This week’s update highlights the most significant changes to detection rules from 10 of the 40+ monitored GitHub repositories. Between Oct 13 and Oct 20, 2025, contributors added 82 new (💥) rules and updated 328 (🤯) existing ones.

Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.

Key Takeaways

• New rules target Microsoft 365 Copilot account compromise, policy violations, and prompt injection attempts. This covers suspicious authentication, usage anomalies, and eDiscovery log analysis. Detections also address attacks against Ollama servers, including DDoS, RCE, data exfiltration, and prompt injection. (splunk/security_content)

• New rules detect destructive actions in Azure like Restore Point Collection and Storage Account deletions. Critical identity compromises in Microsoft Entra ID are identified, including admin confirmed compromise and PIM failures. AWS coverage improves with federated user logins without MFA, plus refined root user and IAM privilege escalation monitoring. Auth0 now correlates successful logins with suspicious TLS fingerprints. (elastic/detection-rules, auth0/auth0-customer-detections, jkerai1/KQL-Queries, benscha/KQLAdvancedHunting)

• Updates refine detection of process and memory manipulation, including API calls from spoofed parents, ROP gadgets, image hollowing, and direct syscalls. New rules cover system tampering like boot file ownership changes and a CLFS vulnerability. Persistence via registry, scheduled tasks, and Windows services is tuned. Proxy execution and binary masquerading detections are also refined. (elastic/protections-artifacts, SigmaHQ/sigma)

• New YARA rules identify several Windows malware families including HiddenDriver, CastleLoader, Tollbooth, Stealc Trojan, and AveMaria RAT. Linux/MSIL backdoors Veaty and BPFDoor also get new YARA signatures. Comprehensive detection for the ‘Shai Hulud’ NPM supply chain attack covers malicious GitHub workflows, token theft, data exfiltration, and TruffleHog execution. EDR-Freeze tool execution to suspend security processes is also now detected. (reversinglabs/reversinglabs-yara-rules, elastic/protections-artifacts, SigmaHQ/sigma)

• New rules detect email-based brand impersonation for various entities and social engineering abusing Apple services. Detections also target executable file links, HTML bidirectional text override for obfuscation, and ghostwriting scams. Existing image-based lure detections (OCR, QR, EXIF) have been refactored to use new beta functions. General refinements for email impersonation and spam improve coverage and accuracy. (sublime-security/sublime-rules)

🚀 Make updates from this digest operational → All detection rules from this digest are available in our MISP and STIX/TAXII feeds ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.

Explore the feeds

Table Of Contents

• Corporate repositories (7)

  • splunk/security_content (+17, ✎28)

  • elastic/detection-rules (+6, ✎11)

  • reversinglabs/reversinglabs-yara-rules (+2)

  • elastic/protections-artifacts (+35, ✎234)

  • sublime-security/sublime-rules (+9, ✎31)

  • SigmaHQ/sigma (+7, ✎24)

  • auth0/auth0-customer-detections (+1)

• Personal repositories (3)

  • benscha/KQLAdvancedHunting (+3)

  • Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)

  • jkerai1/KQL-Queries (+1)

• Feedback

• Disclaimer

• Powered by

Corporate repositories (7)

splunk/security_content (+17, ✎28)

+ New rules

New detections monitor Microsoft 365 Copilot user activity for signs of account compromise and policy violations. These rules identify suspicious authentication patterns like multi-city access, failed logins, MFA failures, and access from non-compliant or unmanaged devices. They also flag anomalous usage volumes or access across multiple Copilot applications, providing coverage for credential stuffing and unauthorized access. (M365 Copilot Failed Authentication Patterns, M365 Copilot Non Compliant Devices Accessing M365 Copilot, M365 Copilot Application Usage Pattern Anomalies, M365 Copilot Session Origin Anomalies)

Several rules target jailbreak and prompt injection attempts against Microsoft 365 Copilot. These detections analyze eDiscovery logs for keywords and patterns indicating efforts to manipulate the AI into adopting alternate personas, bypass safety controls, or extract sensitive data. They cover persona injection, rule injection, system overrides, and information extraction keywords. (M365 Copilot Impersonation Jailbreak Attack, M365 Copilot Agentic Jailbreak Attack, M365 Copilot Information Extraction Jailbreak Attack, M365 Copilot Jailbreak Attempts)

