Integrations

Sigma is designed to allow hollistic control of your environment. Through various Compute, ITSM and AI integrations, Sigma allows you to centrally manage your Infrastructure.

Compute

Depending on your license, you can integrate Sigma with various Compute environments. Each Compute environment has unique API requirements and parameters required for a successful Simga integration.

Supported Compute environments:

• AWS (Amazon Web Services)

• OCI (Oracle Cloud Infrastructure)

• Microsoft Azure

• VMware

AWS (Amazon Web Services)

Sigma requires an API key generated from the AWS console with sufficient AWS IAM permissions to view and manage AWS resources. Below are instructions on how to set up the AWS IAM permissions.

AWS IAM Permissions

1. If you don’t already have a user account to be used for the Sigma integration, create a new AWS user account.

2. For Sigma to view and manage AWS resources, add the following AWS IAM permissions:

   - EC2:
       - DescribeInstances:      Allows Sigma to describe instances in the various regions.
       - DescribeRegions:        Allows Sigma to describe AWS regions.
       - DescribeVpcs:           Allows Sigma to describe VPCs.
       - DescribeSecurityGroups: Allows Sigma to describe security groups.
       - StartInstances:         Allows Sigma to start instances.
       - StopInstances :         Allows Sigma to stop instances.
       - RebootInstances :       Allows Sigma to reboot instances.
       - TerminateInstances :    Allows Sigma to terminate instances.
   - S3:
       - ListAllMyBuckets:       Allows Sigma to list S3 buckets.
   - CloudWatch:
       - GetMetricData:          Allows Sigma to retrieve utilization metrics.
   - Systems Manager:
       - SendCommand:            Allows Sigma to execute scripts on EC2 instances.
       - GetCommandInvocation:   Allows Sigma to get command status on EC2 instances.

   Alternatively, you may copy the below JSON to configure the required IAM policies using the AWS Policy editor:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": [
                   "ec2:RebootInstances",
                   "ssm:SendCommand",
                   "ec2:DescribeInstances",
                   "ec2:TerminateInstances",
                   "ec2:StartInstances",
                   "s3:ListAllMyBuckets",
                   "cloudwatch:GetMetricData",
                   "ec2:DescribeVpcs",
                   "ec2:DescribeRegions",
                   "ec2:StopInstances",
                   "ec2:DescribeSecurityGroups",
                   "ssm:GetCommandInvocation"
               ],
               "Resource": "*"
           }
       ]
   }
   

   Note

   Important: The above permissions apply to all resources. If you wish to limit the scope of resources, use the AWS console to manually select the resources that Sigma will be authorized to manage.

Creating AWS Access Key

1. Sign in to the AWS Management Console and open the IAM Console.

2. In the navigation pane, choose Users.

3. Choose the user account whose AWS IAM permissions were set up for the Sigma connection, and then choose the Security credentials tab.

4. In the Access keys section, choose Create access key. If you already have two access keys, this button is deactivated and you must delete an access key before you can create a new one.

5. On the Retrieve access keys page, choose either Show to reveal the value of your user’s secret access key, or Download .csv file. This is your only opportunity to save your secret access key. After you’ve saved your secret access key in a secure location, choose Done.

6. For the Sigma connection, you will need the AWS Access Key ID as well as the Secret Access Key.

Adding AWS Environment

1. Login to your Sigma instance.

2. In the navigation bar, click Administration > Environments.

3. Select the Compute tab (Default).

4. Select the “Click to add” button on the bottom of the Compute tab.

5. Select AWS from the Compute product dropdown.

6. Provide a Connection Name. This will be used to identify this specific AWS connection.

7. Provide the Access key ID and the Secret Access Key in the specific fields and select Connect.

8. If the connection is successful, the AWS connection will display in the environments page, as well as under the Compute > AWS tab.

