Description:

Premium feed that expands the "Detection Rules Pro" feed with analysis and guidance. The feed includes rule change analysis with impact guidance, correlation to active CVEs and threat campaigns, and a weekly detection engineering brief, all designed to support strategic decision-making, prioritization of efforts, and a robust, proactive detection posture. The feed is best suited for mature security operations centers, threat intelligence teams, and proactive detection engineers who need advanced context.

Use cases:

  • Risk-based prioritization - focus your team's efforts on deploying and tuning detections that address the most current and impactful threats.
  • Improved situational awareness - gain a deeper understanding of how community detections align with the evolving threat landscape, active vulnerabilities, and adversary TTPs.
  • Proactive detection posture management - move beyond reactive alerting to strategically curating and maintaining your detection capabilities based on actionable intelligence.
  • Reduced fatigue and improved resource allocation - maximize the impact of your detection engineering with decision support built on tactical and strategic intelligence about the threat detection landscape.

Rules:

  • anvilogic: 75
  • elastic-edr: 684
  • elastic-siem: 779
  • fibratus: 82
  • kql: 181
  • osquery: 100
  • sentinel: 3
  • sigma: 1676
  • splunk: 1939
  • sublime: 3
  • sublime-security: 363
  • wazuh: 1
  • yara: 417

Entities:

  • Identity: 52
  • Indicator: 12087
  • Note: 10361
  • Report: 20
  • Directory: 6101
  • Domain-Name: 1992
  • Email-Addr: 38
  • File: 10339
  • Ipv4-Addr: 145
  • Ipv6-Addr: 65
  • Process: 10931
  • Relationship: 56780
  • Windows-Registry-Key: 1279

MISP feed:

https://dispatch.ctichef.com/misp/95114f32-5047-4df7-99ac-20d4ba07a38f

STIX/TAXII feed:

API root:
https://dispatch.ctichef.com/

Content preview:

Latest 10 entities:

  • sublime-security New rule

    This rule detects unsolicited inbound emails that claim to have identified errors on a recipient's website. It analyzes email content for keywords like 'error', 'report', 'issues', and 'screenshot' in the subject and body, in conjunction with common salutations. The detection logic is structured to handle single-thread messages (with or without an unsubscribe link) and multi-thread conversations by evaluating message length, link/attachment counts, and specific keyword combinations.
    Relevant MITRE ATT&CK tactics: TA0001
    Relevant MITRE ATT&CK techniques: T1566

    name: "Spam: Website errors solicitation"
    description: "This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request."
    type: "rule"
    severity: "low"
    source: |
      type.inbound
      and (
        sender.email.email not in $recipient_emails
        or not profile.by_sender().solicited
      )
      and 1 of (
        // Single thread message groups
        (
          length(attachments) == 0
          and length(body.links) == 0
          and length(body.previous_threads) == 0
          and 20 < length(body.current_thread.text) < 500
          and regex.icontains(body.current_thread.text, "screenshot")
          and regex.icontains(body.current_thread.text, '.*(hi|hello|hey)')
          and regex.icontains(body.current_thread.text, ".*(error|report|issues)")
          and regex.icontains(subject.subject, ".*(proposal|cost|report|error|audit|screenshot)")
        ),
        // Single thread message groups but with 1 unsubscribe link
        (
          length(attachments) == ...

    malicious-activity TA0001 T1566 MIT License

  • This rule detects credential phishing emails that masquerade as voicemail notifications. The detection logic analyzes the subject, display name, and body for voicemail-related keywords and regular expressions. It correlates these findings with sender reputation data, such as first-time or unsolicited senders, and uses Natural Language Understanding (NLU) to identify a 'cred_theft' intent. The rule also inspects attachments and links for patterns commonly associated with this phishing vector.
    Relevant MITRE ATT&CK tactics: TA0001
    Relevant MITRE ATT&CK techniques: T1566

    name: "Fake voicemail notification (untrusted sender)"
    description: |
      This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU Intent from first-time + unsolicited sender.
    type: "rule"
    severity: "medium"
    source: |
      type.inbound
      // contains links or attachments
      and (
        (0 < length(body.links) <= 25 or 0 < length(distinct(attachments, .md5)) <= 3)
        and 0 <= length(distinct(attachments, .md5)) <= 8
      )
      // the subject or display_name need some keywords which are voicemail related
      and (
        any([subject.subject, sender.display_name],
            regex.icontains(.,
                            // split phrases that occur within 3 words between or only punctuation between them
                            '(?:v[nm](\b|[[:punct:]])?|\bv...

