Skip to content

Pull requests: elastic/detection-rules

New pull request New
24 Open 3,170 Closed
24 Open 3,170 Closed
Author
Filter by author
Loading
Label
Filter by label
Loading
Use alt + click/return to exclude labels
or + click/return for logical OR
Projects
Filter by project
Loading
Milestones
Filter by milestone
Loading
Reviews
Filter by reviews
No reviews Review required Approved review Changes requested
Assignee
Filter by who’s assigned
Assigned to nobody Loading
Sort
Sort by
Newest Oldest Most commented Least commented Recently updated Least recently updated Best match
Most reactions
👍 👎 😄 🎉 😕 ❤️ 🚀 👀

Pull requests list

[New Rules] External Promotion Alerts patch Rule: New Proposal for new rule
#4903 opened Jul 11, 2025 by Mikaayenson Draft
1 of 5 tasks
@Mikaayenson
4
[Rule Tuning] AWS IAM API Calls via Temporary Session Tokens backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#4901 opened Jul 10, 2025 by imays11 Loading…
@imays11
1
[New Rule] Azure Key Vault Secret Key Usage by Unusual Identity backport: auto Domain: Cloud Domain: Identity Domain: Storage Integration: Azure azure related rules Rule: New Proposal for new rule
#4900 opened Jul 10, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
1
[New Rule] Excessive Secret or Key Retrieval from Azure Key Vault backport: auto Domain: Cloud Domain: Identity Domain: Storage Integration: Azure azure related rules Rule: New Proposal for new rule
#4898 opened Jul 10, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
1
[Rule Tuning] Azure Key Vault Modified backport: auto Domain: Cloud Domain: Identity Integration: Azure azure related rules Rule: Tuning tweaking or tuning an existing rule
#4896 opened Jul 10, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
1
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#4892 opened Jul 10, 2025 by imays11 Loading…
@imays11
1
[Rule Deprecation] Azure Virtual Network Device Modified or Deleted backport: auto Domain: Cloud Domain: Network Integration: Azure azure related rules Rule: Deprecation removal of a rule
#4889 opened Jul 9, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
1
[New Rule/Tuning] Linux User or Group Deletion/Creation backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#4861 opened Jun 30, 2025 by Aegrah Loading…
@Aegrah
8
[New] Command Line Obfuscation via Whitespace Padding backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4860 opened Jun 30, 2025 by Samirbous Loading…
@Samirbous
14
[New Rule] Kubectl Secret Access container OS: Linux Rule: New Proposal for new rule Team: TRADE
#4834 opened Jun 19, 2025 by Aegrah Draft
@Aegrah
3
[New Rule] Potential Impersonation Attempt via Kubectl backport: auto container Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#4833 opened Jun 19, 2025 by Aegrah Loading…
@Aegrah
4
[New Rule] Kubernetes Unusual Decision by User Agent backport: auto Integration: Kubernetes Kubernetes Integration OS: Linux Rule: New Proposal for new rule Team: TRADE
#4829 opened Jun 19, 2025 by Aegrah Loading…
@Aegrah
12
[New Rules] Potential Relay Attack against a Computer Account backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule
#4826 opened Jun 18, 2025 by w0rk3r Loading…
@w0rk3r
2
[Rule: New] Potential Web Server Fuzzing Attempts Detected backport: auto community stale 60 days of inactivity
#4720 opened May 12, 2025 by MakoWish Loading…
1 of 5 tasks
1
[New] Microsoft Entra ID Protection Alert and Device Registration backport: auto Domain: Cloud Workloads Domain: Cloud Integration: Azure azure related rules Integration: Microsoft 365 patch Rule: New Proposal for new rule
#4688 opened Apr 30, 2025 by Samirbous Loading…
@Samirbous
6
[New] Potential SAP NetWeaver Exploitation rules backport: auto OS: Linux OS: Windows windows related rules Rule: New Proposal for new rule
#4666 opened Apr 26, 2025 by Samirbous Loading…
@Samirbous
10
[enhancement] In esql validation, allow any order of metadata backport: auto community patch python Internal python for the repository
#4579 opened Mar 28, 2025 by frederikb96 Loading…
5 tasks done
@frederikb96
7
[Security Content] Windows Audit Policies Config Guides - Repo Edition backlog backport: auto Domain: Endpoint OS: Windows windows related rules Security Content
#4501 opened Feb 26, 2025 by w0rk3r Loading…
@w0rk3r
3
[Security Content] Basic EDR Setup Guides - Phase 1 backlog backport: auto Domain: Endpoint OS: Windows windows related rules Security Content
#4492 opened Feb 24, 2025 by w0rk3r Draft
@w0rk3r
6
Revert "[Bug] Handle formatting empty list" backport: auto bug Something isn't working python Internal python for the repository wontfix This will not be worked on
#4087 opened Sep 17, 2024 by brokensound77 Loading…
9
[New Rule] Active Directory Forced Authentication from Linux Host backlog backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#3912 opened Jul 22, 2024 by w0rk3r Draft
@w0rk3r
15
[FR] Add white space checking for KQL parse backport: auto enhancement New feature or request kql related to the kql module patch python Internal python for the repository
#3789 opened Jun 14, 2024 by eric-forte-elastic Loading…
1
@eric-forte-elastic
3
WIP: [POC] Refactor: port unittest to pytest backlog backport: auto bug Something isn't working detections-as-code enhancement New feature or request python Internal python for the repository test-suite unit and other testing components
#3361 opened Jan 3, 2024 by Mikaayenson Draft
@Mikaayenson
11
[Rule Tuning] Update rules using NPC integration and non-ECS fields backlog backport: auto blocked Domain: Network Rule: Tuning tweaking or tuning an existing rule
#3194 opened Oct 16, 2023 by brokensound77 Loading…
@brokensound77
11
ProTip! Find all pull requests that aren't related to any open issues with -linked:issue.