A set of new rules addresses threats to Ollama servers, covering various attack vectors. Detections include monitoring for DDoS and API reconnaissance, remote code execution attempts during model loading, and abnormal network activity. It also covers data exfiltration of model metadata, resource exhaustion attacks, and prompt injection attempts identified by long response times, aiming to maintain API and model integrity. (Ollama Excessive API Requests, Ollama Possible API Endpoint Scan Reconnaissance, Ollama Possible RCE via Model Loading, Ollama Abnormal Network Connectivity, Ollama Abnormal Service Crash Availability Attack, Ollama Possible Model Exfiltration Data Leakage, Ollama Suspicious Prompt Injection Jailbreak, Ollama Possible Memory Exhaustion Resource Abuse)

A new rule identifies the use of expand.exe to extract Microsoft Cabinet (CAB) files into staging directories like C:\ProgramData. This technique is linked to APT37 and helps detect ingress tool transfer through abuse of a legitimate Windows binary. (Windows Cabinet File Extraction Via Expand)

✎ Modified rules

Many existing detection rules across various platforms and techniques have been associated with the ‘Hellcat Ransomware’ analytic story. This update spans detections for ransomware indicators like notes and service termination, exploitation of vulnerabilities (CrushFTP, FortiNAC, Jenkins), credential theft (Mimikatz, VaultCLI, SSH keys), post-exploitation tools (PowerShell Empire, SliverC2), data exfiltration, and phishing attempts. This contextual tagging supports threat hunting and incident response for Hellcat Ransomware operations. (Common Ransomware Notes, Azure AD New Federated Domain Added, Detect Mimikatz With PowerShell Script Block Logging, CrushFTP Server Side Template Injection, Detect Empire with PowerShell Script Block Logging, File with Samsam Extension, Linux Auditd Data Transfer Size Limits Via Split, MacOS AMOS Stealer - Virtual Machine Check Activity, Linux Auditd Find Ssh Private Keys, Linux SSH Remote Services Script Execute, PowerShell Loading DotNET into Memory via Reflection, Ryuk Wake on LAN Command, Suspicious Curl Network Connection, Schedule Task with HTTP Command Arguments, Windows Credentials Access via VaultCli Module, Svchost LOLBAS Execution Process Spawn, Windows Cisco Secure Endpoint Related Service Stopped, Windows File Transfer Protocol In Non-Common Process Path, Suspicious Rundll32 no Command Line Arguments, Windows Exfiltration Over C2 Via Invoke RestMethod, Trickbot Named Pipe, Windows Service Create SliverC2, CrushFTP Authentication Bypass Exploitation, Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952, Jenkins Arbitrary File Read CVE-2024-23897, Windows Security And Backup Services Stop, Zscaler Phishing Activity Threat Blocked)

The ‘Active Directory User Object DACL Modification’ rule (2058) was refined. The Splunk query for Windows Security Event ID 5136 now includes a more explicit comparison between the user performing the action and the user in the new Access Control Entry. This change makes detection of self-assigned DACL permissions more accurate and reduces false positives. (Windows AD Self DACL Assignment)

elastic/detection-rules (+6, ✎11)

+ New rules

New rules detect destructive activity against Azure resources. This includes mass deletion of Azure Restore Point Collections, anomalous deletion of these collections by infrequent users, and both mass and single deletions of Azure Storage Accounts. These actions often indicate ransomware, denial of service, or evidence destruction tactics. (Azure Compute Restore Point Collections Deleted, Azure Compute Restore Point Collection Deleted by Unusual User, Azure Storage Account Deletions by User, Azure Storage Account Deletion by Unusual User)

A new rule detects when an administrator confirms a user or sign-in as compromised within Microsoft Entra ID Protection. This is a high-confidence signal of account compromise requiring immediate investigation. (Entra ID Protection Admin Confirmed Compromise)

A new rule monitors federated user logins to the AWS Management Console, specifically noting when MFA is not recorded by CloudTrail. This helps identify potential security risks related to federated authentication, including token relay and abuse, and suggests correlating with IdP logs for full MFA context. (AWS Sign-In Console Login with Federated User)

