Describe the behaviour you want to detect. SARA writes a starting Sigma rule with MITRE tags, false-positive guidance, and detection-engineering context. Anonymous, no account, best-effort generic detection.
Sigma is the open, vendor-neutral format for log-based detections. One rule, written once, converts to Splunk SPL, Elastic ES|QL, KQL for Microsoft Sentinel, Sumo, Chronicle, QRadar, and more. Detection engineers love it for the same reason ATT&CK is the lingua franca for tactics — Sigma is the lingua franca for the queries that detect them.
You've got a fresh write-up of a TTP and need a starting detection in your stack today. Generate, tune, ship.
Pair-program with SARA: the generator produces the skeleton, the engineer learns by tuning, the team commits the result.
You have a rule in one query language; describe it in English and get the Sigma version + conversions to every other backend.
Sketch a detection idea in 30 seconds before investing in a full DE sprint.
SARA Open ships an OpenAI-compatible API. Call POST /api/v1/sigma — Plain English in, valid Sigma YAML out, with MITRE tags and false-positive guidance.
curl -X POST https://sara-open.sirp.io/api/v1/sigma \
-H "Authorization: Bearer $SARA_API_KEY" \
-H "Content-Type: application/json" \
-d '{"description": "PowerShell encoded command from Office"}'
Read the API reference →