Description:
A full collection of new rules and rule modifications. Rules are pre-processed and shipped with extracted key observables (IPs, hashes, etc.) for direct use in SIEM/TIP platforms. The feed is designed for SOC teams and detection engineers who need reliable, actionable data for SIEM/TIP ingestion and for CTI correlation. The inclusion of rule updates also helps teams maintain and refine their own detection logic by observing community best practices.
Use cases:
- Informed detection engineering - reduce the significant manual effort of discovering, collecting, parsing, normalizing, and extracting value from public rule repositories.
- Direct SIEM/TIP/SOAR integration - the structured format with explicit observables (STIX 2.1 or MISP) allows for straightforward ingestion and use in your existing security platforms.
- Improved threat hunting - leverage detection logic and extracted observables for proactive threat hunting exercises.
- Improved coverage and performance - the information about new rules and the details on rule modifications help your team maintain and tune its existing rules more easily.
- CTI correlation - match observables against your other threat intelligence feeds, internal logs, and CTI databases to uncover related activity and inform your detection prioritisation.
Rules:
- anvilogic: 75
- elastic-edr: 740
- elastic-siem: 1099
- fibratus: 84
- kql: 238
- osquery: 100
- sentinel: 4
- sigma: 1766
- splunk: 1981
- sublime: 3
- sublime-security: 453
- wazuh: 1
- yara: 468
Entities:
- Identity: 52
- Indicator: 13712
- Directory: 6648
- Domain-Name: 2188
- Email-Addr: 42
- File: 11456
- Ipv4-Addr: 145
- Ipv6-Addr: 67
- Process: 12044
- Relationship: 65172
- Windows-Registry-Key: 1364
MISP feed:
STIX/TAXII feed:
RSS feed:
Content preview:

Latest 10 entities:
- sublime-security
This rule detects brand impersonation of the United States Postal Service (USPS). It analyzes inbound emails for the presence of the USPS logo or the 'USPS' string in the sender's display name. The logic further requires links and a combination of suspicious factors such as specific keywords ('redelivery', 'package'), impersonal greetings, or links that do not lead to the legitimate usps.com domain, while aiming to exclude legitimate newsletters, replies, and forwards.
Relevant MITRE ATT&CK tactics: TA0001
Relevant MITRE ATT&CK techniques: T1566

name: "Brand impersonation: USPS"
description: "Impersonation of the United States Postal Service."
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
    or strings.icontains(sender.display_name, "USPS")
  )
  and length(body.links) > 0
  and 2 of (
    any(body.links,
        strings.ilike(.display_text, "*check now*", "*track*", "*package*", '*view your order*')
    ),
    strings.ilike(body.current_thread.text, "*returned*to*sender*", "*redelivery*", '*USPS promotions*'),
    // impersonal greeting
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "recipient" and .text =~ "Customer"
    ),
    // no links go to usps.com
    all(body.links, .href_url.domain.root_domain != "usps.com")
  )
  and (
    sender.email.dom...

Tags: malicious-activity, credential-access, TA0001, T1566
License: MIT License
- elastic-siem
This rule identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress or egress entries. It monitors AWS CloudTrail logs for `DeleteNetworkAcl` or `DeleteNetworkAclEntry` events from the `ec2.amazonaws.com` provider. An alert from this rule may indicate that an adversary is attempting to impair defenses by removing network-level security controls to enable unauthorized access or data exfiltration.
Relevant MITRE ATT&CK tactics: TA0005
Relevant MITRE ATT&CK techniques: T1562, T1562.007

[metadata]
creation_date = "2020/05/26"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.
"""
false_positives = [
    """
    Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "5m"
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Network Access Control List Deletion"
note = """## Triage and analysis

### Investigating AWS EC2 Network Access Control List Deletion

AWS EC2 Network ACLs are essential for controlling in...

Tags: cloud-security, network-security, defense-evasion, TA0005, T1562, T1562.007
License: Elastic License 2.0
- elastic-siem
This rule detects the creation of a new AWS CloudTrail trail using the CreateTrail API. Adversaries may create new trails to exfiltrate data to attacker-controlled S3 buckets or CloudWatch destinations, or to subvert existing monitoring by creating trails with limited regional scope. Legitimate creation is expected during initial setup or for auditing enhancements, but any new trail should be validated for proper configuration, including destination ownership, encryption, and multi-region coverage.
Relevant MITRE ATT&CK tactics: TA0009, TA0005
Relevant MITRE ATT&CK techniques: T1530, T1562

[metadata]
creation_date = "2020/06/10"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
Detects creation of a new AWS CloudTrail trail via CreateTrail API. While legitimate during onboarding or auditing improvements, adversaries can create trails that write to attacker-controlled destinations, limit regions, or otherwise subvert monitoring objectives. New trails should be validated for destination ownership, encryption, multi-region coverage, and organizational scope.
"""
false_positives = [
    """
    Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "...

Tags: cloud-security, collection, TA0009, TA0005, T1530, T1562
License: Elastic License 2.0
- elastic-siem
This rule detects the deletion of an AWS CloudTrail trail through the 'DeleteTrail' API call. Deleting CloudTrail logs is a significant defense evasion technique as it removes the audit trail for actions performed within an AWS account. The detection focuses on successful 'DeleteTrail' events originating from 'cloudtrail.amazonaws.com'.
Relevant MITRE ATT&CK tactics: TA0005
Relevant MITRE ATT&CK techniques: T1562, T1562.001, T1562.008

[metadata]
creation_date = "2020/05/26"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
Detects deletion of an AWS CloudTrail trail via DeleteTrail API. Removing trails is a high-risk action that destroys an audit control plane and is frequently paired with other destructive or stealthy operations. Validate immediately and restore compliant logging.
"""
false_positives = [
    """
    Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudTrail Log Deleted"
note = """## Triage and analysis

### Investiga...

Tags: defense-evasion, cloud-security, malicious-activity, TA0005, T1562, T1562.001, T1562.008
License: Elastic License 2.0
- elastic-siem
This rule detects the suspension of AWS CloudTrail logging via the 'StopLogging' API call. Disabling CloudTrail logging is a common defense evasion technique used by adversaries to hide their activities before performing sensitive actions or exfiltrating data. The detection logic specifically looks for successful 'StopLogging' events from the 'cloudtrail.amazonaws.com' provider within AWS CloudTrail logs.
Relevant MITRE ATT&CK tactics: TA0005
Relevant MITRE ATT&CK techniques: T1562, T1562.001, T1562.008

[metadata]
creation_date = "2020/06/10"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
Detects Cloudtrail logging suspension via StopLogging API. Stopping CloudTrail eliminates forward audit visibility and is a classic defense evasion step before sensitive changes or data theft. Investigate immediately and determine what occurred during the logging gap.
"""
false_positives = [
    """
    Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudTrail Log Suspended"
note = """##...

Tags: cloud-security, defense-evasion, malicious-activity, TA0005, T1562, T1562.001, T1562.008
License: Elastic License 2.0
- elastic-siem
This rule identifies the addition of an AWS IAM user to a group. Since users inherit permissions from their assigned groups, this action can be a method for privilege escalation or persistence, especially if the target group has administrative or highly permissive policies. The detection focuses on successful `AddUserToGroup` API calls logged in AWS CloudTrail.
Relevant MITRE ATT&CK tactics: TA0006, TA0003, TA0004
Relevant MITRE ATT&CK techniques: T1098, T1078.004

[metadata]
creation_date = "2020/06/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). Any user added to a group automatically gains the permissions that are assigned to the group. If the target group carries elevated or admin privileges, this action can instantly grant high-risk permissions useful for credential misuse, lateral movement, or privilege escalation.
"""
false_positives = [
    """
    Legitimate operations such as new user onboarding, role changes, or service account updates may trigger this event. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["f...

Tags: cloud-security, credential-access, persistence, privilege-escalation, TA0006, TA0003, TA0004, T1098, T1078.004
License: Elastic License 2.0
- elastic-siem
This rule detects when an AWS Config configuration recorder is stopped. This action is significant as AWS Config provides continuous visibility into resource configuration changes. An attacker may stop the recorder to evade detection, hide subsequent malicious activities, or undermine security and compliance monitoring within an AWS environment. The rule specifically queries AWS CloudTrail logs for the 'StopConfigurationRecorder' event from the 'config.amazonaws.com' provider.
Relevant MITRE ATT&CK tactics: TA0005
Relevant MITRE ATT&CK techniques: T1562, T1562.001, T1562.008

[metadata]
creation_date = "2020/06/16"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
Identifies when an AWS Config configuration recorder is stopped. AWS Config recorders continuously track and record configuration changes across supported AWS resources. Stopping the recorder immediately reduces visibility into infrastructure changes and can be abused by adversaries to evade detection, obscure follow-on activity, or weaken compliance and security monitoring controls.
"""
false_positives = [
    """
    Authorized administrators may temporarily stop the AWS Config recorder during planned maintenance, account restructuring, or controlled configuration changes. Automated infrastructure or compliance tooling may also stop and restart the recorder as part of setup or teardown workflows. Activity outside of documented change windows or from unexpected identities should be investigated.
    """,
]
from = "...

Tags: cloud-security, defense-evasion, malicious-activity, TA0005, T1562, T1562.001, T1562.008
License: Elastic License 2.0
- elastic-siem
This rule detects the deletion of an Amazon GuardDuty detector, which is a continuous threat monitoring service for AWS accounts. By identifying successful 'DeleteDetector' API calls, the rule aims to catch adversaries attempting to disable security visibility and evade detection. Such an action is a significant indicator of defense evasion, as it effectively removes a layer of security monitoring and all historical findings.
Relevant MITRE ATT&CK tactics: TA0005
Relevant MITRE ATT&CK techniques: T1562, T1562.001

[metadata]
creation_date = "2020/05/28"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
Detects the deletion of an Amazon GuardDuty detector. GuardDuty provides continuous monitoring for malicious or unauthorized activity across AWS accounts. Deleting the detector disables this visibility, stopping all threat detection and removing existing findings. Adversaries may delete GuardDuty detectors to impair security monitoring and evade detection during or after an intrusion. This rule identifies successful "DeleteDetector" API calls and can indicate a deliberate defense evasion attempt.
"""
false_positives = [
    """
    The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false po...

Tags: defense-evasion, cloud-security, malicious-activity, TA0005, T1562, T1562.001
License: Elastic License 2.0
- elastic-siem
This rule identifies attempts to delete AWS Config resources, a service that provides visibility into resource configuration changes and compliance. Deleting Config components like recorders, delivery channels, or rules can significantly impair security visibility and auditing capabilities. Adversaries may perform this action to evade detection, conceal other malicious activities, or weaken governance controls within an AWS environment.
Relevant MITRE ATT&CK tactics: TA0005
Relevant MITRE ATT&CK techniques: T1562, T1562.001, T1562.008

[metadata]
creation_date = "2020/06/26"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies attempts to delete AWS Config resources. AWS Config provides continuous visibility into resource configuration changes and compliance posture across an account. Deleting Config components can significantly reduce security visibility and auditability. Adversaries may delete or disable Config resources to evade detection, hide prior activity, or weaken governance controls before or after other malicious actions.
"""
false_positives = [
    """
    Deletion of AWS Config resources may occur during legitimate account restructuring, environment teardown, or changes to compliance tooling. Centralized security teams or approved automation may also delete and recreate Config components as part of controlled workflows. Confirm that the action aligns with approved change management and was performe...

Tags: defense-evasion, cloud-security, TA0005, T1562, T1562.001, T1562.008
License: Elastic License 2.0
- elastic-siem
This rule detects the deletion of AWS CloudWatch alarms by monitoring for the 'DeleteAlarms' API call in CloudTrail logs. The detection logic specifically targets successful events from the 'monitoring.amazonaws.com' provider, while excluding actions performed by internal AWS services. This activity is a strong indicator of defense evasion, as an adversary may remove monitoring alarms to hide malicious actions, disable automated responses, or reduce visibility for security teams.
Relevant MITRE ATT&CK tactics: TA0005
Relevant MITRE ATT&CK techniques: T1562, T1562.001, T1562.006

[metadata]
creation_date = "2020/06/15"
integration = ["aws"]
maturity = "production"
updated_date = "2026/01/16"

[rule]
author = ["Elastic"]
description = """
Detects the deletion of one or more Amazon CloudWatch alarms using the "DeleteAlarms" API. CloudWatch alarms are critical for monitoring metrics and triggering alerts when thresholds are exceeded. An adversary may delete alarms to impair visibility, silence alerts, and evade detection following malicious activity. This behavior may occur during post-exploitation or cleanup phases to remove traces of compromise or disable automated responses.
"""
false_positives = [
    """
    CloudWatch alarm deletions can occur legitimately during scheduled maintenance, infrastructure redeployments, or automation workflows that clean up temporary monitoring configurations. Verify that the user identity, role, and IP address are expected for the environment. If deletions are performed by CI/CD pipelines or authorized administrators ...

Tags: defense-evasion, cloud-security, malicious-activity, TA0005, T1562, T1562.001, T1562.006
License: Elastic License 2.0
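The AWS CloudTrail rules previewed above share one match pattern: a specific eventSource/eventName pair, a successful call, and (for the CloudWatch alarm rule) the exclusion of calls invoked by internal AWS services. The following Python detector applies that pattern to constructed sample events; it is an added example, not code from the feed or from Elastic. Rule labels marked "(assumed)", the GuardDuty and IAM event sources, and the invokedBy-based service exclusion are my assumptions where the preview is truncated or does not spell out the field.

```python
"""Reference detector for the AWS CloudTrail rules previewed above. Added example,
not the feed's or Elastic's code; the sample events below are constructed."""

# (eventSource, eventName) -> (label, ATT&CK techniques from the page). Labels marked
# "(assumed)" are mine: the preview truncates those rules before their name field.
RULES = {
    ("ec2.amazonaws.com", "DeleteNetworkAcl"): ("AWS EC2 Network Access Control List Deletion", ["T1562.007"]),
    ("ec2.amazonaws.com", "DeleteNetworkAclEntry"): ("AWS EC2 Network Access Control List Deletion", ["T1562.007"]),
    ("cloudtrail.amazonaws.com", "DeleteTrail"): ("AWS CloudTrail Log Deleted", ["T1562.001", "T1562.008"]),
    ("cloudtrail.amazonaws.com", "StopLogging"): ("AWS CloudTrail Log Suspended", ["T1562.001", "T1562.008"]),
    ("iam.amazonaws.com", "AddUserToGroup"): ("AWS IAM User Added to Group (assumed)", ["T1098", "T1078.004"]),
    ("config.amazonaws.com", "StopConfigurationRecorder"): ("AWS Config Recorder Stopped (assumed)", ["T1562.001", "T1562.008"]),
    ("guardduty.amazonaws.com", "DeleteDetector"): ("GuardDuty Detector Deleted (assumed)", ["T1562.001"]),
    ("monitoring.amazonaws.com", "DeleteAlarms"): ("CloudWatch Alarms Deleted (assumed)", ["T1562.001", "T1562.006"]),
}


def is_internal_aws_call(event):
    """CloudTrail sets userIdentity.invokedBy when an AWS service made the call on
    the principal's behalf; the CloudWatch alarm rule excludes such events (assumed field)."""
    invoked_by = event.get("userIdentity", {}).get("invokedBy", "")
    return invoked_by == "AWS Internal" or invoked_by.endswith(".amazonaws.com")


def evaluate(events):
    """Return one alert per event that matches a rule and succeeded. CloudTrail
    records a failed call with an errorCode field, which every rule here excludes."""
    alerts = []
    for ev in events:
        key = (ev.get("eventSource"), ev.get("eventName"))
        if key not in RULES or "errorCode" in ev:
            continue
        if key[1] == "DeleteAlarms" and is_internal_aws_call(ev):
            continue
        label, techniques = RULES[key]
        alerts.append({"rule": label, "techniques": techniques,
                       "principal": ev.get("userIdentity", {}).get("arn", "unknown"),
                       "source_ip": ev.get("sourceIPAddress")})
    return alerts


# Constructed sample records in trimmed CloudTrail shape, not real telemetry.
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-user"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-user"}},  # denied call: no alert
    {"eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",  # service-invoked: excluded
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/cfn/stack", "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteNetworkAclEntry", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-user"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails"},  # read-only: no rule
]
```

Running `evaluate(SAMPLE_EVENTS)` yields two alerts, for the StopLogging and DeleteNetworkAclEntry records; the denied DeleteTrail, the CloudFormation-invoked DeleteAlarms and the read-only DescribeTrails produce none.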