✎ Modified rules

Detection for AWS root user activity is updated across multiple rules. This covers creation of console login profiles, password recovery requests, brute-force attempts, and successful logins. Updates include EQL query conversions, reduced detection lookback windows, and detailed investigation guidance. The rule for root login without MFA (6163) is deprecated. (AWS IAM Login Profile Added for Root, AWS Sign-In Root Password Recovery Requested, Deprecated - AWS Root Login Without MFA, AWS Management Console Brute Force of Root User Identity, AWS Management Console Root Login)

Rules detecting AWS IAM privilege escalation and persistence techniques have been refactored. This includes identifying AdministratorAccess policy attachments to IAM groups, roles, and users, as well as CreateAccessKey operations for other users. Changes involve ESQL to EQL query conversions, query refinements, and expanded investigation guides. (AWS IAM AdministratorAccess Policy Attached to Group, AWS IAM User Created Access Keys For Another User, AWS IAM AdministratorAccess Policy Attached to Role, AWS IAM AdministratorAccess Policy Attached to User)

Detection for simple HTTP web servers created by adversaries (Python/PHP) is improved. The rule now correlates suspicious process creation with subsequent network connections, using process event data to reduce false positives. (Simple HTTP Web Server Connection)

The rule for Entra ID OAuth user_impersonation scope for unusual users has been refined. The query now includes exclusions for benign activity, such as specific conditional access statuses, user agents, mobile operating systems, and known application IDs, to improve accuracy. (Entra ID OAuth user_impersonation Scope for Unusual User and Client)

reversinglabs/reversinglabs-yara-rules (+2)

+ New rules

New YARA rules detect the Veaty and BPFDoor backdoors. The ‘Veaty backdoor’ rule targets MSIL executables, identifying byte sequences related to email-based command and control. The ‘BPFDoor backdoor’ rule finds specific hexadecimal patterns in Linux ELF binaries associated with packet processing and reverse shell functions, covering two malware versions. (ByteCode_MSIL_Backdoor_Veaty, Linux_Backdoor_BPFDoor)

elastic/protections-artifacts (+35, ✎234)

+ New rules

New macOS rules identify adversary techniques including payload delivery with wget to suspicious directories, Apfell agent execution through osascript, suspicious Perl usage for file access and child process creation, dd command abuse for infostealer activity, and shell commands piped to osascript. Detection also covers execution of unsigned binaries or scripts from mounted devices. (Executable File Download via Wget, Osascript Payload Drop and Execute, Sensitive File Access via Perl, Suspicious DD Execution, Shell Command Piped to Osascript via Shell Script, Suspicious Perl Child Process Execution, Suspicious Script or Process Execution from Mounted Device)

A suite of rules targets Active Directory reconnaissance through various LDAP queries. These rules identify attempts to enumerate DFS shares, dump AD databases, discover password policies, list certificate services, find domain computers, identify domain trusts, search for sensitive attributes like LAPS passwords, locate password spraying candidates, and enumerate privileged groups for Kerberoasting or AS-REP Roasting. (Distributed File System Shares Enumeration via LDAP, Active Directory Data Collection via LDAP, Domain Password Policy Enumeration via LDAP, AD Certificate Services Enumeration via LDAP, etc)

New rules detect Windows defense evasion and system tampering. This includes attempts to bypass NTDLL hooks via tprtdll.dll syscalls, shellcode injection and memory mapping with RWX permissions from .NET applications, changes to critical boot file ownership, and destructive actions targeting core system files. A rule for CLFS vulnerability (CVE-2025-29824) exploitation is also included. (API via Trusted App Runtime DLL, Shellcode Behavior via .NET Core, Suspicious File Memory Mapping via Managed .NET, System Boot Files Permission Change, Suspicious Critical System Files Modification, BLF File Creation by an Unusual Process)

New rules identify suspicious command execution patterns across Windows and Linux. On Windows, this covers commands run via the Windows Run dialog and PowerShell from the Start Menu, often connected to phishing. On Linux, detections target the sleep command from world-writable or hidden locations and suspicious Python command-line arguments. (Sleep Execution from Suspicious Process Path, Suspicious Python Command Execution, Suspicious Descendant Process Execution via Windows Run, Suspicious Powershell via Windows Power User Menu)

