Detection Rules Pro Feed

Description:

A full collection of new rules and rule modifications. Rules are pre-processed and are shipped with extracted key observables (IPs, hashes, etc.) for direct use in SIEM/TIP platforms. The feed is designed for SOC teams and detection engineers who need reliable, actionable data for direct use in SIEM/TIP platforms and for CTI correlation. The inclusion of rule updates also aids teams in maintaining and refining their own detection logic by observing community best practices.

Application:

Informed detection engineering - reduce the significant manual effort of discovering, collecting, parsing, normalizing, and extracting value from public rule repositories.
Direct SIEM/TIP/SOAR integration - the structured STIX2.1 format with explicit observables allows for straightforward ingestion and use in your existing security platforms.
Improved threat hunting - leverage detection logic and extracted observables for proactive threat hunting exercises.
Improved coverage and performance - the information about new rules and the details on rule modifications helps your team to maintain and tune their existing rules easier.
CTI correlation - match observables against your other threat intelligence feeds, internal logs, and CTI databases to uncover related activity and inform your detection priorisation.

Entities:

Identity: 39 Indicator: 8211 Directory: 3696Domain-Name: 1159Email-Addr: 28File: 5232Ipv4-Addr: 54Ipv6-Addr: 12Process: 6733Relationship: 28987Windows-Registry-Key: 926

Rules:

anvilogic: 58elastic-edr: 332elastic-siem: 415fibratus: 81kql: 76osquery: 78sigma: 944splunk: 1811sublime-security: 192wazuh: 1yara: 314

Get access for $1000/month, with 14 days trial

STIX/TAXII endpoints:

API root:

https://dispatch.ctichef.com/

Collection:

4a305f4c-f4dc-4319-b858-4eefceb12ec8

Content preview:

Latest 10 entities:

Type	Details	Created At
	Suspicious Microsoft OAuth Flow via Auth Broker to DRS elastic-siem New rule This rule detects a potential OAuth phishing attack in Microsoft Entra ID. It identifies scenarios where two successful sign-in events share the same user principal and session ID but originate from different IP addresses within a five-minute window. The detection logic specifically targets OAuth flows where the client application is the Microsoft Authentication Broker (MAB) and the resource is the Device Registration Service (DRS), a pattern highly indicative of an attacker using a stolen authorization code to gain access. Relevant MITRE ATT&CK tactics: TA0001, TA0006 Relevant MITRE ATT&CK techniques: T1566, T1566.002, T1528 initial-access credential-access cloud-security malicious-activity TA0001 TA0006 T1566 T1566.002 T1528	Jun 17, 2025
	Potential Kerberos SPN Spoofing via Suspicious DNS Query elastic-siem New rule This rule identifies DNS queries on Windows systems containing a specific Base64-encoded pattern (`UWhRCBAAAA*`). This pattern is indicative of a marshaled CREDENTIAL_TARGET_INFORMATION structure, which is a key component in Kerberos coercion attacks. Adversaries exploit this by creating malicious DNS records to spoof a Service Principal Name (SPN), tricking a victim system into authenticating to an attacker-controlled host. This technique facilitates credential theft, often through NTLM reflection. Relevant MITRE ATT&CK tactics: TA0006 Relevant MITRE ATT&CK techniques: T1557, T1557.001, T1187 credential-access malicious-activity endpoint-security TA0006 T1557 T1557.001 T1187	Jun 17, 2025
	Potential Kerberos Coercion via DNS-Based SPN Spoofing elastic-siem New rule This rule detects the creation of a DNS record containing a specific base64-encoded pattern (`UWhRCA...BAAAA`), which corresponds to a marshaled `CREDENTIAL_TARGET_INFORMATION` structure. This activity is indicative of Kerberos coercion attacks that leverage DNS-based SPN spoofing. Adversaries use this technique to force systems to authenticate to attacker-controlled hosts, enabling reflective Kerberos relay attacks to gain privileged access, potentially as `NT AUTHORITY\SYSTEM`. Relevant MITRE ATT&CK tactics: TA0006 Relevant MITRE ATT&CK techniques: T1557, T1557.001, T1187 credential-access endpoint-security malicious-activity TA0006 T1557 T1557.001 T1187	Jun 17, 2025
	Brand Impersonation: Meta and Subsidiaries sublime-security This rule detects email-based impersonation of Meta and its subsidiaries like Facebook and Instagram. It analyzes sender display names for variations of 'Facebook Ads', 'Meta Support', and others, and also checks sender domain names. The logic combines these indicators with advanced checks, including logo detection, Natural Language Understanding (NLU) to identify credential theft intentions, and looks for specific physical addresses like '1 Facebook Way' in the email body. The rule is designed to reduce false positives by excluding known legitimate domains and considering sender reputation. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566, T1566.002 malicious-activity credential-access TA0001 T1566 T1566.002	Jun 17, 2025
	AWS IAM Assume Role Policy Update elastic-siem This rule detects updates to an AWS IAM role's trust policy by an IAM user or Assumed Role identity. This action, identified via the 'UpdateAssumeRolePolicy' event in CloudTrail logs, can be leveraged by attackers to modify which principals can assume a role, potentially gaining its privileges. The rule employs a 'New Terms' logic, triggering only on the first observation of a unique combination of `cloud.account.id`, `user.name`, and `roleName` within a 14-day period to reduce noise from legitimate administrative activities. Relevant MITRE ATT&CK tactics: TA0004 Relevant MITRE ATT&CK techniques: T1078, T1078.004, T1098.003 privilege-escalation cloud-security malicious-activity TA0004 T1078 T1078.004 T1098.003	Jun 17, 2025
	`domain-name--8dbf1c3a-2d0b-512b-a5d2-d7d749ce25db`	Jun 17, 2025
	`relationship--3484f7e3-7f55-4fa2-a45f-8c3008155845`	Jun 17, 2025
	`relationship--afde75de-71c2-4cc5-a069-2cbd38c96991`	Jun 17, 2025
	AWS EC2 User Data Retrieval for EC2 Instance elastic-siem Identifies discovery request DescribeInstanceAttribute with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance such as hardcoded credentials or to identify potential vulnerabilities. This is a New Terms rule that identifies the first time an IAM user or role requests the user data for a specific EC2 instance. Relevant MITRE ATT&CK tactics: TA0007, TA0006 Relevant MITRE ATT&CK techniques: T1580, T1552, T1552.005 discovery credential-access cloud-security malicious-activity TA0007 TA0006 T1580 T1552 T1552.005	Jun 17, 2025
	`relationship--1f27cd91-a259-40be-a377-4e17259c961b`	Jun 17, 2025