Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules: 3,707 (Ready to search)
Backends: 17 (Live from sigconverter.io)
CLI Versions: 10 (Newest: 2.0.2)
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule: Potential CVE-2021-26084 Exploitation Attempt
Target Profile: Splunk (Splunk SPL & tstats data model queries)
Format Mode: Default (Plain SPL queries)
Conversion Output
Potential CVE-2021-26084 Exploitation Attempt
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
Backend: Splunk · Format: Default · Version: 2.0.2
title: Potential CVE-2021-26084 Exploitation Attempt
id: 38825179-3c78-4fed-b222-2e2166b926b1
status: test
description: Detects potential exploitation of CVE-2021-26084, a Confluence RCE using OGNL injection
references:
    - https://github.com/TesterCC/exp_poc_library/blob/be61622600ec79d8fba2fa5f816a870715f0cb3b/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md
    - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
    - https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/
author: Sittikorn S, Nuttakorn T
date: 2022-12-13
modified: 2023-03-24
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-26084
    - detection.emerging-threats
logsource:
    category: webserver
    definition: 'Requirements: The POST request body data must be collected in order to make use of certain parts of this detection'
detection:
    selection_main:
        cs-method: 'POST'
        sc-status: 200
        cs-username: 'anonymous' # This string is used to reduce possible FPs; remove it to also catch authenticated attempts
    selection_exploit_1:
        cs-uri-query|contains|all:
            - '/pages/createpage-entervariables.action'
            - 'SpaceKey=x' # This URI assumes that you can't have a space ID of "X"
    selection_exploit_2_uri:
        cs-uri-query|contains: '/doenterpagevariables.action'
    selection_exploit_2_keyword:
        - 'u0027' # This string should appear in the POST body as a value of the parameter "queryString"
    condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)
falsepositives:
    - Unknown
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml
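The rule's condition, written out as an added Python example (not Phoenix or sigma-cli output, and not the rule authors' code) and run over constructed log records to show which requests it flags. The field name "cs-body" for the collected POST body and all sample events are assumptions made for illustration.

```python
# Added illustration of the rule's condition; not Phoenix or sigma-cli output.
# "cs-body" is an assumed field name for the collected POST body.

def contains(value, needle):
    # Sigma string matching is case-insensitive by default.
    return needle.lower() in str(value).lower()

def selection_main(ev):
    return (str(ev.get("cs-method", "")).lower() == "post"
            and str(ev.get("sc-status")) == "200"
            and str(ev.get("cs-username", "")).lower() == "anonymous")

def selection_exploit_1(ev):
    query = ev.get("cs-uri-query", "")
    return all(contains(query, s) for s in
               ("/pages/createpage-entervariables.action", "SpaceKey=x"))

def selection_exploit_2_uri(ev):
    return contains(ev.get("cs-uri-query", ""), "/doenterpagevariables.action")

def selection_exploit_2_keyword(ev):
    # A keyword selection names no field: it matches anywhere in the event.
    return any(contains(v, "u0027") for v in ev.values())

def matches(ev):
    # selection_main and (selection_exploit_1 or all of selection_exploit_2_*)
    return selection_main(ev) and (
        selection_exploit_1(ev)
        or (selection_exploit_2_uri(ev) and selection_exploit_2_keyword(ev)))

# Constructed sample events, not real traffic.
BASE = {"cs-method": "POST", "sc-status": 200, "cs-username": "anonymous"}
CREATE = "/pages/createpage-entervariables.action?SpaceKey=x"
DOENTER = "/pages/doenterpagevariables.action"
EVENTS = {
    "exploit_1": {**BASE, "cs-uri-query": CREATE},
    "exploit_2_with_body": {**BASE, "cs-uri-query": DOENTER,
                            "cs-body": "queryString=constructed-u0027-value"},
    "exploit_2_body_not_logged": {**BASE, "cs-uri-query": DOENTER},
    "authenticated_user": {**BASE, "cs-username": "jdoe", "cs-uri-query": CREATE},
    "rejected_request": {**BASE, "sc-status": 403, "cs-uri-query": CREATE},
}

def evaluate_all():
    return {name: matches(ev) for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:26} {'MATCH' if hit else 'no match'}")
```

The third event shows why the logsource definition matters: when the POST body is not collected, the second exploit branch cannot fire and only the first branch provides coverage.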