New YARA rules detect several Windows malware families: HiddenDriver, HiddenCli, CastleLoader, Tollbooth, Stealc Trojan, and AveMaria (Warzone) RAT. These rules identify unique byte patterns and strings associated with each threat’s execution and functionality. (Windows_Trojan_HiddenDriver_e26590fd, Windows_Trojan_HiddenCli_a9aa62d1, Windows_Trojan_CastleLoader_173548b8, Windows_Trojan_Tollbooth_85bfcc68, Windows_Trojan_Stealc_41db1d4d, Windows_Trojan_AveMaria_e01305a0)

✎ Modified rules

Updates refine detection of advanced Windows process and memory manipulation. This includes tuning alerts for network connections from suspicious memory regions, API calls with spoofed parent PIDs, ROP gadget usage, image hollowing, and unusual DLL loading by signed binaries. Changes also improve detections for AMSI bypass, shellcode execution from low-reputation modules, and direct syscalls by adjusting call stack analysis and adding specific exclusions for benign activity. (Network Connect API from Modified Memory, Network Connect API from Unbacked Memory, API Call from a Process with a Spoofed Parent, API Call via Jump ROP Gadget, Hollow Image Behavior via Native API, DLL Side Loading via a Copied Microsoft Executable, Direct Syscall from Unsigned Module, Managed .NET Code Execution via PowerShell, Memory Allocation from a High Entropy Module, etc)

Updates refine detection of persistence and execution mechanisms. This covers modifications to Run/RunOnce registry keys, scheduled tasks, and Windows services. It includes changes for WMI-based execution, DLL hijacking, proxy execution via signed binaries, and masquerading techniques. Rules are also tuned for suspicious activity from Office applications and scripting interpreters, including obfuscated PowerShell, execution from archives, and unusual child processes. (Suspicious Executable File Creation, Ingress Tool Transfer via INET Cache, Potential Protocol Tunneling via Legit Utilities, Potential Remote Desktop Protocol Tunneling, Connection to WebService by a Signed Binary Proxy, Library Load of a File Written by a Signed Binary Proxy, Binary Proxy Execution via Rundll32, etc)

Another group of updates focuses on evasion and data access across macOS and Linux platforms. Refinements target remote tunnel activity in VSCode, hidden process interactive shells, Busybox shell execution, and use of system binaries (curl, wget, sudo, Ditto) for file downloads, exfiltration, and persistence. macOS-specific detections for keychain/wallet access, Electron app abuse, multi-layered deobfuscation, and XPC service child processes are also tuned. (Potential VScode Remote Tunnel Established, Interactive Shell Spawned via Hidden Process, Proxy Shell Execution via Busybox, Linux Suspicious Child Process Execution via Interactive Shell, Curl or Wget Egress Network Connection via LoLBin, Execution of In-Memory File via Interactive Session, System Binary Copied or Moved, etc)

In addition, multiple updates improve detection accuracy for credential theft and keylogging on Windows systems. This includes refining rules for PowerShell accessing password vaults, unusual processes accessing DPAPI master keys, and browser cookie theft via debugging arguments. Keylogging detections targeting various processes and API calls are also refined with new exclusions for common legitimate activities. (Access to Windows Passwords Vault via Powershell, Potential Discovery of DPAPI Master Keys, Browser Debugging from Unusual Parent, PowerShell Script with Passwords Vault Access Capability, etc)

New YARA rule updates introduce or refine signatures for specific malware families. This includes a detection update for the Stop ransomware family and the addition of new rules to identify the Stealc Trojan and AveMaria (Warzone) RAT, targeting their unique byte sequences and strings. (Windows_Ransomware_Stop_1e8d48ff, Windows_Trojan_Stealc_41db1d4d, Windows_Trojan_AveMaria_e01305a0)

sublime-security/sublime-rules (+9, ✎31)

+ New rules

New rules detect email-based brand impersonation for Evite, Shein, Square, and Punchbowl. Detection relies on identifying brand-specific content, logo patterns, security/financial themes, and checking sender authenticity to catch phishing and scam attempts. (Brand impersonation: Evite, Brand Impersonation: Shein, Brand impersonation: Square, Brand impersonation: Punchbowl)

A new rule identifies inbound email messages that link to executable files. This rule considers high-confidence security, financial, or credential theft content indicators, combined with untrusted sender domains, to stop malicious file distribution. (Link: Executable file download with suspicious message content)

