Description:

Premium feed that expands the "Detection Rules Pro" feed with analysis and guidance. The feed includes rule change analysis with impact guidance, correlation to active CVEs and threat campaigns, and a weekly detection engineering brief, all designed to support strategic decision-making, prioritization of effort, and a robust, proactive detection posture. The feed is best suited for mature security operations centers, threat intelligence teams, and proactive detection engineers who need advanced context.

Use cases:

  • Risk-based prioritization - focus your team's efforts on deploying and tuning detections that address the most current and impactful threats.
  • Improved situational awareness - gain a deeper understanding of how community detections align with the evolving threat landscape, active vulnerabilities, and adversary TTPs.
  • Proactive detection posture management - move beyond reactive alerting to strategically curating and maintaining your detection capabilities based on actionable intelligence.
  • Reduced fatigue and improved resource allocation - maximize the impact of your detection engineering with decision support built on tactical and strategic intelligence about the threat detection landscape.

Rules:

  • anvilogic: 62
  • elastic-edr: 436
  • elastic-siem: 531
  • fibratus: 82
  • kql: 90
  • osquery: 88
  • sentinel: 1
  • sigma: 1122
  • splunk: 1868
  • sublime: 1
  • sublime-security: 243
  • wazuh: 1
  • yara: 352

Entities:

  • Identity: 46
  • Indicator: 9187
  • Note: 8002
  • Report: 7
  • Directory: 4277
  • Domain-Name: 1392
  • Email-Addr: 31
  • File: 7563
  • Ipv4-Addr: 55
  • Ipv6-Addr: 14
  • Process: 7613
  • Relationship: 37796
  • Windows-Registry-Key: 1019

MISP feed:

https://dispatch.ctichef.com/misp/95114f32-5047-4df7-99ac-20d4ba07a38f

STIX/TAXII feed:

API root:
https://dispatch.ctichef.com/

Content preview:

Latest 10 entities:

  • This rule detects inbound emails with subjects and attachments themed around employee compensation, policy, or handbook updates, a common social engineering lure. It specifically flags emails containing Microsoft Word or PDF attachments with filenames that match keywords like 'salary', 'bonus', 'handbook', or 'update'. The detection logic correlates suspicious keywords in both the subject line and attachment filename and is intended to identify credential phishing attempts delivered via malicious documents. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566, T1566.001

    name: "Attachment: Suspicious Employee Policy Update Document Lure"
    description: "Inbound message containing subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and PDF files that match similar update-related terminology. This pattern has been observed used to deliver credential phishing via QR codes."
    type: "rule"
    severity: "medium"
    source: |
      type.inbound
      and (
        // the subject contains pay related items
        (
          strings.icontains(subject.subject, 'salary')
          or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
          or strings.icontains(subject.subject, 'remuneration')
          or strings.icontains(subject.subject, 'bonus')
          or strings.icontains(subject.subject, 'incentive')
          or strings.icontains(subject.subject, 'merit')
          or strings.icontains(subject.subject, 'handbook')
          or strings.icontains(subject.subject, 'benefits')
        )
        and (
          strings.icontains(subject...

    credential-access malicious-activity TA0001 T1566 T1566.001 MIT License

  • [Impact: medium][Scope: coverage] Update to "Attachment: Suspicious Employee Policy Update Document Lure" rule

    The detection logic has been expanded to increase coverage. The rule now includes '.pdf' files in its attachment analysis, in addition to Microsoft Word documents. New keywords such as 'remuneration', 'details', and 'adjustment' have been added to the subject and filename checks. A new condition was also introduced to detect if an attachment filename contains the recipient's email address, a common tactic for personalizing lures.

  • This rule detects email-based brand impersonation attacks posing as Booking.com. It identifies inbound messages with a low number of links, topics related to travel or customer service, and mentions of "Booking.com". The detection logic triggers on signs of credential theft, suspicious links (mismatched display URLs, new domains, redirect paths), or specific intent phrases like "book a room". The rule ensures the sender is not from the legitimate "booking.com" domain and has a history of malicious/spam activity or no prior solicited communication. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566, T1036

    name: "Brand Impersonation: Booking.com"
    description: "Detects messages purporting to be from Booking.com's support team that contain suspicious credential collection patterns. The sender is not from a legitimate Booking.com domain and shows a history of problematic behavior or lacks prior solicited communication. Additional checks enforce DMARC authentication for trusted domains."
    type: "rule"
    severity: "medium"
    source: |
      type.inbound
      and length(body.links) < 10
      and any(beta.ml_topic(body.current_thread.text).topics,
              .name in (
                "Travel and Transportation",
                "Customer Service and Support",
                "Security and Authentication"
              )
              and .confidence != "low"
      )
      and (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "org" and .text == "Booking.com"
            or strings.icontains(body.current_thread.text, ' booking.com ')
            or strings.icontains(sender.display_name, "booking.com")
        )
      )
      an...

    credential-access malicious-activity TA0001 T1566 T1036 MIT License

  • [Impact: medium][Scope: coverage] Update to "Brand Impersonation: Booking.com" rule

    The detection logic was expanded to improve coverage of Booking.com impersonation attempts. New conditions were added to check for "booking.com" in the sender's display name and to search the email body for intent-revealing phrases such as "book a room" or variations of "available". A minor formatting change was also made to an existing XPath check.

  • Identifies brute force attempts against Microsoft Entra ID multi-factor authentication (MFA) using Time-based One-Time Password (TOTP) codes. The rule triggers when a high number of failed TOTP code attempts from at least 10 distinct sessions are observed for a single user within a short time frame. This behavior is indicative of an adversary with valid primary credentials programmatically attempting to guess the MFA code to gain unauthorized access. Relevant MITRE ATT&CK tactics: TA0006 Relevant MITRE ATT&CK techniques: T1110, T1110.001, T1621

    [metadata]
    creation_date = "2024/12/11"
    integration = ["azure"]
    maturity = "production"
    updated_date = "2025/07/28"

    [rule]
    author = ["Elastic"]
    description = """
    Identifies brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. This rule detects high frequency failed TOTP code attempts for a single user in a short time-span with a high number of distinct session IDs. Adversaries may programmatically attempt to brute-force TOTP codes by generating several sessions and attempt to guess the correct code.
    """
    false_positives = [
        """
        Based on the high-frequency threshold, it would be unlikely for a legitimate user to exceed the threshold for failed TOTP code attempts in a short time-span over multiple sessions.
        """,
    ]
    from = "now-9m"
    language = "esql"
    license = "Elastic License v2"
    name = "Microsoft Entra ID MFA TOTP Brute Force Attempts"
    note = """## Triage and analysis
    ### Investigating Microsof...

    credential-access cloud-security identity-and-access-management TA0006 T1110 T1110.001 T1621 Elastic License 2.0

  • [Impact: high][Scope: coverage] Update to "Microsoft Entra ID MFA TOTP Brute Force Attempts" rule

    The rule was substantially updated to improve detection accuracy. The query logic was rewritten to filter on member user types, include an additional failure error code (500121), and now requires a high count of distinct session IDs (>=10) in addition to a high event count (>=20) per user. This refines the detection from a simple high-frequency count to a more specific brute-force pattern across multiple sessions. Metadata, including the rule name, description, and triage steps, were updated to reflect these changes.

  • This rule detects inbound emails with subjects related to compensation reviews (e.g., 'salary', 'bonus', 'raise') that also contain an attached EML file. The detection logic further inspects the attached EML's own attachments, triggering an alert if they contain a QR code or barcode, identified either through direct analysis or via OCR of scanned documents. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566, T1566.001

    name: "Compensation Review With QR Code in Attached EML"
    description: "Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents."
    type: "rule"
    severity: "high"
    source: |
      type.inbound
      // the subject contains pay related items
      and (
        strings.icontains(subject.subject, 'salary')
        or strings.icontains(subject.subject, 'compensation')
        or regex.icontains(subject.subject, 'comp\b')
        or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
        or strings.icontains(subject.subject, 'bonus')
        or strings.icontains(subject.subject, 'incentive')
        or strings.icontains(subject.subject, 'merit')
        or strings.icontains(subject.subject, 'handbook')
        or strings.icontains(subject.subject, 'benefits')
      )
      // subjects include review/updates/changes
      and (
        strings.icontains(subject.subject, 'review')
        or strings.ico...

    malicious-activity credential-access TA0001 T1566 T1566.001 MIT License

  • [Impact: low][Scope: coverage] Update to "Compensation Review With QR Code in Attached EML" rule

    The detection logic was updated by replacing a regex match for 'update(d| to)' in the email subject with a broader and more performant string containment check for 'update'. This change simplifies the query and slightly expands detection coverage to include subjects containing only the root word 'update'.

  • This rule detects attempts to modify or delete critical Windows forensic artifacts, specifically the Amcache.hve file and the SYSTEM hive. The Amcache.hve file records program execution details, while the SYSTEM hive contains the Shimcache (AppCompatCache), which tracks historical program activity. The query monitors for file events targeting `Amcache.hve` in any location, or any file whose name contains `SYSTEM` within `C:\Windows\System32\config\`, as attackers may tamper with these files to erase evidence of their presence and actions on a compromised system. Because the `SYSTEM` test is a substring match and the query applies no ActionType filter, routine writes to the hive's transaction logs (SYSTEM.LOG1, SYSTEM.LOG2) and to the RegBack copy will also match, so tuning on ActionType and InitiatingProcessFileName is needed before alerting on it. Relevant MITRE ATT&CK tactics: TA0005 Relevant MITRE ATT&CK techniques: T1070, T1070.004

    DeviceFileEvents
    | where (FileName contains "SYSTEM" and FolderPath contains "C:\\Windows\\System32\\config\\")
        or (FileName has "Amcache.hve")
    | project Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, InitiatingProcessFileName, ReportId

    defense-evasion endpoint-security TA0005 T1070 T1070.004

  • directory--17f59e4b-d5aa-52b5-9e04-a5ac7749236a
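The "Microsoft Entra ID MFA TOTP Brute Force Attempts" entry and its update note above describe the detection as a per-user aggregation: member accounts only, failed TOTP attempts (error code 500121 is the one the note names), at least 20 failures across at least 10 distinct session IDs inside the rule's 9-minute lookback. The following Python is an added example written for this page, not Elastic's ES|QL rule or any code from the feed; it emulates that aggregation over constructed sign-in records. The field names (`user`, `session_id`, `error_code`, `user_type`) are simplified stand-ins for the Entra sign-in log fields, and the sample data is invented to show a spray that trips both thresholds beside a single-session fumbler, a guest account, and stale events that do not.

```python
"""Emulation of the "Microsoft Entra ID MFA TOTP Brute Force Attempts" logic
over constructed sign-in records. Field names are simplified stand-ins for
the Entra sign-in log fields, not the rule's ES|QL or ECS field names."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds stated in the rule's update note: >= 20 failed TOTP attempts and
# >= 10 distinct session IDs for one user. 500121 is the only failure code the
# note names; add the others your tenant emits. The window mirrors from = "now-9m".
MIN_FAILED_ATTEMPTS = 20
MIN_DISTINCT_SESSIONS = 10
FAILED_TOTP_ERROR_CODES = {"500121"}
LOOKBACK = timedelta(minutes=9)


def _ts(event):
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def find_totp_brute_force(events, now=None):
    """Return {user: (failed_attempts, distinct_sessions)} for users whose
    failed TOTP attempts inside the lookback exceed both thresholds."""
    if now is None:
        now = max(_ts(e) for e in events)
    cutoff = now - LOOKBACK

    sessions_by_user = defaultdict(list)
    for e in events:
        if e["user_type"] != "Member":          # rule scope: member accounts only
            continue
        if e["error_code"] not in FAILED_TOTP_ERROR_CODES:
            continue
        if _ts(e) < cutoff:                      # outside the lookback window
            continue
        sessions_by_user[e["user"]].append(e["session_id"])

    hits = {}
    for user, sessions in sessions_by_user.items():
        attempts, distinct = len(sessions), len(set(sessions))
        if attempts >= MIN_FAILED_ATTEMPTS and distinct >= MIN_DISTINCT_SESSIONS:
            hits[user] = (attempts, distinct)
    return hits


# ---- constructed sample data (not real tenant logs) ----
NOW = datetime(2025, 7, 28, 12, 0, tzinfo=timezone.utc)


def _event(user, session_id, minutes_ago, error_code="500121", user_type="Member"):
    return {
        "timestamp": (NOW - timedelta(minutes=minutes_ago)).isoformat(),
        "user": user,
        "session_id": session_id,
        "error_code": error_code,
        "user_type": user_type,
    }


def sample_events():
    events = []
    # Scripted guessing with stolen primary credentials: 24 failures over 12 sessions.
    for i in range(24):
        events.append(_event("victim@example.com", f"sess-{i % 12:02d}", i % 5))
    # Legitimate user mistyping the code many times from one browser session.
    for i in range(25):
        events.append(_event("clumsy@example.com", "sess-single", i % 5))
    # Same spray pattern against a guest account: outside the rule's Member scope.
    for i in range(30):
        events.append(_event("guest@partner.example", f"g-{i % 15:02d}", 1, user_type="Guest"))
    # Old failures from an hour ago: outside the 9-minute lookback.
    for i in range(30):
        events.append(_event("victim@example.com", f"old-{i:02d}", 60))
    # A successful sign-in carries no failure code and is ignored.
    events.append(_event("victim@example.com", "sess-ok", 0, error_code="0"))
    return events


if __name__ == "__main__":
    for user, (attempts, sessions) in find_totp_brute_force(sample_events()).items():
        print(f"{user}: {attempts} failed TOTP attempts across {sessions} sessions")
```

Running it reports only victim@example.com (24 attempts, 12 sessions). The distinct-session requirement is what separates the scripted spray from the user who mistypes 25 codes in one session, which is exactly the refinement the update note describes.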
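The Amcache.hve / SYSTEM hive tampering entry above ships a single KQL predicate with no ActionType or process filter. The Python below is an added example for this page, not the rule author's code: it ports that `where` clause and runs it over constructed DeviceFileEvents rows so the match surface is visible, then layers a hypothetical triage filter on top. The `has "Amcache.hve"` whole-term test is approximated with a bounded regex, the sample rows are invented, and the `EXPECTED_WRITERS` allowlist is a constructed illustration rather than a vetted baseline.

```python
"""Emulation of the Amcache.hve / SYSTEM hive tampering KQL over constructed
DeviceFileEvents rows, plus a hypothetical tuning layer for triage."""
import re

# Path literal from the rule. KQL `contains` is case-insensitive, so compare lowercase.
CONFIG_DIR = "C:\\Windows\\System32\\config\\".lower()


def rule_matches(row):
    """Port of the rule's `where` clause.

    `FileName contains "SYSTEM"` is a substring test, so the hive's transaction
    logs (SYSTEM.LOG1/LOG2) and the RegBack copy match as well as the live hive.
    `FileName has "Amcache.hve"` is a whole-term test, approximated here with a
    regex bounded by non-alphanumerics.
    """
    name = row["FileName"].lower()
    folder = row["FolderPath"].lower()
    system_in_config = "system" in name and CONFIG_DIR in folder
    amcache = re.search(r"(?<![a-z0-9])amcache\.hve(?![a-z0-9])", name) is not None
    return system_in_config or amcache


def run_rule(rows):
    """Rows the rule would return (before the `project`)."""
    return [r for r in rows if rule_matches(r)]


# Hypothetical tuning layer, not part of the rule: keep destructive actions
# whose initiating process is not a known hive writer. The allowlist below is
# constructed for the sample rows; derive a real one from your own baseline.
DESTRUCTIVE_ACTIONS = {"FileDeleted", "FileModified", "FileRenamed"}
EXPECTED_WRITERS = {"system", "svchost.exe"}


def needs_review(rows):
    return [
        r for r in run_rule(rows)
        if r["ActionType"] in DESTRUCTIVE_ACTIONS
        and r["InitiatingProcessFileName"].lower() not in EXPECTED_WRITERS
    ]


# Constructed DeviceFileEvents rows (not real telemetry); column names follow
# the rule's `project` list.
def _row(name, path, action, proc, ts):
    return {"Timestamp": ts, "DeviceName": "ws01", "DeviceId": "dev-0001",
            "FileName": name, "FolderPath": path, "ActionType": action,
            "InitiatingProcessFileName": proc, "ReportId": ts}


SAMPLE_EVENTS = [
    # Amcache removed from a shell: anti-forensics, should surface for review.
    _row("Amcache.hve", "C:\\Windows\\appcompat\\Programs\\Amcache.hve",
         "FileDeleted", "cmd.exe", "2025-07-28T12:01:05Z"),
    # Live SYSTEM hive written by an interactive PowerShell: review.
    _row("SYSTEM", "C:\\Windows\\System32\\config\\SYSTEM",
         "FileModified", "powershell.exe", "2025-07-28T12:01:09Z"),
    # Transaction log flushed by the kernel: matches the rule, expected noise.
    _row("SYSTEM.LOG1", "C:\\Windows\\System32\\config\\SYSTEM.LOG1",
         "FileModified", "System", "2025-07-28T12:01:10Z"),
    # RegBack copy refreshed by a service host: matches, non-destructive action.
    _row("SYSTEM", "C:\\Windows\\System32\\config\\RegBack\\SYSTEM",
         "FileCreated", "svchost.exe", "2025-07-28T12:02:00Z"),
    # Name contains "system" but the folder is not the config directory: no match.
    _row("system.ini", "C:\\Windows\\system.ini",
         "FileModified", "notepad.exe", "2025-07-28T12:03:00Z"),
    # Unrelated user file: no match.
    _row("report.docx", "C:\\Users\\alice\\Documents\\report.docx",
         "FileCreated", "WINWORD.EXE", "2025-07-28T12:04:00Z"),
]


if __name__ == "__main__":
    print(f"{len(run_rule(SAMPLE_EVENTS))} rows match the rule")
    for r in needs_review(SAMPLE_EVENTS):
        print(f"REVIEW {r['ActionType']} {r['FolderPath']} by {r['InitiatingProcessFileName']}")
```

On the sample rows the raw predicate returns four hits, two of which are the kernel's transaction-log flush and the RegBack refresh; the triage filter narrows that to the Amcache deletion from cmd.exe and the hive write from powershell.exe. Whether to keep the rule broad and tune downstream, or tighten the KQL itself (for example `FileName =~ "SYSTEM"` for an exact match and an ActionType restriction), is a choice to make against your own tenant's baseline.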