OCI (Oracle Cloud Infrastructure)

Sigma requires an API key generated from the OCI console with sufficient IAM policies to view and manage OCI resources. Below are instructions on how to set up the OCI IAM policies.

OCI IAM Policies

1. If you don’t already have a user account to be used for the Sigma integration, create a new OCI user account.

2. Add the user to a group that has the below required IAM permissions:

   - manage instance-family in tenancy:                          Allows Sigma to manage instance-related resources across the tenancy.
   - use instance-family in tenancy:                             Allows Sigma to use instance-related resources within the tenancy.
   - manage instances in tenancy:                                Allows Sigma with management capabilities specifically on instances within the tenancy.
   - use instances in tenancy:                                   Allows Sigma to utilize instances within the tenancy.
   - manage virtual-network-family in tenancy:                   Allows Sigma management capabilities for virtual network resources within the tenancy.
   - use virtual-network-family in tenancy:                      Allows Sigma to use virtual network resources within the tenancy.
   - read app-catalog-listing in tenancy:                        Allows Sigma to read app catalog listings within the tenancy.
   - manage app-catalog-listing in tenancy:                      Allows Sigma to manage capabilities for app catalog listings within the tenancy.
   - manage app-catalog-listings in tenancy:                     Allows Sigma with management capabilities for app catalog listings within the tenancy.
   - use volume-family in tenancy:                               Allows Sigma to use volume-related resources within the tenancy.
   - use instance-agent in tenancy:                              Allows Sigma to use instance agent resources within the tenancy.
   - manage object-family in tenancy:                            Allows Sigma to manage object-related resources within the tenancy.
   - manage instance-agent-command-family in tenancy:            Allows Sigma with management capabilities for instance agent commands within the tenancy.
   - manage instance-agent-command-execution-family in tenancy:  Allows Sigma to manage instance agent command executions within the tenancy.
   - use instance-agent-command-execution-family in tenancy:     Allows Sigma to use instance agent command executions.
   - manage all-resources in tenancy:                            Allows Sigma management capabilities for all resources within the tenancy.
   - manage compute-capacity-reports in tenancy:                 Allows Sigma to manage compute capacity reports within the tenancy.
   - use dedicated-vm-hosts in tenancy:                          Allows Sigma to use dedicated VM hosts within the tenancy.
   - inspect instance-images in tenancy:                         Allows Sigma to inspect instance images within the tenancy.
   - manage objects in tenancy:                                  Allows Sigma management capabilities for objects (files) within the tenancy.
   - inspect marketplace-listings in tenancy:                    Allows Sigma to inspect marketplace listings within the tenancy.
   - {INSTANCE_IMAGE_READ} in tenancy:                           Allows Sigma to read image details.
   - read marketplace-listings in tenancy:                       Allows Sigma to read marketplace listings within the tenancy.
   - read marketplace-community-listings in tenancy:             Allows Sigma to read community marketplace listings within the tenancy.
   - use marketplace-listings in tenancy:                        Allows Sigma to use marketplace listings within the tenancy.
   - use marketplace-community-listings in tenancy:              Allows Sigma to use community marketplace listings within the tenancy.
   - inspect compartments in tenancy:                            Allows Sigma to inspect compartments (organizational units) within the tenancy.
   - manage repos in tenancy:                                    Allows Sigma management capabilities for repositories within the tenancy.
   - manage orm-stack in tenancy:                                Allows Sigma to manage ORM (Object-Relational Mapping) stacks within the tenancy.

   Alternatively, you may copy the below policy block to configure the required IAM policies using the OCI Policy Builder:

   Note

   Important: Please ensure to replace ‘Default’/’My Group’ with the name of your group that contains the Sigma user account, and ensure to replace ‘VMGroup’ with your dynamic group that contains the virtual machines that Sigma will manage.

