Description:

Premium feed that expands the "Detection Rules Pro" feed with analysis and guidance. It adds rule change analysis with impact guidance, correlation to active CVEs and threat campaigns, and a weekly detection engineering brief, all intended to support strategic decision-making, prioritization of effort, and a robust, proactive detection posture. It is best suited to mature security operations centers, threat intelligence teams, and detection engineers who need advanced context.

Use cases:

  • Risk-based prioritization - focus your team's efforts on deploying and tuning detections that address the most current and impactful threats.
  • Improved situational awareness - gain a deeper understanding of how community detections align with the evolving threat landscape, active vulnerabilities, and adversary TTPs.
  • Proactive detection posture management - move beyond reactive alerting to strategically curating and maintaining your detection capabilities based on actionable intelligence.
  • Reduced alert fatigue and improved resource allocation - maximize the impact of your detection engineering with decision support built on tactical and strategic intelligence about the threat detection landscape.

Rules:

  • anvilogic: 75
  • elastic-edr: 740
  • elastic-siem: 1099
  • fibratus: 84
  • kql: 238
  • osquery: 100
  • sentinel: 4
  • sigma: 1766
  • splunk: 1981
  • sublime: 3
  • sublime-security: 453
  • wazuh: 1
  • yara: 468

Entities:

  • Identity: 52
  • Indicator: 13712
  • Note: 11654
  • Report: 32
  • Directory: 6648
  • Domain-Name: 2188
  • Email-Addr: 42
  • File: 11456
  • Ipv4-Addr: 145
  • Ipv6-Addr: 67
  • Process: 12044
  • Relationship: 65172
  • Windows-Registry-Key: 1364

MISP feed:

https://dispatch.ctichef.com/misp/95114f32-5047-4df7-99ac-20d4ba07a38f

STIX/TAXII feed:

API root:
https://dispatch.ctichef.com/

RSS feed:

https://dispatch.ctichef.com/rss/enterprise-detection-intel-feed

Content preview:

Latest 10 entities:

  • sublime-security

    This rule detects brand impersonation of the United States Postal Service (USPS). It analyzes inbound emails for the presence of the USPS logo or the 'USPS' string in the sender's display name. The logic further requires links and a combination of suspicious factors such as specific keywords ('redelivery', 'package'), impersonal greetings, or links that do not lead to the legitimate usps.com domain, while aiming to exclude legitimate newsletters, replies, and forwards. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566

    name: "Brand impersonation: USPS"
    description: "Impersonation of the United States Postal Service."
    type: "rule"
    severity: "high"
    source: |
      type.inbound
      and (
        any(ml.logo_detect(file.message_screenshot()).brands, .name == "USPS")
        or strings.icontains(sender.display_name, "USPS")
      )
      and length(body.links) > 0
      and 2 of (
        any(body.links,
            strings.ilike(.display_text, "*check now*", "*track*", "*package*", '*view your order*')
        ),
        strings.ilike(body.current_thread.text, "*returned*to*sender*", "*redelivery*", '*USPS promotions*'),
        // impersonal greeting
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "recipient" and .text =~ "Customer"
        ),
        // no links go to usps.com
        all(body.links, .href_url.domain.root_domain != "usps.com")
      )
      and (
        sender.email.dom...

    malicious-activity credential-access TA0001 T1566 MIT License

  • [Impact: medium][Scope: coverage] Update to "Brand impersonation: USPS" rule

    The rule logic was updated to reduce false positives and broaden detection. The sender display name check was changed from a regex to a case-insensitive 'contains' function. New conditions were added to exclude legitimate newsletters, forwards, and replies. The keyword list was also expanded to include 'USPS promotions'.

  • This rule identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress or egress entries. It monitors AWS CloudTrail logs for `DeleteNetworkAcl` or `DeleteNetworkAclEntry` events from the `ec2.amazonaws.com` provider. An alert from this rule may indicate that an adversary is attempting to impair defenses by removing network-level security controls to enable unauthorized access or data exfiltration. Relevant MITRE ATT&CK tactics: TA0005 Relevant MITRE ATT&CK techniques: T1562, T1562.007

    [metadata]
    creation_date = "2020/05/26"
    integration = ["aws"]
    maturity = "production"
    updated_date = "2026/01/16"

    [rule]
    author = ["Elastic"]
    description = """
    Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.
    """
    false_positives = [
        """
        Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
        """,
    ]
    from = "now-6m"
    index = ["filebeat-*", "logs-aws.cloudtrail-*"]
    interval = "5m"
    language = "kuery"
    license = "Elastic License v2"
    name = "AWS EC2 Network Access Control List Deletion"
    note = """## Triage and analysis

    ### Investigating AWS EC2 Network Access Control List Deletion

    AWS EC2 Network ACLs are essential for controlling in...

    cloud-security network-security defense-evasion TA0005 T1562 T1562.007 Elastic License 2.0

  • [Impact: low][Scope: metadata] Update to "AWS EC2 Network Access Control List Deletion" rule

    The rule's metadata has been updated, including a new `updated_date`. The investigation guide in the `note` field was also modified to remove a disclaimer related to the use of generative AI.

  • This rule detects the creation of a new AWS CloudTrail trail using the CreateTrail API. Adversaries may create new trails to exfiltrate data to attacker-controlled S3 buckets or CloudWatch destinations, or to subvert existing monitoring by creating trails with limited regional scope. Legitimate creation is expected during initial setup or for auditing enhancements, but any new trail should be validated for proper configuration, including destination ownership, encryption, and multi-region coverage. Relevant MITRE ATT&CK tactics: TA0009, TA0005 Relevant MITRE ATT&CK techniques: T1530, T1562

    [metadata]
    creation_date = "2020/06/10"
    integration = ["aws"]
    maturity = "production"
    updated_date = "2026/01/16"

    [rule]
    author = ["Elastic"]
    description = """
    Detects creation of a new AWS CloudTrail trail via CreateTrail API. While legitimate during onboarding or auditing improvements, adversaries can create trails that write to attacker-controlled destinations, limit regions, or otherwise subvert monitoring objectives. New trails should be validated for destination ownership, encryption, multi-region coverage, and organizational scope.
    """
    false_positives = [
        """
        Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
        """,
    ]
    from = "now-6m"
    index = ["filebeat-*", "logs-aws.cloudtrail-*"]
    language = "...

    cloud-security collection TA0009 TA0005 T1530 T1562 Elastic License 2.0

  • [Impact: negligible][Scope: metadata] Update to "AWS CloudTrail Log Created" rule

    The rule's metadata was updated. Specifically, the 'updated_date' field was advanced, and a disclaimer regarding the use of generative AI for the investigation guide was removed from the 'note' field for conciseness. No changes were made to the detection logic.

  • This rule detects the deletion of an AWS CloudTrail trail through the 'DeleteTrail' API call. Deleting CloudTrail logs is a significant defense evasion technique as it removes the audit trail for actions performed within an AWS account. The detection focuses on successful 'DeleteTrail' events originating from 'cloudtrail.amazonaws.com'. Relevant MITRE ATT&CK tactics: TA0005 Relevant MITRE ATT&CK techniques: T1562, T1562.001, T1562.008

    [metadata]
    creation_date = "2020/05/26"
    integration = ["aws"]
    maturity = "production"
    updated_date = "2026/01/16"

    [rule]
    author = ["Elastic"]
    description = """
    Detects deletion of an AWS CloudTrail trail via DeleteTrail API. Removing trails is a high-risk action that destroys an audit control plane and is frequently paired with other destructive or stealthy operations. Validate immediately and restore compliant logging.
    """
    false_positives = [
        """
        Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
        """,
    ]
    from = "now-6m"
    index = ["filebeat-*", "logs-aws.cloudtrail-*"]
    language = "kuery"
    license = "Elastic License v2"
    name = "AWS CloudTrail Log Deleted"
    note = """## Triage and analysis

    ### Investiga...

    defense-evasion cloud-security malicious-activity TA0005 T1562 T1562.001 T1562.008 Elastic License 2.0

  • [Impact: low][Scope: metadata] Update to "AWS CloudTrail Log Deleted" rule

    The rule's metadata was updated, including changing the `updated_date` and removing a disclaimer regarding generative AI from the 'note' field, which contains the investigation guide. The core detection logic remains unchanged.

  • This rule detects the suspension of AWS CloudTrail logging via the 'StopLogging' API call. Disabling CloudTrail logging is a common defense evasion technique used by adversaries to hide their activities before performing sensitive actions or exfiltrating data. The detection logic specifically looks for successful 'StopLogging' events from the 'cloudtrail.amazonaws.com' provider within AWS CloudTrail logs. Relevant MITRE ATT&CK tactics: TA0005 Relevant MITRE ATT&CK techniques: T1562, T1562.001, T1562.008

    [metadata]
    creation_date = "2020/06/10"
    integration = ["aws"]
    maturity = "production"
    updated_date = "2026/01/16"

    [rule]
    author = ["Elastic"]
    description = """
    Detects Cloudtrail logging suspension via StopLogging API. Stopping CloudTrail eliminates forward audit visibility and is a classic defense evasion step before sensitive changes or data theft. Investigate immediately and determine what occurred during the logging gap.
    """
    false_positives = [
        """
        Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
        """,
    ]
    from = "now-6m"
    index = ["filebeat-*", "logs-aws.cloudtrail-*"]
    language = "kuery"
    license = "Elastic License v2"
    name = "AWS CloudTrail Log Suspended"
    note = """##...

    cloud-security defense-evasion malicious-activity TA0005 T1562 T1562.001 T1562.008 Elastic License 2.0

  • [Impact: low][Scope: metadata] Update to "AWS CloudTrail Log Suspended" rule

    The rule's metadata was updated, specifically changing the 'updated_date' field. Additionally, a disclaimer regarding the use of generative AI for the investigation guide was removed from the rule's 'note' section. The core detection logic remains unchanged.
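The "Brand impersonation: USPS" preview above combines a brand claim (logo or display name), the presence of links, and a "2 of" vote over four suspicious factors. The following is an added example written for this page, not Sublime Security's rule engine or MQL: a plain Python re-implementation of that logic run over two constructed emails. The Email and Link structures, the logo_brands list standing in for ml.logo_detect, the greeting regex standing in for the NLU "recipient == Customer" check, the naive root-domain helper and the sender-domain exclusion (the preview is truncated at sender.email.dom...) are all assumptions.

```python
"""Toy re-implementation of the USPS brand-impersonation heuristics, run over
constructed emails. Added example; not Sublime Security's MQL engine."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Link:
    href: str
    display_text: str


@dataclass
class Email:
    sender_display_name: str
    sender_email: str
    body_text: str
    links: list
    logo_brands: list = field(default_factory=list)  # assumption: stands in for ml.logo_detect(...).brands
    is_reply_or_forward: bool = False                # assumption: stands in for the reply/forward exclusions


LINK_TEXT_TERMS = ("check now", "track", "package", "view your order")
BODY_PATTERNS = (
    re.compile(r"returned.*to.*sender", re.I | re.S),
    re.compile(r"redelivery", re.I),
    re.compile(r"usps promotions", re.I),
)


def root_domain(url_or_addr):
    """Naive registrable domain (last two labels) of a URL or e-mail address.
    Assumption: no public-suffix list, so hosts under e.g. co.uk are not handled."""
    if "://" in url_or_addr:
        host = urlparse(url_or_addr).hostname or ""
    else:
        host = url_or_addr.rsplit("@", 1)[-1]
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def impersonal_greeting(text):
    """Stand-in for the NLU check that the recipient entity is literally 'Customer'."""
    return re.search(r"^\s*(dear|hello|hi)\s+(valued\s+)?customer\b", text, re.I | re.M) is not None


def suspicious_factors(msg):
    """The four factors the rule votes over with '2 of (...)'."""
    return {
        "suspicious_link_text": any(t in lk.display_text.lower() for lk in msg.links for t in LINK_TEXT_TERMS),
        "suspicious_body_text": any(p.search(msg.body_text) is not None for p in BODY_PATTERNS),
        "impersonal_greeting": impersonal_greeting(msg.body_text),
        "no_link_to_usps": all(root_domain(lk.href) != "usps.com" for lk in msg.links),
    }


def is_usps_impersonation(msg):
    if msg.is_reply_or_forward:
        return False
    claims_usps = "USPS" in msg.logo_brands or "usps" in msg.sender_display_name.lower()
    if not claims_usps or not msg.links:
        return False
    # Assumption: the truncated tail of the rule exempts mail actually sent from usps.com.
    if root_domain(msg.sender_email) == "usps.com":
        return False
    return sum(suspicious_factors(msg).values()) >= 2


# Constructed sample messages (not real mail).
PHISH = Email(
    sender_display_name="USPS Customer Service",
    sender_email="notice@usps-redelivery.example",
    body_text="Dear Customer,\nYour package could not be delivered. Schedule a redelivery now.",
    links=[Link("https://track.usps-redelivery.example/confirm", "Track package")],
)
LEGIT = Email(
    sender_display_name="USPS",
    sender_email="no-reply@email.usps.com",
    body_text="Hi Jane,\nYour package is on its way.",
    links=[Link("https://tools.usps.com/go/TrackConfirmAction", "Track your package")],
    logo_brands=["USPS"],
)

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(label, is_usps_impersonation(msg), suspicious_factors(msg))
```

The vote is what keeps the rule tolerant of real USPS mail: the legitimate sample still trips the "track/package" link-text factor, but nothing else, so it stays under the threshold even before the sender-domain exemption is applied.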
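The four Elastic AWS previews above (network ACL deletion, CloudTrail trail creation, trail deletion and logging suspension) all follow the same shape: match an eventSource/eventName pair in CloudTrail records, fire only on successful calls, and hand the analyst the user identity, user agent and source address the false_positives notes ask them to verify. The following is an added example written for this page, not Elastic's rule engine or KQL: it evaluates those pairs over constructed CloudTrail records and, for CreateTrail, applies the destination-ownership, encryption and multi-region checks the rule description calls for. eventSource, eventName, errorCode, userIdentity, sourceIPAddress, userAgent and requestParameters are standard CloudTrail record fields; the sample records, account ID 111122223333, the source addresses and the KNOWN_LOG_BUCKETS allowlist are constructed.

```python
"""Sample implementation of the four CloudTrail detections previewed above,
run over constructed CloudTrail records. Added example; not Elastic's rules."""

# (eventSource, eventName) -> (rule name, tactic, most specific technique) as stated in the previews
RULES = {
    ("ec2.amazonaws.com", "DeleteNetworkAcl"): ("AWS EC2 Network Access Control List Deletion", "TA0005", "T1562.007"),
    ("ec2.amazonaws.com", "DeleteNetworkAclEntry"): ("AWS EC2 Network Access Control List Deletion", "TA0005", "T1562.007"),
    ("cloudtrail.amazonaws.com", "CreateTrail"): ("AWS CloudTrail Log Created", "TA0005", "T1562"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"): ("AWS CloudTrail Log Deleted", "TA0005", "T1562.008"),
    ("cloudtrail.amazonaws.com", "StopLogging"): ("AWS CloudTrail Log Suspended", "TA0005", "T1562.008"),
}

# Constructed: S3 buckets the organisation owns for CloudTrail delivery.
KNOWN_LOG_BUCKETS = {"org-cloudtrail-logs-111122223333"}


def validate_new_trail(params):
    """Configuration concerns for a CreateTrail request: destination ownership,
    encryption and multi-region coverage, as the rule description asks."""
    concerns = []
    if params.get("s3BucketName") not in KNOWN_LOG_BUCKETS:
        concerns.append("delivery bucket is not an organisation-owned log bucket")
    if not params.get("kmsKeyId"):
        concerns.append("log files not encrypted with SSE-KMS")
    if not params.get("isMultiRegionTrail", False):
        concerns.append("single-region trail")
    return concerns


def evaluate(record):
    """Return an alert dict for a matching, successful API call, else None."""
    key = (record.get("eventSource"), record.get("eventName"))
    if key not in RULES or record.get("errorCode"):  # failed calls (e.g. AccessDenied) do not fire
        return None
    name, tactic, technique = RULES[key]
    alert = {
        "rule": name,
        "tactic": tactic,
        "technique": technique,
        "event": record["eventName"],
        "actor": record.get("userIdentity", {}).get("arn"),   # triage fields named in false_positives
        "source_ip": record.get("sourceIPAddress"),
        "user_agent": record.get("userAgent"),
        "concerns": [],
    }
    if record["eventName"] == "CreateTrail":
        alert["concerns"] = validate_new_trail(record.get("requestParameters") or {})
    return alert


def run(records):
    return [a for a in map(evaluate, records) if a]


# Constructed CloudTrail records, abbreviated to the fields used above.
_ACTOR = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor-jdoe"}
SAMPLE_RECORDS = [
    {"eventTime": "2026-01-16T03:12:41Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": _ACTOR, "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2026-01-16T03:12:55Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "errorCode": "AccessDenied", "userIdentity": _ACTOR, "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0", "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2026-01-16T03:14:02Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "CreateTrail",
     "userIdentity": _ACTOR, "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"name": "audit-trail", "s3BucketName": "tmp-logs-x7q", "isMultiRegionTrail": False}},
    {"eventTime": "2026-01-16T03:15:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteNetworkAclEntry",
     "userIdentity": _ACTOR, "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"networkAclId": "acl-0a1b2c3d4e5f67890", "ruleNumber": 100, "egress": False}},
    {"eventTime": "2026-01-16T03:16:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeNetworkAcls",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/NetOps/alice"},
     "sourceIPAddress": "203.0.113.20", "userAgent": "console.amazonaws.com"},
    {"eventTime": "2026-01-16T03:18:47Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": _ACTOR, "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"name": "org-trail"}},
]

if __name__ == "__main__":
    for a in run(SAMPLE_RECORDS):
        print(a["rule"], a["event"], a["actor"], a["source_ip"], a["concerns"])
```

Two things carry over from the previews into this sketch. The rules run with `from = "now-6m"` and `interval = "5m"`, so each execution re-reads a one-minute overlap rather than trusting that ingestion keeps pace with the clock. And the denied DeleteTrail in the sample does not alert on its own, which is exactly why the successful StopLogging a few seconds earlier deserves the "investigate immediately" treatment the rule note gives it: the logging gap after it is where a retried deletion would no longer be recorded.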