AI Detect
POST
/api/v1/ai/detect

Generate detection rules from indicators and threat descriptions using AI. Supports YARA, Sigma, Snort, and Suricata formats. Produces ready-to-deploy rules with metadata, references, and MITRE ATT&CK mappings.
Permission
ai:read
Credits
15 per request
Plans
Starter, Professional, Enterprise
Timeout
Up to 30 seconds
Request Body
{
  "format": "sigma",
  "indicators": {
    "ips": ["185.220.101.42"],
    "processes": ["whoami.exe", "net.exe", "nltest.exe"],
    "registry_keys": ["HKLM\\SOFTWARE\\...\\Run"]
  },
  "description": "Detect post-exploitation reconnaissance after SSH brute-force from Tor exit node",
  "context": "Windows Server environment, living-off-the-land binaries for discovery"
}

| Field | Type | Description |
|---|---|---|
| format | string | Detection rule format: "yara", "sigma", "snort", or "suricata" (required) |
| indicators | object | Object containing indicator arrays: ips, domains, hashes, urls, processes, registry_keys, file_paths (optional) |
| description | string | Natural language description of the threat behavior to detect (optional) |
| context | string | Additional context about the target environment, attack scenario, or detection requirements (optional) |
Response
{
  "data": {
    "format": "sigma",
    "rule": "title: Post-Exploitation Reconnaissance via LOLBins After SSH Brute-Force\nid: 8f4a2b1c-3d5e-4f6a-b7c8-9d0e1f2a3b4c\nstatus: experimental\ndescription: Detects execution of reconnaissance commands (whoami, net, nltest) commonly used by attackers after gaining initial access via SSH brute-force from known Tor exit nodes.\nauthor: DFIR Suite AI\ndate: 2026/04/04\nreferences:\n  - https://attack.mitre.org/techniques/T1033/\n  - https://attack.mitre.org/techniques/T1018/\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection_process:\n    Image|endswith:\n      - '\\whoami.exe'\n      - '\\net.exe'\n      - '\\nltest.exe'\n  selection_network:\n    SourceIp: '185.220.101.42'\n  condition: selection_process or selection_network\nfalsepositives:\n  - Legitimate system administration tasks\n  - Automated inventory scripts\nlevel: high\ntags:\n  - attack.discovery\n  - attack.t1033\n  - attack.t1018\n  - attack.t1482",
    "name": "Post-Exploitation Reconnaissance via LOLBins After SSH Brute-Force",
    "description": "Detects execution of reconnaissance commands (whoami, net, nltest) commonly used by attackers after gaining initial access via SSH brute-force from known Tor exit nodes.",
    "severity": "high",
    "references": [
      "https://attack.mitre.org/techniques/T1033/",
      "https://attack.mitre.org/techniques/T1018/",
      "https://attack.mitre.org/techniques/T1482/"
    ],
    "attack_mapping": [
      {
        "technique_id": "T1033",
        "name": "System Owner/User Discovery",
        "tactic": "Discovery",
        "confidence": 95
      },
      {
        "technique_id": "T1018",
        "name": "Remote System Discovery",
        "tactic": "Discovery",
        "confidence": 88
      },
      {
        "technique_id": "T1482",
        "name": "Domain Trust Discovery",
        "tactic": "Discovery",
        "confidence": 82
      }
    ]
  },
  "meta": {
    "request_id": "req_d1e2t3c4-...",
    "credits_used": 15,
    "credits_remaining": 445,
    "processing_time_ms": 4580
  }
}

| Field | Type | Description |
|---|---|---|
| data.format | string | The detection rule format (yara, sigma, snort, or suricata) |
| data.rule | string | The complete detection rule ready to deploy — copy directly into your detection platform |
| data.name | string | Human-readable name for the detection rule |
| data.description | string | Description of what the rule detects and the threat context |
| data.severity | string | "info", "low", "medium", "high", or "critical" |
| data.references | array | Reference URLs to MITRE ATT&CK techniques, CVEs, or threat intelligence reports |
| data.attack_mapping | array | MITRE ATT&CK technique mappings with technique_id, name, tactic, and confidence |
| meta.request_id | string | Unique request identifier for support and debugging |
| meta.credits_used | number | Credits consumed (15 per detection rule request) |
| meta.credits_remaining | number | Remaining credit balance after this request |
| meta.processing_time_ms | number | Server-side processing time in milliseconds |
Code Examples
cURL
curl -X POST https://api.dfir-lab.ch/v1/ai/detect \
  -H "Authorization: Bearer sk-dfir-your-key-here" \
  -H "Content-Type: application/json" \
  -d '{
    "format": "sigma",
    "indicators": {
      "ips": ["185.220.101.42"],
      "processes": ["whoami.exe", "net.exe", "nltest.exe"],
      "registry_keys": ["HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"]
    },
    "description": "Detect post-exploitation reconnaissance after SSH brute-force from Tor exit node",
    "context": "Windows Server environment, attacker uses living-off-the-land binaries for discovery"
  }'

Python
import requests

response = requests.post(
    "https://api.dfir-lab.ch/v1/ai/detect",
    headers={
        "Authorization": "Bearer sk-dfir-your-key-here",
        "Content-Type": "application/json",
    },
    json={
        "format": "sigma",
        "indicators": {
            "ips": ["185.220.101.42"],
            "processes": ["whoami.exe", "net.exe", "nltest.exe"],
        },
        "description": "Detect post-exploitation reconnaissance after SSH brute-force",
        "context": "Windows Server environment, living-off-the-land binaries",
    },
    timeout=35,  # rule generation can take up to 30 seconds
)
response.raise_for_status()  # fail on 4xx/5xx instead of indexing into an error body

data = response.json()
rule = data["data"]
print(f"Format: {rule['format']}")
print(f"Name: {rule['name']}")
print(f"Severity: {rule['severity']}")
print(f"\nRule:\n{rule['rule']}")
for mapping in rule["attack_mapping"]:
    print(f" ATT&CK: {mapping['technique_id']} - {mapping['name']}")

Important Notes
- Generated rules should be reviewed and tested in a staging environment before deploying to production. AI-generated rules may produce false positives depending on your environment, and the detection logic itself needs a read: in the example response above, the condition selection_process or selection_network fires on any execution of whoami.exe, net.exe, or nltest.exe regardless of source IP, and SourceIp is not a field of the Sigma process_creation log source, so the selection_network branch never matches in a process-creation rule.
- Provide at least indicators or a description; supplying both yields the most accurate rules. Format-specific syntax (YARA strings, Sigma log sources, Snort/Suricata headers) is handled automatically.
- Each request consumes 15 credits. Results are generated fresh for every request; no caching is applied.
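The following is an added example, not the vendor's SDK and not code from this page: it wraps the endpoint documented above (the base URL is the one in the cURL example), enforces the request-body field table client-side so a malformed body never spends credits, and runs two offline checks that the staging-review note above calls for: a structural lint of the returned Sigma rule (every selection named in the condition is defined, every defined selection is used, required top-level keys are present) and a consistency check between the attack.tNNNN tags in the rule text and the structured attack_mapping. The fixture is the detection-relevant part of the page's example rule, re-indented; call_detect needs a real key and network access, everything else runs offline.

```python
"""Added example, not the vendor's SDK: validate a request for POST /api/v1/ai/detect
against the documented field table, call the endpoint with a timeout that covers the
documented 30 s, and sanity-check the returned Sigma rule before it is deployed."""
import json
import re
import urllib.request

API_URL = "https://api.dfir-lab.ch/v1/ai/detect"   # base URL taken from the page's cURL example
FORMATS = {"yara", "sigma", "snort", "suricata"}
INDICATOR_KEYS = {"ips", "domains", "hashes", "urls", "processes", "registry_keys", "file_paths"}
_CONDITION_KEYWORDS = {"and", "or", "not", "of", "all", "them"}


def build_request(fmt, indicators=None, description=None, context=None):
    """Reject bodies the field table rules out before any credits are spent."""
    if fmt not in FORMATS:
        raise ValueError(f"format must be one of {sorted(FORMATS)}, got {fmt!r}")
    if not indicators and not description:
        raise ValueError("provide at least 'indicators' or a 'description'")
    body = {"format": fmt}
    if indicators:
        unknown = set(indicators) - INDICATOR_KEYS
        if unknown:
            raise ValueError(f"unknown indicator keys: {sorted(unknown)}")
        body["indicators"] = {k: list(v) for k, v in indicators.items() if v}  # drop empty arrays
    if description:
        body["description"] = description
    if context:
        body["context"] = context
    return body


def call_detect(api_key, body, timeout=35):
    """POST the body; urlopen raises HTTPError on 4xx/5xx instead of returning an error document."""
    req = urllib.request.Request(
        API_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def sigma_lint(rule_text):
    """Structural checks on a Sigma rule string; returns a list of problems (empty means pass).
    Indentation-agnostic; key presence and selection/condition consistency only."""
    problems = [f"missing top-level key '{k}'" for k in ("title", "logsource", "detection", "level")
                if not re.search(rf"^{k}:", rule_text, re.M)]
    block = re.search(r"^detection:\n((?:[ \t]+\S.*\n?)+)", rule_text, re.M)
    if not block:
        return problems + ["detection block is empty"]
    lines = block.group(1).splitlines()
    base = min(len(l) - len(l.lstrip()) for l in lines)    # indent level of selection names
    selections, condition = set(), None
    for line in lines:
        if len(line) - len(line.lstrip()) != base:
            continue                                         # nested field, not a selection
        key, _, rest = line.strip().partition(":")
        if key == "condition":
            condition = rest.strip()
        elif not rest.strip():
            selections.add(key)
    if condition is None:
        return problems + ["detection block has no condition"]
    used = set()
    for tok in re.findall(r"[A-Za-z_][\w*]*", condition):    # identifiers, incl. wildcards like sel*
        if tok.lower() in _CONDITION_KEYWORDS:
            continue
        hits = {s for s in selections if re.fullmatch(tok.replace("*", ".*"), s)}
        if not hits:
            problems.append(f"condition references undefined selection '{tok}'")
        used |= hits
    problems += [f"selection '{s}' is never used in the condition" for s in sorted(selections - used)]
    return problems


def attack_ids_consistent(rule_text, attack_mapping):
    """Technique IDs in the rule's attack.tNNNN tags vs. the structured attack_mapping;
    returns the symmetric difference, so an empty set means the two agree."""
    tagged = {t.upper() for t in re.findall(r"attack\.(t\d{4}(?:\.\d{3})?)", rule_text)}
    return tagged ^ {m["technique_id"].upper() for m in attack_mapping}


# Constructed fixture: the detection-relevant part of the page's example Sigma rule, re-indented,
# with its attack_mapping technique IDs, so the checks run offline without an API key.
SAMPLE_RULE = """\
title: Post-Exploitation Reconnaissance via LOLBins After SSH Brute-Force
logsource:
    category: process_creation
    product: windows
detection:
    selection_process:
        Image|endswith:
            - '\\whoami.exe'
            - '\\net.exe'
            - '\\nltest.exe'
    selection_network:
        SourceIp: '185.220.101.42'
    condition: selection_process or selection_network
level: high
tags:
    - attack.discovery
    - attack.t1033
    - attack.t1018
    - attack.t1482
"""
SAMPLE_MAPPING = [{"technique_id": "T1033"}, {"technique_id": "T1018"}, {"technique_id": "T1482"}]
```

sigma_lint is deliberately structural only: it passes the example rule even though the selection_network branch keys on SourceIp, which is not a process_creation field. For field-level and syntax validation, save the rule to a file and run `sigma check` from sigma-cli before converting it for your SIEM.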