A new rule identifies obfuscation techniques in email HTML bodies. It specifically counts multiple instances of right-to-left text direction override markup, a method used to visually manipulate text and bypass string-based detections. (HTML: Bidirectional (BIDI) HTML override with right to left obfuscation)

New rules detect social engineering campaigns that abuse Apple’s legitimate services. These rules identify links to Apple App Store (targeting ‘suite’, ‘ads’, ‘manager’, ‘campaigns’ keywords) and Apple TestFlight domains when sent from free email providers, indicating phishing or service abuse. (Link: Apple App Store malicious ad manager themed apps from free email provider, Link: Apple TestFlight from free email provider)

A new rule targets unsolicited ghostwriting or book publishing scams. It identifies manipulative language patterns in email subject and body content, such as offers of complimentary samples or requests for personal information, which are common in these types of scams. (Spam: Ghostwriting services scam with manipulative language)

✎ Modified rules

Detection rules using Optical Character Recognition (OCR), QR code scanning, and EXIF parsing from email screenshots or attachments have been updated to use new beta functions (beta.ocr, beta.scan_qr, beta.parse_exif). This refactors detection logic for image-based lures and improves processing capabilities. (Service abuse: Google classroom solicitation, Callback phishing via SignFree e-signature request, Brand impersonation: DocuSign with embedded QR code, Callback phishing via Adobe Sign comment, Callback Phishing via Signable E-Signature Request, Callback phishing solicitation in message body, Brand impersonation: DocuSign branded attachment lure with no DocuSign links, Brand Impersonation: Google (QR Code),etc)

Updates to email impersonation and spam detection include specific rule refinements for Social Security Administration (SSA) impersonation, DocuSign lures, macro-enabled attachment phishing, cryptocurrency spam, and IRS impersonation. These updates include new keywords, adjusted exclusion logic, and expanded detection patterns for social engineering tactics, aiming to reduce false positives and broaden coverage. (Impersonation: Social Security Administration (SSA), Brand impersonation: DocuSign (QR code), Attachment: Office file with document sharing and browser instruction lures, Spam: Cryptocurrency airdrop/giveaway, Brand impersonation: Internal Revenue Service, Link: Multistage landing - JotForm abuse)

SigmaHQ/sigma (+7, ✎24)

+ New rules

New rules detect WinRAR creating files in Windows startup locations, addressing persistence via path traversal vulnerabilities (CVE-2025-6218, CVE-2025-8088). A separate rule identifies EDR-Freeze tool execution, which suspends security processes using MiniDumpWriteDump and WerFaultSecure.exe for evasion. (WinRAR Creating Files in Startup Locations, Hacktool - EDR-Freeze Execution)

Multiple new rules target the ‘Shai Hulud’ NPM supply chain attack. These rules identify the creation of malicious GitHub Action workflow files (shai-hulud-workflow.yml), GitHub activity indicating token theft and repository manipulation, and data exfiltration attempts via curl. Additionally, rules detect the execution of TruffleHog on both Linux and Windows, a tool used by Shai Hulud for secret discovery and theft across various platforms. (Shai-Hulud NPM Package Malicious Exfiltration via Curl, Shai-Hulud Malicious GitHub Workflow Creation, Shai-Hulud NPM Attack GitHub Activity, PUA - TruffleHog Execution - Linux, PUA - TruffleHog Execution)

✎ Modified rules

Improved detection of defense evasion and command obfuscation techniques. Detection of programs executed via SSH proxy is refined by requiring PermitLocalCommand=yes and adding a leading space for LocalCommand. Detection of alternate PowerShell hosts is expanded by including patterns for inverted forward slashes and Windows object namespace prefixes (\?). Precision for hex-encoded IP addresses in ping commands is improved by using a specific regex. Detection for WinRAR execution is expanded to include its process description. (Program Executed Using Proxy/Local Command Via SSH.EXE, Alternate PowerShell Hosts - PowerShell Module, Ping Hex IP, WinRAR Execution in Non-Standard Folder)

Improved detection of account tampering and firewall rule modifications. Account tampering detection for failed logons now checks both ‘Status’ and ‘SubStatus’ fields, expanding coverage for suspicious error codes. Firewall rule deletion and flush operations are now detected by including nft command usage. (Account Tampering - Suspicious Failed Logon Reasons, Modify System Firewall)

