Describe the behaviour you want to detect. SARA writes a starting Sigma rule with MITRE tags, false-positive guidance, and detection-engineering context. Anonymous, no account, best-effort generic detection.
VALIDATION WARNINGS
T1068
Sigma rule
title: CVE-2020-3950 VMware Fusion Privilege Escalation
id: 0e497de7-939c-4639-9470-9510ca5b1f2c
date: 2026-07-05
status: experimental
references:
  - https://www.vmware.com/security/advisories/VMSA-2020-0013.html
author: SARA Detection Engineering
tags:
  - attack.t1068
  - attack.privilege-escalation
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains: "vmware.exe"
    CommandLine|contains: "vmware.exe" and CommandLine|contains: "--type"
  filter:
    CommandLine|contains: "vmware.exe" and CommandLine|contains: "--help"
  condition: selection and not filter
Validator messages
yaml parse error: while parsing a block mapping
in "<unicode string>", line 18, column 5:
Image|contains: "vmware.exe"
^
expected <block end>, but found '<scalar>'
in "<unicode str
Sigma is the open, vendor-neutral format for log-based detections. One rule, written once, converts to Splunk SPL, Elastic ES|QL, KQL for Microsoft Sentinel, Sumo, Chronicle, QRadar, and more. Detection engineers love it for the same reason ATT&CK is the lingua franca for tactics — Sigma is the lingua franca for the queries that detect them.
Guide
How to use this tool
Describe the behaviour you want to detect in plain English. Be specific — "PowerShell encoded command spawned by an Office process" wins over "PowerShell abuse".
SARA writes a starting Sigma rule with the right logsource, fields, MITRE ATT&CK tags, and false-positive guidance.
Copy the YAML or convert to your target backend. Then tune the rule for your environment — the output is a starting point, not a tested artifact.
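An added example, not the SARA tool's or the Sigma project's own code: the detection block of the rule above rebuilt the way a Sigma backend expects it (keys in one selection are implicitly ANDed, and two substrings on the same field use the `|all` modifier instead of the literal "and" the validator rejected), plus a small linter for that class of defect and a minimal Splunk-style conversion so the tuned rule can be eyeballed before shipping. The rebuilt detection is an assumed reconstruction of the rule's intent; for real conversions use pySigma or sigma-cli rather than this converter.

```python
import re

# Detection block rebuilt from the rule on the page (constructed for this example):
# keys in one selection are implicitly ANDed; two substrings on one field use |all.
DETECTION = {
    "selection": {
        "Image|contains": "vmware.exe",
        "CommandLine|contains|all": ["vmware.exe", "--type"],
    },
    "filter": {"CommandLine|contains|all": ["vmware.exe", "--help"]},
    "condition": "selection and not filter",
}
KNOWN_MODIFIERS = {"contains", "startswith", "endswith", "all"}

def lint_detection(detection):
    """Return problems a Sigma backend would reject (empty list means clean)."""
    problems = []
    blocks = {k: v for k, v in detection.items() if k != "condition"}
    for name, block in blocks.items():
        for key, value in block.items():
            unknown = set(key.split("|")[1:]) - KNOWN_MODIFIERS
            if unknown:
                problems.append(f"{name}.{key}: unknown modifier {sorted(unknown)}")
            if isinstance(value, str) and re.search(r"\s(and|or)\s\S+\|", value):
                problems.append(f"{name}.{key}: boolean operator inside a value; use separate keys or |all")
    for ref in re.findall(r"[A-Za-z_]\w*", detection["condition"]):
        if ref not in ("and", "or", "not") and ref not in blocks:
            problems.append(f"condition references undefined block '{ref}'")
    return problems

def field_to_spl(key, value):
    """One Sigma field/modifier pair to a Splunk-style search clause."""
    field, *mods = key.split("|")
    wildcard = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}
    pattern = next((wildcard[m] for m in mods if m in wildcard), "{}")
    values = value if isinstance(value, list) else [value]
    clauses = [f'{field}="{pattern.format(v)}"' for v in values]
    joiner = " AND " if "all" in mods else " OR "
    return clauses[0] if len(clauses) == 1 else "(" + joiner.join(clauses) + ")"

def to_spl(detection):
    """Expand the condition into a Splunk-style query string."""
    query = detection["condition"]
    for name, block in detection.items():
        if name == "condition":
            continue
        parts = [field_to_spl(k, v) for k, v in block.items()]
        spl = parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"
        query = re.sub(rf"\b{name}\b", lambda _m, s=spl: s, query)
    return re.sub(r"\b(and|or|not)\b", lambda m: m.group(1).upper(), query)
```

Running `lint_detection` on the page's original selection (with the "and" embedded in the value) reports the operator-in-value defect, which is the same class of problem the validator output above points at.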
When to use
When is the Sigma generator the right move?
Closing a coverage gap fast
You've got a fresh write-up of a TTP and need a starting detection in your stack today. Generate, tune, ship.
Onboarding a junior detection engineer
Pair-program with SARA: the generator produces the skeleton, the engineer learns by tuning, the team commits the result.
Translating between backends
You have a rule in one query language; describe it in English and get the Sigma version + conversions to every other backend.
Sanity-checking a hypothesis
Sketch a detection idea in 30 seconds before investing in a full DE sprint.
API
Want this in your SOAR or SIEM?
SARA Open ships an OpenAI-compatible API. Call POST /api/v1/sigma: plain English in, valid Sigma YAML out, with MITRE tags and false-positive guidance.