Detections Digest #20250317
The issue covers rule updates from 8 GitHub repositories made between Mar 10 and Mar 17, 2025: 27 rules added and 72 updated.
This week's update highlights the most significant changes to detection rules from 8 of the 40+ monitored GitHub repositories. Between Mar 10 and Mar 17, 2025, contributors added 27 new rules and updated 72 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Auth0 authentication anomalies — Introduced multiple rules to catch failed logins, token reuse, expired tokens, and unusual location logins in Auth0 events (anvilogic-forge/armory).
Azure Entra ID rare events — Rolled out detections for uncommon app IDs, rare authentication requirements, and password spraying against principal users (elastic/detection-rules).
Cloud IAM and snapshot alerts — Added rules to monitor IAM policy changes, snapshot creation events, and external user invites in GCP and AWS environments (panther-labs/panther-analysis).
Refined Azure AD queries in Splunk — Updated numerous rules by removing redundant field aliases and adjusting stats grouping to improve precision in role assignments, MFA events, and service principal actions (splunk/security_content).
Hunting queries for emerging threats — New KQL rules now detect internet-facing Kibana instances, ransomware activity, and Kerberos roasting along with RMM anomalies (SlimKQL/Hunting-Queries-Detection-Rules).
Phishing and impersonation enhancements — Improved email detection by fine-tuning sender domain checks, updating regex patterns, and expanding exclusion lists to lower false positives (sublime-security/sublime-rules).
Host and process behavior tuning — Modified detection conditions for hidden account creation and long-running processes by adjusting registry-modification conditions and switching to direct equality checks (chainguard-dev/osquery-defense-kit).
Suspicious network beaconing detection — Added a rule aggregating network event counts to identify potential beaconing activity from endpoint telemetry (Cyb3r-Monk/Threat-Hunting-and-Detection).
Table Of Contents
Corporate repositories (6)
anvilogic-forge/armory (+5)
elastic/detection-rules (+4, ✎1)
panther-labs/panther-analysis (+7, ✎2)
chainguard-dev/osquery-defense-kit (✎2)
sublime-security/sublime-rules (+4, ✎17)
splunk/security_content (✎50)
Personal repositories (2)
Cyb3r-Monk/Threat-Hunting-and-Detection (+1)
SlimKQL/Hunting-Queries-Detection-Rules (+6)
Corporate repositories (6)
anvilogic-forge/armory (+5)
https://github.com/anvilogic-forge/armory
+ New rules
Three Auth0 rules target authentication misuse. Two rules monitor token use: one flags the use of expired tokens from multiple IPs and another watches for token reuse under similar conditions. A third rule counts a burst of failed logins on a single account to catch abuse. (Auth0: Attempted Use of Expired Token, Auth0: Multiple Failed Logins for Single Account, Auth0: Potential Token Reuse)
Two Auth0 rules focus on user location behavior. One rule checks login attempts from unexpected locations compared to past patterns, and another flags sign-ins that imply travel between distant points in an impractical time. (Auth0: Login Attempts from Inconsistent Locations, Auth0: Impossible travel Sign-In)
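The impossible-travel check described above, written here as an added example rather than code from the anvilogic-forge/armory rules: it computes the great-circle distance between consecutive sign-ins of one user and the speed that distance implies. The SignIn fields, the 900 km/h threshold and the sample sign-ins are assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
# Assumed threshold (not taken from the armory rule): faster than an airliner.
MAX_PLAUSIBLE_SPEED_KMH = 900.0

@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime  # sign-in time (UTC, naive)
    lat: float    # geolocated source latitude
    lon: float    # geolocated source longitude

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (user, earlier, later, implied km/h) for each pair of consecutive
    sign-ins by the same user whose implied travel speed exceeds max_speed_kmh."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Identical timestamps from distant places are impossible travel, not a division error.
            speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                findings.append((user, prev, cur, speed))
    return findings

# Constructed sample sign-ins (not real Auth0 data): alice appears in New York and
# 30 minutes later in Tokyo; bob travels London -> Paris over two hours.
SAMPLE = [
    SignIn("alice", datetime(2025, 3, 12, 9, 0), 40.7128, -74.0060),
    SignIn("alice", datetime(2025, 3, 12, 9, 30), 35.6762, 139.6503),
    SignIn("bob", datetime(2025, 3, 12, 8, 0), 51.5074, -0.1278),
    SignIn("bob", datetime(2025, 3, 12, 10, 0), 48.8566, 2.3522),
]
```

Running `impossible_travel(SAMPLE)` flags only alice; a production rule would also need to account for VPN egress points and coarse IP geolocation before alerting.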
elastic/detection-rules (+4, ✎1)
https://github.com/elastic/detection-rules
+ New rules
Two new rules focus on unusual authentication events in Azure Entra ID. One rule tracks rare app IDs that request authentication for users, while the other flags rare authentication requirements during principal user logins. These rules target potential signs of credential theft or skipped authentication checks. (Azure Entra ID Rare App ID for Principal Authentication, Azure Entra ID Rare Authentication Requirement for Principal User)
A separate rule monitors non-interactive login failures on Azure Entra ID to catch signs of password spraying attempts. (Azure Entra ID Password Spraying (Non-Interactive SFA))
A final rule checks for file creation in the /var/log directory by processes that fall outside normal system behavior. The rule uses KQL with data from Elastic Defend and SentinelOne to spot suspicious process activity in log directories. (File Creation in /var/log via Suspicious Process)
✎ Modified rules
The rule update revised the updated_date and query logic. The logic now checks both process names and executable paths to improve detection accuracy for DLL side-loading events (Potential DLL Side-Loading via Trusted Microsoft Programs).
panther-labs/panther-analysis (+7, ✎2)
https://github.com/panther-labs/panther-analysis
+ New rules
Two new rules focus on GCP external user ownership invites. They detect when an external user is added as an owner via the InsertProjectOwnershipInvite event, check request and authentication details, and include detailed runbooks and test cases. (GCP External User Ownership Invite, gcp_invite_external_user_as_owner)
Two new rules monitor IAM policy changes in GCP. They track modifications for Compute Disks, Images, and Snapshots by checking specific method names and providing thorough tests to validate suspicious updates. (gcp_compute_set_iam_policy, GCP Compute IAM Policy Update Detection)
Two new snapshot detection rules for GCP have been added. They detect snapshot creation events when the principal email is outside the expected domain. The rules include specific error handling and test cases, with one rule currently disabled pending configuration changes. (GCP Snapshot Insert, GCP Snapshot Creation Detection)
New tests were added to the AWS resource detection rule. They cover scenarios with invalid JSON policies and various restrictive conditions that should not trigger alerts, refining detection of public exposure in AWS resource policies. (AWS Resource Made Public)
✎ Modified rules
GCP IAM Corp Email Validation now parses the authenticated principal email for domain parts to check for unexpected email domains instead of hardcoding Gmail, broadening its coverage of misconfigurations (GCP IAM Corp Email Validation).
AWS Resource Made Public now uses a structured method to check IAM policies for public access by handling policy types distinctly and modularizing the extraction process for different AWS event types, which improves clarity and maintainability (AWS Resource Made Public).
chainguard-dev/osquery-defense-kit (✎2)
https://github.com/chainguard-dev/osquery-defense-kit
✎ Modified rules
The rule for detecting long-running processes as root has been updated to sharpen its handling of the dovecot service. The detection logic now applies a direct equality check on the cgroup path and working directory and excludes processes running under `dovecot.service`, reducing false positives (Unexpected long-running processes running as root).
The rule for surface webmail downloads has been updated to check for files with an `.avi` extension, improving the detection of unexpected file types sent by e-mail (Surface webmail downloads of an unexpected sort).
sublime-security/sublime-rules (+4, ✎17)
https://github.com/sublime-security/sublime-rules
+ New rules
Two rules check for sender spoofing. One flags WeTransfer impersonation by scanning sender emails and subjects for misspelled domains and non-standard TLDs, filtering out messages that pass DMARC. The other identifies Sharepoint file links with a sender-subdomain mismatch by using set thresholds. (Brand Impersonation: WeTransfer, Sharepoint Link Likely Unrelated to Sender)
Two rules target phishing tactics. One looks for callback phishing attempts via Adobe Sign by matching specific string patterns, while the other flags email subjects that contain long, procedurally generated text blobs using regex and machine analysis. (Callback Phishing via Adobe Sign comment, Suspicious subject with long procedurally generated blob)
✎ Modified rules
Impersonation and brand rules were updated to improve the accuracy of phishing detection by refining content checks, adding specific string and sender conditions, and revising negative lists to reduce false alerts. (Impersonation: Fake Gmail Attachment, Impersonation: Human Resources with link or attachment and engaging language, Attachment: Callback Phishing solicitation via image file, Brand impersonation: FedEx, Brand Impersonation: PayPal, Brand impersonation: Amazon, Brand impersonation: DocuSign, Brand impersonation: LinkedIn)
The attachment rule for obfuscated HTML was modified to check recipients’ email addresses across multiple string types and to restructure conditions for avoiding misidentifications related to Cisco Secure Email Encryption. (Attachment: HTML with obfuscation and recipient's email in JavaScript strings)
Link-based detection was adjusted by adding filters on link length and by including checks for span elements in the final DOM, with minor text clarifications. (Open Redirect: retailrocket.net, Link: Multistage Landing - Microsoft Forms Abuse)
Content pattern updates were rolled out to refine language and regex checks across multiple email scams, including those related to tax preparation, purchase requests, voicemail notifications, unsolicited job offers, and urgent business email compromise patterns. (Fake request for tax preparation, Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern, Fake voicemail notification (untrusted sender), Job Scam (unsolicited sender), BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns)
splunk/security_content (✎50)
https://github.com/splunk/security_content
✎ Modified rules
Multiple Azure AD rules updated their search logic by removing or altering the renaming of key fields (for example, avoiding the conversion of "operationName" to "action") and by adjusting stats grouping to include fields such as "signature" (along with vendor_account or vendor_product where needed). The changes keep the original field values intact and promote more accurate counting and reporting for authentication, role assignment, consent, and service principal events (Azure AD AzureHound UserAgent Detected, Azure AD Application Administrator Role Assigned, Azure AD Block User Consent For Risky Apps Disabled, Azure AD Authentication Failed During MFA Challenge, Azure AD Concurrent Sessions From Different Ips, and 40 more).
Other modifications fix field naming and query filters for non–Azure AD detections. In the Azure Automation detections the search queries were adjusted for better variable naming and grouping. At the same time, the Windows Suspicious Process File Path rule removed an unneeded pattern to sharpen its conditions. The Azure Runbook Webhook detection now aggregates by destination, and the O365 BEC Email Hiding detection refined its drilldown filtering for user-specific activity (Azure Automation Account Created, Azure Automation Runbook Created, Azure Runbook Webhook Created, O365 BEC Email Hiding Rule Created, Windows Suspicious Process File Path).
Personal repositories (2)
Cyb3r-Monk/Threat-Hunting-and-Detection (+1)
https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection
+ New rules
A new rule was introduced to detect suspicious beaconing activity by analyzing DeviceNetworkEvents Aggregated Reports telemetry. The KQL query identifies potential beaconing based on unique event counts over a defined lookback period, helping to flag anomalous connection behavior (Suspicious Network Beacons - Microsoft Defender for Endpoint Aggregated Reports)
SlimKQL/Hunting-Queries-Detection-Rules (+6)
https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
+ New rules
One rule flags internet-facing Elastic Kibana instances with likely vulnerabilities. Others count network attempts on specific ports to spot Medusa ransomware and sift through login events to catch Kerberos roasting using a whitelist for a known admin account. A further rule spots unsanctioned remote management tools by comparing connection URLs to a safe list. (Critical Vulnerability in Elastic Kibana, Medusa Ransomware Detection, Kerberos Roasting Detection, Detecting Unauthorized RMM Instances in Your MDE Environment)
Other new rules focus on monitoring unusual query and scan behavior. One rule counts LDAP queries from non-admin accounts to catch abnormal enumeration activity, while another scans weekly OSINT CSV data to match indicators across emails, URLs, files, and network events. (DefenderXDR LDAP Enumeration Detection, DefenderXDR Weekly OSINT Indicators Scan 10032025)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.