Improved false positive reduction for lateral movement and credential access detections. \groups.xml is removed from sensitive file access checks over SMB (Zeek and Windows Security Events) due to high false positives. Admin share write access detection now excludes system accounts and IPv6 loopback addresses. Outbound SMB client connections to the internet detection is refined by adding more hexadecimal patterns for IPv4/IPv6 local IP ranges. (Suspicious Access to Sensitive File Extensions - Zeek, SMB Create Remote File Admin Share, Suspicious Access to Sensitive File Extensions, Potential CVE-2023-23397 Exploitation Attempt - SMB)

Broad false positive reduction across multiple general Windows system detections. Filters for system binaries running from uncommon locations now include WSL paths. Null Image fields are excluded for suspicious DLL loads (vsstrace.dll, vssapi.dll). Legitimate AppX packages from res[.]cdn[.]office[.]net are allowed. WSMAN provider detection uses full PowerShell paths and excludes mmc.exe. userinit.exe child process detection refines explorer.exe exclusion by command line. EC2Launch.exe activity is filtered for desktop background changes. Filters are refined for critical Windows ASEP modifications related to Group Policy Extensions, OneDrive, and Office. (System File Execution Location Anomaly, Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load, Suspicious Volume Shadow Copy Vssapi.dll Load, Uncommon AppX Package Locations, Suspicious WSMAN Provider Image Loads, Suspicious Userinit Child Process, Potentially Suspicious Desktop Background Change Via Registry, CurrentVersion NT Autorun Keys Modification, CurrentVersion Autorun Keys Modification)

Refined detection and false positive reduction for Microsoft Office activity. Office application network connections now filter additional common ports (LDAP, MSFT-GC). A new filter addresses Office Backstage In-App Navigation Cache paths during executable file creation. Legitimate Office add-in registry key (AddinTakeNotesService\FriendlyName) is added to exclusions. IP range filters for Microsoft and Akamai traffic are updated for Office app non-private IP connections. (Office Application Initiated Network Connection Over Uncommon Ports, File With Uncommon Extension Created By An Office Application, Office Autorun Keys Modification, Office Application Initiated Network Connection To Non-Local IP)

auth0/auth0-customer-detections (+1)

+ New rules

A new rule identifies potential Auth0 account compromise by correlating successful logins with suspicious TLS fingerprints (JA4 hash) from failed login attempts or attack protection events. This helps detect successful breaches from automated attack tools. (Successful login correlated with suspicious JA4/JA3 TLS fingerprint)

Cyber OSINT Overview is a free weekly newsletter by CTIChef.com that summarizes updates from 80+ sources (government orgs, cybersecurity vendors, threat intel teams, security researchers, and cybersecurity communities) into one overview.

Read the latest issue

Personal repositories (3)

benscha/KQLAdvancedHunting (+3)

+ New rules

New rule detects deletion of IIS log files by common command-line interpreters. This covers adversary attempts to remove forensic evidence from \inetpub\logs\ after web server compromise. (Suspicious IIS Log Deletion by Command-Line Interpreters)

New rule identifies suspicious Azure AD sign-ins following network connections to ‘Lab539 Clickfix’ IPs. It correlates AAD risky sign-ins from non-compliant devices with network telemetry to detect potential credential compromise linked to this campaign. (Suspicisous Sign in after Network Connection to Lab539 Clickfix List)

New rule detects command line obfuscation. It identifies powershell.exe, pwsh.exe, or conhost.exe execution from explorer.exe with an unusual number of spaces or tabs, a common adversary obfuscation tactic. (Obfuscated ClickFix Powershell Command)

Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)

+ New rules

A new rule detects data exfiltration activity during RDP sessions. This KQL query identifies file creation, modification, or access on mapped local disks and redirected devices, addressing potential data theft via RDP file transfers. (Identifying File Exfiltration via RDP Sessions)

jkerai1/KQL-Queries (+1)

+ New rules

A new rule detects Microsoft Entra PIM failures to remove eligible role members. It targets ‘CannotDeleteLastAdminAssignment’ failures, identifying retained privileged access in Microsoft Entra ID. (Audit when PIM fails to remove an eligible member from role)

Feedback

Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.

Disclaimer

The summaries in this brief are generated by LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

Powered by

This digest is built with BlackStork.

Looking for a customized version of this newsletter? We’d be happy to help — contact us.