Skip to content

Pull requests: elastic/detection-rules

New pull request New
21 Open 3,213 Closed
21 Open 3,213 Closed
Author
Filter by author
Loading
Label
Filter by label
Loading
Use alt + click/return to exclude labels
or + click/return for logical OR
Projects
Filter by project
Loading
Milestones
Filter by milestone
Loading
Reviews
Filter by reviews
No reviews Review required Approved review Changes requested
Assignee
Filter by who’s assigned
Assigned to nobody Loading
Sort
Sort by
Newest Oldest Most commented Least commented Recently updated Least recently updated Best match
Most reactions
👍 👎 😄 🎉 😕 ❤️ 🚀 👀

Pull requests list

[Rule Tuning] Fixes FPs related to a process.args_count bug backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#4971 opened Aug 12, 2025 by w0rk3r Loading…
1
@w0rk3r
6
[Rule Tuning] Creation or Modification of Root Certificate backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#4970 opened Aug 12, 2025 by w0rk3r Loading…
1
@w0rk3r
2
Add all rule types DaC testing backport: auto enhancement New feature or request patch
#4969 opened Aug 12, 2025 by shashank-elastic Draft
1
@shashank-elastic
1
[Rule Tuning] Potential RemoteMonologue Attack backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#4967 opened Aug 8, 2025 by w0rk3r Loading…
1
@w0rk3r
4
[Rule Tuning] Suspicious Windows Powershell Arguments backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#4961 opened Aug 4, 2025 by w0rk3r Loading…
@w0rk3r
2
feat: ESQL query validation against Elastic cluster
#4955 opened Aug 1, 2025 by traut Draft
5 tasks
5
[Rule Tuning] Microsoft Entra ID Suspicious Session Reuse to Graph Access backport: auto Domain: Cloud Domain: Identity Integration: Azure azure related rules Rule: Tuning tweaking or tuning an existing rule
#4954 opened Aug 1, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
3
[New Rule] Potential Web Shell ASPX File Creation backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4939 opened Jul 29, 2025 by w0rk3r Loading…
@w0rk3r
3
[New Rule] Multi-Base64 Decoding Attempt from Suspicious Location backport: auto Domain: Endpoint OS: Linux Team: TRADE
#4931 opened Jul 24, 2025 by Aegrah Loading…
@Aegrah
1
[New Rule] Toolshell Exploit Chain Detections backport: auto bbr Building Block Rules Domain: Network Integration: Network Traffic Rule: New Proposal for new rule
#4928 opened Jul 23, 2025 by terrancedejesus Loading…
5 tasks
@terrancedejesus
22
[New Rule/Tuning] Linux User or Group Deletion/Creation backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#4861 opened Jun 30, 2025 by Aegrah Draft
@Aegrah
8
[New] Command Line Obfuscation via Whitespace Padding backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4860 opened Jun 30, 2025 by Samirbous Loading…
@Samirbous
14
[New Rule] Kubectl Secret Access container OS: Linux Rule: New Proposal for new rule Team: TRADE
#4834 opened Jun 19, 2025 by Aegrah Draft
@Aegrah
3
[New Rules] Potential Relay Attack against a Computer Account backport: auto blocked Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule
#4826 opened Jun 18, 2025 by w0rk3r Loading…
@w0rk3r
3
[Rule: New] Potential Web Server Fuzzing Attempts Detected backlog backport: auto community
#4720 opened May 12, 2025 by MakoWish Loading…
1 of 5 tasks
1
[New] Microsoft Entra ID Protection Alert and Device Registration backport: auto Domain: Cloud Workloads Domain: Cloud Integration: Azure azure related rules Integration: Microsoft 365 patch Rule: New Proposal for new rule
#4688 opened Apr 30, 2025 by Samirbous Loading…
@Samirbous
6
[New] Potential SAP NetWeaver Exploitation rules backlog backport: auto OS: Linux OS: Windows windows related rules Rule: New Proposal for new rule
#4666 opened Apr 26, 2025 by Samirbous Loading…
@Samirbous
11
[Security Content] Windows Audit Policies Config Guides - Repo Edition backlog backport: auto Domain: Endpoint OS: Windows windows related rules Security Content
#4501 opened Feb 26, 2025 by w0rk3r Loading…
@w0rk3r
3
[Security Content] Basic EDR Setup Guides - Phase 1 backlog backport: auto Domain: Endpoint OS: Windows windows related rules Security Content
#4492 opened Feb 24, 2025 by w0rk3r Draft
@w0rk3r
6
[New Rule] Active Directory Forced Authentication from Linux Host backlog backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#3912 opened Jul 22, 2024 by w0rk3r Draft
@w0rk3r
15
[Rule Tuning] Update rules using NPC integration and non-ECS fields backlog backport: auto blocked Domain: Network Rule: Tuning tweaking or tuning an existing rule
#3194 opened Oct 16, 2023 by brokensound77 Loading…
@brokensound77
11
ProTip! no:milestone will show everything without a milestone.