Description:

A full collection of new rules and rule modifications. Rules are pre-processed and shipped with their extracted key observables (IPs, hashes, etc.) for direct use in SIEM/TIP platforms. The feed is designed for SOC teams and detection engineers who need reliable, actionable data for SIEM/TIP ingestion and CTI correlation. Including rule updates also helps teams maintain and refine their own detection logic by observing community best practices.

Use cases:

  • Informed detection engineering - reduce the significant manual effort of discovering, collecting, parsing, normalizing, and extracting value from public rule repositories.
  • Direct SIEM/TIP/SOAR integration - the structured format with explicit observables (STIX 2.1 or MISP) allows straightforward ingestion into your existing security platforms.
  • Improved threat hunting - leverage detection logic and extracted observables for proactive threat hunting exercises.
  • Improved coverage and performance - information about new rules and the details of rule modifications make it easier for your team to maintain and tune existing rules.
  • CTI correlation - match observables against your other threat intelligence feeds, internal logs, and CTI databases to uncover related activity and inform your detection prioritisation.

Rules:

  • anvilogic: 62
  • elastic-edr: 436
  • elastic-siem: 531
  • fibratus: 82
  • kql: 90
  • osquery: 88
  • sentinel: 1
  • sigma: 1122
  • splunk: 1868
  • sublime: 1
  • sublime-security: 243
  • wazuh: 1
  • yara: 352

Entities:

  • Identity: 46
  • Indicator: 9187
  • Directory: 4277
  • Domain-Name: 1392
  • Email-Addr: 31
  • File: 7563
  • Ipv4-Addr: 55
  • Ipv6-Addr: 14
  • Process: 7613
  • Relationship: 37796
  • Windows-Registry-Key: 1019

MISP feed:

https://dispatch.ctichef.com/misp/4a305f4c-f4dc-4319-b858-4eefceb12ec8

STIX/TAXII feed:

API root:
https://dispatch.ctichef.com/

Content preview:

Latest 10 entities:

  • This rule detects inbound emails with subjects and attachments themed around employee compensation, policy, or handbook updates, a common social engineering lure. It specifically flags emails containing Microsoft Word or PDF attachments with filenames that match keywords like 'salary', 'bonus', 'handbook', or 'update'. The detection logic correlates suspicious keywords in both the subject line and attachment filename and is intended to identify credential phishing attempts delivered via malicious documents. Relevant MITRE ATT&CK tactics: TA0001. Relevant MITRE ATT&CK techniques: T1566, T1566.001.

    name: "Attachment: Suspicious Employee Policy Update Document Lure"
    description: "Inbound message containing subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and PDF files that match similar update-related terminology. This pattern has been observed used to deliver credential phishing via QR codes."
    type: "rule"
    severity: "medium"
    source: |
      type.inbound
      and (
        // the subject contains pay related items
        (
          strings.icontains(subject.subject, 'salary')
          or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
          or strings.icontains(subject.subject, 'remuneration')
          or strings.icontains(subject.subject, 'bonus')
          or strings.icontains(subject.subject, 'incentive')
          or strings.icontains(subject.subject, 'merit')
          or strings.icontains(subject.subject, 'handbook')
          or strings.icontains(subject.subject, 'benefits')
        )
        and (
          strings.icontains(subject...

    Tags: credential-access, malicious-activity, TA0001, T1566, T1566.001. License: MIT License

  • This rule detects email-based brand impersonation attacks posing as Booking.com. It identifies inbound messages with a low number of links, topics related to travel or customer service, and mentions of "Booking.com". The detection logic triggers on signs of credential theft, suspicious links (mismatched display URLs, new domains, redirect paths), or specific intent phrases like "book a room". The rule ensures the sender is not from the legitimate "booking.com" domain and has a history of malicious/spam activity or no prior solicited communication. Relevant MITRE ATT&CK tactics: TA0001. Relevant MITRE ATT&CK techniques: T1566, T1036.

    name: "Brand Impersonation: Booking.com"
    description: "Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains."
    type: "rule"
    severity: "medium"
    source: |
      type.inbound
      and length(body.links) < 10
      and any(beta.ml_topic(body.current_thread.text).topics,
              .name in (
                "Travel and Transportation",
                "Customer Service and Support",
                "Security and Authentication"
              )
              and .confidence != "low"
      )
      and (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "org" and .text == "Booking.com"
            or strings.icontains(body.current_thread.text, ' booking.com ')
            or strings.icontains(sender.display_name, "booking.com")
        )
      )
      an...

    Tags: credential-access, malicious-activity, TA0001, T1566, T1036. License: MIT License

  • Identifies brute force attempts against Microsoft Entra ID multi-factor authentication (MFA) using Time-based One-Time Password (TOTP) codes. The rule triggers when a high number of failed TOTP code attempts from at least 10 distinct sessions are observed for a single user within a short time frame. This behavior is indicative of an adversary with valid primary credentials programmatically attempting to guess the MFA code to gain unauthorized access. Relevant MITRE ATT&CK tactics: TA0006. Relevant MITRE ATT&CK techniques: T1110, T1110.001, T1621.

    [metadata]
    creation_date = "2024/12/11"
    integration = ["azure"]
    maturity = "production"
    updated_date = "2025/07/28"

    [rule]
    author = ["Elastic"]
    description = """
    Identifies brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP)
    verification codes. This rule detects high frequency failed TOTP code attempts for a single user in a short time-span
    with a high number of distinct session IDs. Adversaries may programmatically attempt to brute-force TOTP codes by
    generating several sessions and attempt to guess the correct code.
    """
    false_positives = [
        """
    Based on the high-frequency threshold, it would be unlikely for a legitimate user to exceed the threshold for failed TOTP
    code attempts in a short time-span over multiple sessions.
    """,
    ]
    from = "now-9m"
    language = "esql"
    license = "Elastic License v2"
    name = "Microsoft Entra ID MFA TOTP Brute Force Attempts"
    note = """## Triage and analysis

    ### Investigating Microsof...

    Tags: credential-access, cloud-security, identity-and-access-management, TA0006, T1110, T1110.001, T1621. License: Elastic License 2.0
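The threshold logic this rule describes (many failed TOTP attempts for one user, across many distinct session IDs, inside a short window), implemented as a sliding-window aggregation in Python over constructed sign-in events. This is an added example, not Elastic's rule and not code from the feed: the event field names (ts, user, session_id, method, result), the 10-minute window, and the thresholds of 20 failures and 10 distinct sessions are assumptions, since the rule's actual ES|QL query and thresholds are not shown in the preview.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed thresholds for this example; the Elastic rule's own values are not on the page.
WINDOW = timedelta(minutes=10)
MIN_FAILURES = 20
MIN_DISTINCT_SESSIONS = 10


def build_sample_events() -> List[Dict]:
    """Constructed sign-in events. The field names are an assumption, not the Entra ID schema."""
    base = datetime(2025, 1, 15, 9, 0, 0)
    events = []
    # alice: 25 failed TOTP attempts spread over 12 session IDs within 5 minutes -> should alert
    for i in range(25):
        events.append({"ts": base + timedelta(seconds=12 * i), "user": "alice@example.test",
                       "session_id": f"sess-{i % 12:02d}", "method": "TOTP", "result": "failure"})
    # a later successful verification is not a failure and is not counted
    events.append({"ts": base + timedelta(minutes=6), "user": "alice@example.test",
                   "session_id": "sess-99", "method": "TOTP", "result": "success"})
    # bob: 25 failures but only 2 sessions (a user retyping codes) -> distinct-session check blocks the alert
    for i in range(25):
        events.append({"ts": base + timedelta(seconds=10 * i), "user": "bob@example.test",
                       "session_id": f"sess-{i % 2}", "method": "TOTP", "result": "failure"})
    # carol: 3 failures -> well under the failure threshold
    for i in range(3):
        events.append({"ts": base + timedelta(minutes=i), "user": "carol@example.test",
                       "session_id": f"sess-{i}", "method": "TOTP", "result": "failure"})
    return events


def detect_totp_brute_force(events: List[Dict], window: timedelta = WINDOW,
                            min_failures: int = MIN_FAILURES,
                            min_sessions: int = MIN_DISTINCT_SESSIONS) -> Dict[str, Dict]:
    """Return {user: {failures, sessions, window_end}} for every user who, in some
    trailing `window`, has at least `min_failures` failed TOTP attempts coming from
    at least `min_sessions` distinct session IDs."""
    per_user: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        if e["method"] == "TOTP" and e["result"] == "failure":
            per_user[e["user"]].append(e)

    alerts: Dict[str, Dict] = {}
    for user, fails in per_user.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(fails):
            # advance the window start so that fails[start:end+1] covers [e.ts - window, e.ts]
            while fails[start]["ts"] < e["ts"] - window:
                start += 1
            window_events = fails[start:end + 1]
            sessions = {w["session_id"] for w in window_events}
            if len(window_events) >= min_failures and len(sessions) >= min_sessions:
                alerts[user] = {"failures": len(window_events), "sessions": len(sessions),
                                "window_end": e["ts"].isoformat()}
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, info in detect_totp_brute_force(build_sample_events()).items():
        print(f"ALERT {user}: {info['failures']} failed TOTP attempts from "
              f"{info['sessions']} sessions by {info['window_end']}")
```

The distinct-session condition is what separates a scripted guessing loop, which opens a fresh session per attempt, from a legitimate user mistyping codes inside one session; bob's 25 failures stay silent for exactly that reason. When porting this to a scheduled query, the window and counts need tuning against the tenant's own baseline of failed MFA prompts.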

  • This rule detects inbound emails with subjects related to compensation reviews (e.g., 'salary', 'bonus', 'raise') that also contain an attached EML file. The detection logic further inspects the attached EML's own attachments, triggering an alert if they contain a QR code or barcode, identified either through direct analysis or via OCR of scanned documents. Relevant MITRE ATT&CK tactics: TA0001. Relevant MITRE ATT&CK techniques: T1566, T1566.001.

    name: "Compensation Review With QR Code in Attached EML"
    description: "Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents."
    type: "rule"
    severity: "high"
    source: |
      type.inbound
      // the subject contains pay related items
      and (
        strings.icontains(subject.subject, 'salary')
        or strings.icontains(subject.subject, 'compensation')
        or regex.icontains(subject.subject, 'comp\b')
        or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
        or strings.icontains(subject.subject, 'bonus')
        or strings.icontains(subject.subject, 'incentive')
        or strings.icontains(subject.subject, 'merit')
        or strings.icontains(subject.subject, 'handbook')
        or strings.icontains(subject.subject, 'benefits')
      )
      // subjects include review/updates/changes
      and (
        strings.icontains(subject.subject, 'review')
        or strings.ico...

    Tags: malicious-activity, credential-access, TA0001, T1566, T1566.001. License: MIT License

  • This rule detects attempts to modify or delete critical Windows forensic artifacts, specifically the Amcache.hve file and the SYSTEM hive. The Amcache.hve file logs program execution details, while the SYSTEM hive contains the Shimcache, which tracks historical program activity. The query monitors for file events targeting `Amcache.hve` or the `SYSTEM` file within `C:\Windows\System32\config\`, as attackers may tamper with these files to erase evidence of their presence and actions on a compromised system. Relevant MITRE ATT&CK tactics: TA0005. Relevant MITRE ATT&CK techniques: T1070, T1070.004.

    DeviceFileEvents
    | where (FileName contains "SYSTEM" and FolderPath contains "C:\\Windows\\System32\\config\\")
        or (FileName has "Amcache.hve")
    | project Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, InitiatingProcessFileName, ReportId

    Tags: defense-evasion, endpoint-security, TA0005, T1070, T1070.004
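The KQL `where` and `project` clauses above re-implemented in Python and run over constructed DeviceFileEvents-style rows, as an added example that is not part of the feed or the rule. It exists mainly to make the difference between the two KQL operators visible: `contains` is a case-insensitive substring test, while `has` matches whole terms (alphanumeric runs), so `FileName has "Amcache.hve"` still fires on `Amcache.hve.bak` but not on `MyAmcache.hve`. The sample rows, device names and report IDs are constructed, and `kql_has` is an approximation of KQL term matching, not the engine's implementation.

```python
import re
from typing import Dict, List

# Columns kept by the KQL `project` clause.
PROJECTED = ["Timestamp", "DeviceName", "DeviceId", "FileName", "FolderPath",
             "ActionType", "InitiatingProcessFileName", "ReportId"]


def kql_contains(value: str, needle: str) -> bool:
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in value.lower()


def _terms(text: str) -> List[str]:
    # KQL indexes alphanumeric runs as terms; every other character is a delimiter.
    return re.findall(r"[A-Za-z0-9]+", text.lower())


def kql_has(value: str, phrase: str) -> bool:
    """Approximation of KQL `has`: the phrase's terms must occur as a contiguous run of
    whole terms in the value. "Amcache.hve.bak" has "Amcache.hve"; "MyAmcache.hve" does not,
    even though it contains it as a substring."""
    v, p = _terms(value), _terms(phrase)
    if not p or len(p) > len(v):
        return False
    return any(v[i:i + len(p)] == p for i in range(len(v) - len(p) + 1))


def detect_forensic_artifact_tamper(events: List[Dict]) -> List[Dict]:
    """Mirror of the rule's `where` filter followed by its `project` column selection."""
    hits = []
    for e in events:
        system_hive = (kql_contains(e["FileName"], "SYSTEM")
                       and kql_contains(e["FolderPath"], "C:\\Windows\\System32\\config\\"))
        amcache = kql_has(e["FileName"], "Amcache.hve")
        if system_hive or amcache:
            hits.append({k: e.get(k) for k in PROJECTED})
    return hits


def build_sample_events() -> List[Dict]:
    """Constructed DeviceFileEvents-style rows (sample data, not real telemetry)."""
    def row(name, folder, action, proc, i):
        return {"Timestamp": f"2025-01-15T10:0{i}:00Z", "DeviceName": "ws01",
                "DeviceId": "dev-0001", "FileName": name, "FolderPath": folder,
                "ActionType": action, "InitiatingProcessFileName": proc, "ReportId": i}
    return [
        row("SYSTEM", "C:\\Windows\\System32\\config\\", "FileModified", "cmd.exe", 1),          # SYSTEM hive touched
        row("Amcache.hve", "C:\\Windows\\AppCompat\\Programs\\", "FileDeleted", "powershell.exe", 2),
        row("Amcache.hve.bak", "C:\\Temp\\", "FileCreated", "explorer.exe", 3),                  # `has` matches term run
        row("SYSTEM.LOG1", "C:\\Windows\\System32\\config\\", "FileModified", "System", 4),      # hive transaction log: noise
        row("system.ini", "C:\\Windows\\", "FileModified", "notepad.exe", 5),                    # folder does not match
        row("SAM", "C:\\Windows\\System32\\config\\", "FileModified", "lsass.exe", 6),           # out of scope for this rule
        row("MyAmcache.hve", "C:\\Temp\\", "FileCreated", "explorer.exe", 7),                    # contains, but not `has`
    ]


if __name__ == "__main__":
    for hit in detect_forensic_artifact_tamper(build_sample_events()):
        print(hit["ReportId"], hit["ActionType"], hit["FolderPath"] + hit["FileName"],
              "by", hit["InitiatingProcessFileName"])
```

Row 4 is worth noting when tuning: because the first branch uses `contains "SYSTEM"` rather than an exact name, the hive's own transaction logs (`SYSTEM.LOG1`, `SYSTEM.LOG2`) written by the OS will match too, so the rule benefits from a process or exact-filename exclusion before it goes into an alerting pipeline.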

  • directory--17f59e4b-d5aa-52b5-9e04-a5ac7749236a
  • file--e064aada-7c39-5538-85bb-8425bbd96ec3
  • relationship--4c86aa79-82e8-4375-9ef7-52f997e79005
  • relationship--283c5e94-37eb-46fb-b608-be0349331f89
  • relationship--868e94dd-7743-48f9-877a-bc55f6ea0593