SARA / Free Tools / Sigma Generator

Free Sigma Rule Generator

Describe the behaviour you want to detect. SARA writes a starting Sigma rule with MITRE tags, false-positive guidance, and detection-engineering context. Anonymous, no account, best-effort generic detection.

VALIDATION WARNINGS T1190
Sigma rule
title: Exploitation of CVE-2025-47813 (loginok)
id: cbafbddd-b5ee-4c00-9b1a-057aa2380b63
date: 2026-07-05
status: experimental
references:
  - https://example.com/cve-2025-47813
author: SARA Detection Engineering
tags:
  - attack.t1190

logsource:
  category: network_connection
  product: windows

detection:
  selection:
    DestinationPort: 47813
    Protocol: tcp
    Initiated: true
    SourceIp:
      - 192.168.1.100
      - 10.0.0.1
    UserAgent:
      - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.3"
  filter:
    Image:
      - "C:\Windows\System32\svchost.exe"
      - "C:\Windows\System32\lsass.exe"
  condition: all of selection and not filter
Validator messages
  • yaml parse error: while scanning a double-quoted scalar in "<unicode string>", line 27, column 9: - "C:\Windows\System32\svchost.exe" ^ found unknown escape character 'W' in

ReferenceWhat is Sigma?

Sigma is the open, vendor-neutral format for log-based detections. One rule, written once, converts to Splunk SPL, Elastic ES|QL, KQL for Microsoft Sentinel, Sumo, Chronicle, QRadar, and more. Detection engineers love it for the same reason ATT&CK is the lingua franca for tactics — Sigma is the lingua franca for the queries that detect them.

GuideHow to use this tool

  1. Describe the behaviour you want to detect in plain English. Be specific — "PowerShell encoded command spawned by an Office process" wins over "PowerShell abuse".
  2. SARA writes a starting Sigma rule with the right logsource, fields, MITRE ATT&CK tags, and false-positive guidance.
  3. Copy the YAML or convert to your target backend. Then tune the rule for your environment — the output is a starting point, not a tested artifact.

When to useWhen is the Sigma generator the right move?

Closing a coverage gap fast

You've got a fresh write-up of a TTP and need a starting detection in your stack today. Generate, tune, ship.

Onboarding a junior detection engineer

Pair-program with SARA: the generator produces the skeleton, the engineer learns by tuning, the team commits the result.

Translating between backends

You have a rule in one query language; describe it in English and get the Sigma version + conversions to every other backend.

Sanity-checking a hypothesis

Sketch a detection idea in 30 seconds before investing in a full DE sprint.

API

Want this in your SOAR or SIEM?

SARA Open ships an OpenAI-compatible API. Call POST /api/v1/sigma — Plain English in, valid Sigma YAML out, with MITRE tags and false-positive guidance.

curl -X POST https://sara-open.sirp.io/api/v1/sigma \
  -H "Authorization: Bearer $SARA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"description": "PowerShell encoded command from Office"}'
Read the API reference →

Browse related toolsKeep exploring

Looking for more?

Ask SARA — our AI security analyst — for full CVE context, exploit chains, and detection rules.

Try SARA