Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
GCP Break-glass Container Workload Deployed
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
GCP Break-glass Container Workload Deployed
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: GCP Break-glass Container Workload Deployed
id: 76737c19-66ee-4c07-b65a-a03301d1573d
status: test
description: |
Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
references:
- https://cloud.google.com/binary-authorization
author: Bryan Lim
date: 2024-01-12
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.t1548
logsource:
product: gcp
service: gcp.audit
detection:
selection:
data.protoPayload.resource.type: 'k8s_cluster'
data.protoPayload.logName:
- 'cloudaudit.googleapis.com/activity'
- 'cloudaudit.googleapis.com%2Factivity'
data.protoPayload.methodName: 'io.k8s.core.v1.pods.create'
keywords:
- 'image-policy.k8s.io/break-glass'
condition: selection and keywords
falsepositives:
- Unknown
level: medium
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml