Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,731

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 3.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Kubernetes Potential Enumeration Activity

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Kubernetes Potential Enumeration Activity

Using Splunk · Default · sigma-cli 3.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion3.0.2
title: Kubernetes Potential Enumeration Activity
id: 597a7e84-187d-458b-9e4f-2f5a0e676711
status: experimental
description: |
    Detects potential Kubernetes enumeration or attack activity via the audit log.
    This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
    Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
references:
    - https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
    - https://github.com/trufflesecurity/trufflehog
    - https://github.com/corneliusweig/rakkess
author: uniqu3-us3r
date: 2026-04-28
tags:
    - attack.execution
    - attack.discovery
    - attack.t1609
    - attack.t1613
logsource:
    product: kubernetes
    service: audit
detection:
    selection_status:
        responseStatus.code: 'ALLOW'
    selection_request_uri:
        requestURI|contains:
            # Shells Encoded
            - '%2fbin%2fash'
            - '%2fbin%2fbash'
            - '%2fbin%2fbusybox'
            - '%2fbin%2fdash'
            - '%2fbin%2fsh'
            - '%2fbin%2fzsh'
            # Shells Plain
            - '/bin/ash'
            - '/bin/bash'
            - '/bin/busybox'
            - '/bin/dash'
            - '/bin/sh'
            - '/bin/zsh'
            # Tools Encoded
            - '%2fusr%2fbin%2fcurl'
            - '%2fusr%2fbin%2fkubectl'
            - '%2fusr%2fbin%2fperl'
            - '%2fusr%2fbin%2fpython'
            - '%2fusr%2fbin%2fwget'
            # Tools Plain
            - '/usr/bin/curl'
            - '/usr/bin/kubectl'
            - '/usr/bin/perl'
            - '/usr/bin/python'
            - '/usr/bin/wget'
    selection_request_user_agent:
        userAgent|contains:
            - 'access_matrix'  # Rakkess
            - 'trufflehog'     # Secret scanning tool
            - 'azurehound'     # Azure/Cloud discovery
            - 'micro-scanner'  # Vulnerability scanning
    condition: selection_status and 1 of selection_request_*
falsepositives:
    - Authorized administrative maintenance via kubectl
    - Automated internal infrastructure monitoring and certificate rotation
    - Security-approved vulnerability or secret scanning in DevSecOps pipelines
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/application/kubernetes/audit/kubernetes_audit_potential_enumeration_activity.yml