Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Exploitation Attempt Of CVE-2023-46214 Using Public POC Code

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Exploitation Attempt Of CVE-2023-46214 Using Public POC Code

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
related:
    - id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
      type: derived
status: test
description: |
    Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
references:
    - https://github.com/nathan31337/Splunk-RCE-poc/
    - https://blog.hrncirik.net/cve-2023-46214-analysis
    - https://advisory.splunk.com/advisories/SVD-2023-1104
author: Lars B. P. Frydenskov(Trifork Security)
date: 2023-11-27
tags:
    - attack.lateral-movement
    - attack.t1210
    - cve.2023-46214
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_method_and_response:
        cs-method: POST
        sc-status:
            - 200
            - 302
    selection_uri_upload:
        cs-uri-stem|contains: '/splunkd/__upload/indexing/preview'
        cs-uri-query|contains|all:
            - 'NO_BINARY_CHECK=1'
            - 'input.path=shell.xsl'
    selection_uri_search:
        cs-uri-stem|contains|all:
            - '/api/search/jobs'
            - '/results'
        cs-uri-query|contains|all:
            - '/opt/splunk/var/run/splunk/dispatch/'
            - '/shell.xsl'
    condition: selection_method_and_response and 1 of selection_uri_*
falsepositives:
    - Unlikely
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml