Skip to content

Pull requests: elastic/detection-rules

New pull request New
45 Open 3,893 Closed
45 Open 3,893 Closed
Author
Filter by author
Loading
Label
Filter by label
Loading
Use alt + click/return to exclude labels
or + click/return for logical OR
Projects
Filter by project
Loading
Milestones
Filter by milestone
Loading
Reviews
Filter by reviews
No reviews Review required Approved review Changes requested
Assignee
Filter by who’s assigned
Assigned to nobody Loading
Sort
Sort by
Newest Oldest Most commented Least commented Recently updated Least recently updated Best match
Most reactions
👍 👎 😄 🎉 😕 ❤️ 🚀 👀

Pull requests list

[Rule Tuning] Multiple Device Token Hashes for Single Okta Session backport: auto Domain: Cloud Domain: Identity Domain: SaaS Integration: Okta okta related rules Rule: Tuning tweaking or tuning an existing rule
#5948 opened Apr 13, 2026 by terrancedejesus Contributor Loading…
5 tasks
1
@terrancedejesus
1
Update dependency tabulate to v0.10.0 backport: auto community
#5946 opened Apr 12, 2026 by elastic-renovate-prod bot Loading…
1 task
Pin elastic/docs-actions action to 7227c43 backport: auto community
#5945 opened Apr 12, 2026 by elastic-renovate-prod bot Loading…
1 task
[FR] Workflow Updates for Automatically Bumping Stack Version backport: auto ci/cd enhancement New feature or request
#5941 opened Apr 9, 2026 by eric-forte-elastic Contributor Loading…
5 tasks
@eric-forte-elastic
1
[New Rules] False Negatives for New BPFDoor Variants backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#5939 opened Apr 9, 2026 by Aegrah Contributor Loading…
@Aegrah
10
[New Rule] DNS to Commonly Abused Web Services backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#5938 opened Apr 9, 2026 by Aegrah Contributor Loading…
@Aegrah
3
[Hunt Tuning] Entra ID Device Code Phishing / Update Drifted Docs backport: auto Domain: Cloud Domain: Identity Hunt: Tuning Hunting Integration: AWS AWS related rules Integration: Azure azure related rules
#5936 opened Apr 8, 2026 by terrancedejesus Contributor Loading…
5 tasks
1
@terrancedejesus
1
[Rule Tuning] RDP (Remote Desktop Protocol) from the Internet backport: auto Domain: Network Integration: Network Traffic integration: PANW integration: Zeek patch Rule: Tuning tweaking or tuning an existing rule
#5932 opened Apr 8, 2026 by eric-forte-elastic Contributor Loading…
5 tasks
1
@eric-forte-elastic
15
Fix TOML transform sections for Tomlet / docs-builder backport: auto Domain: Endpoint OS: Windows windows related rules
#5931 opened Apr 8, 2026 by Mpdreamz Member Loading…
5 tasks
3
[Rule Tuning] Update MDE tags to "Microsoft Defender XDR" backport: auto bbr Building Block Rules Domain: Endpoint OS: Windows windows related rules patch Rule: Tuning tweaking or tuning an existing rule
#5927 opened Apr 7, 2026 by w0rk3r Contributor Loading…
1
@w0rk3r
5
[Rule Tuning] Abnormally Large DNS Response backport: auto Domain: Network Integration: Network Traffic
#5922 opened Apr 6, 2026 by eric-forte-elastic Contributor Loading…
5 tasks
1
@eric-forte-elastic
16
[New] Diverse AWS rules backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule
#5913 opened Apr 3, 2026 by Samirbous Contributor Loading…
@Samirbous
43
Update actions/checkout digest backport: auto community
#5912 opened Apr 3, 2026 by elastic-renovate-prod bot Loading…
1 task
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 backport: auto Integration: DED Integration: DGA Integration: LMD Integration: LotL integration: ProblemChild ML machine learning related rule Rule: Tuning tweaking or tuning an existing rule
#5909 opened Apr 1, 2026 by susan-shu-c Member Loading…
5 tasks
@susan-shu-c
2
Update dependency requests to ~=2.33.1 backport: auto community
#5907 opened Apr 1, 2026 by elastic-renovate-prod bot Loading…
1 task
Update dependency PyGithub to v2.9.0 backport: auto community
#5898 opened Mar 30, 2026 by elastic-renovate-prod bot Loading…
1 task
Add FreeIPA detection rules (26 rules across 4 data streams) community
#5896 opened Mar 28, 2026 by Oddly Draft
1
[Tuning] Execution via GitHub Actions Runner backport: auto Domain: Endpoint Rule: Tuning tweaking or tuning an existing rule
#5892 opened Mar 27, 2026 by Samirbous Contributor Loading…
@Samirbous
21
[New] Long Base64 Encoded Command via Scripting Interpreter backport: auto Domain: Endpoint Rule: New Proposal for new rule
#5891 opened Mar 27, 2026 by Samirbous Contributor Loading…
@Samirbous
15
[New Rule] Kubernetes Pod Creation Using Common Debug or Base Images backport: auto container Integration: Kubernetes Kubernetes Integration OS: Linux Rule: New Proposal for new rule Team: TRADE
#5890 opened Mar 27, 2026 by Aegrah Contributor Loading…
@Aegrah
7
Fix: Add comprehensive unit tests for non-ecs-schema.json and clean up data (#2322) backport: auto community
#5879 opened Mar 24, 2026 by chidoziemanagwu Loading…
6 of 7 tasks
1
2
[New Rules] macOS Unified Logs Login Window and XProtect Detections backport: auto dev rule meant to be non-prod / non-shipping integration: Unified_Logs OS: macOS patch Rule: New Proposal for new rule
#5874 opened Mar 23, 2026 by DefSecSentinel Contributor Loading…
4 tasks
@DefSecSentinel
25
[New Rules] macOS Unified Logs TCC Detection Rules backport: auto dev rule meant to be non-prod / non-shipping integration: Unified_Logs OS: macOS patch Rule: New Proposal for new rule
#5870 opened Mar 23, 2026 by DefSecSentinel Contributor Loading…
6 tasks
@DefSecSentinel
28
[New Rules] macOS Unified Logs Apple Event Detections backport: auto dev rule meant to be non-prod / non-shipping Hunting integration: Unified_Logs OS: macOS patch Rule: New Proposal for new rule
#5867 opened Mar 23, 2026 by DefSecSentinel Contributor Loading…
5 tasks
@DefSecSentinel
36
[Feature] Add support for immutable and rule_source fields in TOML export/import backport: auto python Internal python for the repository
#5840 opened Mar 17, 2026 by aarju Contributor Loading…
5 tasks
@aarju
3
ProTip! Type g p on any issue or pull request to go back to the pull request listing page.