   Allow group 'Default'/'My Group' to manage instance-family in tenancy
   Allow group 'Default'/'My Group' to use instance-family in tenancy
   Allow group 'Default'/'My Group' to manage instances in tenancy
   Allow group 'Default'/'My Group' to use instances in tenancy
   Allow group 'Default'/'My Group' to manage virtual-network-family in tenancy
   Allow group 'Default'/'My Group' to use virtual-network-family in tenancy
   Allow group 'Default'/'My Group' to read app-catalog-listing in tenancy
   Allow group 'Default'/'My Group' to manage app-catalog-listing in tenancy
   Allow group 'Default'/'My Group' to manage app-catalog-listings in tenancy
   Allow group 'Default'/'My Group' to use volume-family in tenancy
   Allow group 'Default'/'My Group' to use instance-agent in tenancy
   Allow group 'Default'/'My Group' to manage object-family in tenancy
   Allow group 'Default'/'My Group' to manage instance-agent-command-family in tenancy
   Allow group 'Default'/'My Group' to manage instance-agent-command-execution-family in tenancy
   Allow dynamic-group 'VMGroup' to use instance-agent-command-execution-family in tenancy where request.instance.id=target.instance.id
   Allow group 'Default'/'My Group' to manage all-resources in tenancy
   Allow group 'Default'/'My Group' to manage compute-capacity-reports in tenancy
   Allow group 'Default'/'My Group' to use dedicated-vm-hosts in tenancy
   Allow group 'Default'/'My Group' to inspect instance-images in tenancy
   Allow group 'Default'/'My Group' to manage objects in tenancy
   Allow group 'Default'/'My Group' to inspect marketplace-listings in tenancy
   Allow group 'Default'/'My Group' to {INSTANCE_IMAGE_READ} in tenancy
   Allow group 'Default'/'My Group' to read marketplace-listings in tenancy
   Allow group 'Default'/'My Group' to read marketplace-community-listings in tenancy
   Allow group 'Default'/'My Group' to use marketplace-listings in tenancy
   Allow group 'Default'/'My Group' to use marketplace-community-listings in tenancy
   Allow group 'Default'/'My Group' to inspect compartments in tenancy
   Allow group 'Default'/'My Group' to manage repos in tenancy
   Allow group 'Default'/'My Group' to manage orm-stack in tenancy
   Allow group 'Default'/'My Group' to manage orm-job in tenancy
   

Creating OCI API Key

1. Sign in to the OCI Console with the username that has the required OCI IAM Policies.

2. Click on your profile icon in the top-right corner of the console.

3. Click My Profile at the top-right corner.

4. Under Resources at the bottom-left, select API Keys and click Add API Key.

5. The Add API Key dialog is displayed. Select Generate API Key Pair to create a new key pair.

6. Click Download Private Key. A .pem file is saved to your local device. You will need this later.

7. Click Add.

8. Copy the API fingerprint of the generated key. You will need this later.

9. Copy the User OCID under User infmormation. You will need this later.

10. Click on your profile icon in the top-right corner of the console.

11. Select “Tenancy: <your_tenancy_name>” from the dropdown menu.

12. Copy the tenancy OCID under Tenancy infmormation. You will need this later.

Adding OCI Environment

1. Login to your Sigma instance.

2. In the navigation bar, click Administration > Environments.

3. Select the Compute tab (Default).

4. Select the “Click to add” button on the bottom of the Compute tab.

5. Select OCI from the Compute product dropdown.

6. Provide a Connection Name. This will be used to identify this specific OCI connection.

7. Provide the Tenancy ID, Region (example: Ashburn), User Id and the API Fingerprint in the specific fields.

8. Click inside the PEM File Upload zone, and upload the previously saved .pem file, then select Connect.

9. If the connection is successful, the OCI connection will display in the environments page, as well as under the Compute > OCI tab.

Microsoft Azure

Sigma requires an API key generated from the Azure console with sufficient IAM permissions to view and manage Azure resources.

