Issues: elastic/detection-rules
[New Rule] Manual Mount Discovery via /etc/exports
backport: auto
Domain: Endpoint
OS: Linux
Rule: New
Proposal for new rule
Team: TRADE
#4662
opened Apr 25, 2025 by
Aegrah
[New Rule] Docker Release File Creation
backport: auto
Domain: Endpoint
OS: Linux
Rule: New
Proposal for new rule
Team: TRADE
#4661
opened Apr 25, 2025 by
Aegrah
[New Rule] Manual Memory Dumping via Proc Filesystem
backport: auto
Domain: Endpoint
OS: Linux
Rule: New
Proposal for new rule
Team: TRADE
#4660
opened Apr 25, 2025 by
Aegrah
[FN Tuning] Suspicious /proc/maps Discovery
backport: auto
Domain: Endpoint
OS: Linux
Rule: Tuning
tweaking or tuning an existing rule
Team: TRADE
#4659
opened Apr 25, 2025 by
Aegrah
[New Rule] Potential Linux Tunneling and/or Port Forwarding via SSH Option
backport: auto
Domain: Endpoint
OS: Linux
Rule: New
Proposal for new rule
Team: TRADE
#4658
opened Apr 25, 2025 by
Aegrah
[FR] Add check-version-lock dev command
backport: auto
enhancement
New feature or request
patch
python
Internal python for the repository
#4650
opened Apr 24, 2025 by
eric-forte-elastic
5 tasks
[New Rule] MSFT Tenant OAuth Phishing via First-Party VSCode Client
backport: auto
Domain: Cloud
emerging-threat
Integration: Azure
azure related rules
Integration: Microsoft 365
patch
Rule: New
Proposal for new rule
Rule: Tuning
tweaking or tuning an existing rule
#4642
opened Apr 23, 2025 by
terrancedejesus
5 tasks
[Rule Tuning] Reduce Severity from Critical to High
backport: auto
Rule: Tuning
tweaking or tuning an existing rule
#4637
opened Apr 22, 2025 by
w0rk3r
[New Rule] Potential Dynamic IEX Reconstruction via Environment Variables
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: Tuning
tweaking or tuning an existing rule
#4633
opened Apr 16, 2025 by
w0rk3r
[New Rule] Potential PowerShell Obfuscation via Special Character Overuse
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
#4632
opened Apr 16, 2025 by
w0rk3r
[New Rule] Potential PowerShell Obfuscation via High Numeric Character Proportion
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
#4631
opened Apr 16, 2025 by
w0rk3r
[New Rule] Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
#4630
opened Apr 16, 2025 by
w0rk3r
[New Rule][BBR] Potential PowerShell Obfuscation via High Special Character Proportion
backport: auto
bbr
Building Block Rules
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
#4629
opened Apr 16, 2025 by
w0rk3r
[New Rule] Adding Coverage for AWS related rules
Rule: New
Proposal for new rule
AWS S3 Static Site JavaScript File Uploaded
backport: auto
Domain: Cloud
Integration: AWS
#4617
opened Apr 15, 2025 by
terrancedejesus
5 tasks
[New Rule] Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
#4615
opened Apr 15, 2025 by
w0rk3r
[New Rule] Potential PowerShell Obfuscation via Invalid Escape Sequences
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: Tuning
tweaking or tuning an existing rule
#4614
opened Apr 15, 2025 by
w0rk3r
[New Rule] PowerShell Obfuscation via Negative Index String Reversal
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
#4610
opened Apr 14, 2025 by
w0rk3r
[New Rule] Potential PowerShell Obfuscation via Reverse Keywords
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
#4609
opened Apr 14, 2025 by
w0rk3r
[New Rule] Potential PowerShell Obfuscation via Character Array Reconstruction
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: Tuning
tweaking or tuning an existing rule
#4608
opened Apr 14, 2025 by
w0rk3r
[New Rule] Potential PowerShell Obfuscation via String Concatenation
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
#4607
opened Apr 14, 2025 by
w0rk3r
[New] Windows Sandbox with Sensitive Configuration
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
#4606
opened Apr 14, 2025 by
Samirbous
[enhancement] In esql validation, allow any order of metadata
backport: auto
community
patch
python
Internal python for the repository
#4579
opened Mar 28, 2025 by
frederikb96
5 tasks done
[Security Content] Windows Audit Policies Config Guides - Repo Edition
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Security Content
#4501
opened Feb 26, 2025 by
w0rk3r
[Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce
backport: auto
community
Domain: Cloud
Integration: Azure
azure related rules
Rule: Tuning
tweaking or tuning an existing rule
#4405
opened Jan 22, 2025 by
jvalente-salemstate
2 tasks done