Public Detection Rules and Research

This repository is my public detection engineering workspace. It includes rules I have authored or contributed to across various formats, plus research notes and detection ideas for other telemetry.

Detection ideas

• Claude Code OpenTelemetry Detection Ideas

Sigma rules

• Azure Sign-In With Axios User Agent
• FortiGate - Firewall Address Object Added
• FortiGate - New Administrator Account Created
• FortiGate - New Firewall Policy Added
• FortiGate - New Local User Created
• FortiGate - New VPN SSL Web Portal Added
• FortiGate - User Group Modified
• FortiGate - VPN SSL Settings Modified
• Inbox Rules Creation Or Update Activity in O365
• Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
• Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
• OpenCanary - Host Port Scan (SYN Scan)
• OpenCanary - NMAP FIN Scan
• OpenCanary - NMAP NULL Scan
• OpenCanary - NMAP OS Scan
• OpenCanary - NMAP XMAS Scan
• OpenCanary - RDP New Connection Attempt
• Suspicious Email Delivered In Microsoft 365
• System Language Discovery via Reg.Exe

Nova rules

• Claude Conversation Enders
• Claude Refusal Magic String
• Honeypot Rules
• Inject Dynamic Context
• Skill Rules
• Hidden Unicode

Elastic rules

• M365 Exchange Inbox Forwarding Rule Created
• M365 Exchange Inbox Phishing Evasion Rule Created