Registering Azure Application

1. Log in to the Microsoft Entra Admin Center.

2. Under Application, select App registrations.

3. Click on New registration.

4. Enter a name for the application (e.g., “Sigma Integration”).

5. Select the Accounts in this organizational directory only option.

6. Click Register.

7. After registering the application, navigate to Certificates & secrets.

8. Click on New client secret.

9. Add a description and select an expiry period.

10. Click Add.

11. Copy the Value of the client secret. You will need this later.

12. Under Overview, copy the application ID. You will need this later.

Adding Role Assignments

1. Log in to the Microsoft Azure portal.

2. Select the Subscriptions service.

3. Select the subscription you wish to grant Sigma access.

4. Click on Access control (IAM).

5. Click Add > Add role assignment.

6. Select the following roles:

   - Virtual Machine Contributor: Allows Sigma to manage virtual machines.
   - Monitoring Reader:           Allows Sigma to retrieve utilization metrics.

7. Click Next then under Assign access to, select User, group, or service principal.

8. Under Select, search for your application by name and select it.

9. Click Review + assign.

10. Go back to the Microsoft Azure portal homepage.

11. Select the Tenant Properties service.

12. Copy the Tenant ID. You will need this later.

Adding Azure Environment

1. Login to your Sigma instance.

2. In the navigation bar, click Administration > Environments.

3. Select the Compute tab (Default).

4. Select the “Click to add” button on the bottom of the Compute tab.

5. Select Azure from the Compute product dropdown.

6. Provide a Connection Name. This will be used to identify this specific Azure connection.

7. Provide the Tenant ID, Application ID and the Secret Access Key in the specific fields and select Connect.

8. If the connection is successful, the Azure connection will display in the environments page, as well as under the Compute > Azure tab.

VMware

Sigma Automate can connect directly to VMware environments using either a vCenter Server or an individual ESXi host. This integration provides full visibility and lifecycle control over virtual machines, clusters, datastores, and compute resources — while maintaining a strict separation between infrastructure-level access (vCenter/ESXi) and in-guest OS-level access (for configuration, script execution, and orchestration).

Connection Overview

When integrating Sigma with VMware, you must configure two separate accounts, each serving a distinct purpose:

Credential Types

Credential Type	Used For	Authenticates Against	Example	Description
Infrastructure Integration Account	VM lifecycle, provisioning, snapshot, and datastore control	vCenter Server or ESXi API	sigma@vsphere.local	Grants Sigma permission to manage VMware resources via the vSphere API layer.
OS-Level Service Account	In-guest script execution, configuration, and orchestration	Active Directory Domain (guest OS)	SVC_SIGMA_OS	Provides Sigma secure access inside virtual machines to perform automation tasks.

Important

These accounts are completely separate. The Infrastructure Integration Account connects Sigma to the VMware API, while the OS-Level Service Account operates inside guest VMs. Do not reuse or share credentials between these two layers.

Prerequisites

Before connecting:

• Ensure network connectivity between Sigma and your vCenter Server or ESXi host (port 443/TCP).

• Verify the VMware API account has the required privileges (see section below).

• Create a dedicated Active Directory service account for OS-level automation within guest systems.

VMware Infrastructure Account (vCenter)

If you don’t already have a dedicated VMware account for Sigma integration, create one (for example, sigma@vsphere.local) and assign the following permissions.

Create the Custom Role

1. Open the vSphere Client and connect to your vCenter Server.

2. Click Menu → Administration → Access Control → Roles.

3. Select Add to create a new role, name it Sigma_Automate_VM_Integration, and keep the dialog open while you configure the permissions below.

