
Free Sigma Rule Generator

Describe the behaviour you want to detect. SARA writes a starting Sigma rule with MITRE tags, false-positive guidance, and detection-engineering context. Anonymous, no account, best-effort generic detection.

Sigma rule
title: CVE-2017-11317 Telerik UI for ASP.NET AJAX RadAsyncUpload Exploitation
id: e5b30b80-5620-4a9b-923c-c92052376e66
status: experimental
description: >
  Detects HTTP POST requests to the Telerik RadAsyncUpload handler
  (Telerik.Web.UI.WebResource.axd with type=rau). CVE-2017-11317 is a weak
  encryption key in that handler's upload configuration, and public exploits
  abuse it to upload arbitrary files to unpatched Telerik UI for ASP.NET AJAX
  installs. Applications that legitimately use the RadAsyncUpload control send
  the same request, so tune on source, volume and the uploaded file type.
references:
  - https://github.com/nvdii/CVE-2017-11317
  - https://www.telerik.com/security/report-details/2017/telerik-ui-for-asp.net-ajax
author: SARA Detection Engineering
date: 2026-07-05
tags:
  - attack.initial-access
  - attack.t1190

logsource:
  category: webserver
  product: iis

detection:
  selection:
    cs-method: POST
    cs-uri-stem|contains: 'Telerik.Web.UI.WebResource.axd'
    cs-uri-query|contains: 'type=rau'
  condition: selection

falsepositives:
  - Applications that use the RadAsyncUpload control; baseline the client IPs and paths that upload normally before alerting

level: high

What is Sigma?

Sigma is the open, vendor-neutral format for log-based detections. One rule, written once, converts to Splunk SPL, Elastic ES|QL, KQL for Microsoft Sentinel, Sumo, Chronicle, QRadar, and more. Detection engineers love it for the same reason ATT&CK is the lingua franca for tactics — Sigma is the lingua franca for the queries that detect them.

How to use this tool

  1. Describe the behaviour you want to detect in plain English. Be specific — "PowerShell encoded command spawned by an Office process" wins over "PowerShell abuse".
  2. SARA writes a starting Sigma rule with the right logsource, fields, MITRE ATT&CK tags, and false-positive guidance.
  3. Copy the YAML or convert it to your target backend (for example with sigma-cli: `sigma convert -t splunk rule.yml`). Then tune the rule for your environment by adding filter selections for known-good sources: the output is a starting point, not a tested artifact.
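To see what the rule above actually matches, and what step 3's tuning looks like in practice, here is an added example (not code from the SARA page or the Sigma project): a minimal evaluator for the Sigma subset the rule uses (exact match, `|contains`, `|startswith`, `|endswith`, and a flat `a and not b or c` condition), run over a constructed IIS W3C log excerpt. The detection block keys on the RadAsyncUpload handler, `Telerik.Web.UI.WebResource.axd?type=rau`, which is the request CVE-2017-11317 exploits send. The log lines, the IP addresses and the "document portal on 10.0.0.20" that the tuned variant filters out are all assumptions made up for the example.

```python
"""Mini Sigma evaluator run over constructed IIS W3C log lines.

Added example, not the SARA page's or the Sigma project's code. It implements
only the Sigma subset the rule needs and applies it to a few constructed log
lines, then shows the "tune for your environment" step as a filter selection.
"""

# Constructed IIS W3C log excerpt (addresses are documentation ranges).
# The POSTs to Telerik.Web.UI.WebResource.axd?type=rau are the requests a
# CVE-2017-11317 exploit sends; the GET and the DialogHandler POST must not fire.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-07-05 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2026-07-05 10:00:02 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.10 python-requests/2.31.0 200
2026-07-05 10:00:03 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2026-07-05 10:00:04 10.0.0.5 POST /Telerik.Web.UI.DialogHandler.aspx dp=AAAA 443 - 203.0.113.10 curl/8.4.0 200
2026-07-05 10:00:05 10.0.0.5 POST /telerik.web.ui.webresource.axd type=rau 443 - 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# The rule's detection block, as a Python dict instead of YAML.
BASE_DETECTION = {
    "selection": {
        "cs-method": "POST",
        "cs-uri-stem|contains": "Telerik.Web.UI.WebResource.axd",
        "cs-uri-query|contains": "type=rau",
    },
    "condition": "selection",
}

# Tuned variant (assumption for the example): an in-house document portal on
# 10.0.0.20 legitimately uses RadAsyncUpload, so its uploads are filtered out.
TUNED_DETECTION = {
    **BASE_DETECTION,
    "filter_portal": {"c-ip": "10.0.0.20"},
    "condition": "selection and not filter_portal",
}


def parse_iis(text):
    """Yield one dict per IIS log line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def field_matches(event, key, expected):
    """Apply one Sigma field test. Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    expected = str(expected).lower()
    if modifier == "":
        return value == expected
    if modifier == "contains":
        return expected in value
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "endswith":
        return value.endswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """A mapping selection ANDs its fields; a list value ORs the alternatives."""
    for key, expected in selection.items():
        alternatives = expected if isinstance(expected, list) else [expected]
        if not any(field_matches(event, key, alt) for alt in alternatives):
            return False
    return True


def evaluate(event, detection):
    """Evaluate a flat condition: 'not' binds tightest, then 'and', then 'or'."""
    def term(text):
        negate = text.startswith("not ")
        name = text[4:] if negate else text
        hit = selection_matches(event, detection[name])
        return hit != negate
    return any(
        all(term(t.strip()) for t in clause.split(" and "))
        for clause in detection["condition"].split(" or ")
    )


def run_rule(log_text, detection):
    """Return the parsed events that the detection block matches."""
    return [event for event in parse_iis(log_text) if evaluate(event, detection)]


if __name__ == "__main__":
    for name, detection in (("base", BASE_DETECTION), ("tuned", TUNED_DETECTION)):
        hits = run_rule(IIS_LOG, detection)
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("  ", hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"], hit["cs-uri-query"])
```

The base rule fires on both POSTs to the upload handler (including the lower-cased one, since Sigma matching is case-insensitive) and ignores the GET and the DialogHandler request; the tuned rule drops the portal's own upload and leaves the one from the external scanner-like client. Real backends apply the same semantics, so a filter that works here will behave the same after conversion.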

When is the Sigma generator the right move?

Closing a coverage gap fast

You've got a fresh write-up of a TTP and need a starting detection in your stack today. Generate, tune, ship.

Onboarding a junior detection engineer

Pair-program with SARA: the generator produces the skeleton, the engineer learns by tuning, the team commits the result.

Translating between backends

You have a rule in one query language; describe it in English and get the Sigma version + conversions to every other backend.

Sanity-checking a hypothesis

Sketch a detection idea in 30 seconds before investing in a full DE sprint.

API

Want this in your SOAR or SIEM?

SARA Open ships an OpenAI-compatible API. Call POST /api/v1/sigma — Plain English in, valid Sigma YAML out, with MITRE tags and false-positive guidance.

curl -X POST https://sara-open.sirp.io/api/v1/sigma \
  -H "Authorization: Bearer $SARA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"description": "PowerShell encoded command from Office"}'
Read the API reference →


Looking for more?

Ask SARA — our AI security analyst — for full CVE context, exploit chains, and detection rules.
