Recipe
Sigma SIEM rule writer
Generate detection-as-code Sigma rules from natural-language threat descriptions. Paste an adversary behaviour summary and get a validated YAML rule ready for your SIEM pipeline.
Prompt template
System: You are a Sigma rule author. Output only valid YAML following the Sigma specification. Use logsource, detection with selection blocks, and condition. Prefer sysmon EventID fields.
User: Write a Sigma rule for: [INSERT THREAT DESCRIPTION]
Example output
title: Suspicious PsExec Execution
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects PsExec usage with alternate service name
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\PsExec.exe'
        CommandLine|contains: '-s'
    filter:
        CommandLine|contains: 'accepteula'
    condition: selection and not filter
level: medium
Validation checklist
- Run it through sigmac (or its successor, sigma-cli on pySigma) with your target backend so conversion errors surface before deployment
- Verify logsource matches your SIEM schema
- Test against known-good and known-bad telemetry
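One way to automate the structural part of this checklist before a generated rule reaches the converter, as an added example that is not part of the original recipe. It takes the rule as the dict that yaml.safe_load would return (PyYAML is assumed to be used upstream; the page's example rule is embedded here as a constructed dict) and checks what a reviewer looks at first: required keys, a well-formed id, known level and status, a usable logsource, and that every name in the condition resolves to a selection block.

```python
import fnmatch
import re
import uuid

# Constructed sample: the recipe's example rule as yaml.safe_load would return it.
EXAMPLE_RULE = {
    "title": "Suspicious PsExec Execution",
    "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "status": "experimental",
    "description": "Detects PsExec usage with alternate service name",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\PsExec.exe", "CommandLine|contains": "-s"},
        "filter": {"CommandLine|contains": "accepteula"},
        "condition": "selection and not filter",
    },
    "level": "medium",
}

LEVELS = {"informational", "low", "medium", "high", "critical"}
STATUSES = {"stable", "test", "experimental", "deprecated", "unsupported"}
KEYWORDS = {"and", "or", "not", "of", "all", "them"}
# Identifier tokens in a condition; trailing '*' allows 'all of selection*' patterns.
TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_*]*")


def lint_rule(rule: dict) -> list:
    """Return a list of structural problems; an empty list means the rule passed."""
    issues = []
    for key in ("title", "id", "logsource", "detection", "level"):
        if key not in rule:
            issues.append(f"missing required key: {key}")
    try:
        uuid.UUID(str(rule.get("id", "")))
    except ValueError:
        issues.append("id is not a UUID")
    if rule.get("level") not in LEVELS:
        issues.append(f"unknown level: {rule.get('level')!r}")
    if rule.get("status", "experimental") not in STATUSES:
        issues.append(f"unknown status: {rule.get('status')!r}")
    if not ({"category", "product", "service"} & set(rule.get("logsource") or {})):
        issues.append("logsource needs category, product or service")
    detection = rule.get("detection") or {}
    condition = detection.get("condition")
    if not isinstance(condition, str):
        issues.append("detection.condition missing")
        return issues
    names = {k for k in detection if k != "condition"}
    if not names:
        issues.append("detection has no selection blocks")
    for tok in TOKEN.findall(condition):  # every referenced name must exist
        if tok.lower() not in KEYWORDS and not any(fnmatch.fnmatchcase(n, tok) for n in names):
            issues.append(f"condition references unknown selection: {tok}")
    return issues
```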