Required Permission Categories

- Datastore (Allows Sigma to allocate storage and access ISO files)
    - Allocate space
    - Browse datastore
- Global (Allows Sigma to view vSphere objects and manage tags)
    - Diagnostics
    - Global tag
- Network (Allows Sigma to assign virtual network adapters)
    - Assign network
- Resource (Allows Sigma to assign VMs to resource pools)
    - Assign virtual machine to resource pool
- Storage views (Allows Sigma to view storage information)
    - View
- Virtual machine (Allows Sigma to manage virtual machines)
    - Change Configuration (Modify VM hardware)
        - Add existing disk
        - Add new disk
        - Add or remove device
        - Change settings
        - Change resource
        - Remove disk
    - Edit Inventory (Create and remove VMs)
        - Create new
        - Remove
    - Guest operations (Execute commands inside VMs)
        - Guest operation alias modification
        - Guest operation alias query
        - Guest operation modifications
        - Guest operation program execution
        - Guest operation queries
    - Interaction (Control VM power state, access console)
        - Console interaction
        - Power on
        - Power off
        - Reset

Required Scope: The role must be assigned at the Datacenter level with “Propagate to children” enabled. This ensures permissions apply to all child objects (folders, VMs, hosts) within the datacenter and is required for proper operation.

Recommended Role Name: Sigma_Automate_VM_Integration

Example Permission Path: vCenter → Datacenter → Permissions → Add → sigma@vsphere.local → Role: Sigma_Automate_VM_Integration (with "Propagate to children" enabled)

Important

A Second Account is Required for In-Guest Operations

The VMware Infrastructure Account (above) only manages VM infrastructure (power, hardware, creation/deletion). To execute scripts and perform automation inside the guest operating systems, Sigma requires a separate domain service account with administrative privileges within the VMs themselves. This separation ensures proper security boundaries between infrastructure management and guest OS operations.

OS-Level Service Account (Active Directory)

Sigma requires a domain-based service account for in-guest automation and configuration tasks. This account enables Sigma to perform PowerShell or SSH operations inside virtual machines via VMware Tools Guest Operations.

Recommended Account Name: SVC_SIGMA_OS

Create the account in Active Directory Users and Computers (ADUC) under your organization’s Service Accounts OU.

Required Account Configuration:

• Domain Account: Create SVC_SIGMA_OS as a standard domain user

• Password Policy: Strong password (≥20 characters), rotated every 90–180 days per IT policy

• Group Membership: Add to a domain group (e.g., GG_Sigma_OS_Automation) for scoping and audit control

• Login Rights: - Grant Log on as a service and Log on as a batch job - Deny interactive and RDP logon rights to prevent manual sign-in

• Local Rights: Ensure the service account is part of the Administrators group inside target VMs (via GPO or template)

• Protocol Access (Optional): - Windows: Allow WinRM over HTTPS - Linux: Allow SSH key or password authentication

PowerShell Execution Policy (Windows Guests)

Sigma uses PowerShell remoting for in-guest Windows automation. To ensure script execution works properly, the execution policy for the SVC_SIGMA_OS account must be configured as RemoteSigned.

Configuration Steps (Run as Administrator on a guest VM):

# Verify current policy
Get-ExecutionPolicy -List

# Set RemoteSigned for the Sigma OS account
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# Verify the change
Get-ExecutionPolicy -List

The output should show:

Scope          ExecutionPolicy
-----          ---------------
MachinePolicy       Undefined
UserPolicy          Undefined
Process             Undefined
CurrentUser         RemoteSigned
LocalMachine        Restricted

Alternative (via GPO):

To enforce this for the SVC_SIGMA_OS account or group:

1. Open Group Policy Management.

2. Create or edit a GPO linked to the OU containing target VMs.

3. Navigate to:

   User Configuration → Administrative Templates → Windows Components → Windows PowerShell

4. Enable Turn on Script Execution and select:

   Allow local scripts and remote signed scripts

Security Recommendations

- Least Privilege: Assign only the minimal rights required for each account.
- Credential Rotation: Rotate every 90–180 days and store securely (Sigma Secrets, Vault, or CloudTruth).
- Audit Logging: Review vCenter API and AD authentication logs regularly.
- Encryption: Require HTTPS/TLS for vCenter and WinRM/SSH encryption for guest access.
- Segregation of Duties: Store VMware API credentials and OS service credentials separately.

