Pull requests: elastic/detection-rules
#6336  [New Rule] AWS Bedrock Agent Credential Exfiltration Pattern in Invocation Content
  Labels: backport: auto, community
  Opened Jun 28, 2026 by eeee2345
#6335  [Rule Tuning] Align Microsoft Graph Email Access /me Path Predicate
  Labels: backport: auto, community, Domain: Cloud, Integration: Azure
  Opened Jun 27, 2026 by raylee-hawkins
#6334  [FR] Allow filter-only KQL and Indicator Match rules
  Labels: backport: auto, detections-as-code, enhancement, patch, python, Team: TRADE
  Opened Jun 26, 2026 by eric-forte-elastic (Contributor)
  5 tasks
#6333  [New] Protected Storage Service Access via SMB
  Labels: backport: auto, Domain: Endpoint, Integration: Windows, OS: Windows, Rule: New
  Opened Jun 26, 2026 by Samirbous (Contributor)
#6332  [Rule Tuning] Persistence via Suspicious Launch Agent or Launch Daemon
  Labels: backport: auto, Domain: Endpoint, OS: macOS, Rule: Tuning
  Opened Jun 25, 2026 by Mikaayenson (Contributor)
#6331  [Rule Tuning] Multiple Remote Management Tool Vendors on Same Host
  Labels: backport: auto, Domain: Endpoint, OS: Windows, Rule: Tuning
  Opened Jun 24, 2026 by w0rk3r (Contributor)
#6330  [New Rule] Potential SSH Reverse Port Forwarding
  Labels: backport: auto, Domain: Endpoint, OS: Windows, Rule: New
  Opened Jun 24, 2026 by w0rk3r (Contributor)
#6328  [Rule Tuning] Migrate Phase 1 vendor fields to ECS and trim non-ecs schema
  Labels: patch, Rule: Tuning, schema
  Opened Jun 23, 2026 by Mikaayenson (Contributor)
  Draft, 3 of 5 tasks
#6326  [Rule Tuning] First Time Seen Remote Monitoring and Management Tool
  Labels: backport: auto, Domain: Endpoint, OS: Windows, Rule: Tuning
  Opened Jun 23, 2026 by w0rk3r (Contributor)
#6325  [New Rule] Entra ID Potential Conditional Access MFA Bypass via First-Party Microsoft Graph Access
  Labels: backport: auto, Domain: Cloud, Domain: Identity, Integration: Azure, Rule: New
  Opened Jun 22, 2026 by terrancedejesus (Contributor)
  5 tasks
#6317  [New Rule] Command Interpreter Spawned by Obsidian
  Labels: backport: auto, community
  Opened Jun 20, 2026 by Aryu-RU
  5 of 6 tasks
#6315  [New Rule] AWS Backup Monitoring or Audit Controls Disabled
  Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: New
  Opened Jun 19, 2026 by bryans3c (Contributor)
  5 tasks
#6314  [New Rule] AWS Backup Recovery Point Lifecycle Modified
  Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: New
  Opened Jun 19, 2026 by bryans3c (Contributor)
  5 tasks
#6313  [New Rule] AWS Backup Vault Access Policy Modified or Deleted
  Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: New
  Opened Jun 19, 2026 by bryans3c (Contributor)
  5 tasks
#6312  [New Rule] AWS Backup Plan or Selection Deleted
  Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: New
  Opened Jun 19, 2026 by bryans3c (Contributor)
  5 tasks
#6311  [New Rule] AWS Backup Vault Deleted or Vault Lock Removed
  Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: New
  Opened Jun 19, 2026 by bryans3c (Contributor)
  5 tasks
#6309  [DaC] [Bug] Raw rule loading fails when deprecated and active rules share a name
  Labels: backport: auto, bug, detections-as-code, patch, python
  Opened Jun 18, 2026 by eric-forte-elastic (Contributor)
  1 of 5 tasks
#6303  [New Rule] AWS IAM Login Profile Created or Modified for an IAM User
  Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: New
  Opened Jun 18, 2026 by bryans3c (Contributor)
  5 tasks
#6298  [New Rule] AWS Lambda Function High-Frequency Invocation by a Single Principal
  Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: New
  Opened Jun 18, 2026 by bryans3c (Contributor)
  5 tasks
#6292  [New Rule] AWS Lambda Execution Role Credentials Used Outside Lambda
  Labels: backport: auto, Domain: Cloud, Integration: AWS, Rule: New
  Opened Jun 18, 2026 by bryans3c (Contributor)
  5 tasks
#6279  [New Rule] Splunk Enterprise PostgreSQL Sidecar Pre-Auth RCE (CVE-2026-20253)
  Labels: backport: auto, Domain: Network, Integration: Endpoint, Integration: Network Traffic, integration: Zeek, Rule: New
  Opened Jun 15, 2026 by eric-forte-elastic (Contributor)
  5 tasks
#6278  [New Rule] Azure Virtual Machine Configuration Modified
  Labels: backport: auto, bbr, Domain: Cloud, Domain: Endpoint, Integration: Azure, Rule: New
  Opened Jun 15, 2026 by terrancedejesus (Contributor)
  5 tasks
#6277  [New Rule] Unusual Azure VM Extension Installed; Suspicious Child Process via Azure VM CustomScript Extension
  Labels: backport: auto, Domain: Cloud, Domain: Endpoint, Integration: Azure, OS: Windows, Rule: New
  Opened Jun 15, 2026 by terrancedejesus (Contributor)
  5 tasks
#6273  [New Rule] PAN-OS GlobalProtect CVE-2026-0257 Authentication Bypass Detection
  Labels: backport: auto, Domain: Network, integration: PANW, Rule: New
  Opened Jun 12, 2026 by eric-forte-elastic (Contributor)
  Draft, 5 tasks