Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Grafana Path Traversal Exploitation CVE-2021-43798
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Grafana Path Traversal Exploitation CVE-2021-43798
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
Backend: Splunk · Format: Default · Version: 2.0.2
title: Grafana Path Traversal Exploitation CVE-2021-43798
id: 7b72b328-5708-414f-9a2a-6a6867c26e16
status: test
description: Detects a successful Grafana path traversal exploitation
references:
    - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
    - https://github.com/search?q=CVE-2021-43798
author: Florian Roth (Nextron Systems)
date: 2021-12-08
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-43798
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_traversal:
        cs-uri-query|contains: '/../../../../../../../'
        sc-status: 200
    selection_plugins:
        cs-uri-query|contains:
            - '/public/plugins/live'
            - '/public/plugins/icon'
            - '/public/plugins/loki'
            - '/public/plugins/text'
            - '/public/plugins/logs'
            - '/public/plugins/news'
            - '/public/plugins/stat'
            - '/public/plugins/mssql'
            - '/public/plugins/mixed'
            - '/public/plugins/mysql'
            - '/public/plugins/tempo'
            - '/public/plugins/graph'
            - '/public/plugins/gauge'
            - '/public/plugins/table'
            - '/public/plugins/debug'
            - '/public/plugins/zipkin'
            - '/public/plugins/jaeger'
            - '/public/plugins/geomap'
            - '/public/plugins/canvas'
            - '/public/plugins/grafana'
            - '/public/plugins/welcome'
            - '/public/plugins/xychart'
            - '/public/plugins/heatmap'
            - '/public/plugins/postgres'
            - '/public/plugins/testdata'
            - '/public/plugins/opentsdb'
            - '/public/plugins/influxdb'
            - '/public/plugins/barchart'
            - '/public/plugins/annolist'
            - '/public/plugins/bargauge'
            - '/public/plugins/graphite'
            - '/public/plugins/dashlist'
            - '/public/plugins/piechart'
            - '/public/plugins/dashboard'
            - '/public/plugins/nodeGraph'
            - '/public/plugins/alertlist'
            - '/public/plugins/histogram'
            - '/public/plugins/table-old'
            - '/public/plugins/pluginlist'
            - '/public/plugins/timeseries'
            - '/public/plugins/cloudwatch'
            - '/public/plugins/prometheus'
            - '/public/plugins/stackdriver'
            - '/public/plugins/alertGroups'
            - '/public/plugins/alertmanager'
            - '/public/plugins/elasticsearch'
            - '/public/plugins/gettingstarted'
            - '/public/plugins/state-timeline'
            - '/public/plugins/status-history'
            - '/public/plugins/grafana-clock-panel'
            - '/public/plugins/grafana-simple-json-datasource'
            - '/public/plugins/grafana-azure-monitor-datasource'
    condition: all of selection*
falsepositives:
    - Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error
level: critical
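To see what this rule actually fires on before it is translated, the following is an added example (not Phoenix Studio's code and not part of the SigmaHQ rule) that evaluates the detection block in plain Python over a constructed log. It assumes a W3C-style log whose request URI lands in a field named cs-uri-query and whose response code is in sc-status, matching the rule's field names, and it carries only a subset of the rule's selection_plugins list; the sample log lines are made up for the demonstration.

```python
# Added example (not Phoenix Studio's or SigmaHQ's code): a plain-Python
# evaluator for the detection block of the Grafana CVE-2021-43798 rule, run
# over constructed webserver log lines. It shows which requests the rule's
# "all of selection*" condition flags and which it leaves alone.
from __future__ import annotations

# Value copied from the rule's selection_traversal block.
TRAVERSAL = "/../../../../../../../"
# A subset of the rule's selection_plugins list (assumption for brevity);
# the real rule enumerates every bundled Grafana plugin path.
PLUGIN_PATHS = [
    "/public/plugins/alertlist",
    "/public/plugins/welcome",
    "/public/plugins/grafana-clock-panel",
    "/public/plugins/prometheus",
    "/public/plugins/mysql",
    "/public/plugins/graph",
]

# Constructed sample log, not a real capture. The layout follows the rule's
# field names: request URI in cs-uri-query, HTTP response code in sc-status.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2021-12-08 10:00:01 203.0.113.5 GET /public/plugins/alertlist/../../../../../../../../etc/passwd 200
2021-12-08 10:00:02 203.0.113.5 GET /public/plugins/alertlist/../../../../../../../../etc/passwd 404
2021-12-08 10:00:03 198.51.100.7 GET /public/plugins/grafana-clock-panel/module.js 200
2021-12-08 10:00:04 203.0.113.5 GET /api/../../../../../../../../etc/passwd 200
2021-12-08 10:00:05 203.0.113.5 GET /public/plugins/welcome/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd 200
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C-style log text: a #Fields: header, then space-separated rows."""
    fields: list[str] | None = None
    events: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        events.append(dict(zip(fields, values)))
    return events


def contains(event: dict[str, str], field: str, needle: str) -> bool:
    """Sigma's |contains modifier: substring match, case-insensitive by default."""
    return needle.lower() in event.get(field, "").lower()


def evaluate(event: dict[str, str]) -> dict[str, bool]:
    """Evaluate each named selection and the rule's condition for one event."""
    selection_traversal = (
        contains(event, "cs-uri-query", TRAVERSAL)
        and event.get("sc-status") == "200"  # sc-status: 200 (log value is a string)
    )
    # A list under |contains is an OR over the listed values.
    selection_plugins = any(contains(event, "cs-uri-query", p) for p in PLUGIN_PATHS)
    return {
        "selection_traversal": selection_traversal,
        "selection_plugins": selection_plugins,
        # condition: all of selection*  -> every selection_* block must match
        "match": selection_traversal and selection_plugins,
    }


def detect(text: str) -> list[dict[str, str]]:
    """Return the events from the log text that the rule would alert on."""
    return [ev for ev in parse_w3c(text) if evaluate(ev)["match"]]


if __name__ == "__main__":
    for ev in parse_w3c(SAMPLE_LOG):
        print(ev["time"], ev["sc-status"], ev["cs-uri-query"], "->", evaluate(ev))
```

Of the five constructed requests only the first is flagged. The 404 probe fails selection_traversal because the rule keys on a 200 response, which is what makes it a "successful exploitation" rule rather than a scanner-noise rule. The request under /api/ carries the traversal but no plugin path, so selection_plugins stays false. The last line is the caveat worth remembering: the rule matches the literal "/../" sequence, so a URL-encoded traversal such as "..%2f" only matches if the log source decodes the URI before it is indexed.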
CLI command
Copy the exact command to reproduce this translation locally. Note that --without-pipeline converts with no processing pipeline, so the rule's field names (cs-uri-query, sc-status) pass through unmapped; pick a pipeline that matches your Splunk field names before deploying the query.
sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2021/Exploits/CVE-2021-43798/web_cve_2021_43798_grafana.yml