Skip to content

Pull requests: elastic/detection-rules

New pull request New
54 Open 4,112 Closed
54 Open 4,112 Closed
Author
Filter by author
Loading
Label
Filter by label
Loading
Use alt + click/return to exclude labels
or + click/return for logical OR
Projects
Filter by project
Loading
Milestones
Filter by milestone
Loading
Reviews
Filter by reviews
No reviews Review required Approved review Changes requested
Assignee
Filter by who’s assigned
Assigned to nobody Loading
Sort
Sort by
Newest Oldest Most commented Least commented Recently updated Least recently updated Best match
Most reactions
👍 👎 😄 🎉 😕 ❤️ 🚀 👀

Pull requests list

[New Rule] GCP IAM Service Account Impersonation Role Granted backport: auto community Domain: Cloud Integration: GCP GCP related rules
#6215 opened May 30, 2026 by Aryu-RU Loading…
3 tasks done
2
[Rule Tunings] Google Workspace Admin Role lifecycle rules backport: auto Domain: Cloud Integration: Google Workspace Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#6214 opened May 29, 2026 by imays11 Contributor Loading…
@imays11
1
[FR] [DaC] Add support for Kibana workflows backport: auto detections-as-code enhancement New feature or request patch python Internal python for the repository
#6211 opened May 29, 2026 by eric-forte-elastic Contributor Loading…
5 tasks
1
@eric-forte-elastic
1
[Rule Tunings] GWS Rules w/ zero alerts backport: auto Domain: Cloud Integration: Google Workspace Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#6210 opened May 28, 2026 by imays11 Contributor Loading…
@imays11
1
Fix stack-dependent related_integrations.version export backport: auto bug Something isn't working patch python Internal python for the repository
#6208 opened May 27, 2026 by Mikaayenson Contributor Loading…
3 of 5 tasks
1
@Mikaayenson
14
WIP - Java Wrapper for Elasticsearch's ES|QL Parser enhancement New feature or request minor python Internal python for the repository
#6207 opened May 27, 2026 by eric-forte-elastic Contributor Draft
5 tasks
@eric-forte-elastic
1
[Rule Tuning] Add Zeek Index Support backport: auto Domain: Network enhancement New feature or request integration: Zeek patch Rule: Tuning tweaking or tuning an existing rule
#6206 opened May 27, 2026 by eric-forte-elastic Contributor Loading…
5 tasks
1
@eric-forte-elastic
12
[Rule: Tuning] Rule triggers for false positive due to broad wildcard backport: auto community Domain: Endpoint OS: Linux
#6205 opened May 27, 2026 by litemars Contributor Loading…
@Aegrah
[Rule: Tuning] Increase coverage for the Remote SSH Login Enabled rule backport: auto community Domain: Endpoint OS: macOS
#6202 opened May 27, 2026 by litemars Contributor Loading…
1 task
@shashank-elastic
[Rule Tuning] Not ECS field in rule Suspicious Web Browser Sensitive File Access backport: auto community Domain: Endpoint enhancement New feature or request OS: macOS Rule: Tuning tweaking or tuning an existing rule
#6200 opened May 27, 2026 by litemars Contributor Loading…
1 task done
@shashank-elastic
4
[Tuning] Diverse Recently Created Rules backport: auto Domain: Endpoint OS: Linux Rule: Tuning tweaking or tuning an existing rule
#6191 opened May 26, 2026 by Samirbous Contributor Loading…
@Samirbous
2
[New Rule] Azure AD Graph Access with Unusual Client and User Domain: Cloud Domain: Identity Integration: Azure azure related rules Rule: New Proposal for new rule
#6182 opened May 22, 2026 by terrancedejesus Contributor Draft
5 tasks
@terrancedejesus
1
[New Rule] Entra ID OAuth Device Code Sign-in to Azure AD Graph Enumeration Domain: Cloud Domain: Identity Integration: Azure azure related rules Rule: New Proposal for new rule
#6181 opened May 22, 2026 by terrancedejesus Contributor Draft
5 tasks
@terrancedejesus
1
Allow filter-only KQL rule exports backport: auto community enhancement New feature or request patch python Internal python for the repository
#6180 opened May 22, 2026 by srkyn Loading…
1
@eric-forte-elastic
5
[New Rule] Azure AD Graph Access with Suspicious User-Agent Domain: Cloud Integration: Azure azure related rules Rule: New Proposal for new rule
#6175 opened May 21, 2026 by terrancedejesus Contributor Draft
5 tasks
@terrancedejesus
1
[New Rule] Azure AD Graph 4xx Error Surge from User backport: auto Domain: Cloud Integration: Azure azure related rules Rule: New Proposal for new rule
#6174 opened May 21, 2026 by terrancedejesus Contributor Loading…
5 tasks
@terrancedejesus
1
[New Rule] Azure AD Graph Access with Unusual User and ASN backport: auto Domain: Cloud Domain: Identity Integration: Azure azure related rules Rule: New Proposal for new rule
#6171 opened May 20, 2026 by terrancedejesus Contributor Loading…
5 tasks
@terrancedejesus
1
[New Rule] Azure AD Graph Potential Enumeration (ROADrecon) backport: auto Domain: Cloud Integration: Azure azure related rules Rule: New Proposal for new rule
#6170 opened May 20, 2026 by terrancedejesus Contributor Loading…
5 tasks
@terrancedejesus
1
[New] Azure Run Command Correlated with Process Execution backport: auto Domain: Endpoint Integration: Azure azure related rules OS: Linux OS: Windows windows related rules Rule: New Proposal for new rule
#6169 opened May 20, 2026 by Samirbous Contributor Loading…
@Samirbous
17
Add Entra ID identity attack rules: TAP creation, guest-to-member promotion, OAuth redirect URI (3 rules) backport: auto community Domain: Cloud Integration: Azure azure related rules
#6168 opened May 20, 2026 by descambiado Loading…
2
[Rule Tuning] Forwarded Google Workspace Security Alert backport: auto Domain: Cloud Integration: Google Workspace Rule: Tuning tweaking or tuning an existing rule
#6166 opened May 19, 2026 by imays11 Contributor Loading…
@imays11
5
[New Rule] Microsoft Entra ID Impossible Travel Sign-in backport: auto Domain: Cloud Integration: Azure azure related rules Rule: New Proposal for new rule
#6150 opened May 15, 2026 by terrancedejesus Contributor Draft
5 tasks
@terrancedejesus
1
[New Rule] Google Workspace Impossible Travel Login backport: auto Domain: Cloud Integration: Google Workspace Rule: New Proposal for new rule
#6148 opened May 15, 2026 by terrancedejesus Contributor Draft
5 tasks
@terrancedejesus
1
Update elastic/docs-actions digest to b507b2c backport: auto community
#6137 opened May 13, 2026 by elastic-renovate-prod Bot Loading…
1 task
Update tj-actions/changed-files action to v47 backport: auto community
#6132 opened May 12, 2026 by elastic-renovate-prod Bot Loading…
1 task
ProTip! Adding no:label will show everything without a label.