Describe the behaviour you want to detect. SARA writes a starting Sigma rule with MITRE tags, false-positive guidance, and detection-engineering context. Anonymous, no account, best-effort generic detection.
VALIDATION WARNINGST1190
Sigma rule
title: Exploitation of CVE-2025-47813 (loginok)
id: cbafbddd-b5ee-4c00-9b1a-057aa2380b63
date: 2026-07-05
status: experimental
references:
- https://example.com/cve-2025-47813
author: SARA Detection Engineering
tags:
- attack.t1190
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort: 47813
Protocol: tcp
Initiated: true
SourceIp:
- 192.168.1.100
- 10.0.0.1
UserAgent:
- "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.3"
filter:
Image:
- "C:\Windows\System32\svchost.exe"
- "C:\Windows\System32\lsass.exe"
condition: all of selection and not filter
Validator messages
yaml parse error: while scanning a double-quoted scalar
in "<unicode string>", line 27, column 9:
- "C:\Windows\System32\svchost.exe"
^
found unknown escape character 'W'
in
Sigma is the open, vendor-neutral format for log-based detections. One rule, written once, converts to Splunk SPL, Elastic ES|QL, KQL for Microsoft Sentinel, Sumo, Chronicle, QRadar, and more. Detection engineers love it for the same reason ATT&CK is the lingua franca for tactics — Sigma is the lingua franca for the queries that detect them.
GuideHow to use this tool
Describe the behaviour you want to detect in plain English. Be specific — "PowerShell encoded command spawned by an Office process" wins over "PowerShell abuse".
SARA writes a starting Sigma rule with the right logsource, fields, MITRE ATT&CK tags, and false-positive guidance.
Copy the YAML or convert to your target backend. Then tune the rule for your environment — the output is a starting point, not a tested artifact.
When to useWhen is the Sigma generator the right move?
Closing a coverage gap fast
You've got a fresh write-up of a TTP and need a starting detection in your stack today. Generate, tune, ship.
Onboarding a junior detection engineer
Pair-program with SARA: the generator produces the skeleton, the engineer learns by tuning, the team commits the result.
Translating between backends
You have a rule in one query language; describe it in English and get the Sigma version + conversions to every other backend.
Sanity-checking a hypothesis
Sketch a detection idea in 30 seconds before investing in a full DE sprint.
API
Want this in your SOAR or SIEM?
SARA Open ships an OpenAI-compatible API. Call POST /api/v1/sigma — Plain English in, valid Sigma YAML out, with MITRE tags and false-positive guidance.