    credential-access malicious-activity TA0001 T1566 MIT License

  • [Impact: medium][Scope: coverage] Update to "Fake voicemail notification (untrusted sender)" rule

    The rule logic was updated to enhance detection coverage. A new regular expression, 'new (?:message|call|voicemail).{0,15}(?:info|notification|alert)', was added to the list of strong phrases to catch additional variations of voicemail lures in the subject or display name. Additionally, a new condition was added to the sender profile logic to trigger on messages where the sender's email address is blank or null, a characteristic sometimes seen in malicious or malformed emails.

  • This rule detects inbound emails that use social engineering to deceive recipients about an attachment. The detection logic identifies messages that reference an attachment (e.g., 'see attached') but contain none. It specifically looks for links pointing to the 'fliphtml5.com' domain and leverages a Natural Language Understanding (NLU) classifier to confirm the presence of high-confidence credential theft language.
    Relevant MITRE ATT&CK tactics: TA0001, TA0006
    Relevant MITRE ATT&CK techniques: T1566.002

    name: "Service abuse: FlipHTML5 with attachment deception and credential theft language"
    description: "Detects messages that reference attachments without including any, contain links to FlipHTML5 services, and exhibit high-confidence credential theft language patterns."
    type: "rule"
    severity: "medium"
    source: |
      type.inbound
      // messages contain wording to "see attached" but contains no attachments
      and (
        regex.icontains(body.current_thread.text,
                        "attached|see.*attached|find.*attached|please{0,10}attached"
        )
        and length(attachments) == 0
      )
      // and the link goes to fliphtml5 and contains suspect "click me" language
      and any(body.links, .href_url.domain.root_domain == "fliphtml5.com")
      // and we have confidence its cred theft
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "cred_theft" and .confidence != "low"
      )
    attack_types:
      - "Credential Phishing"
    tactics_and_techniques:
      - "Social engineering"...

    malicious-activity credential-access TA0001 TA0006 T1566.002 MIT License

  • domain-name--b350dabc-e831-573a-b509-70bb4f6ddb8d
  • relationship--7c0605e0-b64a-4749-860d-2aa71744b51f
  • This rule detects brand impersonation of Meta and its subsidiaries (Facebook, Instagram) by analyzing inbound email. It inspects sender display names for suspicious keywords using regex and Levenshtein distance, and examines email bodies for phishing indicators. The rule leverages machine learning for logo detection and Natural Language Understanding (NLU) to classify intent (e.g., credential theft) and topics (e.g., advertising), while also checking for deceptive links and excluding known legitimate domains.
    Relevant MITRE ATT&CK tactics: TA0001
    Relevant MITRE ATT&CK techniques: T1566

    name: "Brand impersonation: Meta and subsidiaries"
    description: |
      Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
    references:
      - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
    type: "rule"
    severity: "low"
    source: |
      type.inbound
      and (
        // sender display name is a strong enough indicator
        // that it can be used without any other impersonation logic
        (
          regex.icontains(sender.display_name,
                          'facebook ?ads',
                          'facebook ?business',
                          'meta ?account',
                          'meta ?help',
                          'meta ?support',
                          'meta ?business',
                          'meta ?for ?business',
                          'meta ?policy',
                          'page ?ads ?support',
                          'Instagram ?Not',
                          'Instagram ?Policies',
                          'Instagram ?Report',
                          ...

    malicious-activity credential-access TA0001 T1566 MIT License

  • [Impact: medium][Scope: coverage] Update to "Brand impersonation: Meta and subsidiaries" rule

    The rule's detection logic was updated to enhance coverage. New regex patterns were added to the sender display name analysis to detect terms related to social media experts. A new condition was introduced to identify phishing links impersonating Coursera in 'Meta Professional Certificate' emails by verifying that the link's domain is not 'coursera.org'. Additionally, an internal function call was updated from a beta version (`beta.ml_topic`) to its production equivalent (`ml.nlu_classifier`).

  • domain-name--4bd288c1-69cc-5c70-bb3b-b17bfea7f093
  • relationship--9e7dab50-537b-4ca1-9175-b96d0279e0ca