Pull requests: elastic/detection-rules
[Rule Tuning] Unusual Process For a Windows Host - from/interval for …
  #5797, opened Feb 27, 2026 by yuriShafet (5 tasks)
  Labels: backport: auto; ML; Rule: Tuning

[Rule Tuning] AWS STS Role Assumption by User
  #5796, opened Feb 27, 2026 by imays11
  Labels: backport: auto; Domain: Cloud; Integration: AWS; Rule: Tuning; Team: TRADE

[New Rule] M365 SharePoint Site Sharing Policy Weakened
  #5795, opened Feb 27, 2026 by terrancedejesus (3 of 5 tasks)
  Labels: backport: auto; Domain: Cloud; Domain: SaaS; Integration: Microsoft 365; Rule: New

Update Entity related jobs with EUID ML job ID and updated minimum stack versions
  #5794, opened Feb 27, 2026 by susan-shu-c (Draft, 5 tasks)
  Labels: Rule: Tuning

[New] Elastic Defend Alert from GenAI Utility or Descendant
  #5793, opened Feb 27, 2026 by Samirbous
  Labels: backport: auto; Rule: New

[Bug] Ignore Other Keep Wildcards
  #5792, opened Feb 26, 2026 by eric-forte-elastic (5 tasks)
  Labels: backport: auto; bug; patch; python

[Rule Tuning] Entra ID OAuth Device Code Grant by Unusual User
  #5791, opened Feb 26, 2026 by terrancedejesus (5 tasks)
  Labels: backport: auto; Domain: Cloud; Domain: Identity; Integration: Azure; Rule: Tuning

[New] Suspicious Execution from VS Code Extension
  #5786, opened Feb 26, 2026 by Samirbous
  Labels: backport: auto; Domain: Endpoint; OS: Windows; Rule: New

[Rule Tuning] AWS Access Token Used from Multiple Addresses
  #5785, opened Feb 25, 2026 by imays11
  Labels: backport: auto; Domain: Cloud; Integration: AWS; Rule: Tuning; Team: TRADE

[FR] Minor Typo Fixes
  #5784, opened Feb 25, 2026 by eric-forte-elastic (5 tasks)
  Labels: backport: auto; documentation; Domain: Cloud; Domain: Endpoint; Hunting; Integration: Microsoft 365; OS: Windows; patch; Rule: Tuning

[New Rules] New Terms rules for malicious Python/Pickle model activity on macOS
  #5780, opened Feb 25, 2026 by DefSecSentinel
  Labels: backport: auto; Domain: Endpoint; OS: macOS; Rule: New

[New] Potential Account Takeover - Logon from New Source IP
  #5770, opened Feb 24, 2026 by Samirbous
  Labels: backport: auto; Domain: Endpoint; OS: Windows; Rule: New

[Bug] [DAC] Add filtering to export-rules-from-repo
  #5769, opened Feb 24, 2026 by eric-forte-elastic (5 tasks)
  Labels: backport: auto; bug; detections-as-code; patch; python

[Bug] KQL Validation Add Wildcard w/ Space token value
  #5753, opened Feb 20, 2026 by imays11 (5 tasks done)
  Labels: backport: auto; bug; patch; python; Team: TRADE

Update dependency marko to v2.2.2
  #5735, opened Feb 18, 2026 by elastic-renovate-prod (bot) (1 task)
  Labels: backport: auto; community; patch

[Rule Tuning & Deprecation] Tuning & Deprecating Promotion Rule
  Labels: backport: auto; Integration: Cloud Defend; Rule: Deprecation; Rule: Tuning; Team: TRADE

fix: Change bulk rule actions by updating deprecated rule_ids to ids
  #5711, opened Feb 10, 2026 by IOITI (2 tasks done)
  Labels: backport: auto; community

[New Rule] AWS API Activity from Uncommon S3 Client by Rare User
  Labels: backport: auto; Domain: Cloud; Integration: AWS; Rule: New; Team: TRADE

[FR] [DAC] Add Exception Duplication Checking
  #5689, opened Feb 5, 2026 by eric-forte-elastic (5 tasks)
  Labels: backport: auto; detections-as-code; enhancement; patch; python

[New Rule] Kubernetes Anonymous User Bound to ClusterRole
  Labels: container; Integration: Kubernetes; Rule: New; Team: TRADE

[New Rule] Potential Service Masquerading
  #5650, opened Jan 29, 2026 by Aegrah
  Labels: backport: auto; Domain: Endpoint; OS: Linux; Rule: New; Team: TRADE

Update actions/checkout digest
  #5613, opened Jan 25, 2026 by elastic-renovate-prod (bot) (1 task)
  Labels: backport: auto; community

Update fjogeleit/http-request-action digest to c0b95d0
  #5605, opened Jan 23, 2026 by elastic-renovate-prod (bot) (1 task)
  Labels: backport: auto; community

[Hunt Tuning] Fix Invalid ES|QL Syntax in Hunting Queries
  #5566, opened Jan 16, 2026 by terrancedejesus (5 tasks)
  Labels: backport: auto; Hunt: Tuning; Hunting

[New Rule] Multiple High-Severity Alerts for Privileged AD User
  Labels: backport: auto; Domain: Endpoint; OS: Windows; Rule: New