Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Potential Operation Triangulation C2 Beaconing Activity - Proxy

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Potential Operation Triangulation C2 Beaconing Activity - Proxy

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Potential Operation Triangulation C2 Beaconing Activity - Proxy
id: aa03c712-75c6-438b-8d42-de88f2427e09
related:
    - id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 # DNS C2
      type: similar
status: test
description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
references:
    - https://securelist.com/operation-triangulation/109842/
    - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
author: Florian Roth (Nextron Systems)
date: 2023-06-01
tags:
    - attack.command-and-control
    - attack.g0020
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-host|contains:
            - 'addatamarket.net'
            - 'ans7tv.net'
            - 'anstv.net'
            - 'backuprabbit.com'
            - 'businessvideonews.com'
            - 'cloudsponcer.com'
            - 'datamarketplace.net'
            - 'growthtransport.com'
            - 'mobilegamerstats.com'
            - 'snoweeanalytics.com'
            - 'tagclick-cdn.com'
            - 'topographyupdates.com'
            - 'unlimitedteacup.com'
            - 'virtuallaughing.com'
            - 'web-trackers.com'
    condition: selection
falsepositives:
    - Unknown
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml