Describe the behaviour you want to detect. SARA writes a starting Sigma rule with MITRE tags, false-positive guidance, and detection-engineering context. Anonymous, no account, best-effort generic detection.
title: CVE-2023-41242 Authentication Bypass Exploitation Attempts
id: fde39e13-4a3a-4dcf-bc51-03f8e9955c1a
date: 2026-06-15
status: experimental
references:
- https://example.com/cve-2023-41242 # Replace with actual CVE reference
author: SARA Detection Engineering
tags:
- attack.t1190
- attack.t1189
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort: 443
Initiated: true
Protocol: tcp
filter:
UserAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'
condition: selection and not filter
Sigma is the open, vendor-neutral format for log-based detections. One rule, written once, converts to Splunk SPL, Elastic ES|QL, KQL for Microsoft Sentinel, Sumo, Chronicle, QRadar, and more. Detection engineers love it for the same reason ATT&CK is the lingua franca for tactics — Sigma is the lingua franca for the queries that detect them.
You've got a fresh write-up of a TTP and need a starting detection in your stack today. Generate, tune, ship.
Pair-program with SARA: the generator produces the skeleton, the engineer learns by tuning, the team commits the result.
You have a rule in one query language; describe it in English and get the Sigma version + conversions to every other backend.
Sketch a detection idea in 30 seconds before investing in a full DE sprint.
SARA Open ships an OpenAI-compatible API. Call POST /api/v1/sigma — Plain English in, valid Sigma YAML out, with MITRE tags and false-positive guidance.
curl -X POST https://sara-open.sirp.io/api/v1/sigma \
-H "Authorization: Bearer $SARA_API_KEY" \
-H "Content-Type: application/json" \
-d '{"description": "PowerShell encoded command from Office"}'
Read the API reference →