Pull requests: elastic/detection-rules
[Rule Tuning] Remove windows related rules
Labels: patch, Rule: Tuning, host.os.type Unit Test Exception, backport: auto, Domain: Endpoint, OS: Windows
#5317 opened Nov 14, 2025 by w0rk3r

[Rule Tunings] AWS CloudWatch Deletion Rules
Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: Tuning, Team: TRADE
#5316 opened Nov 14, 2025 by imays11

[Rule Tuning] Microsoft Entra ID Excessive Account Lockouts
Labels: backport: auto, Domain: Cloud, Domain: Identity, Integration: Azure, Rule: Tuning
#5315 opened Nov 13, 2025 by terrancedejesus

[Tuning] Agent Spoofing - Multiple Hosts Using Same Agent
Labels: backport: auto, Rule: Tuning
#5313 opened Nov 13, 2025 by Samirbous

[Rule Tuning] AWS IAM API Calls via Temporary Session Tokens
Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: Tuning, Team: TRADE
#5310 opened Nov 12, 2025 by imays11

[Rule Tuning] AWS GuardDuty Detector Deletion
Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: Tuning, Team: TRADE
#5309 opened Nov 12, 2025 by imays11

[Rule Tunings] AWS IAM Roles Anywhere Rules
Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: Tuning, Team: TRADE
#5307 opened Nov 12, 2025 by imays11

[New] Potential Masquerading as Svchost
Labels: backport: auto, Domain: Endpoint, OS: Windows, Rule: New
#5305 opened Nov 12, 2025 by Samirbous

[Rule Tuning] Remote File Creation in World Writeable Directory
Labels: backport: auto, community, Domain: Endpoint, OS: Linux, Rule: Tuning, Team: TRADE
#5304 opened Nov 12, 2025 by Aegrah

[Rule Tuning] Rapid Secret Retrieval Attempts from AWS SecretsManager
Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: Tuning, Team: TRADE
#5291 opened Nov 7, 2025 by imays11

[Tuning] Outbound Scheduled Task Activity via PowerShell
Labels: backport: auto, bug, Domain: Endpoint, Integration: Windows, OS: Windows, Rule: Tuning
#5287 opened Nov 6, 2025 by Samirbous

[Rule Tuning] AWS EC2 Instance Console Login via Assumed Role
Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: Tuning, Team: TRADE
#5285 opened Nov 5, 2025 by imays11

[Rule Tuning] AWS IAM SAML Provider Updated
Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: Tuning, Team: TRADE
#5284 opened Nov 5, 2025 by imays11

[Rule Tuning] AWS IAM Brute Force of Assume Role Policy
Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: Tuning, Team: TRADE
#5282 opened Nov 4, 2025 by imays11

[Rule Tuning] AWS IAM CompromisedKeyQuarantine Policy Attached to User
Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: Tuning, Team: TRADE
#5281 opened Nov 4, 2025 by imays11

[Rule Tunings] AWS IAM Virtual MFA Device Rules
Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: Tuning, Team: TRADE
#5275 opened Nov 3, 2025 by imays11

Renovate Updates
Labels: backport: auto, enhancement, patch, python
#5258 opened Oct 28, 2025 by shashank-elastic

Update dependency requests to ~=2.32.5
Labels: backport: auto, community
#5257 opened Oct 28, 2025 by elastic-renovate-prod (bot)

[New Rule] Okta Multiple OS Names Detected for a Single DT Hash
Labels: Domain: Identity, Integration: Okta, Rule: New
#5241 opened Oct 22, 2025 by terrancedejesus (Draft)

[Rule Tunings] AWS Multiple API Calls ESQL rules
Labels: backport: auto, bbr, Domain: Cloud, Integration: AWS, Rule: Tuning, Team: TRADE
#5238 opened Oct 21, 2025 by imays11

Update lateral_movement_scheduled_task_target.toml to fix null values
Labels: backport: auto, community, Domain: Endpoint, OS: Windows
#5228 opened Oct 16, 2025 by theusername-sudo

[New Rule] File Creation with Curly Braces or Command Substitution
Labels: backport: auto, Domain: Endpoint, OS: Linux, Rule: New, Team: TRADE
#5219 opened Oct 14, 2025 by Aegrah

[New Rule] Azure Compute Snapshot Deletion(s)
Labels: backport: auto, Domain: Cloud, Domain: Data, Domain: Storage, Integration: Azure, Rule: New
#5211 opened Oct 13, 2025 by terrancedejesus

Add rules for Azure Activity Logs/GCP Audit ML jobs
Labels: backport: skip, Domain: Cloud, Integration: Azure, Integration: GCP, minor, ML, Rule: New
#5191 opened Oct 6, 2025 by jmcarlock

Update README for the installation of kibana and kql packages
Labels: backport: auto, community, documentation
#5177 opened Oct 2, 2025 by pberba