{{ notification }}
SIGMA RULE BUILDER
✓ valid {{ lint.errors.length }} error{{ lint.errors.length !== 1 ? 's' : '' }}
{{ aiPanelHeading('title') }}
{{ aiState.title.text || aiLoadingLabel('title') }}
{{ aiState.title.error }}
{{ t }}
{{ aiPanelHeading('describe') }}
{{ aiState.describe.text || aiLoadingLabel('describe') }}
{{ aiState.describe.error }}
{{ d }}
{{ aiPanelHeading('falsepositives') }}
{{ aiState.falsepositives.text || aiLoadingLabel('falsepositives') }}
{{ aiState.falsepositives.error }}
{{ fp }}

Presets fill the fields below and suggest detection field names.

Available fields for this logsource:

{{ f }}

Keywords match against full log event text (no field binding).

{{ aiPanelHeading('detection') }}
{{ aiState.detection.text || aiLoadingLabel('detection') }}
{{ aiState.detection.error }}
{{ aiPanelHeading('tags') }}
{{ aiState.tags.text || aiLoadingLabel('tags') }}
{{ aiState.tags.error }}
MITRE ATT&CK ENTERPRISE — v14.1
{{ tac.label }} {{ tac.visibleCount }}
✕ {{ e }}
⚠ {{ w }}
✓ Rule looks good
{{ aiPanelHeading('explain') }}
{{ aiState.explain.error }}
{{ aiPanelHeading('review') }} {{ aiState.review.score }}/10
{{ aiState.review.rawText || aiLoadingLabel('review') }}
{{ aiState.review.error }}
{{ yamlOutput }}
QUERY CONVERTER Best-effort — always review before use 
{{ converterOutput }}

⚠ {{ converterNote }}

LIVE PREVIEW
✕ {{ e }} 
{{ yamlOutput }}
SigmaHQ Community Rules github.com/SigmaHQ/sigma →
{{ grp }}

← Select a category to browse community rules

Loads rule list from github.com/SigmaHQ/sigma on demand.

Add a GitHub token in to avoid rate limits.

Pinned Templates

Quick-start templates served from this repo.

{{ templateError }}

Import Existing Rule

Paste a Sigma rule YAML to edit it.

{{ importError }}

Settings

Optional. Raises GitHub API rate limit from 60 to 5,000 req/hr. Only needs public_repo read scope (or no scope — public repos are readable unauthenticated). Stored in localStorage only — never sent anywhere except api.github.com.

Generate a token →
AI (optional) LM Studio · Ollama · OpenAI · any OpenAI-compatible
{{ aiLiveBadgeText }}

Works with LM Studio, Ollama, OpenAI, or any OpenAI-compatible server. Leave blank to disable AI.

{{ aiModelRecommendation }} · For JSON tasks: prefer non-thinking models or reduce max_tokens.
✦ New Rule Wizard
{{ wizard.step > i ? '●' : wizard.step === i ? '●' : '○' }}

What kind of detection are you building?

BRAINSTORM STARTER RULE
{{ wizard.brainstormText || 'Generating draft…' }}
{{ wizard.brainstormPlan.title || 'Untitled draft' }}
{{ wizard.brainstormPlan.description }}
Scenario: {{ wizard.brainstormPlan.scenario || 'custom' }} · Preset: {{ wizard.brainstormPlan.logsource_id }}
{{ wizard.brainstormText }}
{{ wizard.aiDescText || 'Generating description…' }}
{{ wizard.aiDescText }}

Choose a logsource preset, or skip to configure manually.

{{ wizard.aiLsText }}

Review the rule that will be created:

{{ wizardPreviewYaml }}
⊕ Rule Library {{ libraryEntries.length }} saved

No saved rules yet.

Click ⊙ save in the toolbar to save the current rule.

No rules match your search.

{{ entry.level }} {{ entry.title || 'Untitled' }}
{{ entry.logsource?.product || entry.logsource?.category || '—' }} {{ entry.tags.slice(0,2).join(' · ') }} {{ formatRelativeTime(entry.savedAt) }}