Pull requests: elastic/detection-rules
[Rule Tuning] Transform Dormant SharePoint Rule to Detect OAuth Phishing
Domain: Cloud
Domain: Identity
Integration: Azure
azure related rules
Rule: Tuning
tweaking or tuning an existing rule
#5681
opened Feb 4, 2026 by
terrancedejesus
Draft
5 tasks
[Rule Tuning] Deprecate Individual MSFT Defender Rules / Create BBR MSFT Defender Rule
bbr
Building Block Rules
Domain: Cloud
Domain: Identity
Domain: SaaS
Integration: Microsoft 365
Rule: New
Proposal for new rule
Rule: Tuning
tweaking or tuning an existing rule
#5679
opened Feb 4, 2026 by
terrancedejesus
Draft
5 tasks
[Rule Tuning] M365 Identity Excessive SSO Login Errors Reported
Domain: Identity
Integration: Microsoft 365
Rule: Tuning
tweaking or tuning an existing rule
#5677
opened Feb 4, 2026 by
terrancedejesus
Draft
5 tasks
[New Rule] Kubernetes Anonymous User Bound to ClusterRole
container
Integration: Kubernetes
Kubernetes Integration
Rule: New
Proposal for new rule
Team: TRADE
[New Rules] Misc. K8s RBAC Abuse Rules
backport: auto
Integration: Kubernetes
Kubernetes Integration
Rule: New
Proposal for new rule
Team: TRADE
#5673
opened Feb 4, 2026 by
Aegrah
[Rule Tuning] Dormant & Deprecated Rule Clean-Up
backport: auto
OS: Linux
Rule: Deprecation
removal of a rule
Rule: Tuning
tweaking or tuning an existing rule
Team: TRADE
#5672
opened Feb 4, 2026 by
Aegrah
[Rule Tuning] Okta User Assigned Administrator Role
backport: auto
Domain: Cloud
Domain: Identity
Integration: Okta
okta related rules
Rule: Tuning
tweaking or tuning an existing rule
#5671
opened Feb 3, 2026 by
terrancedejesus
5 tasks
[New Rule] Okta Admin Console Login Failure
backport: auto
bbr
Building Block Rules
Domain: Identity
Integration: Okta
okta related rules
Rule: New
Proposal for new rule
#5669
opened Feb 3, 2026 by
terrancedejesus
5 tasks
MacOS detection rules tuning
backport: auto
Domain: Endpoint
OS: macOS
Rule: Tuning
tweaking or tuning an existing rule
#5667
opened Feb 2, 2026 by
DefSecSentinel
[New] Endpoint Rule Conversion PR
backport: auto
Domain: Endpoint
OS: macOS
Rule: New
Proposal for new rule
#5658
opened Jan 30, 2026 by
DefSecSentinel
[Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: Tuning
tweaking or tuning an existing rule
Team: TRADE
#5657
opened Jan 30, 2026 by
imays11
[New Rule] Potential Service Masquerading
backport: auto
Domain: Endpoint
OS: Linux
Rule: New
Proposal for new rule
Team: TRADE
#5650
opened Jan 29, 2026 by
Aegrah
[Tuning] M365 Exchange Inbox Phishing Evasion Rule Created
backport: auto
community
Domain: Cloud
Integration: Microsoft 365
Rule: Tuning
tweaking or tuning an existing rule
#5648
opened Jan 29, 2026 by
Samirbous
Update actions/checkout digest
backport: auto
community
#5613
opened Jan 25, 2026 by
elastic-renovate-prod
bot
1 task
Update fjogeleit/http-request-action digest to c0b95d0
backport: auto
community
#5605
opened Jan 23, 2026 by
elastic-renovate-prod
bot
1 task
[Hunt Tuning] Fix Invalid ES|QL Syntax in Hunting Queries
backport: auto
Hunt: Tuning
Hunting
#5566
opened Jan 16, 2026 by
terrancedejesus
5 tasks
[New Rule] Multiple High-Severity Alerts for Privileged AD User
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
[New Rule] Potential PowerShell Obfuscated Script via High Entropy
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
#5554
opened Jan 12, 2026 by
w0rk3r
[New Rule] PowerShell Script Block Entropy Outlier via MAD Z-Score
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
Update actions/setup-python digest to a309ff8
backport: auto
community
#5527
opened Jan 3, 2026 by
elastic-renovate-prod
bot
1 task
Update actions/checkout action to v6
backport: auto
community
#5349
opened Nov 20, 2025 by
elastic-renovate-prod
bot
1 task
Update dependency marshmallow to v4
backport: auto
community
#5330
opened Nov 17, 2025 by
elastic-renovate-prod
bot
1 task
Update dependency elasticsearch to v9
backport: auto
community
#5329
opened Nov 17, 2025 by
elastic-renovate-prod
bot
1 task
Update actions/upload-artifact action to v6
backport: auto
community
#5328
opened Nov 17, 2025 by
elastic-renovate-prod
bot
1 task