Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Suspicious User-Agents Related To Recon Tools
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Suspicious User-Agents Related To Recon Tools
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Suspicious User-Agents Related To Recon Tools
id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
status: test
description: Detects known suspicious (default) user-agents related to scanning/recon tools
references:
- https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
- https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst
- https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-07-19
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-user-agent|contains:
# Add more tools as you see fit
- 'Wfuzz/'
- 'WPScan v'
- 'Recon-ng/v'
- 'GIS - AppSec Team - Project Vision'
condition: selection
falsepositives:
- Unknown
level: medium
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/web/webserver_generic/web_susp_useragents.yml