Skip to content

Pull requests: elastic/detection-rules

New pull request New
39 Open 3,841 Closed
39 Open 3,841 Closed
Author
Filter by author
Loading
Label
Filter by label
Loading
Use alt + click/return to exclude labels
or + click/return for logical OR
Projects
Filter by project
Loading
Milestones
Filter by milestone
Loading
Reviews
Filter by reviews
No reviews Review required Approved review Changes requested
Assignee
Filter by who’s assigned
Assigned to nobody Loading
Sort
Sort by
Newest Oldest Most commented Least commented Recently updated Least recently updated Best match
Most reactions
👍 👎 😄 🎉 😕 ❤️ 🚀 👀

Pull requests list

[Rule Tuning] Python Path File (pth) Creation backport: auto Domain: Endpoint OS: Linux Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5880 opened Mar 24, 2026 by Aegrah Loading…
@Aegrah
2
Fix: Add comprehensive unit tests for non-ecs-schema.json and clean up data (#2322) backport: auto community
#5879 opened Mar 24, 2026 by chidoziemanagwu Loading…
6 of 7 tasks
1
1
[New Rule] M365 Azure Monitor Alert Email with Financial or Billing Theme backport: auto Domain: Email Integration: Azure azure related rules patch Rule: New Proposal for new rule schema
#5878 opened Mar 24, 2026 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
4
[Rule Tuning] Update Mitre Mappings and tags backport: auto Domain: Cloud enhancement New feature or request Integration: AWS AWS related rules Integration: Azure azure related rules Integration: CyberArkPas CyberArkPas integration Integration: GCP GCP related rules Integration: Google Workspace ML machine learning related rule Rule: Tuning tweaking or tuning an existing rule Security Content test-suite unit and other testing components
#5876 opened Mar 23, 2026 by Mikaayenson Loading…
1 of 5 tasks
@Mikaayenson
15
[New Rules] macOS Unified Logs Login Window and XProtect Detections backport: auto dev rule meant to be non-prod / non-shipping integration: Unified_Logs OS: macOS patch Rule: New Proposal for new rule
#5874 opened Mar 23, 2026 by DefSecSentinel Loading…
4 tasks
@DefSecSentinel
22
[Rule Tuning] M365 SharePoint/OneDrive File Access via PowerShell - Convert to new_terms backport: auto Domain: Cloud Domain: SaaS Domain: Storage Integration: Azure azure related rules Integration: Microsoft 365 Rule: Tuning tweaking or tuning an existing rule
#5873 opened Mar 23, 2026 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
1
[New Rules] macOS Unified Logs TCC Detection Rules backport: auto dev rule meant to be non-prod / non-shipping integration: Unified_Logs OS: macOS patch Rule: New Proposal for new rule
#5870 opened Mar 23, 2026 by DefSecSentinel Loading…
6 tasks
@DefSecSentinel
24
[New Rules] macOS Unified Logs Apple Event Detections backport: auto dev rule meant to be non-prod / non-shipping Hunting integration: Unified_Logs OS: macOS patch Rule: New Proposal for new rule
#5867 opened Mar 23, 2026 by DefSecSentinel Loading…
5 tasks
@DefSecSentinel
19
[Rule Tuning] M365 Identity Login from Atypical Travel Location - Reduce FP Noise backport: auto Domain: Cloud Domain: SaaS Integration: Microsoft 365 Rule: Tuning tweaking or tuning an existing rule
#5866 opened Mar 23, 2026 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
1
[Rule Tuning] Entra ID OAuth User Impersonation to Microsoft Graph backport: auto Domain: Cloud Domain: Identity Domain: Web Integration: Azure azure related rules Rule: Tuning tweaking or tuning an existing rule
#5864 opened Mar 23, 2026 by terrancedejesus Loading…
5 tasks
1
@terrancedejesus
4
[Feature] Add support for immutable and rule_source fields in TOML export/import backport: auto python Internal python for the repository
#5840 opened Mar 17, 2026 by aarju Loading…
5 tasks
@aarju
2
WIP - Add batch processing to Kibana import-rules enhancement New feature or request patch
#5834 opened Mar 13, 2026 by eric-forte-elastic Draft
5 tasks
1
@eric-forte-elastic
1
WIP - [FR] [DAC] Initial Yaml Support backport: auto enhancement New feature or request patch python Internal python for the repository
#5821 opened Mar 10, 2026 by eric-forte-elastic Draft
5 tasks
@eric-forte-elastic
1
Update dependency nodeenv to v1.10.0 backport: auto community
#5800 opened Feb 28, 2026 by elastic-renovate-prod bot Loading…
1 task
Update Entity related rules with new _ea ML job ID and update minimum stack versions backport: auto Rule: Tuning tweaking or tuning an existing rule
#5794 opened Feb 27, 2026 by susan-shu-c Loading…
5 tasks
@susan-shu-c
14
Update dependency marko to v2.2.2 backport: auto community patch
#5735 opened Feb 18, 2026 by elastic-renovate-prod bot Loading…
1 task
2
[Rule Tuning & Deprecation] Tuning & Deprecating Promotion Rule backport: auto Integration: Cloud Defend Cloud Defend Integration Rule: Deprecation removal of a rule Rule: Tuning tweaking or tuning an existing rule Team: TRADE
#5712 opened Feb 10, 2026 by Aegrah Draft
@Aegrah
3
fix: Change bulk rule actions by updating deprecated rule_ids to ids backport: auto community
#5711 opened Feb 10, 2026 by IOITI Loading…
2 tasks done
@IOITI
4
[FR] [DAC] Add Exception Duplication Checking backport: auto detections-as-code enhancement New feature or request patch python Internal python for the repository
#5689 opened Feb 5, 2026 by eric-forte-elastic Loading…
5 tasks
1
@eric-forte-elastic
8
[New Rule] Kubernetes Anonymous User Bound to ClusterRole container Integration: Kubernetes Kubernetes Integration Rule: New Proposal for new rule Team: TRADE
#5674 opened Feb 4, 2026 by Aegrah Draft
@Aegrah
1
[New Rule] Potential Service Masquerading backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#5650 opened Jan 29, 2026 by Aegrah Draft
@Aegrah
7
Update actions/checkout digest backport: auto community
#5613 opened Jan 25, 2026 by elastic-renovate-prod bot Loading…
1 task
Update fjogeleit/http-request-action digest to c0b95d0 backport: auto community stale 60 days of inactivity
#5605 opened Jan 23, 2026 by elastic-renovate-prod bot Loading…
1 task
1
[Hunt Tuning] Fix Invalid ES|QL Syntax in Hunting Queries backport: auto Hunt: Tuning Hunting
#5566 opened Jan 16, 2026 by terrancedejesus Draft
5 tasks
1
@terrancedejesus
8
[New Rule] Multiple High-Severity Alerts for Privileged AD User backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#5555 opened Jan 13, 2026 by w0rk3r Draft
@w0rk3r
2
ProTip! Type g p on any issue or pull request to go back to the pull request listing page.