Which SIEM platforms have a CVE-2026-47103 detection rule?

df00tech provides CVE-2026-47103 (python-statemachine SCXML Eval Injection (CVE-2026-47103)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect python-statemachine SCXML Eval Injection (CVE-2026-47103) (CVE-2026-47103)?

Detecting python-statemachine SCXML Eval Injection (CVE-2026-47103) requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel, Azure Monitor.

What severity and confidence is the CVE-2026-47103 detection?

The CVE-2026-47103 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2026-47103?

Common false positives for CVE-2026-47103 include: Legitimate applications using python-statemachine with developer-supplied SCXML files for workflow automation; CI/CD pipelines running python-statemachine unit tests with SCXML fixtures; Data science environments where multiple Python subprocesses are spawned as normal workflow.

CVE-2026-47103: python-statemachine SCXML <data expr> Eval Injection — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let vulnerable_import = dynamic(['statemachine', 'python_statemachine', 'StateMachine']);
DeviceProcessEvents
| where FileName in~ ('python.exe', 'python3', 'python3.exe', 'uvicorn', 'gunicorn', 'uwsgi', 'flask', 'fastapi')
    or InitiatingProcessFileName in~ ('python.exe', 'python3', 'python3.exe')
| where ProcessCommandLine has_any ('statemachine', 'scxml', '.scxml')
    or ProcessCommandLine matches regex @'(?i)(eval|exec).*scxml'
| union (
    DeviceFileEvents
    | where FileName endswith '.scxml'
    | where ActionType in ('FileCreated', 'FileModified')
)
| union (
    DeviceNetworkEvents
    | where InitiatingProcessFileName in~ ('python.exe', 'python3', 'python3.exe')
    | where RemotePort !in (80, 443, 8080, 8443)
    | where InitiatingProcessCommandLine has_any ('statemachine', 'scxml')
)
| extend RiskScore = case(
    ProcessCommandLine matches regex @'(?i)(subprocess|os\.system|__import__|exec|eval|base64)', 90,
    ProcessCommandLine has '.scxml', 60,
    40
)
| where RiskScore >= 40
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, RemoteIP, RemotePort, RiskScore
| sort by RiskScore desc, TimeGenerated desc

Detects execution patterns consistent with exploitation of CVE-2026-47103: Python processes loading statemachine libraries, creation or modification of SCXML files, suspicious eval/exec patterns in Python command lines, and unexpected outbound network from statemachine-associated Python processes.

critical severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel Azure Monitor

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceNetworkEvents

False Positives

Legitimate applications using python-statemachine with developer-supplied SCXML files for workflow automation
CI/CD pipelines running python-statemachine unit tests with SCXML fixtures
Data science environments where multiple Python subprocesses are spawned as normal workflow
Application health-check scripts that spawn Python processes regularly

Splunk

spl

index=* sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "osquery:results", "auditd")
| eval cmd=coalesce(CommandLine, command, cmdline, process)
| eval parent=coalesce(ParentCommandLine, parent_cmdline, parent_process)
| where match(cmd, "(?i)(statemachine|scxml)") OR match(cmd, "(?i)(\.scxml)")
| eval suspicious_pattern=if(
    match(cmd, "(?i)(subprocess\.\w+|os\.system|__import__|exec\s*\(|eval\s*\(|base64\.b64decode)"), 1, 0
  )
| eval scxml_file=if(match(cmd, "(?i)\.scxml"), 1, 0)
| eval network_spawn=if(match(parent, "(?i)(statemachine|scxml)") AND sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=3, 1, 0)
| eval risk_score=case(
    suspicious_pattern=1, 90,
    scxml_file=1 AND match(cmd, "(?i)(statemachine|python)"), 70,
    scxml_file=1, 50,
    true(), 30
  )
| where risk_score >= 50
| stats count min(_time) as first_seen max(_time) as last_seen values(cmd) as commands values(host) as hosts by risk_score, suspicious_pattern
| sort -risk_score
| eval first_seen=strftime(first_seen, "%Y-%m-%dT%H:%M:%SZ"), last_seen=strftime(last_seen, "%Y-%m-%dT%H:%M:%SZ")

