Turn observed malware behaviors into shareable Sigma rules, then convert to the SIEM query language of your choice — without writing YAML or learning Sigma's condition syntax first.
intel2sigma is a guided composer for Sigma rules targeted at malware analysts, CTI producers, and anyone who observes suspicious behavior but doesn't live in a SIEM. You describe what you observed through structured forms (a process started, a file was written, a registry value was set, etc.), and the tool produces canonical Sigma YAML plus ready-to-run queries for the major SIEM and EDR backends.
- Malware analysts producing behavioral detections alongside the usual IOCs (hashes, IPs, domains)
- CTI teams in information-sharing networks (IFIN, ISACs, MISP communities)
- Detection engineers at organizations running out-of-the-box SIEM or EDR who want portable detections
- Anyone learning Sigma who doesn't want to start with a YAML spec
- Not a SIEM or detection management platform
- Not an LLM-powered tool — the composer is fully deterministic; no model decides what your rule contains
- Not a replacement for sigma-cli or pySigma for users already fluent in Sigma
Visit intel2sigma.davidsharp.io. No account needed. Sessions are ephemeral; the server keeps nothing. The hosted deployment runs as a stateless container on Azure Container Apps behind Cloudflare (TLS, WAF, rate limiting); your inputs never touch a database.
```bash
pip install intel2sigma
intel2sigma serve
```

Then open http://localhost:8000.
Requires uv (install: curl -LsSf https://astral.sh/uv/install.sh | sh, or on Windows: powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex").
```bash
git clone https://github.com/davekindof/intel2sigma
cd intel2sigma
uv sync                                              # install all deps
uv run pytest                                        # run the test suite
uv run mypy intel2sigma --strict                     # typecheck
uv run ruff check && uv run ruff format --check      # lint and format
uv run uvicorn intel2sigma.web.app:app --reload      # dev server (v1+)
```

Python 3.14 is downloaded and managed by uv — no system Python install needed. uv.lock is committed and reproduces the environment exactly.
v0 smoke test (core library only):

```bash
uv run pytest tests/test_model_smoke.py tests/test_pysigma_integration.py
```

See CLAUDE.md for the full development workflow and architectural rules.
```bash
docker run -p 8000:8000 intel2sigma.azurecr.io/intel2sigma:latest
```

To build locally:

```bash
docker build --build-arg BUILD_SHA=$(git rev-parse --short HEAD) \
  -t intel2sigma:dev .
docker run -p 8000:8000 intel2sigma:dev
```

All three options run the same stateless app. Once running, GET /version returns the build SHA and pinned-data versions; GET /healthz is the liveness probe.
- SPEC.md — architectural source of truth
- ROADMAP.md — phased delivery plan
- docs/architecture.md — runtime view
- docs/ui.md — presentation layer specification
- docs/taxonomy.md — observation catalog and field mapping
- docs/heuristics.md — rule quality checks
- docs/recalibration.md — quarterly cadence for refreshing pinned upstreams
- CLAUDE.md — instructions for contributors (human and AI)
MIT.