Skip to content

Pull requests: elastic/detection-rules

New pull request New
36 Open 3,644 Closed
36 Open 3,644 Closed
Author
Filter by author
Loading
Label
Filter by label
Loading
Use alt + click/return to exclude labels
or + click/return for logical OR
Projects
Filter by project
Loading
Milestones
Filter by milestone
Loading
Reviews
Filter by reviews
No reviews Review required Approved review Changes requested
Assignee
Filter by who’s assigned
Assigned to nobody Loading
Sort
Sort by
Newest Oldest Most commented Least commented Recently updated Least recently updated Best match
Most reactions
👍 👎 😄 🎉 😕 ❤️ 🚀 👀

Pull requests list

Update fjogeleit/http-request-action digest to c0b95d0 backport: auto community
#5605 opened Jan 23, 2026 by elastic-renovate-prod bot Loading…
1 task
[Tuning] Rare Connection to WebDAV Target backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#5604 opened Jan 23, 2026 by Samirbous Loading…
@Samirbous
8
[doc fix] Adjust wording in the docs for Kibana import/export commands backport: auto enhancement New feature or request patch python Internal python for the repository
#5600 opened Jan 22, 2026 by traut Loading…
5 tasks
@traut
2
[New] Multiple Vulnerabilities by Asset via Wiz backport: auto patch Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule
#5598 opened Jan 22, 2026 by Samirbous Loading…
@Samirbous
15
[fix] Preserve actions[].params.message field formatting during rule export from the repo backport: auto bug Something isn't working maintenance Internal changes patch python Internal python for the repository
#5597 opened Jan 22, 2026 by traut Loading…
1 of 5 tasks
@traut
5
[New Rule] Curl SOCKS Proxy Detected via Defend for Containers backport: auto container Integration: Cloud Defend Cloud Defend Integration OS: Linux Rule: New Proposal for new rule Team: TRADE
#5596 opened Jan 22, 2026 by Aegrah Loading…
@Aegrah
4
[Tuning] Potential Ransomware Behavior - Note Files by System backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#5595 opened Jan 21, 2026 by Samirbous Loading…
@Samirbous
5
[Rule Tuning] Unsigned DLL Side-Loading from a Suspicious Folder: Add Downloads path and fix subdirectory evasion backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#5592 opened Jan 21, 2026 by ailiffa Loading…
4 tasks
1
4
[New/Tuning] General API Abuse D4C/K8s Rules backport: auto container Integration: Cloud Defend Cloud Defend Integration Integration: Kubernetes Kubernetes Integration OS: Linux Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5591 opened Jan 21, 2026 by Aegrah Loading…
@Aegrah
17
[Rule Tuning] Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource backport: auto Domain: Cloud Domain: Identity Integration: Azure azure related rules Rule: Tuning tweaking or tuning an existing rule
#5589 opened Jan 20, 2026 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
1
[Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules backport: auto bbr Building Block Rules container Domain: Endpoint OS: Linux patch Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5578 opened Jan 19, 2026 by Aegrah Loading…
@Aegrah
12
[Tuning] ESQL Dynamic unique value fields backport: auto Domain: Endpoint OS: Linux OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#5569 opened Jan 16, 2026 by Samirbous Loading…
@Samirbous
25
[Hunt Tuning] Fix Invalid ES|QL Syntax in Hunting Queries backport: auto Hunt: Tuning Hunting
#5566 opened Jan 16, 2026 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
6
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset backport: auto container Integration: Cloud Defend Cloud Defend Integration OS: Linux Rule: Deprecation removal of a rule Rule: New Proposal for new rule Team: TRADE
#5561 opened Jan 15, 2026 by Aegrah Loading…
@Aegrah
10
[New] Lateral Movement Alerts from a Newly Observed Entity backport: auto Rule: New Proposal for new rule
#5557 opened Jan 14, 2026 by Samirbous Loading…
@Samirbous
30
[New Rule] Multiple High-Severity Alerts for Privileged AD User backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#5555 opened Jan 13, 2026 by w0rk3r Draft
@w0rk3r
2
[New Rule] Potential PowerShell Obfuscated Script via High Entropy backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#5554 opened Jan 12, 2026 by w0rk3r Loading…
@w0rk3r
12
[New Rule] PowerShell Script Block Entropy Outlier via MAD Z-Score backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#5539 opened Jan 8, 2026 by w0rk3r Draft
@w0rk3r
6
Add investigation fields to beaconing rules
#5536 opened Jan 7, 2026 by susan-shu-c Draft
5 tasks
Update actions/setup-python digest to a309ff8 backport: auto community
#5527 opened Jan 3, 2026 by elastic-renovate-prod bot Loading…
1 task
Added logic to main.py to use the created_at and updated_at values if they exist backport: auto enhancement New feature or request patch python Internal python for the repository
#5444 opened Dec 10, 2025 by aarju Loading…
2 tasks
15
Update actions/checkout action to v6 backport: auto community
#5349 opened Nov 20, 2025 by elastic-renovate-prod bot Loading…
1 task
Update dependency marshmallow to v4 backport: auto community
#5330 opened Nov 17, 2025 by elastic-renovate-prod bot Loading…
1 task
Update dependency elasticsearch to v9 backport: auto community
#5329 opened Nov 17, 2025 by elastic-renovate-prod bot Loading…
1 task
Update actions/upload-artifact action to v6 backport: auto community
#5328 opened Nov 17, 2025 by elastic-renovate-prod bot Loading…
1 task
ProTip! Follow long discussions with comments:>50.