What can SARA do?

SARA is a free AI security analyst by SIRP. Ask about threats, enrich IOCs, triage alerts, manage incidents, and automate response — all from chat.

Security Knowledge

No account required. Ask any cybersecurity question.

Definitions & Concepts (Free)
What is credential stuffing? · Explain lateral movement · What is a zero-day vulnerability?
Incident Response Guidance (Free)
How should I respond to ransomware? · Steps to investigate a BEC attack · Checklist for hardening Active Directory
CVE & Vulnerability Lookup (Free)
What is CVE-2024-3400? · Tell me about Log4Shell · Latest critical vulnerabilities
Threat Intelligence (Free)
Tell me about APT29 · What TTPs does Lazarus Group use? · Compare APT28 vs APT29

IOC Enrichment & Analysis

Paste IPs, hashes, domains, or URLs for instant threat intelligence from 8 sources.

IOC Enrichment (Free)
Check this IP: 185.220.101.34 · Analyze hash a3f9b2c847de... · Is this domain malicious? evil.com
Phishing & Email Analysis (Free)
Analyze this phishing email: [paste headers] · Check this URL: https://suspicious.com/login
Alert Triage (Free)
Triage this SIEM alert: [paste JSON] · Analyze this CEF log: [paste]
Detection Engineering (Free)
Write a Sigma rule for PowerShell abuse · Explain MITRE T1059.001

Tenant Operations

Connect your OmniSense tenant in Settings to unlock live incident management.

Incident Management (OmniSense)
Show me my incidents · Open P1 alerts · Show me my phishing incidents · Show closed cases · Analyze incident 266279 · Analyze case 55032 · Analyze alert 100 · Show me incident 266279 · What happened in incident 266279?
Agent Execution (OmniSense)
Run enrichment on incident 266279 · Classify incident 55032 · Run analysis on incident 266279 · Run all agents on incident 266279 · Run triage on my latest incident · Run triage and analysis on incident 210 · Run all agents on incident 266279 just show

Add "just show", "assist mode", or "don't save" to see results in chat without writing to OmniSense.

SOC Metrics & Analytics (OmniSense)
What's our MTTR? · Show me MTTD · Mean time to handle alerts · Any SLA breaches? · Show SLA compliance · Who has the most incidents? · Analyst workload · Are incidents increasing? · Show security trends · How are we doing this week? · Security posture · False positive rate · Weekly report
Assets (OmniSense)
Show me my assets · Details on SERVER-DC-01 · What's the risk on SERVER-DC-01?

Response Actions & Playbooks

Execute containment actions and automate response workflows.

Response Actions (OmniSense)
Block IP 192.168.1.100 · Quarantine host WORKSTATION-05 · Disable user john.doe · What actions can I take? · Show action catalog
SIRP Actions (OmniSense)
Change priority to P1 on incident 266279 · Set severity to SEV1 on incident 266279 · Change status to closed on incident 266279 · Change state to case on incident 266279 · Close incident 266279 · Add comment 'Confirmed benign' on incident 266279

Update any incident field directly from chat. Priority, severity, status, state, disposition, and comments.

Playbooks (OmniSense)
Show my playbooks · Run phishing playbook on incident 266279 · Create a ransomware IR playbook · Create a BEC response playbook
Custom Plugins (Pro)
Block IP on CrowdStrike (Create custom triggers in Settings → Plugins)
Multi-Tenant (MSSP) (OmniSense)
Show my tenants · Switch to Rewterz

Investigation Workspace

Persistent analyst workbench with SARA as your co-analyst.

Create from Chat (Registered+)
Investigate incident 266279 · Create workspace for alert 261282

Auto-creates a workspace with IOCs, assets, and timeline from OmniSense.

Workspace Features

Pin IOCs with verdict/score, build timelines, map MITRE ATT&CK, analyst notes, link related incidents, set verdicts (TP/FP/Ongoing), export as Markdown/HTML. Templates: Malware, Phishing, Insider Threat, Ransomware.

SARA Co-analyst

Chat panel with full workspace context. Ask "Enrich all IOCs", "Analyze attack pattern", "Summarize investigation", or "What's missing?" IOCs from responses auto-pin to canvas.

Plans

Registered: 1 workspace. Pro: 10. Team: Unlimited.

Features

Export & Share

Export any chat as a Markdown report. Share a read-only link to any conversation.

Saved Templates

Save frequently used prompts as reusable templates. Click "Save" on any message.

API Access (Pro)

Integrate SARA into your SOAR/SIEM. OpenAI-compatible API.

Bring Your Own LLM

Use Claude, GPT-4, Gemini, Mistral, Groq, Ollama, or any OpenAI-compatible provider. Configure in Settings.

Multi-turn conversations work! Ask "Analyze incident 266279", then follow up with "Run enrichment on it" or "Run all agents on it" — SARA remembers the incident from context. You can also say "Show me incident 266279" for details only, or "Analyze" for the full pipeline (enrichment → classification → analysis → remediation).

Plans

Free

10 messages/hr. Basic IOC enrichment. 7-day chat history.

Registered (sign in with Google)

50 messages/hr. Web search. 7-day history. Sign in with company email for free Pro trial.

Pro $29/mo

200 messages/hr. Full enrichment. OmniSense connect. Custom plugins (5). API keys (3). Unlimited history.

Team $79/mo

500 messages/hr. Everything in Pro. Custom plugins (20). API keys (10). Up to 5 seats.
