What this endpoint does

This endpoint searches for detection rules authored by Recorded Future's Insikt Group, returning the full rule source code for YARA, Sigma, and Snort signatures. Each rule is attached to an Insikt Group Analyst Note that provides threat analysis context, and rules include MITRE ATT&CK technique mappings and associated entity references (malware families, file hashes, threat actors). Filter by rule type, creation or update date ranges, associated entity IDs, note title text, or specific document ID. This is a POST endpoint that uses cursor-based pagination — pass the next_offset value from each response as the offset in the next request to retrieve additional pages. Use the Detection Rules: Associated Entities endpoint to find entity IDs for filtering, or use the Detection Rules: Associated Entity Types endpoint to discover which entity types are available for filtering.

Response data

The response contains a result array of detection rule notes, plus count (results in current page), total_count (total matching results), and next_offset (pagination cursor). Each result includes the Insikt Group note's id, type (yara/sigma/snort), title, description (detailed threat narrative), and timestamps. The rules array within each result contains one or more rule objects with content (the full rule source code ready for deployment), file_name (suggested filename), and entities (associated MITRE ATT&CK techniques, malware families, file hashes, and other Recorded Future entities mapped to the rule).