/v1/ccm/jobs/123bcd456efg/get-content \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
GET /v1/custom-field-mapping
Get a list of all available Custom Field Mapping profiles.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
Examples
Get a list of all available Custom Field Mapping profiles.
curl -X GET \
https://api.tdm.socprime.com/v1/custom-field-mapping \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
429
Too Many Requests
GET /v1/custom-repositories
Get the names and IDs of all custom repositories available to the user whose API key is used.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
Examples
Get all custom repositories available to the user.
curl -X GET \
https://api.tdm.socprime.com/v1/custom-repositories \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response
Contains a list of objects where each object has the following parameters:
id (string) – ID of the custom repository
name (string) – name of the custom repository
For example:
[
{
"id": "0c5699sh-c7b45433-9e00-5d7c676a32b6",
"name": "Production Sentinel"
}
]
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
GET /v1/active-threats/get-updates
Get a list of the Active Threats news items for the specified time period. For each news item, its name, creation date, and SOC Prime bias are returned.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
date_start
Required
Data type: String
Parameter location: Header
The start date and time for the news items retrieval.
date_end
Required
Data type: String
Parameter location: Header
The end date and time for the news items retrieval.
page_size
Optional
Data type: Integer
Parameter location: Header
The number of news items returned per page. The maximum and default value is 50.
page_number
Optional
Data type: Integer
Parameter location: Header
The exact page number of news items returned out of the whole list. The default value is 1 and the number of news items on each page is determined by the page_size parameter.
Examples
Get a list of Active Threats news items published between January 20, 2026, 00:00 and January 21, 2026, 00:00 (UTC).
curl -X GET \
https://api.tdm.socprime.com/v1/active-threats/get-updates \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'date_start: 2026-01-20T00:00:00Z' \
-H 'date_end: 2026-01-21T00:00:00Z'
Server Responses
200
Successful Response
Example:
{
"date_start": "2026-01-21T11:04:51.684Z",
"date_end": "2026-01-21T11:04:51.684Z",
"page_number": 0,
"page_size": 0,
"pages_total": 0,
"active_threats": [
{
"name": "string",
"create_date": "2026-01-21T11:04:51.684Z",
"socprime_bias": "string"
}
]
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Validation Error
Example:
{
"detail": [
{
"loc": [
"string",
0
],
"msg": "string",
"type": "string"
}
]
}
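The get-updates endpoint is paged: page_size is capped at 50, page_number starts at 1, and the response reports pages_total, so a consumer that wants a whole time window has to loop until the last page and should bound that loop in case a server ever reported an inconsistent pages_total. The Python below is an added example, not SOC Prime's own client: it validates the window and paging values, sends date_start, date_end, page_size and page_number as header parameters exactly as the reference lists them, and walks the pages. The transport is injected as a callable returning the parsed JSON body; FakeActiveThreatsApi serves constructed news items so the pager runs offline, and the request-dict shape is this example's own convention.

```python
"""Paging through GET /v1/active-threats/get-updates (added example)."""
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List

BASE_URL = "https://api.tdm.socprime.com"
MAX_PAGE_SIZE = 50   # documented maximum (and default) page size


def parse_utc(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2026-01-20T00:00:00Z into an aware UTC datetime.
    The 'Z' suffix is rewritten because fromisoformat() rejects it before Python 3.11."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp {value!r} must carry a timezone")
    return parsed.astimezone(timezone.utc)


def build_page_request(api_key: str, date_start: str, date_end: str,
                       page_number: int = 1, page_size: int = MAX_PAGE_SIZE) -> Dict:
    """Validate the window and paging values, then describe one GET as a plain dict."""
    if parse_utc(date_start) >= parse_utc(date_end):
        raise ValueError("date_start must be earlier than date_end")
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("page_size must be between 1 and 50")
    if page_number < 1:
        raise ValueError("page_number starts at 1")
    return {
        "method": "GET",
        "url": f"{BASE_URL}/v1/active-threats/get-updates",
        # All four values are header parameters per the reference, so they go out as strings.
        "headers": {
            "client_secret_id": api_key,
            "date_start": date_start,
            "date_end": date_end,
            "page_size": str(page_size),
            "page_number": str(page_number),
        },
    }


def iter_active_threats(send: Callable[[Dict], Dict], api_key: str, date_start: str,
                        date_end: str, page_size: int = MAX_PAGE_SIZE,
                        max_pages: int = 1000) -> Iterator[Dict]:
    """Yield every news item in the window, following pages_total until exhausted.
    `max_pages` bounds the loop even if pages_total were ever reported inconsistently."""
    page = 1
    while page <= max_pages:
        body = send(build_page_request(api_key, date_start, date_end, page, page_size))
        items = body.get("active_threats") or []
        yield from items
        pages_total = int(body.get("pages_total") or 0)
        if not items or page >= pages_total:
            return
        page += 1


def collect_active_threats(send: Callable[[Dict], Dict], api_key: str, date_start: str,
                           date_end: str, page_size: int = MAX_PAGE_SIZE) -> List[Dict]:
    return list(iter_active_threats(send, api_key, date_start, date_end, page_size))


class FakeActiveThreatsApi:
    """Constructed stand-in serving `total` made-up news items over 1-indexed pages."""

    def __init__(self, total: int) -> None:
        self.items = [{"name": f"Constructed threat {n}", "create_date": "2026-01-20T12:00:00Z",
                       "socprime_bias": "constructed"} for n in range(total)]
        self.requests: List[Dict] = []

    def __call__(self, request: Dict) -> Dict:
        self.requests.append(request)
        hdr = request["headers"]
        size, page = int(hdr["page_size"]), int(hdr["page_number"])
        pages_total = -(-len(self.items) // size)   # ceiling division
        start = (page - 1) * size
        return {"date_start": hdr["date_start"], "date_end": hdr["date_end"],
                "page_number": page, "page_size": size, "pages_total": pages_total,
                "active_threats": self.items[start:start + size]}


if __name__ == "__main__":
    api = FakeActiveThreatsApi(total=120)
    got = collect_active_threats(api, "KEY", "2026-01-20T00:00:00Z", "2026-01-21T00:00:00Z")
    print(len(got), "items fetched in", len(api.requests), "requests")
```

Because every request carries the full window, a long window is paged consistently only if new items do not shift page boundaries during the walk; for a recurring feed, query short, non-overlapping windows rather than one large one.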
POST /v1/uncoder/translate-sigma
Translate a Sigma rule in Uncoder AI.
The request body should have the JSON format.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
rule_text
Required
Data type: String
Parameter location: Request Body
Sigma rule to be translated. The rule is written in YAML but is passed as a single JSON string.
dst_type
Required
Data type: String
Parameter location: Query
Destination SIEM type. Possible values:
ala-rule – Microsoft Sentinel Rule
ala – Microsoft Sentinel Query
elasticsearch – Elasticsearch Query
xpack-watcher – Elasticsearch Watcher
elasticsearch-rule – Elasticsearch Detection Rule
kibana – Kibana Saved Search
elastalert – Elasticsearch ElastAlert
qradar – Qradar Query
humio – CrowdStrike NextGen SIEM Falcon LogScale Query
humio-alert – CrowdStrike NextGen SIEM Falcon LogScale Alert
splunk – Splunk Query
splunk_alert – Splunk Alert
sumologic – Sumo Logic Query
sumologic-cse – Sumo Logic CSE Query
sumologic-cse-rule – Sumo Logic CSE Rule
arcsight-esm – ArcSight Rule
arcsight-keyword – ArcSight Query
logpoint – LogPoint Query
grep – Regex Grep Query
powershell – PowerShell Query
graylog – Graylog Query
kafka – Apache Kafka KSQL Query
rsa_netwitness – RSA NetWitness Query
carbonblack – VMware Carbon Black Cloud Query
carbonblack-edr – VMware Carbon Black EDR Query
open-ioc – FireEye OpenIOC
fireeye-helix – FireEye Helix Query
chronicle – Google SecOps Rule
chronicle-query – Google SecOps Query
securonix – Securonix Query
s1-events – SentinelOne Events Query
s1-process – SentinelOne Process State Query
sentinel-one-power-query – SentinelOne PowerQuery
mdatp – Microsoft Defender for Endpoint Query
qualys – Qualys IOC Query
sysmon – Sysmon Rule
crowdstrike – CrowdStrike Endpoint Security Query
limacharlie – LimaCharlie Rule
devo – Devo Query
snowflake – Snowflake Query
athena – Amazon Athena Query
opendistro-query – Amazon OpenSearch Query
opendistro-rule – Amazon OpenSearch Rule
fortisiem – FortiSIEM Rule
axon-ads-query – LogRhythm Axon Query
axon-ads-rule – LogRhythm Axon Rule
cortex-xdr-xql-query – Palo Alto Cortex XDR Query
cortex-xql-query – Palo Alto Cortex XSIAM Query
hunters-sql-query – Hunters Query
anomali-aql-query – Anomali Security Analytics Query
uberagent – UberAgent ESA Query
streamalert – StreamAlert Query
stix – STIX Query
sql – SQL Query
sqlite – SQLite Query
crowdstrike-ng-query – CrowdStrike NextGen SIEM Query
trend-micro-xdr-query – Trend Vision One Query
dst_alt_translation
Optional
Data type: String
Parameter location: Query
Alternative data schema of the output platform format (if needed).
To find out what schemas are currently supported for a certain output platform format, go to the web interface of Uncoder AI, select the desired input platform format, then select the desired output platform format and check available schemas.
Examples
Translate a Sigma rule into a Microsoft Sentinel query.
curl -X POST \
https://api.tdm.socprime.com/v1/uncoder/translate-sigma?dst_type=ala \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d '{"rule_text": "string"}'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/uncoder/ioc/generate-query
Generate platform-specific queries from Indicators of Compromise (IOCs).
The request body should have the JSON format.
Note that the response is subject to the limitations (if any) of your Uncoder AI subscription plan.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
text
Required
Data type: String
Parameter location: Request Body
IOCs to be included in the query.
siem_type
Required
Data type: String
Parameter location: Request Body
Output query format. Possible values:
ala – Microsoft Sentinel Query
elasticsearch – Elasticsearch Query
qradar – Qradar Query
humio – CrowdStrike NextGen SIEM Falcon LogScale Query
splunk – Splunk Query
sumologic – Sumo Logic Query
arcsight-keyword – ArcSight Query
logpoint – LogPoint Query
graylog – Graylog Query
rsa_netwitness – RSA NetWitness Query
carbonblack – VMware Carbon Black Cloud Query
carbonblack-edr – VMware Carbon Black EDR Query
fireeye-helix – FireEye Helix Query
chronicle-query – Google SecOps Query
securonix – Securonix Query
s1-events – SentinelOne Events Query
mdatp – Microsoft Defender for Endpoint Query
qualys – Qualys IOC Query
crowdstrike – CrowdStrike Endpoint Security Query
snowflake – Snowflake Query
field_mapping_name
Optional
Data type: String
Parameter location: Request Body
Name of an IOC Field Mapping profile configured in Uncoder AI. Length: 1 to 100 characters. Default value: default.
include_source_ip
Optional
Data type: Boolean
Parameter location: Request Body
Defines whether to add source IPs to the query (with the OR operator) in addition to destination IPs:
true – add
false – don't add
Default value: false.
include_ioc_types
Optional
Data type: List of Strings
Parameter location: Request Body
Types of IOCs from the text parameter that will be used for generating queries. Possible values:
domain
url
hash
ip
By default, all possible types are used.
include_hash_types
Optional
Data type: List of Strings
Parameter location: Request Body
Types of hashes from the text parameter that will be used for generating queries. Possible values:
md5
sha1
sha256
sha512
By default, all possible types are used. For this parameter to work, include_ioc_types should have hash as one of its values.
exceptions
Optional
Data type: List of Strings
Parameter location: Request Body
IOC in the text parameter to be ignored.
ioc_parsing_rules
Optional
Data type: List of Strings
Parameter location: Request Body
Additional parsing settings. Possible values:
replace_dots – Replace (.) [.] {.} with a dot
remove_private_and_reserved_ips – Exclude Private & Reserved Networks: private and reserved IP addresses like 224.0.0.0/4 or 127.0.0.0/8 are ignored during IOC recognition
replace_hxxp – Replace hxxp with http: this functionality is case insensitive, so hXXp, HXXP, HXXp, and hXXP are replaced as well
iocs_per_query
Optional
Data type: Integer
Parameter location: Request Body
The number of IOCs per generated query. An integer in a range of 25 to 300. Default value: 25.
Examples
Generate queries for Microsoft Sentinel based on a set of IOCs.
curl -X POST \
https://api.tdm.socprime.com/v1/uncoder/ioc/generate-query \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d '{
"text": "example.com, domain.com/item1/item2, 8[.]8[.]8[.]8, 9e107d9d372bb6826bd81d3542a419d6",
"siem_type": "ala",
"field_mapping_name": "default",
"include_source_ip": true,
"include_ioc_types": [
"ip", "hash", "domain", "url"
],
"include_hash_types": [
"md5"
],
"exceptions": [
"8.8.8.8"
],
"ioc_parsing_rules": [
"replace_dots"
],
"iocs_per_query": 25
}'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/uncoder/ioc/parse-iocs
Parse Indicators of Compromise (IOCs) from a text.
The request body should have the JSON format.
Note that the response is subject to the limitations (if any) of your Uncoder AI subscription plan.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
text
Required
Data type: String
Parameter location: Request Body
Text with IOCs to be parsed.
include_ioc_types
Optional
Data type: List of Strings
Parameter location: Request Body
Types of IOCs to be parsed from the text parameter. Possible values:
domain
url
hash
ip
By default, all possible types are used.
include_hash_types
Optional
Data type: List of Strings
Parameter location: Request Body
Types of hashes to be parsed from the text parameter. Possible values:
md5
sha1
sha256
sha512
By default, all possible types are used. For this parameter to work, include_ioc_types should have hash as one of its values.
exceptions
Optional
Data type: List of Strings
Parameter location: Request Body
IOC in the text parameter to be ignored.
ioc_parsing_rules
Optional
Data type: List of Strings
Parameter location: Request Body
Additional parsing settings. Possible values:
replace_dots – Replace (.) [.] {.} with a dot
remove_private_and_reserved_ips – Exclude Private & Reserved Networks: private and reserved IP addresses like 224.0.0.0/4 or 127.0.0.0/8 are ignored during IOC recognition
replace_hxxp – Replace hxxp with http: this functionality is case insensitive, so hXXp, HXXP, HXXp, and hXXP are replaced as well
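The ioc_parsing_rules, include_ioc_types, include_hash_types and exceptions parameters (documented for both generate-query and parse-iocs) decide which indicators a request will keep, and getting them wrong wastes subscription quota on a result that silently drops the indicator you cared about. The Python below is an added example and is not Uncoder AI's parser: it models locally what the reference says the three rules do (replace_dots, replace_hxxp, and remove_private_and_reserved_ips) together with the type filters and exception list, so a defender can preview the effect of a parameter set on a piece of threat-intel text before sending it. The recognisers are deliberately simple and are this example's own choices: the domain pattern does not consult a TLD registry, and a host inside a URL is reported only as the URL. The sample text in the test is constructed.

```python
"""Local model of the Uncoder AI IOC parsing parameters (added example, not Uncoder's code)."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

DEFANGED_DOT = re.compile(r"[\(\[\{]\.[\)\]\}]")          # (.) [.] {.}
HXXP = re.compile(r"hxxp", re.IGNORECASE)                   # hxxps:// becomes https://
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"\bhttps?://[^\s,'\"<>]+", re.IGNORECASE)
DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.IGNORECASE)
HEXRUN = re.compile(r"\b[0-9a-f]{32,128}\b", re.IGNORECASE)
HASH_TYPE_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
ALL_IOC_TYPES = ("domain", "url", "hash", "ip")
ALL_HASH_TYPES = ("md5", "sha1", "sha256", "sha512")
KNOWN_RULES = {"replace_dots", "replace_hxxp", "remove_private_and_reserved_ips"}


def apply_parsing_rules(text: str, rules: Iterable[str]) -> str:
    """Apply the text-rewriting rules; remove_private_and_reserved_ips acts at match time."""
    rules = set(rules)
    unknown = rules - KNOWN_RULES
    if unknown:
        raise ValueError(f"unknown ioc_parsing_rules: {sorted(unknown)}")
    if "replace_dots" in rules:
        text = DEFANGED_DOT.sub(".", text)
    if "replace_hxxp" in rules:
        text = HXXP.sub("http", text)   # case-insensitive, so hXXp / HXXP are covered too
    return text


def is_private_or_reserved(addr: ipaddress.IPv4Address) -> bool:
    """True for the ranges the rule description names (224.0.0.0/4, 127.0.0.0/8) and their kin."""
    return (addr.is_private or addr.is_reserved or addr.is_multicast or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)


def parse_iocs(text: str, include_ioc_types: Optional[List[str]] = None,
               include_hash_types: Optional[List[str]] = None,
               exceptions: Iterable[str] = (), ioc_parsing_rules: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return {"domain": [...], "url": [...], "hash": [...], "ip": [...]} in order of appearance."""
    rules = set(ioc_parsing_rules)
    wanted = set(include_ioc_types or ALL_IOC_TYPES)
    wanted_hashes = set(include_hash_types or ALL_HASH_TYPES)
    ignored = {e.lower() for e in exceptions}
    text = apply_parsing_rules(text, rules)
    found: Dict[str, List[str]] = {t: [] for t in ALL_IOC_TYPES}

    def keep(kind: str, value: str) -> None:
        if kind in wanted and value.lower() not in ignored and value not in found[kind]:
            found[kind].append(value)

    for url in URL.findall(text):
        keep("url", url)
    rest = URL.sub(" ", text)               # do not re-read URL hosts as bare domains
    for ip in IPV4.findall(rest):
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:                  # e.g. 999.1.1.1 matched the loose regex
            continue
        if "remove_private_and_reserved_ips" in rules and is_private_or_reserved(addr):
            continue
        keep("ip", ip)
    for run in HEXRUN.findall(rest):
        kind = HASH_TYPE_BY_LENGTH.get(len(run))
        if kind in wanted_hashes:           # other lengths are not hashes we recognise
            keep("hash", run.lower())
    for domain in DOMAIN.findall(rest):
        keep("domain", domain.lower())
    return found


if __name__ == "__main__":
    sample = "Seen hXXp://evil[.]example/payload.bin, C2 10(.)0(.)0(.)5 and 8[.]8[.]8[.]8"  # constructed
    print(parse_iocs(sample))
    print(parse_iocs(sample, ioc_parsing_rules=["replace_dots", "replace_hxxp",
                                                "remove_private_and_reserved_ips"]))
```

Running the same text with and without the rules shows why they matter: without replace_dots a defanged IP is not recognised at all, and without replace_hxxp a defanged URL is neither a URL nor fully a domain, so the indicator would be missing from the generated query.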
Examples
Parse emails and hashes from the text.
curl -X POST \
https://api.tdm.socprime.com/v1/uncoder/ioc/parse-iocs \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d '{
"text": "An example of possible IOCs: example.exe, example@domain.com, 8[.]8[.]8[.]8, 9e107d9d372bb6826bd81d3542a419d6, e4d909c290d0fb1ca068ffaddf22cbd0",
"include_ioc_types": [
"ip", "hash", "domain"
],
"include_hash_types": [
"md5"
],
"exceptions": [
"e4d909c290d0fb1ca068ffaddf22cbd0"
],
"ioc_parsing_rules": [
"replace_dots"
]
}'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/uncoder/reverse
Translate a rule/query that has a platform-specific format into Sigma or another platform-specific format.
The request body should have the JSON format.
Note that translation between different formats of the same platform is available to all Uncoder AI subscription plans while translation between different platforms is offered only under certain plans and requires the reverse translation balance.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
src_type
Required
Data type: String
Parameter location: Query
Input platform format.
Note that only certain platforms and formats are supported for reverse translation, and we're working on expanding their list. To find out if a certain input platform format is currently supported, go to the web interface of Uncoder AI, select this platform format as input, and check available output options.
dst_type
Required
Data type: String
Parameter location: Query
Output platform format.
Note that only certain platforms and formats are supported for reverse translation, and we're working on expanding their list. To find out if a certain platform format is currently supported as an output for a certain input, go to the web interface of Uncoder AI, select the desired input platform format, and check available output options.
src_alt_translation
Optional
Data type: String
Parameter location: Query
Alternative data schema of the input platform format (if used).
To find out what schemas are currently supported for a certain input platform format, go to the web interface of Uncoder AI, select the desired input platform format, and check available schemas.
dst_alt_translation
Optional
Data type: String
Parameter location: Query
Alternative data schema of the output platform format (if needed).
To find out what schemas are currently supported for a certain output platform format, go to the web interface of Uncoder AI, select the desired input platform format, then select the desired output platform format and check available schemas.
rule_text
Required
Data type: String
Parameter location: Request Body
The rule/query to be translated.
Examples
Convert a Splunk Query into a Microsoft Sentinel Query.
curl -X POST \
https://api.tdm.socprime.com/v1/uncoder/reverse?src_type=splunk&dst_type=ala \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d '{
"rule_text": "index=* source=\"WinEventLog:*\" AND (Image=\"*\\abc.exe\" OR OriginalFileName=\"abc.exe\")"
}'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/uncoder/warden
Check a Sigma rule in Warden.
The request body should have the JSON format.
Note that the response is subject to the limitations (if any) of your Uncoder AI subscription plan.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
rule_text
Required
Data type: String
Parameter location: Request Body
Sigma rule to be checked. The rule is written in YAML but is passed as a single JSON string.
Examples
Check a Sigma rule in Warden.
curl -X POST \
https://api.tdm.socprime.com/v1/uncoder/warden \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-d '{"rule_text": "string"}'
Server Responses
200
Successful Response
For example:
{
"warnings": [
{
"id": "string",
"msg": "string"
}
],
"errors": [
{
"id": "string",
"msg": "string"
}
],
"duplicates_count": 0,
"plagiarism_level": "string",
"possitiveCheckCount": 0,
"score": 0,
"version": "string",
"warden_limited": true
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
To call these endpoints, your API key has to have both Uncoder AI and AI Features permissions (they are set when creating the key).
This set of endpoints implements an asynchronous API using the Long-Running Operation (LRO) pattern. Rather than receiving the result within a single request-response cycle, you do the following:
Call the endpoint of interest.
Instead of waiting for the task to finish, the API immediately returns a unique identifier (job_id) for the job that will complete your task.
You poll the dedicated endpoint /ai-features-in-uncoder/job-result to check whether the task is complete.
Once the task is complete, the job status is done and the response includes the job result.
The rate limit for the endpoints that initiate jobs is 1 request per 30 seconds per user. The /ai-features-in-uncoder/job-result endpoint, which checks the job status and returns the job result, has the standard rate limit of 30 requests per 10 seconds.
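The LRO pattern described above has two things a script must get right: it may start at most one job per 30 seconds, and it must keep polling job-result (at no more than the standard 30 requests per 10 seconds) until the status changes from pending to done, giving up after a sensible timeout rather than looping forever. The Python below is an added example, not SOC Prime's own client: it paces job-starting POSTs, sends the body as a JSON string like the curl examples do, refuses siem_type for a threat_report source, and polls with a bounded wait. The job-result path follows the curl example later on this page (/v1/ai-features-in-uncoder/job-result/{job_id}); treating any status other than pending or done as a failure, and the request-dict shape, are this example's own assumptions. Transport, clock and sleep are injected so the loop runs offline against the constructed FakeJobApi and FakeClock.

```python
"""Long-Running Operation client for the AI features endpoints (added example)."""
import json
import time
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

BASE_URL = "https://api.tdm.socprime.com"
INITIATE_INTERVAL_S = 30.0           # documented: 1 job-starting request per 30 s per user
MIN_POLL_INTERVAL_S = 10.0 / 30.0    # documented: 30 requests per 10 s on job-result


class LroClient:
    def __init__(self, send: Callable[[Dict], Dict], api_key: str,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.send, self.api_key, self.sleep, self.clock = send, api_key, sleep, clock
        self._last_start: Optional[float] = None

    def _headers(self) -> Dict[str, str]:
        return {"client_secret_id": self.api_key, "accept": "application/json",
                "Content-Type": "application/json"}

    def start_job(self, path: str, query: Dict[str, str], text: str) -> str:
        """POST `text` to a job-starting endpoint (e.g. /v1/ai-features-in-uncoder/short-summary)
        and return its job_id, pacing calls to the documented 1-per-30-s limit."""
        if query.get("source_type") == "threat_report" and "siem_type" in query:
            raise ValueError("siem_type must not be passed when source_type is threat_report")
        if self._last_start is not None:
            wait = INITIATE_INTERVAL_S - (self.clock() - self._last_start)
            if wait > 0:
                self.sleep(wait)
        self._last_start = self.clock()
        body = self.send({"method": "POST", "url": f"{BASE_URL}{path}?{urlencode(query)}",
                          "headers": self._headers(), "body": json.dumps(text)})
        job_id = body.get("job_id")
        if not job_id:
            raise RuntimeError(f"no job_id in response: {body!r}")
        return job_id

    def wait_for_result(self, job_id: str, poll_interval: float = 2.0, timeout: float = 300.0):
        """Poll job-result until status is done and return the result field."""
        poll_interval = max(poll_interval, MIN_POLL_INTERVAL_S)
        deadline = self.clock() + timeout
        while True:
            body = self.send({"method": "GET",
                              "url": f"{BASE_URL}/v1/ai-features-in-uncoder/job-result/{job_id}",
                              "headers": self._headers()})
            status = body.get("status")
            if status == "done":
                return body.get("result")
            if status != "pending":      # the reference documents only pending and done
                raise RuntimeError(f"job {job_id} ended with status {status!r}")
            if self.clock() >= deadline:
                raise TimeoutError(f"job {job_id} still pending after {timeout} s")
            self.sleep(poll_interval)


class FakeJobApi:
    """Constructed stand-in: each job stays pending for `pending_polls` checks, then finishes."""

    def __init__(self, pending_polls: int, result: str) -> None:
        self.pending_polls, self.result = pending_polls, result
        self.jobs: Dict[str, int] = {}     # job_id -> polls seen so far
        self.starts = 0

    def __call__(self, request: Dict) -> Dict:
        if request["method"] == "POST":
            self.starts += 1
            job_id = f"constructed-job-{self.starts}"
            self.jobs[job_id] = 0
            return {"status": "pending", "job_id": job_id, "result": "none"}
        job_id = request["url"].rsplit("/", 1)[1]
        self.jobs[job_id] += 1
        if self.jobs[job_id] <= self.pending_polls:
            return {"status": "pending", "job_id": job_id, "result": "none"}
        return {"status": "done", "job_id": job_id, "result": self.result}


class FakeClock:
    """Constructed clock: sleeps are instantaneous but still advance time."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    api, clock = FakeJobApi(pending_polls=2, result="constructed summary"), FakeClock()
    client = LroClient(api, "KEY", sleep=clock.sleep, clock=clock.now)
    job = client.start_job("/v1/ai-features-in-uncoder/short-summary",
                           {"source_type": "rule", "siem_type": "splunk"}, "index=* | head 1")
    print(job, "->", client.wait_for_result(job), "after", clock.now(), "s")
```

With the real transport in place, the same client serialises job starts across one API key; if several scripts share a key they share the 1-per-30-s budget, so the pacing has to live in one place or the second starter will receive 429 responses.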
GET /ai-features-in-uncoder/job-result
Check the status of a job (started by a request to another endpoint) and get the result once the job is finished.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
job_id
Required
Data type: String
Parameter location: Path
The ID of the job, as returned in the response that started the job.
Examples
Check the status of a job with ID 1cbaafa5-6841-45ff-6589-f5beda00b7c1 and get the job result once it's finished.
curl -X GET \
'https://api.tdm.socprime.com/v1/ai-features-in-uncoder/job-result/1cbaafa5-6841-45ff-6589-f5beda00b7c1' \
-H 'accept: application/json' \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response
Example:
{
"status": "pending",
"job_id": "1cbaafa5-6841-45ff-6589-f5beda00b7c1",
"result": "none"
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/ai-features-in-uncoder/short-summary
Generate a short summary of a detection rule/query or a threat report.
Pass the detection content or threat report to be summarized as a string in the request body.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
source_type
Required
Data type: String
Parameter location: Query
The type of the text to be summarized. Available values:
rule – any type of detection content
threat_report – any type of threat report, advisory, etc.
siem_type
Required
Data type: String
Parameter location: Query
This parameter defines the platform and format of the detection content to be summarized. If source_type = threat_report, do not pass it.
Available values:
anomali-aql-query – Anomali Security Analytics Query
kafka – Apache Kafka ksqlDB Query (KSQL)
arcsight-esm – ArcSight Rule
athena – AWS Athena Query
opendistro-query – AWS OpenSearch Query (Lucene)
opendistro-rule – AWS OpenSearch Rule (JSON)
crowdstrike – Crowdstrike Endpoint Security Query
csharp – CSharp Regex Query (LINQ)
datadog-logs – Datadog Query
devo – Devo Query
dnif – DNIF Query
elastalert-dsl – ElastAlert Alert (DSL)
elastalert – ElastAlert Alert (Lucene)
es-rule-eql – Elastic Stack Detection Rule (EQL)
elasticsearch-rule – Elastic Stack Detection Rule (Lucene)
elastic-esql-rule – Elastic Stack ES|QL Detection Rule
elastic-esql-query – Elastic Stack ES|QL Query
kibana – Elastic Stack Kibana SavedSearch (JSON)
es-dsl – Elastic Stack Query (DSL)
es-eql – Elastic Stack Query (EQL)
elasticsearch – Elastic Stack Query (Lucene)
exabeam-analytics-rule – Exabeam New-Scale Analytics Rule (JSON)
exabeam-correlation-rule – Exabeam New-Scale Correlation Rule (JSON)
exabeam-eql-query – Exabeam New-Scale Search Query (EQL)
exabeam-lucene-query – Exabeam Query
falco-yaml-rule – Falco Rule (YAML)
humio – CrowdStrike NextGen SIEM Falcon LogScale Query
fireeye-helix – FireEye Query
open-ioc – FireEye Rule (XML)
fortisiem – FortiSIEM Rule
chronicle-query – Google SecOps Query (UDM)
chronicle – Google SecOps Rule (YARA-L)
graylog – Graylog Query
hawk – HawkSearch Query
hunters-sql-query – Hunters Query
qradar – IBM QRadar Query (AQL)
lacework – Lacework Query
limacharlie – LimaCharlie Rule
logiq – Logiq Rule
logpoint – Logpoint Query
mdatp – Microsoft Defender for Endpoint Query (Kusto)
ala – Microsoft Sentinel Query (Kusto)
ala-rule – Microsoft Sentinel Rule (Kusto)
sentinel-kql-yaml-rule – Microsoft Sentinel Rule (YML)
ee-outliers – NVISO EE-Outliers Query
cortex-xdr-xql-query – Palo Alto Cortex XDR Query
cortex-xql-query – Palo Alto Cortex XSIAM Query (XQL)
powershell – PowerShell Query
qualys – Qualys IOC Query
grep – Regex Grep Query
rsa_netwitness – RSA NetWitness Query
netwitness-epl – RSA Netwitness Query (EPL)
securonix – Securonix Query
sentinel-one-power-query – SentinelOne PowerQuery
s1-process – SentinelOne Query (Process State)
sigma – Sigma Rule
snowflake – Snowflake Query (SQL)
splunk_alert – Splunk Alert (SPL)
splunk – Splunk Query (SPL)
sql – SQL Query
sqlite – SQLite Query
stix – STIX Pattern
streamalert – StreamAlert Alert
sumologic – Sumo Logic Query
sumologic-cse – Sumo Logic Query (CSE)
sumologic-cse-rule – Sumo Logic Rule (CSE)
sysmon – Sysmon Config
uberagent – UberAgent ESA Query
carbonblack – VMware Carbon Black Query (Cloud)
carbonblack-edr – VMware Carbon Black Query (EDR)
crowdstrike-ng-query – CrowdStrike NextGen SIEM Query
trend-micro-xdr-query – Trend Vision One Query
Examples
Get the short summary of a Splunk query.
curl -X 'POST' \
'https://api.tdm.socprime.com/v1/ai-features-in-uncoder/short-summary?source_type=rule&siem_type=splunk' \
-H 'accept: application/json' \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '"index=* source=\"WinEventLog:*\" AND (Image=\"*\\abc.exe\" OR OriginalFileName=\"abc.exe\")"'
Server Responses
200
Successful Response
Example:
{
"status": "pending",
"job_id": "string",
"result": "string"
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/ai-features-in-uncoder/full-summary
Generate a full summary of a detection rule/query or a threat report.
Pass the detection content or threat report to be summarized as a string in the request body.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
source_type
Required
Data type: String
Parameter location: Query
The type of the text to be summarized. Available values:
rule – any type of detection content
threat_report – any type of threat report, advisory, etc.
siem_type
Required
Data type: String
Parameter location: Query
This parameter defines the platform and format of the detection content to be summarized. If source_type = threat_report, do not pass it.
Available values:
anomali-aql-query – Anomali Security Analytics Query
kafka – Apache Kafka ksqlDB Query (KSQL)
arcsight-esm – ArcSight Rule
athena – AWS Athena Query
opendistro-query – AWS OpenSearch Query (Lucene)
opendistro-rule – AWS OpenSearch Rule (JSON)
crowdstrike – Crowdstrike Endpoint Security Query
csharp – CSharp Regex Query (LINQ)
datadog-logs – Datadog Query
devo – Devo Query
dnif – DNIF Query
elastalert-dsl – ElastAlert Alert (DSL)
elastalert – ElastAlert Alert (Lucene)
es-rule-eql – Elastic Stack Detection Rule (EQL)
elasticsearch-rule – Elastic Stack Detection Rule (Lucene)
elastic-esql-rule – Elastic Stack ES|QL Detection Rule
elastic-esql-query – Elastic Stack ES|QL Query
kibana – Elastic Stack Kibana SavedSearch (JSON)
es-dsl – Elastic Stack Query (DSL)
es-eql – Elastic Stack Query (EQL)
elasticsearch – Elastic Stack Query (Lucene)
exabeam-analytics-rule – Exabeam New-Scale Analytics Rule (JSON)
exabeam-correlation-rule – Exabeam New-Scale Correlation Rule (JSON)
exabeam-eql-query – Exabeam New-Scale Search Query (EQL)
exabeam-lucene-query – Exabeam Query
falco-yaml-rule – Falco Rule (YAML)
humio – CrowdStrike NextGen SIEM Falcon LogScale Query
fireeye-helix – FireEye Query
open-ioc – FireEye Rule (XML)
fortisiem – FortiSIEM Rule
chronicle-query – Google SecOps Query (UDM)
chronicle – Google SecOps Rule (YARA-L)
graylog – Graylog Query
hawk – HawkSearch Query
hunters-sql-query – Hunters Query
qradar – IBM QRadar Query (AQL)
lacework – Lacework Query
limacharlie – LimaCharlie Rule
logiq – Logiq Rule
logpoint – Logpoint Query
mdatp – Microsoft Defender for Endpoint Query (Kusto)
ala – Microsoft Sentinel Query (Kusto)
ala-rule – Microsoft Sentinel Rule (Kusto)
sentinel-kql-yaml-rule – Microsoft Sentinel Rule (YML)
ee-outliers – NVISO EE-Outliers Query
cortex-xdr-xql-query – Palo Alto Cortex XDR Query
cortex-xql-query – Palo Alto Cortex XSIAM Query (XQL)
powershell – PowerShell Query
qualys – Qualys IOC Query
grep – Regex Grep Query
rsa_netwitness – RSA NetWitness Query
netwitness-epl – RSA Netwitness Query (EPL)
securonix – Securonix Query
sentinel-one-power-query – SentinelOne PowerQuery
s1-process – SentinelOne Query (Process State)
sigma – Sigma Rule
snowflake – Snowflake Query (SQL)
splunk_alert – Splunk Alert (SPL)
splunk – Splunk Query (SPL)
sql – SQL Query
sqlite – SQLite Query
stix – STIX Pattern
streamalert – StreamAlert Alert
sumologic – Sumo Logic Query
sumologic-cse – Sumo Logic Query (CSE)
sumologic-cse-rule – Sumo Logic Rule (CSE)
sysmon – Sysmon Config
uberagent – UberAgent ESA Query
carbonblack – VMware Carbon Black Query (Cloud)
carbonblack-edr – VMware Carbon Black Query (EDR)
crowdstrike-ng-query – CrowdStrike NextGen SIEM Query
trend-micro-xdr-query – Trend Vision One Query
Examples
Get the full summary of a Splunk query.
curl -X 'POST' \
'https://api.tdm.socprime.com/v1/ai-features-in-uncoder/full-summary?source_type=rule&siem_type=splunk' \
-H 'accept: application/json' \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '"index=* source=\"WinEventLog:*\" AND (Image=\"*\\abc.exe\" OR OriginalFileName=\"abc.exe\")"'
Server Responses
200
Successful Response
Example:
{
"status": "pending",
"job_id": "string",
"result": "string"
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/ai-features-in-uncoder/attack-flow
Generate an attack flow based on a threat report.
Pass the threat report text as a string in the request body.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
Examples
Generate attack flow from the text of a threat report.
curl -X POST \
'https://api.tdm.socprime.com/v1/ai-features-in-uncoder/attack-flow' \
-H 'accept: application/json' \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '"Text of your threat report encoded as a string"'
Server Responses
200
Successful Response
Example:
{
"status": "pending",
"job_id": "string",
"result": "string"
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/ai-features-in-uncoder/custom-prompt
Get LLM's response to your custom instructions.
Pass your prompt encoded as a string in the request body.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
Examples
Get Uncoder AI LLM's response to your custom prompts.
curl -X POST \
'https://api.tdm.socprime.com/v1/ai-features-in-uncoder/custom-prompt' \
-H 'accept: application/json' \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '"Text of your custom prompt encoded as string"'
Server Responses
200
Successful Response
Example:
{
"status": "pending",
"job_id": "string",
"result": "string"
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/ai-features-in-uncoder/rule-generation
Generate Sigma rules that detect adversary behaviors described in a threat report.
Pass your threat report encoded as a string in the request body.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
Examples
Generate Sigma rules to detect behaviors described in the provided threat report.
curl -X POST \
'https://api.tdm.socprime.com/v1/ai-features-in-uncoder/rule-generation' \
-H 'accept: application/json' \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '"Text of your threat report encoded as a string"'
Server Responses
200
Successful Response
Example:
{
"status": "pending",
"job_id": "string",
"result": "string"
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/ai-features-in-uncoder/decision-tree
Generate a decision tree for the logic of a query or rule that explains step by step how it works, including nested sub-conditions, branches, and other intricate logic.
Pass your detection rule/query encoded as a string in the request body.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
siem_type
Required
Data type: String
Parameter location: Query
This parameter defines the platform and format of the detection content passed to build a decision tree.
Available values:
anomali-aql-query – Anomali Security Analytics Query
kafka – Apache Kafka ksqlDB Query (KSQL)
arcsight-esm – ArcSight Rule
athena – AWS Athena Query
opendistro-query – AWS OpenSearch Query (Lucene)
opendistro-rule – AWS OpenSearch Rule (JSON)
crowdstrike – Crowdstrike Endpoint Security Query
csharp – CSharp Regex Query (LINQ)
datadog-logs – Datadog Query
devo – Devo Query
dnif – DNIF Query
elastalert-dsl – ElastAlert Alert (DSL)
elastalert – ElastAlert Alert (Lucene)
es-rule-eql – Elastic Stack Detection Rule (EQL)
elasticsearch-rule – Elastic Stack Detection Rule (Lucene)
elastic-esql-rule – Elastic Stack ES|QL Detection Rule
elastic-esql-query – Elastic Stack ES|QL Query
kibana – Elastic Stack Kibana SavedSearch (JSON)
es-dsl – Elastic Stack Query (DSL)
es-eql – Elastic Stack Query (EQL)
elasticsearch – Elastic Stack Query (Lucene)
exabeam-analytics-rule – Exabeam New-Scale Analytics Rule (JSON)
exabeam-correlation-rule – Exabeam New-Scale Correlation Rule (JSON)
exabeam-eql-query – Exabeam New-Scale Search Query (EQL)
exabeam-lucene-query – Exabeam Query
falco-yaml-rule – Falco Rule (YAML)
humio – CrowdStrike NextGen SIEM Falcon LogScale Query
fireeye-helix – FireEye Query
open-ioc – FireEye Rule (XML)
fortisiem – FortiSIEM Rule
chronicle-query – Google SecOps Query (UDM)
chronicle – Google SecOps Rule (YARA-L)
graylog – Graylog Query
hawk – HawkSearch Query
hunters-sql-query – Hunters Query
qradar – IBM QRadar Query (AQL)
lacework – Lacework Query
limacharlie – LimaCharlie Rule
logiq – Logiq Rule
logpoint – Logpoint Query
mdatp – Microsoft Defender for Endpoint Query (Kusto)
ala – Microsoft Sentinel Query (Kusto)
ala-rule – Microsoft Sentinel Rule (Kusto)
sentinel-kql-yaml-rule – Microsoft Sentinel Rule (YML)
ee-outliers – NVISO EE-Outliers Query
cortex-xdr-xql-query – Palo Alto Cortex XDR Query
cortex-xql-query – Palo Alto Cortex XSIAM Query (XQL)
powershell – PowerShell Query
qualys – Qualys IOC Query
grep – Regex Grep Query
rsa_netwitness – RSA NetWitness Query
netwitness-epl – RSA Netwitness Query (EPL)
securonix – Securonix Query
sentinel-one-power-query – SentinelOne PowerQuery
s1-process – SentinelOne Query (Process State)
sigma – Sigma Rule
snowflake – Snowflake Query (SQL)
splunk_alert – Splunk Alert (SPL)
splunk – Splunk Query (SPL)
sql – SQL Query
sqlite – SQLite Query
stix – STIX Pattern
streamalert – StreamAlert Alert
sumologic – Sumo Logic Query
sumologic-cse – Sumo Logic Query (CSE)
sumologic-cse-rule – Sumo Logic Rule (CSE)
sysmon – Sysmon Config
uberagent – UberAgent ESA Query
carbonblack – VMware Carbon Black Query (Cloud)
carbonblack-edr – VMware Carbon Black Query (EDR)
crowdstrike-ng-query – CrowdStrike NextGen SIEM Query
trend-micro-xdr-query – Trend Vision One Query
Examples
Get a decision tree for a Sigma rule.
curl -X POST \
'https://api.tdm.socprime.com/v1/ai-features-in-uncoder/decision-tree?siem_type=sigma' \
-H 'accept: application/json' \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '"Your Sigma rule encoded as a string"'
Server Responses
200
Successful Response
Example:
{
"status": "pending",
"job_id": "string",
"result": "string"
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/ai-features-in-uncoder/rule-enrichment
Enrich a Sigma rule with MITRE ATT&CK techniques and sub-techniques suggested by AI. The suggested tags are added to the rule's tags section, which may be missing or empty in the Sigma rule you pass.
Pass the Sigma rule encoded as a string in the request body.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
Examples
Enrich a Sigma rule with MITRE ATT&CK tags suggested by AI.
curl -X POST \
'https://api.tdm.socprime.com/v1/ai-features-in-uncoder/rule-enrichment' \
-H 'accept: application/json' \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '"Your Sigma rule encoded as a string"'
Server Responses
200
Successful Response
Example:
{
"status": "pending",
"job_id": "string",
"result": "string"
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/ai-features-in-uncoder/query-optimization
Get optimization suggestions for your query.
Pass your query encoded as a string in the request body.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
siem_type
Required
Data type: String
Parameter location: Query
This parameter defines the platform and format of the query passed for optimization.
Available values:
anomali-aql-query – Anomali Security Analytics Query
kafka – Apache Kafka ksqlDB Query (KSQL)
arcsight-esm – ArcSight Rule
athena – AWS Athena Query
opendistro-query – AWS OpenSearch Query (Lucene)
opendistro-rule – AWS OpenSearch Rule (JSON)
crowdstrike – Crowdstrike Endpoint Security Query
csharp – CSharp Regex Query (LINQ)
datadog-logs – Datadog Query
devo – Devo Query
dnif – DNIF Query
elastalert-dsl – ElastAlert Alert (DSL)
elastalert – ElastAlert Alert (Lucene)
es-rule-eql – Elastic Stack Detection Rule (EQL)
elasticsearch-rule – Elastic Stack Detection Rule (Lucene)
elastic-esql-rule – Elastic Stack ES|QL Detection Rule
elastic-esql-query – Elastic Stack ES|QL Query
kibana – Elastic Stack Kibana SavedSearch (JSON)
es-dsl – Elastic Stack Query (DSL)
es-eql – Elastic Stack Query (EQL)
elasticsearch – Elastic Stack Query (Lucene)
exabeam-analytics-rule – Exabeam New-Scale Analytics Rule (JSON)
exabeam-correlation-rule – Exabeam New-Scale Correlation Rule (JSON)
exabeam-eql-query – Exabeam New-Scale Search Query (EQL)
exabeam-lucene-query – Exabeam Query
falco-yaml-rule – Falco Rule (YAML)
humio – CrowdStrike NextGen SIEM Falcon LogScale Query
fireeye-helix – FireEye Query
open-ioc – FireEye Rule (XML)
fortisiem – FortiSIEM Rule
chronicle-query – Google SecOps Query (UDM)
chronicle – Google SecOps Rule (YARA-L)
graylog – Graylog Query
hawk – HawkSearch Query
hunters-sql-query – Hunters Query
qradar – IBM QRadar Query (AQL)
lacework – Lacework Query
limacharlie – LimaCharlie Rule
logiq – Logiq Rule
logpoint – Logpoint Query
mdatp – Microsoft Defender for Endpoint Query (Kusto)
ala – Microsoft Sentinel Query (Kusto)
ala-rule – Microsoft Sentinel Rule (Kusto)
sentinel-kql-yaml-rule – Microsoft Sentinel Rule (YML)
ee-outliers – NVISO EE-Outliers Query
cortex-xdr-xql-query – Palo Alto Cortex XDR Query
cortex-xql-query – Palo Alto Cortex XSIAM Query (XQL)
powershell – PowerShell Query
qualys – Qualys IOC Query
grep – Regex Grep Query
rsa_netwitness – RSA NetWitness Query
netwitness-epl – RSA Netwitness Query (EPL)
securonix – Securonix Query
sentinel-one-power-query – SentinelOne PowerQuery
s1-process – SentinelOne Query (Process State)
sigma – Sigma Rule
snowflake – Snowflake Query (SQL)
splunk_alert – Splunk Alert (SPL)
splunk – Splunk Query (SPL)
sql – SQL Query
sqlite – SQLite Query
stix – STIX Pattern
streamalert – StreamAlert Alert
crowdstrike-ng-query – CrowdStrike NextGen SIEM Query
trend-micro-xdr-query – Trend Vision One Query
Examples
Get optimization suggestions for a Microsoft Sentinel query.
curl -X POST \
'https://api.tdm.socprime.com/v1/ai-features-in-uncoder/query-optimization?siem_type=ala' \
-H 'accept: application/json' \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '"Your Microsoft Sentinel query encoded as a string"'
Server Responses
200
Successful Response
Example:
{
"status": "pending",
"job_id": "string",
"result": "string"
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/ai-features-in-uncoder/validation
Analyze the syntax and structure of a rule/query and flag syntax errors and logic flaws, get suggestions on improvements, or confirm that everything is correct.
Pass your rule/query encoded as a string in the request body.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
siem_type
Required
Data type: String
Parameter location: Query
This parameter defines the platform and format of the rule/query passed for validation.
Available values:
anomali-aql-query – Anomali Security Analytics Query
kafka – Apache Kafka ksqlDB Query (KSQL)
arcsight-esm – ArcSight Rule
athena – AWS Athena Query
opendistro-query – AWS OpenSearch Query (Lucene)
opendistro-rule – AWS OpenSearch Rule (JSON)
coralogix-lucene-rule – Coralogix Alert
coralogix-lucene-query – Coralogix Query
crowdstrike – Crowdstrike Endpoint Security Query
csharp – CSharp Regex Query (LINQ)
datadog-logs – Datadog Query
devo – Devo Query
dnif – DNIF Query
elastalert-dsl – ElastAlert Alert (DSL)
elastalert – ElastAlert Alert (Lucene)
es-rule-eql – Elastic Stack Detection Rule (EQL)
elasticsearch-rule – Elastic Stack Detection Rule (Lucene)
elastic-esql-rule – Elastic Stack ES|QL Detection Rule
elastic-esql-query – Elastic Stack ES|QL Query
kibana – Elastic Stack Kibana SavedSearch (JSON)
es-dsl – Elastic Stack Query (DSL)
es-eql – Elastic Stack Query (EQL)
elasticsearch – Elastic Stack Query (Lucene)
exabeam-analytics-rule – Exabeam New-Scale Analytics Rule (JSON)
exabeam-correlation-rule – Exabeam New-Scale Correlation Rule (JSON)
exabeam-eql-query – Exabeam New-Scale Search Query (EQL)
exabeam-lucene-query – Exabeam Query
falco-yaml-rule – Falco Rule (YAML)
humio – CrowdStrike NextGen SIEM Falcon LogScale Query
fireeye-helix – FireEye Query
open-ioc – FireEye Rule (XML)
fortisiem – FortiSIEM Rule
chronicle-query – Google SecOps Query (UDM)
chronicle – Google SecOps Rule (YARA-L)
graylog – Graylog Query
hawk – HawkSearch Query
hunters-sql-query – Hunters Query
qradar – IBM QRadar Query (AQL)
lacework – Lacework Query
limacharlie – LimaCharlie Rule
logiq – Logiq Rule
logpoint – Logpoint Query
logsign-lucene-query – Logsign Unified SecOps Query
logsio-lucene-query – Logz.io Query
mdatp – Microsoft Defender for Endpoint Query (Kusto)
ala – Microsoft Sentinel Query (Kusto)
ala-rule – Microsoft Sentinel Rule (Kusto)
sentinel-kql-yaml-rule – Microsoft Sentinel Rule (YML)
ee-outliers – NVISO EE-Outliers Query
cortex-xdr-xql-query – Palo Alto Cortex XDR Query
cortex-xql-query – Palo Alto Cortex XSIAM Query (XQL)
powershell – PowerShell Query
qualys – Qualys IOC Query
grep – Regex Grep Query
rsa_netwitness – RSA NetWitness Query
netwitness-epl – RSA Netwitness Query (EPL)
securonix – Securonix Query
sentinel-one-power-query – SentinelOne PowerQuery
s1-process – SentinelOne Query (Process State)
sigma – Sigma Rule
snowflake – Snowflake Query (SQL)
sophosedr-sql-query – Sophos EDR Query
splunk_alert – Splunk Alert (SPL)
splunk – Splunk Query (SPL)
sql – SQL Query
sqlite – SQLite Query
stix – STIX Pattern
streamalert – StreamAlert Alert
sumologic – Sumo Logic Query
sumologic-cse – Sumo Logic Query (CSE)
sumologic-cse-rule – Sumo Logic Rule (CSE)
suricata-rule – Suricata Rule
sysmon – Sysmon Config
tanium-trs-query – Tanium Query
trendmicroxdr-lucene-query – Trend Micro XDR Query
uberagent – UberAgent ESA Query
carbonblack – VMware Carbon Black Query (Cloud)
carbonblack-edr – VMware Carbon Black Query (EDR)
crowdstrike-ng-query – CrowdStrike NextGen SIEM Query
trend-micro-xdr-query – Trend Vision One Query
Examples
Validate a Sigma rule.
curl -X POST \
'https://api.tdm.socprime.com/v1/ai-features-in-uncoder/validation?siem_type=sigma' \
-H 'accept: application/json' \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '"Your Sigma rule encoded as a string"'
Server Responses
200
Successful Response
Example:
{
"status": "pending",
"job_id": "string",
"result": "string"
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/ai-features-in-uncoder/results-aggregation
Group query results in order to facilitate further investigation.
Pass your query encoded as a string in the request body.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
siem_type
Required
Data type: String
Parameter location: Query
This parameter defines the platform and format of the query passed for results aggregation.
Available values:
qradar – IBM QRadar Query (AQL)
anomali-aql-query – Anomali Security Analytics Query
athena – AWS Athena Query
es-eql – Elastic Stack Query (EQL)
humio – CrowdStrike NextGen SIEM Falcon LogScale Query
mdatp – Microsoft Defender for Endpoint Query (Kusto)
ala – Microsoft Sentinel Query (Kusto)
splunk – Splunk Query (SPL)
sumologic – Sumo Logic Query
Examples
Aggregate results for a Microsoft Sentinel query.
curl -X POST \
'https://api.tdm.socprime.com/v1/ai-features-in-uncoder/results-aggregation?siem_type=ala' \
-H 'accept: application/json' \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '"Your Microsoft Sentinel query encoded as a string"'
Server Responses
200
Successful Response
Example:
{
"status": "pending",
"job_id": "string",
"result": "string"
}
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
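The endpoints under /v1/ai-features-in-uncoder/ share one calling convention: the content goes in the request body as a JSON string literal, siem_type (where the endpoint takes it) goes in the query string, the key goes in the client_secret_id header, and a 200 returns a job object with status, job_id and result. The Python below is an added example, not SOC Prime's own code or tooling: it builds such a request, refuses to send one that is missing a required siem_type, retries on 429 Too Many Requests with backoff, and surfaces 401/403 as key problems instead of retrying them. The SOCPRIME_API_KEY environment variable, the injectable send callable and the sample rule text are this example's own assumptions; retrieving the result of a job whose status is still pending is not shown here.

```python
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.tdm.socprime.com"
AI_PREFIX = "/v1/ai-features-in-uncoder/"

# Endpoints documented above that take siem_type as a query parameter.
SIEM_TYPED = {"full-summary", "decision-tree", "query-optimization",
              "validation", "results-aggregation"}


def build_request(feature, content, params=None, api_key=None):
    """Return (url, headers, body) for POST /v1/ai-features-in-uncoder/<feature>.

    `content` is the rule, query, report or prompt text. The API expects it as a
    JSON string literal in the body (the curl examples send -d '"..."'), so the
    text is JSON-encoded rather than sent raw.
    """
    params = dict(params or {})
    # full-summary omits siem_type when source_type is threat_report; every
    # other siem_type-taking endpoint requires it.
    needs_siem = feature in SIEM_TYPED and not (
        feature == "full-summary" and params.get("source_type") == "threat_report")
    if needs_siem and not params.get("siem_type"):
        raise ValueError(f"{feature} requires the siem_type query parameter")
    # Assumption of this example: the key comes from SOCPRIME_API_KEY so it is
    # never hard-coded in a script or left in shell history.
    api_key = api_key or os.environ.get("SOCPRIME_API_KEY")
    if not api_key:
        raise ValueError("no API key: set SOCPRIME_API_KEY or pass api_key=")
    url = BASE_URL + AI_PREFIX + feature
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {
        "accept": "application/json",
        "client_secret_id": api_key,
        "Content-Type": "application/json",
    }
    return url, headers, json.dumps(content).encode("utf-8")


def parse_job(text):
    """Validate the documented 200 body: {"status", "job_id", "result"}."""
    job = json.loads(text)
    missing = [k for k in ("status", "job_id", "result") if k not in job]
    if missing:
        raise ValueError(f"unexpected response, missing {missing}: {text[:200]}")
    return job


def submit_with_retry(feature, content, send, params=None, api_key=None,
                      max_attempts=5, sleep=time.sleep):
    """POST via `send(url, headers, body) -> (status_code, body_text)`.

    429 is retried with exponential backoff. 401/403 raise PermissionError:
    they usually mean a bad, expired or IP-restricted key, which no retry fixes.
    """
    url, headers, body = build_request(feature, content, params, api_key)
    delay = 1.0
    for _ in range(max_attempts):
        status, text = send(url, headers, body)
        if status == 429:
            sleep(delay)
            delay *= 2
            continue
        if status in (401, 403):
            raise PermissionError(f"HTTP {status} from {url}: check the key's "
                                  "validity, expiry, allowed IPs and product scope")
        if status != 200:
            raise RuntimeError(f"HTTP {status} from {url}: {text[:200]}")
        return parse_job(text)
    raise RuntimeError(f"gave up after {max_attempts} attempts (429 Too Many Requests)")


def urllib_send(url, headers, body):
    """Real transport over urllib; swap in a fake callable for offline tests."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Needs network access and SOCPRIME_API_KEY; the rule text is a sample.
    sigma_rule = ("title: Demo\nlogsource:\n  product: windows\n"
                  "detection:\n  sel:\n    Image|endswith: '\\abc.exe'\n  condition: sel\n")
    job = submit_with_retry("validation", sigma_rule, urllib_send, {"siem_type": "sigma"})
    print(job["status"], job["job_id"])
```

Because the transport is injected, the same code runs against a recorded response in a unit test and against the live API in production; the only thing that changes is the send callable.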
GET /v1/attack-detective/scans
Get a list of all finished scans run by your organization in Attack Detective.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
Examples
Get a list of scans run by your organization in Attack Detective.
curl -X GET \
https://api.tdm.socprime.com/v1/attack-detective/scans \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
429
Too Many Requests
GET /v1/attack-detective/scan-result
Get a JSON with scan results for a specified scan or a Data Plane in a scan.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
scan_group_id
Required (one of scan_group_id or scan_config_id)
Data type: String
Parameter location: Query
The ID of a scan. To find the ID of a scan, use the /v1/attack-detective/scans endpoint.
Specify exactly one of scan_group_id and scan_config_id in a request.
scan_config_id
Required (one of scan_group_id or scan_config_id)
Data type: String
Parameter location: Query
The ID of a Data Plane in a scan. To find this ID, use the /v1/attack-detective/scans endpoint.
Specify exactly one of scan_group_id and scan_config_id in a request.
Examples
Get a JSON with the results of a scan run by your organization in Attack Detective.
curl -X GET \
"https://api.tdm.socprime.com/v1/attack-detective/scan-result?scan_group_id=xxxxxxxxxxxxx" \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
The following endpoints are for service use only. They are not intended for user requests.
POST /v1/mark-rules-as-deployed
Allows marking rules as deployed.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
case_id
Required
Data type: String
Parameter location: Request Body
Sigma Rule ID. This parameter is passed as a field in the JSON object in the request body.
siem_type
Required
Data type: String
Parameter location: Request Body
Language format of the deployed content item. This parameter is passed as a field in the JSON object in the request body.
Available values:
ala-rule – Microsoft Sentinel Rule
ala – Microsoft Sentinel Query
elasticsearch – Elasticsearch Query (Lucene)
es-eql – Elasticsearch Query (EQL)
xpack-watcher – Elasticsearch Watcher
elasticsearch-rule – Elasticsearch Detection Rule (Lucene)
es-rule-eql – Elasticsearch Detection Rule (EQL)
kibana – Kibana Saved Search
elastalert – Elasticsearch ElastAlert
qradar – Qradar Query
humio – CrowdStrike NextGen SIEM Falcon LogScale Query
humio-alert – CrowdStrike NextGen SIEM Falcon LogScale Alert
splunk – Splunk Query
splunk_alert – Splunk Alert
sumologic – Sumo Logic Query
sumologic-cse – Sumo Logic CSE Query
sumologic-cse-rule – Sumo Logic CSE Rule
arcsight-esm – ArcSight Rule
arcsight-keyword – ArcSight Query
logpoint – LogPoint Query
grep – Regex Grep Query
powershell – PowerShell Query
graylog – Graylog Query
kafka – Apache Kafka KSQL Query
rsa_netwitness – RSA NetWitness Query
carbonblack – VMware Carbon Black Cloud Query
carbonblack-edr – VMware Carbon Black EDR Query
open-ioc – FireEye OpenIOC
fireeye-helix – FireEye Helix Query
chronicle – Google SecOps Rule
chronicle-query – Google SecOps Query
securonix – Securonix Query
s1-events – SentinelOne Events Query
s1-process – SentinelOne Process State Query
sentinel-one-power-query – SentinelOne PowerQuery
mdatp – Microsoft Defender for Endpoint Query
qualys – Qualys IOC Query
sysmon – Sysmon Rule
crowdstrike – CrowdStrike Endpoint Security Query
limacharlie – LimaCharlie Rule
devo – Devo Query
snowflake – Snowflake Query
athena – Amazon Athena Query
opendistro-query – Amazon OpenSearch Query
opendistro-rule – Amazon OpenSearch Rule
fortisiem – FortiSIEM Rule
axon-ads-query – LogRhythm Axon Query
axon-ads-rule – LogRhythm Axon Rule
cortex-xdr-xql-query – Palo Alto Cortex XDR Query
cortex-xql-query – Palo Alto Cortex XSIAM Query
hunters-sql-query – Hunters Query
anomali-aql-query – Anomali Security Analytics Query
crowdstrike-ng-query – CrowdStrike NextGen SIEM Query
trend-micro-xdr-query – Trend Vision One Query
Examples
Mark rules as deployed.
curl -X POST \
https://api.tdm.socprime.com/v1/mark-rules-as-deployed \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '[{"case_id": "XXXXXXYYYYYY", "siem_type": "elasticsearch"}, {"case_id": "YYYYYYXXXXXX", "siem_type": "ala"}]'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
POST /v1/rule-trigger-metrics
Allows logging the number of times a rule was triggered.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
rule_name
Required
Data type: String
Parameter location: Request Body
Content item name in Threat Detection Marketplace. This parameter is passed as a field in the JSON object in the request body.
case_id
Optional
Data type: String
Parameter location: Request Body
Content item ID in Threat Detection Marketplace. This parameter is passed as a field in the JSON object in the request body.
siem_type
Required
Data type: String
Parameter location: Request Body
Language format of the triggered rule. This parameter is passed as a field in the JSON object in the request body.
Available values:
ala-rule – Microsoft Sentinel Rule
ala – Microsoft Sentinel Query
elasticsearch – Elasticsearch Query (Lucene)
es-eql – Elasticsearch Query (EQL)
xpack-watcher – Elasticsearch Watcher
elasticsearch-rule – Elasticsearch Detection Rule (Lucene)
es-rule-eql – Elasticsearch Detection Rule (EQL)
kibana – Kibana Saved Search
elastalert – Elasticsearch ElastAlert
qradar – Qradar Query
humio – CrowdStrike NextGen SIEM Falcon LogScale Query
humio-alert – CrowdStrike NextGen SIEM Falcon LogScale Alert
splunk – Splunk Query
splunk_alert – Splunk Alert
sumologic – Sumo Logic Query
sumologic-cse – Sumo Logic CSE Query
sumologic-cse-rule – Sumo Logic CSE Rule
arcsight-esm – ArcSight Rule
arcsight-keyword – ArcSight Query
logpoint – LogPoint Query
grep – Regex Grep Query
powershell – PowerShell Query
graylog – Graylog Query
kafka – Apache Kafka KSQL Query
rsa_netwitness – RSA NetWitness Query
carbonblack – VMware Carbon Black Cloud Query
carbonblack-edr – VMware Carbon Black EDR Query
open-ioc – FireEye OpenIOC
fireeye-helix – FireEye Helix Query
chronicle – Google SecOps Rule
chronicle-query – Google SecOps Query
securonix – Securonix Query
s1-events – SentinelOne Events Query
s1-process – SentinelOne Process State Query
sentinel-one-power-query – SentinelOne PowerQuery
mdatp – Microsoft Defender for Endpoint Query
qualys – Qualys IOC Query
sysmon – Sysmon Rule
crowdstrike – CrowdStrike Endpoint Security Query
limacharlie – LimaCharlie Rule
devo – Devo Query
snowflake – Snowflake Query
athena – Amazon Athena Query
opendistro-query – Amazon OpenSearch Query
opendistro-rule – Amazon OpenSearch Rule
fortisiem – FortiSIEM Rule
axon-ads-query – LogRhythm Axon Query
axon-ads-rule – LogRhythm Axon Rule
cortex-xdr-xql-query – Palo Alto Cortex XDR Query
cortex-xql-query – Palo Alto Cortex XSIAM Query
hunters-sql-query – Hunters Query
anomali-aql-query – Anomali Security Analytics Query
crowdstrike-ng-query – CrowdStrike NextGen SIEM Query
trend-micro-xdr-query – Trend Vision One Query
trigger_count
Required
Data type: Integer
Parameter location: Request Body
Number of times the rule was triggered. This parameter is passed as a field in the JSON object in the request body.
period
Required
Data type: Integer
Parameter location: Request Body
Period over which trigger_count was counted. This parameter is passed as a field in the JSON object in the request body. Note that the example below passes the period as a string holding an ISO 8601 date range, which does not match the declared Integer type; confirm the expected format against the current API schema before sending.
Examples
Report the number of times a rule was triggered over a period.
curl -X POST \
https://api.tdm.socprime.com/v1/rule-trigger-metrics \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-H 'Content-Type: application/json' \
-d '[{"rule_name": "test111", "case_id": "123A45B6D", "siem_type": "elasticsearch", "trigger_count": 1, "period": "2025-09-01T10:00:00Z - 2025-09-02T10:00:00Z"}]'
Server Responses
200
Successful Response
400
Bad request
401
Unauthorized
403
Forbidden
404
Not found
422
Request Validation Error
429
Too Many Requests
The following endpoint is available only under certain Threat Detection Marketplace subscription plans.
GET /v1/audit-logs
Get audit logs for your organization.
Parameters
client_secret_id
Required
Data type: String
Parameter location: Header
The API key to authorize the request.
date_from
Optional
Data type: String
Parameter location: Query
This parameter defines the timestamp from which logs are returned (inclusive; the API uses a >= comparison). It must be in an ISO 8601 compatible format. If not provided, the current time minus 1 hour is used. This parameter is ignored if next_page_token is provided.
date_to
Optional
Data type: String
Parameter location: Query
This parameter defines the timestamp until which logs are returned (exclusive; the API uses a < comparison). It must be in an ISO 8601 compatible format. If not provided, the current time minus 1 minute is used. This parameter is ignored if next_page_token is provided.
next_page_token
Optional
Data type: String
Parameter location: Query
Use this parameter to obtain the next page of results. The value of next_page_token is returned in the API response body. When this parameter is used, date_from and date_to are ignored.
size
Optional
Data type: Integer
Parameter location: Query
The number of events to be returned. The default value is 100. The max value is 10,000.
Examples
Get the audit logs for the period from 2025-09-24 15:00 to 2025-09-25 15:00. Quote the URL: an unquoted & would make the shell background the command and drop date_to.
curl -X GET \
'https://api.tdm.socprime.com/v1/audit-logs?date_from=2025-09-24T15:00:00Z&date_to=2025-09-25T15:00:00Z' \
-H 'client_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Server Responses
200
Successful Response
The response includes the following parameters:
size (integer)
total (integer)
date_from (string)
date_to (string)
next_page_token (string)
events (array)
Each event may contain the following fields:
timestamp (string, serialized datetime)
event_name (string)
content_id (string or null)
content_name (string or null)
content_platform (string or null)
repository_id (string or null)
repository_name (string or null)
repository_type (string or null)
user_email (string or null)
user_name (string or null)
event_page (string or null)
source_ip (string or null)
user_agent (string or null)
Here is the list of possible events:
Attack Detective:
Started a scan
Deleted a scan
Ran a scan
Exported a report from Data Audit
Paused a scan
Configured a scan schedule
Gave feedback via Action Loop
Deleted a scan schedule
Uncoder AI:
Translated a Sigma/Roota rule
Opened a content item in Uncoder AI
Translation failed
Generated IOC-based queries
Validated a rule using Warden
Updated a translation in a custom repository
Saved a translation as a file
Translated a platform-specific rule/query
Saved a translation in a custom repository
Uploaded a file with IOCs
Deployed a rule from Uncoder AI
Parsed metadata before saving a rule
Unlocked a rule via Uncoder AI
Contributed to action loop
Documented a rule in Confluence
Configured IOC field mapping
Threat Detection Marketplace and the SOC Prime Platform as a whole:
Logged in to the SOC Prime Platform
Logged in to the SOC Prime Platform via Google
Logged in to the SOC Prime Platform via Microsoft
Logged in to the SOC Prime Platform via Github
Logged in to the SOC Prime Platform via SSO
Logged in to the SOC Prime Platform via Slack
Logged in to the SOC Prime Platform via Atlassian
Logged out of the SOC Prime Platform
Registered on the SOC Prime Platform
Registered on the SOC Prime Platform via Microsoft
Registered on the SOC Prime Platform via Github
Registered on the SOC Prime Platform via Slack
Registered on the SOC Prime Platform via Atlassian
Changed password
Edited user name
Enabled two-factor authentication
Disabled two-factor authentication
Downloaded or copied to the clipboard a content item
Unlocked a premium content item
Marked content as deployed
Marked content as undeployed
Hid a rule in search results
Unhid a rule in search results
Created a content list
Edited a content list
Deleted a content list
Added content to a content list
Removed content from a content list
Copied a content list
Created a custom field mapping profile
Launched a query for hunting from the Hunt page
Deployed content
Searched content in Falcon LogScale
Created or edited a search profile
Deleted a search profile
Created a preset
Edited a preset
Deleted a preset
Invited a person to join their organization on the SOC Prime Platform
Created a deployment job
Edited a deployment job
Deleted a deployment job
Enabled a deployment job
Enabled a deployment job with premium content auto-unlock
Disabled a deployment job
Ran a deployment job with premium content auto-unlock
Created a Confluence Integration
Edited a Confluence Integration
Deleted a Confluence Integration
Created or edited a GitHub Integration
Deleted a GitHub Integration
Created or edited a Microsoft Sentinel Data Plane
Created or edited a Splunk Data Plane
Created or edited an Elastic Stack Data Plane
Created or edited a Microsoft Defender for Endpoint Data Plane
Created or edited an IBM QRadar Data Plane
Created or edited an AWS OpenSearch Data Plane
Created or edited a Chronicle Security Data Plane
Created or edited a Sumo Logic Data Plane
Created or edited a Crowdstrike Endpoint Security Data Plane
Created or edited a Falcon LogScale Data Plane
Created or edited a VMware Carbon Black Data Plane
Created or edited an AWS Athena Data Plane
Created or edited an ArcSight Data Plane
Deleted a Microsoft Sentinel Data Plane
Deleted a Falcon LogScale Data Plane
Deleted a Chronicle Security Data Plane
Deleted a Splunk Data Plane
Deleted a Microsoft Defender for Endpoint Data Plane
Deleted an Elastic Stack Data Plane
Deleted an ArcSight Data Plane
Deleted an AWS OpenSearch Data Plane
Deleted an IBM QRadar Data Plane
Deleted a Sumo Logic Data Plane
Deleted a VMware Carbon Black Data Plane
Deleted an AWS Athena Data Plane
Deleted a Crowdstrike Endpoint Security Data Plane
Downloaded content-specific documentation
Deactivated a user account
Registered on the SOC Prime Platform by an invite from a manager
Sent an invite to register on the SOC Prime Platform
Registered on the SOC Prime Platform by an invite from a teammate
Created a custom repository
Edited settings of a custom repository
Set the organization's industry
Requested to change the organization industry
Initiated deleting the selected content from Inventory (or both from Inventory and their SIEM)
Deleted the selected content from Inventory (or both from Inventory and their SIEM)
Created a custom user role
Edited a custom user role
Modified the role assigned by default to the new users
Modified the role of a user
Deleted a custom user role
Created an API key
Modified an API key
Deleted an API key
Updated SSO configuration
Downloaded report from Dashboard
Deployed content from Uncoder AI
Deleted a custom repository
Deleted a Custom Field Mapping profile
Configured or updated sync with custom repository
Downloaded a JSON report on MITRE ATT&CK Coverage
Cleared all deleted content from Inventory
Configured a Tenant
Edited a Tenant
Deleted a Tenant
Downloaded a CSV report on MITRE ATT&CK Coverage
Downloaded a CSV report on Log Source Coverage
Logged out because of enforced SSO
Downloaded edited content
Created a filter
Updated a filter
Disabled content in SIEM from Inventory
Enabled content in SIEM from Inventory
Deleted content from Inventory
Changed organization's industry
Copied a global Custom Field Mapping
API:
Marked Content as Deployed via API
API request (HTTP status code and meaning):
400 Bad request
401 Unauthorized
403 Forbidden
404 Not found
422 Request Validation Error
429 Too Many Requests
