Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Okta 2023 Breach Indicator Of Compromise
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Okta 2023 Breach Indicator Of Compromise
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Okta 2023 Breach Indicator Of Compromise
id: 00a8e92a-776b-425f-80f2-82d8f8fab2e5
status: test
description: |
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
This rule can be enhanced by filtering out known and legitimate username used in your environnement.
author: Muhammad Faisal (@faisalusuf)
date: 2023-10-25
references:
- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
- https://developer.okta.com/docs/reference/api/event-types/
tags:
- attack.credential-access
- detection.emerging-threats
logsource:
service: okta
product: okta
detection:
selection:
eventtype:
- 'user.lifecycle.create'
- 'user.lifecycle.activate'
target.user.display.name|contains: 'svc_network_backup'
condition: selection
falsepositives:
- Unknown
level: medium
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml