Pull requests: elastic/detection-rules
#6258 [New Rule] AWS SES Sending Enabled or Identity Verified by Rare User
Labels: backport: auto; community; Domain: Cloud; Integration: AWS (AWS related rules)
Opened Jun 7, 2026 by Aryu-RU. Checklist: 4 of 5 tasks.

#6255 [Rule Tuning] Host File System Changes via Windows Subsystem for Linux
Labels: backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Rule: Tuning (tweaking or tuning an existing rule); Team: TRADE
Opened Jun 5, 2026 by Aegrah (Contributor).

#6254 [New Rule] Systemd Service Override Configuration File Created
Labels: backport: auto; Domain: Endpoint; OS: Linux; Rule: New (Proposal for new rule); Team: TRADE
Opened Jun 5, 2026 by Aegrah (Contributor).

#6253 Allow filter-only KQL custom rule exports
Labels: backport: auto; community; enhancement (New feature or request); patch; python (Internal python for the repository)
Opened Jun 4, 2026 by srkyn.

#6252 [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host
Labels: backport: auto; Rule: Tuning (tweaking or tuning an existing rule)
Opened Jun 4, 2026 by Mikaayenson (Contributor). Checklist: 1 of 5 tasks.

#6250 [Rule Tuning] Misc. Linux DRs
Labels: backport: auto; Domain: Endpoint; OS: Linux; Rule: Tuning (tweaking or tuning an existing rule); Team: TRADE
Opened Jun 4, 2026 by Aegrah (Contributor).

#6248 [New Rule] Potential EDR-Freeze via WerFaultSecure Abuse
Labels: backport: auto; community; Domain: Endpoint; OS: Windows (windows related rules)
Opened Jun 3, 2026 by Aryu-RU. Checklist: 6 tasks done.

#6234 [New Rule] GlobalProtect Cookie Authentication from Unusual Source
Labels: backport: auto; community
Opened Jun 3, 2026 by Aryu-RU. Checklist: 4 tasks done.

#6233 [Rule Tunings] Google Workspace minor rule updates
Labels: backport: auto; Domain: Cloud; Integration: Google Workspace; Rule: Tuning (tweaking or tuning an existing rule); Team: TRADE
Opened Jun 2, 2026 by imays11 (Contributor).

#6232 [New Rule] GenAI CLI Started with Unsafe Permission Bypass
Labels: backport: auto; Domain: GenAI; Rule: New (Proposal for new rule)
Opened Jun 2, 2026 by Mikaayenson (Contributor).

#6231 [Rule Tuning] Misc GenAI Rule Tuning
Labels: backport: auto; Domain: GenAI; Rule: Tuning (tweaking or tuning an existing rule)
Opened Jun 2, 2026 by Mikaayenson (Contributor).

#6230 [New Rule] M365 Identity Unusual Device Code Granting
Labels: backport: auto; Domain: Cloud; Domain: Identity; Domain: SaaS; Integration: Microsoft 365; Rule: New (Proposal for new rule)
Opened Jun 2, 2026 by terrancedejesus (Contributor). Checklist: 5 tasks.

#6229 [Tuning] Kubernetes Secret get or list from Node or Pod Service Account
Labels: backport: auto; Rule: Tuning (tweaking or tuning an existing rule)
Opened Jun 2, 2026 by Samirbous (Contributor).

#6226 [Rule Tunings][Rule Deprecation] Google Workspace authentication policy modification rules
Labels: backport: auto; Domain: Cloud; Integration: Google Workspace; Rule: Deprecation (removal of a rule); Rule: Tuning (tweaking or tuning an existing rule); Team: TRADE
Opened Jun 1, 2026 by imays11 (Contributor).

#6218 [New Rules] Megalodon GitHub Actions supply chain backdoor — Linux endpoint detection (May 2026)
Labels: backport: auto; community
Opened May 30, 2026 by StuLast. Checklist: 2 of 3 tasks.

#6215 [New Rule] GCP IAM Service Account Impersonation Role Granted
Labels: backport: auto; community; Domain: Cloud; Integration: GCP (GCP related rules)
Opened May 30, 2026 by Aryu-RU. Checklist: 3 tasks done.

#6214 [Rule Tunings] Google Workspace Admin Role lifecycle rules
Labels: backport: auto; Domain: Cloud; Integration: Google Workspace; Rule: Tuning (tweaking or tuning an existing rule); Team: TRADE
Opened May 29, 2026 by imays11 (Contributor).

#6211 [FR] [DaC] Add support for Kibana workflows
Labels: backport: auto; detections-as-code; enhancement (New feature or request); patch; python (Internal python for the repository); schema
Opened May 29, 2026 by eric-forte-elastic (Contributor). Checklist: 5 tasks.

#6210 [Rule Tunings] GWS Rules w/ zero alerts
Labels: backport: auto; Domain: Cloud; Integration: Google Workspace; Rule: Tuning (tweaking or tuning an existing rule); Team: TRADE
Opened May 28, 2026 by imays11 (Contributor).

#6207 WIP - Java Wrapper for Elasticsearch's ES|QL Parser (Draft)
Labels: enhancement (New feature or request); minor; python (Internal python for the repository)
Opened May 27, 2026 by eric-forte-elastic (Contributor). Checklist: 5 tasks.

#6206 [Rule Tuning] Add Zeek Index Support
Labels: backport: auto; Domain: Network; enhancement (New feature or request); integration: Zeek; patch; Rule: Tuning (tweaking or tuning an existing rule)
Opened May 27, 2026 by eric-forte-elastic (Contributor). Checklist: 5 tasks.

#6205 [Rule: Tuning] Rule triggers for false positive due to broad wildcard
Labels: backport: auto; community; Domain: Endpoint; OS: Linux
Opened May 27, 2026 by litemars (Contributor).

#6202 [Rule: Tuning] Increase coverage for the Remote SSH Login Enabled rule
Labels: backport: auto; community; Domain: Endpoint; OS: macOS; Rule: Tuning (tweaking or tuning an existing rule)
Opened May 27, 2026 by litemars (Contributor). Checklist: 1 task.

#6182 [New Rule] Azure AD Graph Access with Unusual Client and User
Labels: backport: auto; Domain: Cloud; Domain: Identity; Integration: Azure (azure related rules); Rule: New (Proposal for new rule)
Opened May 22, 2026 by terrancedejesus (Contributor). Checklist: 5 tasks.

#6181 [New Rule] Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration
Labels: backport: auto; Domain: Cloud; Domain: Identity; Integration: Azure (azure related rules); Rule: New (Proposal for new rule)
Opened May 22, 2026 by terrancedejesus (Contributor). Checklist: 5 tasks.