Configuration Steps in Sigma

1. Log in to your Sigma instance.

2. Navigate to: Administration → Environments.

3. Under Compute, click “Click to add”.

4. From the Select Provider dropdown, choose VMware.

5. Fill out the connection form: - Connection Name: Friendly name for the environment. - vCenter/ESXi Hostname or IP: Management endpoint. - Username / Password: VMware Integration Account (e.g., sigma@vsphere.local). - Click Connect to validate and register the connection.

6. Once connected, Sigma discovers clusters, hosts, and datastores.

7. To enable in-guest orchestration: - Go to Administration → Credentials. - Add your OS-Level Service Account (SVC_SIGMA_OS). - Associate it with the VMware environment or specific templates.

Troubleshooting

Issue	Cause	Resolution
Invalid credentials	OS-level account used for VMware API authentication	Use the correct vCenter or ESXi account (sigma@vsphere.local).
Permission denied (NoPermission errors)	Missing Global.View or Global.Read permissions, or role scope not propagated to child objects	Ensure the role includes Global → Diagnostics and Global → Global tag permissions. The role must be assigned at the Datacenter level with “Propagate to children” enabled to ensure all child objects (folders, VMs) inherit the permissions.
Failed script execution	Missing AD rights or incorrect PowerShell policy	Ensure SVC_SIGMA_OS has admin/sudo rights and PowerShell execution policy set to RemoteSigned.
Connection timeout	Network port 443 blocked or firewall restrictions	Allow HTTPS access between Sigma and the vCenter/ESXi management network.
Certificate warning	Self-signed or untrusted VMware SSL certificate	Import the vCenter SSL certificate into Sigma or trusted CA store.

Next Steps

Once the VMware connection is established:

• Browse to Compute → VMware and confirm the inventory tree populates with clusters, hosts, datastores, and VM data.

• Assign the OS-Level Service Account to enable in-guest automation (script execution, configuration, software install).

• Save the configuration for reuse across environments or workflows.

ITSM

ServiceNow

Sigma integrates directly with ServiceNow through its REST API, allowing the platform to read, update, and attach files to change records automatically.

Overview

This integration enables Sigma automation workflows to: - Create or update change records in ServiceNow. - Attach configuration logs, deployment results, or compliance reports to a change ticket. - Synchronize build status and change approval metadata for audit purposes.

Connection Steps

1. Log in to ServiceNow as an administrator Navigate to System OAuth → Application Registry → New → Create an OAuth API endpoint for external clients.

2. Generate API credentials - Record the Client ID and Client Secret. - If using a user token, generate a personal access token (PAT) via the REST API Explorer → OAuth Token.

3. Set access permissions Ensure the integration user or token has the following roles: - itil (for incident/change access) - personalize_dictionary (optional, for extended field mapping) - attachment_admin (for file uploads)

4. Allow file attachment updates Go to System Properties → Attachments, and verify that “Allow attachments for change_request table” is enabled.

5. Copy the API credentials to Sigma In Sigma → Integrations → ITSM → ServiceNow, enter: - Instance URL: https://yourinstance.service-now.com - Client ID / Secret or API Token - Username / Password (if basic auth is used)

6. Test and save the connection Sigma will validate the ServiceNow API credentials and confirm access to the change_request endpoint. A success message indicates the integration is active.

Notes

• The ServiceNow user configured here becomes the “automation service account” for all ITSM change updates.

• Ensure the API user is excluded from human MFA policies.

• Logs and attachments uploaded by Sigma will appear with the configured ServiceNow username in the “Attachments” tab of each change request.

---

Jira

Sigma can integrate with both Jira Cloud and Jira Server using REST API authentication. This connection enables Sigma to automatically create or update issues, post deployment summaries, and attach audit files for traceability.

Overview

Typical use cases: - Auto-create Jira tickets for new Sigma automation events. - Update ticket status when a Sigma workflow completes successfully or fails. - Attach configuration reports and logs for review by ITSM teams.

Connection Steps

1. Log in to Jira (as a project admin) Navigate to your Atlassian profile (for Jira Cloud): Profile → Manage your account → Security → Create and manage API tokens.

2. Generate an API token - Click Create API token, name it “Sigma Integration”, and copy the generated token. - Store it securely; it will only be shown once.

3. Assign necessary permissions The integration account must have at least: - Browse Projects - Create Issues - Edit Issues - Add Comments - Attach Files

4. Copy API details to Sigma In Sigma → Integrations → ITSM → Jira, provide: - Jira Base URL: https://yourorg.atlassian.net (for Jira Cloud) - Username or Email Address used to create the token - API Token

5. Map issue types and fields (optional) Under Advanced Settings, you can map Sigma build types or orchestration tasks to Jira issue types (e.g., Deployment → Change, Alert → Incident).

6. Test and activate integration Click Test Connection. Sigma will perform a lightweight API call to verify authentication. Once validated, all Sigma-generated tickets will automatically include links to the associated Sigma job ID.

Notes

• Jira Cloud tokens do not expire unless revoked. Rotate periodically for compliance.

• For self-hosted Jira Server, you can instead configure basic authentication using an API user.

• Attachments larger than 10 MB are compressed automatically before upload.

---

Best Practices

• Use dedicated service accounts in ServiceNow and Jira to avoid accidental MFA or permission issues.

• Store credentials securely in Sigma’s encrypted secrets manager.

• Test connectivity after credential rotation or ServiceNow/Jira version upgrades.

• Tag all automated tickets (e.g., Sigma-Automate) for quick filtering in your ITSM dashboards.

AI

OpenAI

Sigma includes an optional integration with OpenAI to provide AI-assisted automation features such as script generation, configuration intelligence, and resource optimization insights.

Overview

This integration allows Sigma to leverage large-language-model intelligence for accelerating or augmenting IT automation workflows — for example: - Generating PowerShell, Bash, or Python scripts from plain-language task descriptions. - Summarizing configuration states, environment health, or log outputs. - Providing recommendations for cost right-sizing, automation templates, or runbook efficiency improvements.

Important — This Integration Is Optional

• The OpenAI connection is not required for normal Sigma operation.

• No data is shared with OpenAI unless you explicitly enable the feature and perform an AI-assisted action (e.g., “Generate Script” or “Explain Workflow”).

• You can disable the integration at any time in Sigma → Integrations → AI.

Connection Steps

1. Obtain an OpenAI API Key - Visit https://platform.openai.com/account/api-keys. - Click Create new secret key and copy the generated token. - Keep it secure — you won’t be able to view it again.

2. Configure the Integration in Sigma - Navigate to Integrations → AI → OpenAI. - Paste your API key into the provided field. - Choose your default model (e.g., gpt-4-turbo, gpt-4o-mini) if applicable. - Save and validate the connection.

3. Usage Examples Once connected, Sigma can use the OpenAI API to: - Generate automation scripts: convert natural-language tasks into executable PowerShell, Bash, or Python snippets. - Explain processes: summarize long logs or workflows in human-readable form. - Provide recommendations: suggest configuration or cost optimizations based on environment data.

4. Security and Privacy - Sigma transmits only the minimal contextual text needed for AI assistance — never credentials or secrets. - API keys are stored encrypted within Sigma’s secure key vault. - All data exchanged with OpenAI is processed over HTTPS using TLS 1.2 or higher.

Notes

• Enabling the AI integration enhances productivity and situational awareness but is not part of core automation.

• Organizations that prefer to keep all automation offline can leave this integration disabled with no impact on system functionality.

• Usage may incur costs according to your OpenAI account billing plan.