Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Potential CVE-2023-46214 Exploitation Attempt
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Potential CVE-2023-46214 Exploitation Attempt
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Potential CVE-2023-46214 Exploitation Attempt
id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
related:
- id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
type: derived
status: test
description: |
Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
references:
- https://github.com/nathan31337/Splunk-RCE-poc/
- https://blog.hrncirik.net/cve-2023-46214-analysis
- https://advisory.splunk.com/advisories/SVD-2023-1104
author: Nasreddine Bencherchali (Nextron Systems), Bhavin Patel (STRT)
date: 2023-11-27
tags:
- attack.lateral-movement
- attack.t1210
- cve.2023-46214
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-method: POST
cs-uri-query|contains|all:
- 'NO_BINARY_CHECK=1'
- 'input.path'
cs-uri-query|endswith: '.xsl'
sc-status:
- 200
- 302
condition: selection
falsepositives:
- Unknown
level: medium
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml