Pull requests: elastic/detection-rules
[Rule Tuning] Potential Timestomp in Executable Files
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: Tuning
tweaking or tuning an existing rule
#5727
opened Feb 12, 2026 by
w0rk3r
[New] Correlated Alerts on Similar User Identities
backport: auto
Domain: GenAI
Rule: New
Proposal for new rule
#5726
opened Feb 12, 2026 by
Samirbous
[New Rule] AWS SSM Inventory Reconnaissance by Rare User
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
Team: TRADE
#5724
opened Feb 11, 2026 by
imays11
[Rule Tuning] Okta Credential Stuffing, Password Spraying, and Brute Force Detection Improvements
Domain: Identity
Integration: Okta
okta related rules
Rule: Tuning
tweaking or tuning an existing rule
#5723
opened Feb 11, 2026 by
terrancedejesus
•
Draft
5 tasks
[Rule Deprecation] M365 Teams Guest & External Access Rules
backport: auto
Domain: Cloud
Domain: SaaS
Domain: Web
Integration: Microsoft 365
Rule: Deprecation
removal of a rule
#5721
opened Feb 11, 2026 by
terrancedejesus
5 tasks
[Tuning] Adds host metadata to the setup requirements
backport: auto
Rule: Tuning
tweaking or tuning an existing rule
#5719
opened Feb 11, 2026 by
Samirbous
[New Rule] AWS Sensitive IAM Operations Performed via CloudShell
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
Team: TRADE
#5718
opened Feb 10, 2026 by
imays11
[Rule Tuning & Deprecation] Tuning & Deprecating Promotion Rule
backport: auto
Integration: Cloud Defend
Cloud Defend Integration
Rule: Deprecation
removal of a rule
Rule: Tuning
tweaking or tuning an existing rule
Team: TRADE
#5712
opened Feb 10, 2026 by
Aegrah
fix: Change bulk rule actions by updating deprecated rule_ids to ids
backport: auto
community
#5711
opened Feb 10, 2026 by
IOITI
2 tasks done
[tuning] LLM DNS queries
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: Tuning
tweaking or tuning an existing rule
#5709
opened Feb 10, 2026 by
Samirbous
[Rule Tuning] PowerShell Rules Revamp - 9
backport: auto
bbr
Building Block Rules
Domain: Endpoint
OS: Windows
windows related rules
Rule: Tuning
tweaking or tuning an existing rule
#5706
opened Feb 10, 2026 by
w0rk3r
[Rule Tuning] Entra ID Federated Identity Credential Persistence Detection
backport: auto
Domain: Cloud
Domain: Identity
Integration: Azure
azure related rules
Rule: New
Proposal for new rule
Rule: Tuning
tweaking or tuning an existing rule
#5702
opened Feb 9, 2026 by
terrancedejesus
5 tasks
[New Rule] AWS API Activity from Uncommon S3 Client by Rare User
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
Team: TRADE
#5694
opened Feb 6, 2026 by
imays11
[New Rules] AWS IAM new identity federation provider rules
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
Team: TRADE
#5691
opened Feb 6, 2026 by
imays11
WIP - Add Exception Duplication Checking
#5689
opened Feb 5, 2026 by
eric-forte-elastic
•
Draft
5 tasks
[New Rule] AWS GuardDuty Member Account Manipulation
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
Team: TRADE
#5688
opened Feb 5, 2026 by
imays11
[Rule Tuning] Entra ID Suspicious Cloud Device Registration
backport: auto
Domain: Identity
Integration: Azure
azure related rules
Rule: Tuning
tweaking or tuning an existing rule
#5683
opened Feb 5, 2026 by
terrancedejesus
5 tasks
[Rule Tuning] Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client
backport: auto
Domain: Cloud
Domain: Identity
Integration: Azure
azure related rules
Rule: Tuning
tweaking or tuning an existing rule
#5681
opened Feb 4, 2026 by
terrancedejesus
5 tasks
[Rule Tuning] Deprecate Individual MSFT Compliance Rules / Create BBR MSFT Purview Compliance Rule
backport: auto
bbr
Building Block Rules
Domain: Cloud
Domain: Identity
Domain: SaaS
Integration: Microsoft 365
Rule: New
Proposal for new rule
Rule: Tuning
tweaking or tuning an existing rule
#5679
opened Feb 4, 2026 by
terrancedejesus
5 tasks
[Rule Tuning] M365 Identity Excessive SSO Login Errors Reported
backport: auto
Domain: Identity
Integration: Microsoft 365
Rule: Tuning
tweaking or tuning an existing rule
#5677
opened Feb 4, 2026 by
terrancedejesus
5 tasks
[New Rule] Kubernetes Anonymous User Bound to ClusterRole
container
Integration: Kubernetes
Kubernetes Integration
Rule: New
Proposal for new rule
Team: TRADE
[New Rule] Okta Admin Console Login Failure
backport: auto
bbr
Building Block Rules
Domain: Identity
Integration: Okta
okta related rules
Rule: New
Proposal for new rule
#5669
opened Feb 3, 2026 by
terrancedejesus
5 tasks
[New Rule] Potential Service Masquerading
backport: auto
Domain: Endpoint
OS: Linux
Rule: New
Proposal for new rule
Team: TRADE
#5650
opened Jan 29, 2026 by
Aegrah
Update actions/checkout digest
backport: auto
community
#5613
opened Jan 25, 2026 by
elastic-renovate-prod
bot
1 task
Update fjogeleit/http-request-action digest to c0b95d0
backport: auto
community
#5605
opened Jan 23, 2026 by
elastic-renovate-prod
bot
1 task