elastic / detection-rules Public

Notifications You must be signed in to change notification settings
Fork 629
Star 2.5k

Code
Issues 160
Pull requests 44
Actions
Security
Insights

Additional navigation options

Code
Issues
Pull requests
Actions
Security
Insights

Pull requests: elastic/detection-rules

Labels 141 Milestones 1

New pull request New

44 Open 3,787 Closed

Author

Filter by author

Uh oh!

There was an error while loading. Please reload this page.

Label

Filter by label

Uh oh!

There was an error while loading. Please reload this page.

Use alt + click/return to exclude labels

or ⇧ + click/return for logical OR

Projects

Filter by project

Uh oh!

There was an error while loading. Please reload this page.

Milestones

Filter by milestone

Uh oh!

There was an error while loading. Please reload this page.

Reviews

Filter by reviews

No reviews Review required Approved review Changes requested

Assignee

Filter by who’s assigned

Assigned to nobody

Uh oh!

There was an error while loading. Please reload this page.

Sort

Sort by

Newest Oldest Most commented Least commented Recently updated Least recently updated Best match

Most reactions

Pull requests list

Includes deprecated rule stubs to the package

#5813 opened Mar 5, 2026 by dplumlee • Draft

5 tasks

[New/Tuning] TeamPCP Simulation - New & Tuned Rules backport: auto Domain: Cloud Integration: Cloud Defend

Cloud Defend Integration

Integration: Kubernetes

Kubernetes Integration

Rule: New

Proposal for new rule

Rule: Tuning

tweaking or tuning an existing rule

Team: TRADE

#5812 opened Mar 5, 2026 by Aegrah

Loading…

[Rule Tuning] Base64 Decoded Payload Piped to Interpreter backport: auto Domain: Endpoint OS: Linux Rule: Tuning

tweaking or tuning an existing rule

Team: TRADE

#5811 opened Mar 4, 2026 by Aegrah

Loading…

[Tuning/New] RMM Rules backport: auto Domain: Endpoint OS: Windows

windows related rules

Rule: New

Proposal for new rule

Rule: Tuning

tweaking or tuning an existing rule

#5810 opened Mar 3, 2026 by Samirbous

Loading…

[New Rule] Entra ID Domain Federation Abuse backport: auto Domain: Cloud Domain: Identity Integration: Azure

azure related rules

Rule: New

Proposal for new rule

#5809 opened Mar 3, 2026 by terrancedejesus

Loading…

[New Rule] M365 SharePoint Site Administrator Added backport: auto Domain: Cloud Domain: Identity Domain: SaaS Integration: Microsoft 365 Rule: New

Proposal for new rule

#5806 opened Mar 2, 2026 by terrancedejesus

Loading…

5 tasks

Update dependency nodeenv to v1.10.0 backport: auto community

#5800 opened Feb 28, 2026 by elastic-renovate-prod bot

Loading…

1 task

[New Rule] M365 SharePoint Site Sharing Policy Weakened backport: auto Domain: Cloud Domain: SaaS Integration: Microsoft 365 Rule: New

Proposal for new rule

#5795 opened Feb 27, 2026 by terrancedejesus

Loading…

3 of 5 tasks

Update Entity related jobs with EUID ML job ID and updated minimum stack versions Rule: Tuning

tweaking or tuning an existing rule

#5794 opened Feb 27, 2026 by susan-shu-c • Draft

5 tasks

[New] Elastic Defend Alert from GenAI Utility or Descendant backport: auto Rule: New

Proposal for new rule

#5793 opened Feb 27, 2026 by Samirbous

Loading…

[Bug] Ignore Other Keep Wildcards backport: auto bug

Something isn't working

patch python

Internal python for the repository

#5792 opened Feb 26, 2026 by eric-forte-elastic

Loading…

5 tasks

[Rule Tuning] Entra ID OAuth Device Code Grant by Unusual User backport: auto Domain: Cloud Domain: Identity Integration: Azure

azure related rules

Rule: Tuning

tweaking or tuning an existing rule

#5791 opened Feb 26, 2026 by terrancedejesus

Loading…

5 tasks

[New] Suspicious Execution from VS Code Extension backport: auto Domain: Endpoint OS: Windows

windows related rules

Rule: New

Proposal for new rule

#5786 opened Feb 26, 2026 by Samirbous

Loading…

[Rule Tuning] AWS Access Token Used from Multiple Addresses backport: auto Domain: Cloud Integration: AWS

AWS related rules

Rule: Tuning

tweaking or tuning an existing rule

Team: TRADE

#5785 opened Feb 25, 2026 by imays11

Loading…

[FR] Minor Typo Fixes backport: auto documentation

Improvements or additions to documentation

Domain: Cloud Domain: Endpoint Hunting Integration: Microsoft 365 OS: Windows

windows related rules

patch Rule: Tuning

tweaking or tuning an existing rule

#5784 opened Feb 25, 2026 by eric-forte-elastic

Loading…

5 tasks

[New Rules] New Terms rules for malicious Python/Pickle model activity on macOS backport: auto Domain: Endpoint OS: macOS Rule: New

Proposal for new rule

#5780 opened Feb 25, 2026 by DefSecSentinel

Loading…

[New] Potential Account Takeover - Logon from New Source IP backport: auto Domain: Endpoint OS: Windows

windows related rules

Rule: New

Proposal for new rule

#5770 opened Feb 24, 2026 by Samirbous

Loading…

[Bug] [DAC] Add filtering to export-rules-from-repo backport: auto bug

Something isn't working

detections-as-code patch python

Internal python for the repository

#5769 opened Feb 24, 2026 by eric-forte-elastic

Loading…

5 tasks

[Bug] KQL Validation Add Wildcard w/ Space token value backport: auto bug

Something isn't working

patch python

Internal python for the repository

Team: TRADE

#5753 opened Feb 20, 2026 by imays11

Loading…

5 tasks done

Update dependency marko to v2.2.2 backport: auto community patch

#5735 opened Feb 18, 2026 by elastic-renovate-prod bot

Loading…

1 task

[Rule Tuning & Deprecation] Tuning & Deprecating Promotion Rule backport: auto Integration: Cloud Defend

Cloud Defend Integration

Rule: Deprecation

removal of a rule

Rule: Tuning

tweaking or tuning an existing rule

Team: TRADE

#5712 opened Feb 10, 2026 by Aegrah • Draft

fix: Change bulk rule actions by updating deprecated rule_ids to ids backport: auto community

#5711 opened Feb 10, 2026 by IOITI

Loading…

2 tasks done

[New Rule] AWS API Activity from Uncommon S3 Client by Rare User backport: auto Domain: Cloud Integration: AWS

AWS related rules

Rule: New

Proposal for new rule

Team: TRADE

#5694 opened Feb 6, 2026 by imays11 • Draft

[FR] [DAC] Add Exception Duplication Checking backport: auto detections-as-code enhancement

New feature or request

patch python

Internal python for the repository

#5689 opened Feb 5, 2026 by eric-forte-elastic

Loading…

5 tasks

[New Rule] Kubernetes Anonymous User Bound to ClusterRole container Integration: Kubernetes

Kubernetes Integration

Rule: New

Proposal for new rule

Team: TRADE

#5674 opened Feb 4, 2026 by Aegrah • Draft

Previous 1 2 Next

Previous Next

ProTip! Type g p on any issue or pull request to go back to the pull request listing page.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!