
Detection feed

A read-only HTTP feed of the detection rules extracted from cyfar.ca posts — built for plugging into a detection pipeline, a rule repository, or a SIEM. No key required; the data is already public on the detection-rules index.

Endpoint

GET https://cyfar.ca/api/detections

Returns JSON only. There are no .yar / .rules / .yml / .sh rule files served, by design — copy and review a rule before you deploy it.

Query parameters

  • type — restrict to one rule type: one of yara, suricata, sigma, host.
  • q — case-insensitive substring match on the rule name.
  • since / until — ISO date or datetime; filters on when a rule was last seen. Use since for incremental pulls (“everything new since my last fetch”).
  • post — a post slug; returns only that report’s rules.
  • limit / offset — paging; limit is 1–2000 (default 1000).

Examples

# every Suricata rule, as JSON
curl "https://cyfar.ca/api/detections?type=suricata"

# all rules (with source posts) for a single report
curl "https://cyfar.ca/api/detections?post=weekly-recap-2026-w21"
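An incremental, paged pull built on since and limit / offset, as an added example that is not code from cyfar.ca. It assumes the response body is a JSON array of rule objects and that a page shorter than limit marks the end of the results, neither of which the page documents; build_url, http_get_rules and pull_since are hypothetical names.

```python
import json
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlencode

BASE = "https://cyfar.ca/api/detections"            # endpoint given on the page
RULE_TYPES = {"yara", "suricata", "sigma", "host"}  # documented rule types

def build_url(rule_type=None, since=None, limit=1000, offset=0):
    """Build a feed URL from the documented query parameters only."""
    if rule_type is not None and rule_type not in RULE_TYPES:
        raise ValueError(f"unknown rule type: {rule_type!r}")
    if not 1 <= limit <= 2000:                      # documented range for limit
        raise ValueError("limit must be between 1 and 2000")
    params = {"limit": limit, "offset": offset}
    if rule_type:
        params["type"] = rule_type
    if since:                                       # sent as an ISO datetime in UTC
        utc = since.astimezone(timezone.utc)
        params["since"] = utc.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{BASE}?{urlencode(sorted(params.items()))}"

def http_get_rules(url):
    """Fetch one page. ASSUMPTION: the body is a JSON array of rule objects."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def pull_since(since, rule_type=None, limit=1000, fetch=http_get_rules):
    """Return (rules, checkpoint) for everything last seen after `since`."""
    # Checkpoint is taken before the first request, so a rule published
    # during the pull is picked up by the next run instead of being skipped.
    checkpoint = datetime.now(timezone.utc)
    rules, offset = [], 0
    while True:
        page = fetch(build_url(rule_type, since, limit, offset))
        rules.extend(page)
        if len(page) < limit:   # ASSUMPTION: a short page means no more results
            return rules, checkpoint
        offset += limit

if __name__ == "__main__":
    last = datetime(2026, 5, 18, tzinfo=timezone.utc)   # constructed checkpoint
    new_rules, last = pull_since(last, rule_type="sigma")
    # Stage for review; the feed's rules are leads, not ready-to-deploy detections.
    print(f"{len(new_rules)} rules staged for review, next since = {last.isoformat()}")
```

Persist the returned checkpoint between scheduled runs and pass it back as since on the next pull.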

Rule types

yara, suricata, sigma, host

Only rules from published posts are served — drafts never appear. Rules are leads, not turnkey detections: read each one and tune it for your environment before deploying. The feed is rate-limited per IP; a scheduled pull won’t notice, a tight scrape loop will.