SPL search for CVE-2026-47103 exploitation indicators across Sysmon, Linux audit, and osquery sources. Scores events by risk based on SCXML file involvement, statemachine library usage, and presence of dangerous Python built-ins in command lines.

critical severity medium confidence

Data Sources

Splunk Enterprise Security Sysmon Linux Auditd osquery

Required Sourcetypes

WinEventLog:Microsoft-Windows-Sysmon/Operational linux_secure osquery:results auditd

False Positives

Developers testing python-statemachine with SCXML workflows in local environments
Automated test suites that execute Python statemachine scenarios as part of integration testing
Data pipeline scripts that generate SCXML files programmatically for legitimate workflow definitions
Security researchers running PoC in isolated lab environments

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start"
   and (
     process.name in ("python", "python3", "python3.9", "python3.10", "python3.11", "python3.12")
     or process.parent.name in ("python", "python3")
   )
   and (
     process.command_line like~ "*statemachine*"
     or process.command_line like~ "*.scxml*"
     or process.args_count > 0 and process.command_line like~ "*scxml*"
   )
  ] by process.entity_id
  [any where event.category in ("network", "file")
   and (
     (event.category == "network" and not destination.port in (80, 443, 8080, 8443, 5432, 3306, 6379))
     or (event.category == "file" and file.extension == "scxml")
   )
  ] by process.entity_id

EQL sequence detection correlating Python process startup with statemachine/SCXML references followed by unexpected network connections or SCXML file operations, identifying the full kill chain for CVE-2026-47103 exploitation.

critical severity high confidence

Data Sources

Elastic Security Elastic Agent Auditbeat Winlogbeat

Required Tables

logs-* endgame-* .ds-logs-endpoint.events.*

False Positives

Applications with legitimate SCXML-driven workflow engines making internal API calls post-initialization
Python microservices that connect to databases or message queues after loading state machine definitions
Development environments where SCXML files are created and Python processes connect to local services
Monitoring agents that create temporary SCXML files as part of health-check workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "destinationip",
  "destinationport",
  "username",
  "Command" AS command_line,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Linux OS', 'Sysmon')
  AND (
    "Command" ILIKE '%statemachine%'
    OR "Command" ILIKE '%.scxml%'
    OR "Command" ILIKE '%scxml%'
  )
  AND (
    "Command" ILIKE '%eval(%'
    OR "Command" ILIKE '%exec(%'
    OR "Command" ILIKE '%__import__%'
    OR "Command" ILIKE '%subprocess%'
    OR "Command" ILIKE '%os.system%'
    OR "Command" ILIKE '%base64%'
    OR "destinationport" NOT IN (80, 443, 8080, 8443)
  )
  AND LOGSOURCETYPENAME(devicetype) NOT ILIKE '%firewall%'
LAST 24 HOURS
ORDER BY starttime DESC
LIMIT 500

QRadar AQL query to surface command-line events containing python-statemachine or SCXML references combined with dangerous Python evaluation patterns or unexpected outbound ports, indicating potential CVE-2026-47103 exploitation.

critical severity medium confidence

Data Sources

IBM QRadar Windows Security Event Log Linux Syslog Sysmon

Required Tables

events

False Positives

Legitimate Python web applications using python-statemachine for business logic with external service calls
DevOps tooling that generates SCXML from templates and invokes subprocesses for pipeline steps
Internal automation scripts that use statemachine for orchestration and connect to internal endpoints
Security scanning tools that inspect Python dependencies and spawn subprocesses

Sumo Logic CSE

sql

_sourceCategory=* ("statemachine" OR ".scxml" OR "scxml")
| parse regex field=_raw "(?P<command_line>(?:python|python3)[^\n]{0,500})"
| where !isNull(command_line)
| eval suspicious=if(
    command_line matches "(?i).*(eval\\(|exec\\(|__import__|subprocess|os\.system|base64\.b64decode).*",
    true, false
  )
| eval scxml_ref=if(command_line matches "(?i).*(\.scxml|scxml).*", true, false)
| eval statemachine_ref=if(command_line matches "(?i).*(statemachine).*", true, false)
| eval risk=if(suspicious and (scxml_ref or statemachine_ref), "CRITICAL",
           if(scxml_ref and statemachine_ref, "HIGH",
           if(scxml_ref or statemachine_ref, "MEDIUM", "LOW")))
| where risk in ("CRITICAL", "HIGH")
| count by _sourceHost, risk, suspicious, command_line
| sort by risk asc, _count desc

