Pull requests: elastic/detection-rules
#6289  [Bug] Update Min Stack Calculation to Include Patch Version
       opened Jun 17, 2026 by eric-forte-elastic (Contributor); 5 tasks
       labels: [backport: auto] [bug] [patch] [python]

#6285  [Rule Tuning] Misc. Linux DR Tunings
       opened Jun 17, 2026 by Aegrah (Contributor)
       labels: [backport: auto] [Domain: Endpoint] [OS: Linux] [Rule: Tuning] [Team: TRADE]

#6284  [New Rule] Azure VM Managed Run Command Created or Updated with Unusual Principal
       opened Jun 16, 2026 by terrancedejesus (Contributor); 5 tasks
       labels: [backport: auto] [Domain: Cloud] [Domain: Endpoint] [Integration: Azure] [Rule: New]

#6281  [Rule Tunings] Google Workspace Domain-Wide Delegation and First Time OAuth Login
       opened Jun 16, 2026 by imays11 (Contributor)
       labels: [backport: auto] [Domain: Cloud] [Integration: Google Workspace] [Rule: Tuning] [Team: TRADE]

#6280  [Rule Tunings] Google Workspace Update Application Added and Object Copied to External Drive
       opened Jun 15, 2026 by imays11 (Contributor)
       labels: [backport: auto] [Domain: Cloud] [Integration: Google Workspace] [Rule: Tuning] [Team: TRADE]

#6279  [New Rule] Splunk Enterprise PostgreSQL Sidecar Pre-Auth RCE (CVE-2026-20253)
       opened Jun 15, 2026 by eric-forte-elastic (Contributor); 5 tasks
       labels: [backport: auto] [Domain: Network] [Integration: Endpoint] [Integration: Network Traffic] [integration: Zeek] [Rule: New]

#6278  [New Rule] Azure Virtual Machine Configuration Modified
       opened Jun 15, 2026 by terrancedejesus (Contributor); Draft; 5 tasks
       labels: [Domain: Cloud] [Domain: Endpoint] [Integration: Azure] [Rule: New]

#6277  [New Rule] Unusual Azure VM Extension Installed; Suspicious Child Process via Azure VM CustomScript Extension
       opened Jun 15, 2026 by terrancedejesus (Contributor); Draft; 5 tasks
       labels: [backport: auto] [Domain: Cloud] [Domain: Endpoint] [Integration: Azure] [Rule: New]

#6276  [New Rule] Azure VM Extension CRUD Operation with Unusual Source ASN
       opened Jun 15, 2026 by terrancedejesus (Contributor); 5 tasks
       labels: [backport: auto] [Domain: Cloud] [Domain: Endpoint] [Integration: Azure] [Rule: New]

#6275  [New Rule] Azure VM Boot Diagnostics Retrieved
       opened Jun 15, 2026 by terrancedejesus (Contributor); 5 tasks
       labels: [backport: auto] [Domain: Cloud] [Domain: Endpoint] [Integration: Azure] [Rule: New]

#6273  [New Rule] PAN-OS GlobalProtect CVE-2026-0257 Authentication Bypass Detection
       opened Jun 12, 2026 by eric-forte-elastic (Contributor); Draft; 5 tasks
       labels: [backport: auto] [Domain: Network] [integration: PANW] [Rule: New]

#6272  [New Rule] Repeated Stalled TLS Handshakes via ALPN acme-tls/1 Extension
       opened Jun 12, 2026 by eric-forte-elastic (Contributor); Draft; 5 tasks
       labels: [backport: auto] [Domain: Network] [Integration: Network Traffic] [Rule: New]

#6268  WIP - [FR] Add optional user agent string for DaC commands
       opened Jun 11, 2026 by eric-forte-elastic (Contributor); Draft; 5 tasks
       labels: [detections-as-code] [enhancement] [kibana-module] [patch] [python]

#6267  [New Rule] SMB (Windows File Sharing) Activity from the Internet
       opened Jun 10, 2026 by eric-forte-elastic (Contributor); Draft; 5 tasks
       labels: [backport: auto] [Domain: Network] [Integration: Corelight] [Integration: Network Traffic] [Integration: pfSense] [integration: Zeek] [Rule: New] [Team: TRADE]

#6266  [Rule Tuning] Azure Compute VM Command Executed
       opened Jun 10, 2026 by terrancedejesus (Contributor); 5 tasks
       labels: [backport: auto] [Domain: Cloud] [Domain: Endpoint] [Integration: Azure] [Rule: Tuning]

#6265  Update dependency Click to ~=8.4.1
       opened Jun 10, 2026 by elastic-renovate-prod (Bot); 1 task
       labels: [backport: auto] [community]

#6264  [New Rules] Add Anthropic compliance audit detection rules
       opened Jun 9, 2026 by Mikaayenson (Contributor); Draft
       labels: [backport: auto] [Integration: Anthropic] [minor] [Rule: New]

#6261  [Rule Tuning] Add Corelight support for existing rules
       opened Jun 9, 2026 by eric-forte-elastic (Contributor); 5 tasks
       labels: [backport: auto] [Domain: Network] [Integration: Corelight] [patch] [python] [Rule: Tuning] [schema] [Team: TRADE]

#6260  [Rule Tuning] Add pfSense support for existing rules
       opened Jun 9, 2026 by eric-forte-elastic (Contributor); 5 tasks
       labels: [backport: auto] [Domain: Network] [Integration: pfSense] [patch] [python] [Rule: Tuning] [schema] [Team: TRADE]

#6259  [New Rule] Azure Serial Console Connect to Virtual Machine with Unusual User and ASN
       opened Jun 9, 2026 by terrancedejesus (Contributor); 5 tasks
       labels: [backport: auto] [Domain: Cloud] [Integration: Azure] [Rule: New]

#6258  [New Rule] AWS SES Sending Enabled or Identity Verified by Rare User
       opened Jun 7, 2026 by Aryu-RU; 4 of 5 tasks
       labels: [backport: auto] [community] [Domain: Cloud] [Integration: AWS]

#6254  [New Rule] Systemd Service Override Configuration File Created
       opened Jun 5, 2026 by Aegrah (Contributor)
       labels: [backport: auto] [Domain: Endpoint] [OS: Linux] [Rule: New] [Team: TRADE]

#6253  Allow filter-only KQL custom rule exports
       opened Jun 4, 2026 by srkyn
       labels: [backport: auto] [community] [enhancement] [patch] [python]

#6252  [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host
       opened Jun 4, 2026 by Mikaayenson (Contributor); 1 of 5 tasks
       labels: [backport: auto] [Rule: Tuning]

#6250  [Rule Tuning] Misc. Linux DRs
       opened Jun 4, 2026 by Aegrah (Contributor)
       labels: [backport: auto] [Domain: Endpoint] [OS: Linux] [Rule: Tuning] [Team: TRADE]