Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Indexed Rules: 3,707 (ready to search)

Backends: 17 (live from sigconverter.io)

CLI Versions: 10 (newest: 2.0.2)

Translation Workspace

Shape the rule before it leaves Phoenix

Active Rule: Low Reputation Effective Top-Level Domain (eTLD)

Target Profile: Splunk (Splunk SPL & tstats data model queries)

Format Mode: Default (plain SPL queries)

Conversion Output

Low Reputation Effective Top-Level Domain (eTLD)

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

Backend: Splunk · Format: Default · Version: 2.0.2

title: Low Reputation Effective Top-Level Domain (eTLD)
id: cf5ee356-65c4-4556-8d11-6977fcdfed4b
status: experimental
description: Detects DNS queries to domains within known low reputation eTLDs. This rule uses AlphaSOC's threat intelligence data and is updated on a monthly basis.
references:
    - https://feeds.alphasoc.net/bad-etlds.txt
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-08-04
tags:
    - attack.command-and-control
    - attack.t1071.004
    - attack.initial-access
    - detection.threat-hunting
logsource:
    category: dns
detection:
    selection:
        query|endswith:
            - '.duckdns.org'
            - '.top'
            - '.ddns.net'
            - '.gl.at.ply.gg'
            - '.portmap.io'
            - '.icu'
            - '.zapto.org'
            - '.live'
            - '.hopto.org'
            - '.portmap.host'
            - '.sbs'
            - '.sytes.net'
            - '.click'
            - '.ydns.eu'
            - '.site'
            - '.cloud'
            - '.no-ip.org'
            - '.kozow.com'
            - '.lat'
            - '.pro'
    condition: selection
falsepositives:
    - Unknown
level: medium
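Added example, not part of Phoenix Studio, sigma-cli or the rule's author: the rule's `query|endswith` selection applied in Python to constructed DNS events, so the hit set can be reviewed before the translated query goes into production. The event field names and the sample events are assumptions; the suffix list is copied from the rule above.

```python
from __future__ import annotations

# Suffix list copied from the rule's `selection` block on this page.
BAD_ETLD_SUFFIXES = [
    ".duckdns.org", ".top", ".ddns.net", ".gl.at.ply.gg", ".portmap.io",
    ".icu", ".zapto.org", ".live", ".hopto.org", ".portmap.host", ".sbs",
    ".sytes.net", ".click", ".ydns.eu", ".site", ".cloud", ".no-ip.org",
    ".kozow.com", ".lat", ".pro",
]


def matches_low_reputation_etld(query: str) -> bool:
    """Sigma `endswith` semantics: a literal, case-insensitive suffix test
    on the query string. No other normalisation is applied, which mirrors
    what the translated backend query will do with the raw field value."""
    q = query.lower()
    return any(q.endswith(suffix) for suffix in BAD_ETLD_SUFFIXES)


def run_detection(events: list[dict]) -> list[dict]:
    """Return the events whose `query` field satisfies the rule's selection."""
    return [e for e in events if matches_low_reputation_etld(e.get("query", ""))]


# Constructed sample DNS events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "query": "update.example.com"},
    {"host": "ws-02", "query": "c2-relay.duckdns.org"},
    {"host": "ws-03", "query": "Portal.Corp.TOP."},       # FQDN with trailing dot
    {"host": "ws-04", "query": "files.top.example.net"},  # '.top' not at the end
    {"host": "ws-05", "query": "node.gl.at.ply.gg"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['query']}")
```

Note that `Portal.Corp.TOP.` is not a hit: a suffix match cannot see past a trailing dot, so DNS sources that log queries in FQDN form need that dot stripped in the ingest pipeline before this rule's translation is useful.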

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-threat-hunting/network/net_dns_low_reputation_etld.yml