Sumo Logic search correlating Python command lines referencing statemachine or SCXML with dangerous eval/exec patterns. Triages results by computed risk level to highlight likely CVE-2026-47103 exploitation attempts.

critical severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Linux System Logs Windows Event Logs Application Logs

Required Tables

_sourceCategory=*

False Positives

Application servers logging startup commands that reference statemachine library initialization
Deployment scripts that echo command lines containing statemachine and subprocess calls for legitimate orchestration
Test harnesses that log Python invocations including statemachine and subprocess for CI reporting
Debugging sessions where developers print command lines containing eval or exec for diagnostic purposes

Google Chronicle / SecOps

yaral

rule cve_2026_47103_python_statemachine_eval_injection {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-47103: python-statemachine SCXML eval injection"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/fgmacedo/python-statemachine/security/advisories/GHSA-v4jc-pm6r-3vj8"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /python(3(\.[0-9]+)?)?(\.exe)?$/
    (
      $e.target.process.command_line = /statemachine/
      or $e.target.process.command_line = /\.scxml/
      or $e.target.process.command_line = /scxml/
    )
    (
      $e.target.process.command_line = /eval\s*\(/
      or $e.target.process.command_line = /exec\s*\(/
      or $e.target.process.command_line = /__import__/
      or $e.target.process.command_line = /subprocess/
      or $e.target.process.command_line = /os\.system/
      or $e.target.process.command_line = /base64\.b64decode/
    )
    $hostname = $e.principal.hostname

  match:
    $hostname over 5m

  outcome:
    $risk_score = max(if(
      $e.target.process.command_line = /eval\s*\(/ or
      $e.target.process.command_line = /__import__/, 95, 75
    ))
    $command = array_distinct($e.target.process.command_line)

  condition:
    #e > 0
}

Chronicle YARA-L 2.0 rule detecting python-statemachine SCXML eval injection exploitation. Matches Python process launches combining statemachine/SCXML references with dangerous code execution built-ins.

critical severity high confidence

Data Sources

Google Chronicle CrowdStrike Falcon Carbon Black Windows Event Logs Linux Auditd

Required Tables

UDM Events

False Positives

Legitimate machine learning pipelines using python-statemachine for model training workflows with subprocess calls
Internal tooling that combines SCXML state definitions with subprocess for job scheduling
Developer workstations running statemachine-heavy applications with debugging eval statements enabled
Automated document processing pipelines that create SCXML from templates and use exec for post-processing

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2)
| CommandLine = /(?i)(statemachine|\.scxml|scxml)/
| eval dangerous_eval = if(
    CommandLine = /(?i)(eval\s*\(|exec\s*\(|__import__|subprocess\.|os\.system|base64\.b64decode)/,
    1, 0
  )
| eval scxml_file = if(CommandLine = /(?i)\.scxml/, 1, 0)
| eval statemachine_lib = if(CommandLine = /(?i)statemachine/, 1, 0)
| eval risk_score = case(
    dangerous_eval = 1 AND statemachine_lib = 1, 95,
    dangerous_eval = 1 AND scxml_file = 1, 90,
    statemachine_lib = 1 AND scxml_file = 1, 70,
    dangerous_eval = 1, 60,
    true, 40
  )
| where risk_score >= 60
| eval FileName = FileName + " (" + SHA256HashData + ")"
| table _time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, risk_score, dangerous_eval
| sort -risk_score, -_time
| head 200

CrowdStrike CQL hunt across process execution events for python-statemachine SCXML eval injection patterns. Scores by combination of statemachine library usage, SCXML file reference, and presence of dangerous Python execution primitives.

critical severity high confidence

Data Sources

CrowdStrike Falcon Platform CrowdStrike Threat Graph

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Python automation frameworks that use statemachine and spawn subprocesses for task execution
Data engineering jobs using SCXML workflow definitions alongside subprocess-based data transformations
Enterprise applications with SCXML-driven UI logic that perform eval-based configuration loading
Penetration testing tools that reference statemachine patterns for workflow simulation

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-47103 python-statemachine SCXML <data expr> Eval Injection (CVE-2026-47103)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-47103

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox