Skip to content

Pull requests: elastic/detection-rules

New pull request New
31 Open 3,108 Closed
31 Open 3,108 Closed
Author
Filter by author
Loading
Label
Filter by label
Loading
Use alt + click/return to exclude labels
or + click/return for logical OR
Projects
Filter by project
Loading
Milestones
Filter by milestone
Loading
Reviews
Filter by reviews
No reviews Review required Approved review Changes requested
Assignee
Filter by who’s assigned
Assigned to nobody Loading
Sort
Sort by
Newest Oldest Most commented Least commented Recently updated Least recently updated Best match
Most reactions
👍 👎 😄 🎉 😕 ❤️ 🚀 👀

Pull requests list

Clarify authentication settings to Kibana related to #4495 backport: auto
#4819 opened Jun 17, 2025 by m-a-leclercq Loading…
5 tasks
[New Rule] Forbidden Request from Unusual User Agent in Kubernetes backport: auto container OS: Linux Rule: New Proposal for new rule Team: TRADE
#4818 opened Jun 17, 2025 by Aegrah Loading…
@Aegrah
1
[New Rule] Kubernetes Service Account Secret Access backport: auto container Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#4816 opened Jun 17, 2025 by Aegrah Loading…
@Aegrah
2
[New Rules] SPN Spoofing / Coercion Rules backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4815 opened Jun 17, 2025 by w0rk3r Loading…
@w0rk3r
15
[Tuning] High Number of Process and/or Service Terminations" backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#4813 opened Jun 17, 2025 by Samirbous Loading…
@Samirbous
4
[Rule Tuning] AWS EC2 User Data Retrieval for EC2 Instance backport: auto Domain: Cloud Integration: AWS AWS related rules patch Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#4808 opened Jun 17, 2025 by imays11 Loading…
@imays11
6
[Rule Tuning] Suspicious Microsoft 365 Mail Access by Unusual ClientAppId backport: auto Domain: Cloud Domain: Email Integration: Microsoft 365 patch Rule: Tuning tweaking or tuning an existing rule
#4806 opened Jun 16, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
2
[New Rule] Entra ID User Signed In from Unusual Device backport: auto Domain: Cloud Domain: Identity Integration: Azure azure related rules patch Rule: New Proposal for new rule
#4804 opened Jun 16, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
1
[New Rule] Microsoft Entra ID Suspicious Cloud Device Registration Domain: Cloud Domain: Identity Integration: Azure azure related rules patch Rule: New Proposal for new rule
#4802 opened Jun 13, 2025 by terrancedejesus Draft
5 tasks
1
@terrancedejesus
2
[New Rule] Suspicious ADRS Token Request by Microsoft Auth Broker backport: auto Domain: Cloud Domain: Identity Integration: Azure azure related rules patch Rule: New Proposal for new rule
#4801 opened Jun 13, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
1
[Rule Tuning] AWS IAM Assume Role Policy Update backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#4799 opened Jun 13, 2025 by imays11 Loading…
@imays11
11
[Rule Tuning] Suspicious Activity via Auth Broker On-Behalf-of Principal User backport: auto Domain: Cloud Domain: Identity Integration: Azure azure related rules Rule: Tuning tweaking or tuning an existing rule
#4793 opened Jun 11, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
1
fix: type hinting fixes and additional code checks backport: auto ci/cd Hunting maintenance Internal changes minor python Internal python for the repository schema
#4790 opened Jun 11, 2025 by traut Loading…
5 tasks
@traut
1
[New Rule] AWS CloudTrail Log Evasion backport: auto Domain: Cloud Integration: AWS AWS related rules patch Rule: New Proposal for new rule Team: TRADE
#4788 opened Jun 10, 2025 by imays11 Loading…
@imays11
6
[Rule Tuning] AWS EC2 Deprecated AMI Discovery backport: auto Domain: Cloud Integration: AWS AWS related rules patch Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#4784 opened Jun 10, 2025 by imays11 Loading…
@imays11
3
[Rule Tuning] Expand Scope of Entra ID Brute Force Sign-In Attempts backport: auto Domain: Cloud Domain: Identity Integration: Azure azure related rules Rule: Tuning tweaking or tuning an existing rule
#4777 opened Jun 5, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
8
[New Hunt] Potential Spoofed microsoftonline.com via Fuzzy Match backport: auto Domain: Cloud Domain: Endpoint Domain: Identity Domain: Network Hunt: New Hunting Integration: Azure azure related rules Integration: Microsoft 365
#4770 opened Jun 3, 2025 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
3
Bump setuptools from 75.2.0 to 78.1.1 backport: auto community dependencies Pull requests that update a dependency file major python Internal python for the repository
#4730 opened May 19, 2025 by dependabot bot Loading…
2
[Rule: New] Potential Web Server Fuzzing Attempts Detected backport: auto community
#4720 opened May 12, 2025 by MakoWish Loading…
1 of 5 tasks
[New] Microsoft Entra ID Protection Alert and Device Registration backport: auto Domain: Cloud Workloads Domain: Cloud Integration: Azure azure related rules Integration: Microsoft 365 patch Rule: New Proposal for new rule
#4688 opened Apr 30, 2025 by Samirbous Loading…
@Samirbous
4
[New] Potential SAP NetWeaver Exploitation rules backport: auto OS: Linux OS: Windows windows related rules Rule: New Proposal for new rule
#4666 opened Apr 26, 2025 by Samirbous Loading…
@Samirbous
10
Mark extensions
#4643 opened Apr 23, 2025 by hop-dev Draft
5 tasks
[enhancement] In esql validation, allow any order of metadata backport: auto community patch python Internal python for the repository
#4579 opened Mar 28, 2025 by frederikb96 Loading…
5 tasks done
@frederikb96
4
[Security Content] Windows Audit Policies Config Guides - Repo Edition backlog backport: auto Domain: Endpoint OS: Windows windows related rules Security Content
#4501 opened Feb 26, 2025 by w0rk3r Loading…
@w0rk3r
3
[Security Content] Basic EDR Setup Guides - Phase 1 backlog backport: auto Domain: Endpoint OS: Windows windows related rules Security Content
#4492 opened Feb 24, 2025 by w0rk3r Draft
@w0rk3r
6
ProTip! Updated in the last three days: updated:>2025-06-14.