Description:
Premium feed that expands the "Detection Rules Pro" feed with analysis and guidance. It includes rule change analysis with impact guidance, correlation to active CVEs and threat campaigns, and a weekly detection engineering brief, all designed to support strategic decision-making, prioritization of effort, and a robust, proactive detection posture. It is best suited to mature security operations centers, threat intelligence teams, and proactive detection engineers who need advanced context.
Application:
- Risk-based prioritization - focus your team's efforts on deploying and tuning detections that address the most current and impactful threats.
- Improved situational awareness - gain a deeper understanding of how community detections align with the evolving threat landscape, active vulnerabilities, and adversary TTPs.
- Proactive detection posture management - move beyond reactive alerting to strategically curating and maintaining your detection capabilities based on actionable intelligence.
- Reduced fatigue and improved resource allocation - maximize the impact of your detection engineering with decision support built on tactical and strategic intelligence about the threat detection landscape.
Entities:
Identity: 39, Indicator: 8211, Note: 7227, Directory: 3696, Domain-Name: 1159, Email-Addr: 28, File: 5232, Ipv4-Addr: 54, Ipv6-Addr: 12, Process: 6733, Relationship: 28987, Windows-Registry-Key: 926
Rules:
anvilogic: 58, elastic-edr: 332, elastic-siem: 415, fibratus: 81, kql: 76, osquery: 78, sigma: 944, splunk: 1811, sublime-security: 192, wazuh: 1, yara: 314
STIX/TAXII endpoints:
Content preview:

Latest 10 entities:
| Details |
|---|
| Suspicious Microsoft OAuth Flow via Auth Broker to DRS (elastic-siem, new rule). This rule detects a potential OAuth phishing attack in Microsoft Entra ID. It identifies scenarios where two successful sign-in events share the same user principal and session ID but originate from different IP addresses within a five-minute window. The detection logic specifically targets OAuth flows where the client application is the Microsoft Authentication Broker (MAB) and the resource is the Device Registration Service (DRS), a pattern highly indicative of an attacker using a stolen authorization code to gain access. Relevant MITRE ATT&CK tactics: TA0001, TA0006. Relevant MITRE ATT&CK techniques: T1566, T1566.002, T1528. Tags: initial-access, credential-access, cloud-security, malicious-activity, TA0001, TA0006, T1566, T1566.002, T1528 |
| Potential Kerberos SPN Spoofing via Suspicious DNS Query (elastic-siem, new rule). This rule identifies DNS queries on Windows systems containing a specific Base64-encoded pattern (`*UWhRC*BAAAA*`). This pattern is indicative of a marshaled CREDENTIAL_TARGET_INFORMATION structure, which is a key component in Kerberos coercion attacks. Adversaries exploit this by creating malicious DNS records to spoof a Service Principal Name (SPN), tricking a victim system into authenticating to an attacker-controlled host. This technique facilitates credential theft, often through NTLM reflection. Relevant MITRE ATT&CK tactics: TA0006. Relevant MITRE ATT&CK techniques: T1557, T1557.001, T1187. Tags: credential-access, malicious-activity, endpoint-security, TA0006, T1557, T1557.001, T1187 |
| Potential Kerberos Coercion via DNS-Based SPN Spoofing (elastic-siem, new rule). This rule detects the creation of a DNS record containing a specific Base64-encoded pattern (`UWhRCA...BAAAA`), which corresponds to a marshaled `CREDENTIAL_TARGET_INFORMATION` structure. This activity is indicative of Kerberos coercion attacks that leverage DNS-based SPN spoofing. Adversaries use this technique to force systems to authenticate to attacker-controlled hosts, enabling reflective Kerberos relay attacks to gain privileged access, potentially as `NT AUTHORITY\SYSTEM`. Relevant MITRE ATT&CK tactics: TA0006. Relevant MITRE ATT&CK techniques: T1557, T1557.001, T1187. Tags: credential-access, endpoint-security, malicious-activity, TA0006, T1557, T1557.001, T1187 |
| Brand Impersonation: Meta and Subsidiaries (sublime-security). This rule detects email-based impersonation of Meta and its subsidiaries such as Facebook and Instagram. It analyzes sender display names for variations of 'Facebook Ads', 'Meta Support', and others, and also checks sender domain names. The logic combines these indicators with advanced checks, including logo detection, Natural Language Understanding (NLU) to identify credential theft intent, and a search for specific physical addresses such as '1 Facebook Way' in the email body. The rule is designed to reduce false positives by excluding known legitimate domains and considering sender reputation. Relevant MITRE ATT&CK tactics: TA0001. Relevant MITRE ATT&CK techniques: T1566, T1566.002 |
| [Impact: low][Scope: coverage] Update to "Brand Impersonation: Meta and Subsidiaries" rule. The rule's exclusion list for sender root domains has been updated to include 'facebookblueprint.com'. This change refines the detection logic so that legitimate emails from this domain are no longer flagged as impersonation, reducing potential false positives. |
| AWS IAM Assume Role Policy Update (elastic-siem). This rule detects updates to an AWS IAM role's trust policy by an IAM user or Assumed Role identity. This action, identified via the 'UpdateAssumeRolePolicy' event in CloudTrail logs, can be leveraged by attackers to modify which principals can assume a role, potentially gaining its privileges. The rule employs 'New Terms' logic, triggering only on the first observation of a unique combination of `cloud.account.id`, `user.name`, and `roleName` within a 14-day period, to reduce noise from legitimate administrative activity. Relevant MITRE ATT&CK tactics: TA0004. Relevant MITRE ATT&CK techniques: T1078, T1078.004, T1098.003. Tags: privilege-escalation, cloud-security, malicious-activity, TA0004, T1078, T1078.004, T1098.003 |
| [Impact: medium][Scope: coverage] Update to "AWS IAM Assume Role Policy Update" rule. The rule's detection logic was refined by changing the fields used for suppression in the 'New Terms' configuration; it now uses `cloud.account.id` and `user.name` instead of `aws.cloudtrail.user_identity.arn` for better accuracy. The MITRE ATT&CK mapping was updated to include the sub-technique T1078.004 (Cloud Accounts). Additionally, a dedicated list of investigation fields was added, the investigation guidance in the note was expanded, and the query time window was adjusted for better performance. |
| domain-name--8dbf1c3a-2d0b-512b-a5d2-d7d749ce25db |
| relationship--3484f7e3-7f55-4fa2-a45f-8c3008155845 |
| relationship--afde75de-71c2-4cc5-a069-2cbd38c96991 |