Skip to content

Pull requests: elastic/detection-rules

New pull request New
45 Open 3,386 Closed
45 Open 3,386 Closed
Author
Filter by author
Loading
Label
Filter by label
Loading
Use alt + click/return to exclude labels
or + click/return for logical OR
Projects
Filter by project
Loading
Milestones
Filter by milestone
Loading
Reviews
Filter by reviews
No reviews Review required Approved review Changes requested
Assignee
Filter by who’s assigned
Assigned to nobody Loading
Sort
Sort by
Newest Oldest Most commented Least commented Recently updated Least recently updated Best match
Most reactions
👍 👎 😄 🎉 😕 ❤️ 🚀 👀

Pull requests list

[New Rule] Privilege Escalation via SUID/SGID Proxy Execution backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#5266 opened Oct 30, 2025 by Aegrah Loading…
@Aegrah
5
[Rule Tuning] AWS S3 Bucket Configuration Deletion backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5265 opened Oct 29, 2025 by imays11 Loading…
@imays11
1
[Rule Tuning] AWS S3 Static Site Javascript File Uploaded backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5264 opened Oct 29, 2025 by imays11 Loading…
@imays11
1
[Rule Tuning] AWS S3 Object Versioning Suspended backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5261 opened Oct 29, 2025 by imays11 Loading…
@imays11
1
[New] Suspicious Kerberos Authentication Ticket Request backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#5260 opened Oct 28, 2025 by Samirbous Loading…
@Samirbous
8
Renovate Updates backport: auto enhancement New feature or request patch
#5258 opened Oct 28, 2025 by shashank-elastic Loading…
5 tasks
@shashank-elastic
2
Update dependency requests to ~=2.32.5 backport: auto community
#5257 opened Oct 28, 2025 by elastic-renovate-prod bot Loading…
1 task
[Bug] [DAC] Auto Gen Schema Fails on Certain Subqueries backport: auto bug Something isn't working patch python Internal python for the repository schema
#5256 opened Oct 28, 2025 by eric-forte-elastic Loading…
5 tasks
1
@eric-forte-elastic
6
[Rule Tuning] AWS S3 Bucket Server Access Logging Disabled backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5254 opened Oct 27, 2025 by imays11 Loading…
@imays11
1
[Rule Tuning] Azure Diagnostic Settings Deletion backport: auto Domain: Cloud Integration: Azure azure related rules Rule: Tuning tweaking or tuning an existing rule
#5253 opened Oct 27, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
1
[Rule Tuning] AWS S3 Bucket Expiration Lifecycle Configuration Added backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5251 opened Oct 27, 2025 by imays11 Loading…
@imays11
1
[New] Windows Server Update Service Spawning Suspicious Processes backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#5250 opened Oct 24, 2025 by Samirbous Loading…
@Samirbous
2
[New Rule][Deprecation] AWS EC2 Export Task Rules backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: Deprecation removal of a rule Rule: New Proposal for new rule Team: TRADE
#5248 opened Oct 24, 2025 by imays11 Loading…
@imays11
2
[Rule Tuning] AWS EC2 Full Network Packet Capture Detected backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5244 opened Oct 23, 2025 by imays11 Loading…
@imays11
3
[New Rule] Okta Multiple OS Names Detected for a Single DT Hash Domain: Identity Integration: Okta okta related rules Rule: New Proposal for new rule
#5241 opened Oct 22, 2025 by terrancedejesus Draft
5 tasks
1
@terrancedejesus
2
[Rule Tunings] AWS Multiple API Calls ESQL rules backport: auto bbr Building Block Rules Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5238 opened Oct 21, 2025 by imays11 Loading…
@imays11
5
[Tuning] Potential Ransomware Behavior - Note Files by System backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#5235 opened Oct 21, 2025 by Samirbous Loading…
@Samirbous
7
[Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules backport: auto bbr Building Block Rules Domain: Endpoint OS: Linux Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5232 opened Oct 17, 2025 by Aegrah Loading…
@Aegrah
2
[Rule Tunings] AWS EC2 EBS Snapshot and Encryption Rules backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5229 opened Oct 16, 2025 by imays11 Loading…
@imays11
14
Update lateral_movement_scheduled_task_target.toml to fix null values backport: auto community Domain: Endpoint OS: Windows windows related rules
#5228 opened Oct 16, 2025 by theusername-sudo Loading…
1
[Rule Tuning] File Transfer or Listener Established via Netcat backport: auto Domain: Endpoint OS: Linux Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5223 opened Oct 15, 2025 by Aegrah Loading…
@Aegrah
9
[New Rule] File Creation with Curly Braces or Command Substitution backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#5219 opened Oct 14, 2025 by Aegrah Loading…
@Aegrah
5
[New Rule] Azure Compute Snapshot Deletion(s) backport: auto Domain: Cloud Domain: Data Domain: Storage Integration: Azure azure related rules Rule: New Proposal for new rule
#5211 opened Oct 13, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
6
Add rules for Azure Activity Logs/GCP Audit ML jobs backport: skip Domain: Cloud Integration: Azure azure related rules Integration: GCP GCP related rules minor ML machine learning related rule Rule: New Proposal for new rule
#5191 opened Oct 6, 2025 by jmcarlock Loading…
5 tasks
@jmcarlock
20
Update README for the installation of kibana and kql packages backport: auto community documentation Improvements or additions to documentation
#5177 opened Oct 2, 2025 by pberba Loading…
5 tasks
2
ProTip! What’s not been updated in a month: updated:<2025-09-30.