Pull requests: elastic/detection-rules
#4610 [New Rule] PowerShell Obfuscation via Negative Index String Reversal
  Labels: backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Rule: New (Proposal for new rule)
  Opened Apr 14, 2025 by w0rk3r

#4609 [New Rule] Potential PowerShell Obfuscation via Reverse Keywords
  Labels: backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Rule: New (Proposal for new rule)
  Opened Apr 14, 2025 by w0rk3r

#4608 [New Rule] Potential PowerShell Obfuscation via Character Array Reconstruction
  Labels: backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Rule: Tuning (tweaking or tuning an existing rule)
  Opened Apr 14, 2025 by w0rk3r

#4607 [New Rule] Potential PowerShell Obfuscation via String Concatenation
  Labels: backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Rule: New (Proposal for new rule)
  Opened Apr 14, 2025 by w0rk3r

#4606 [New] Windows Sandbox with Sensitive Configuration
  Labels: backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Rule: New (Proposal for new rule)
  Opened Apr 14, 2025 by Samirbous

#4604 [New] RemoteMonologue Attack rules
  Labels: backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Rule: New (Proposal for new rule)
  Opened Apr 14, 2025 by Samirbous

#4598 [New Rule] Threat Intel Email Indicator Match
  Labels: backport: auto; patch; python (Internal python for the repository); Rule: New (Proposal for new rule); schema
  Opened Apr 4, 2025 by w0rk3r

#4595 [New Rule] Potential PowerShell Obfuscation via String Reordering
  Labels: backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Rule: New (Proposal for new rule)
  Opened Apr 3, 2025 by w0rk3r

#4594 [Enhancement] Add flag to export rules via KQL search on name
  Labels: backport: auto; community; enhancement (New feature or request); python (Internal python for the repository)
  Opened Apr 3, 2025 by frederikb96
  5 tasks done

#4593 Feature exclude tactic name
  Labels: backport: auto; community; patch; python (Internal python for the repository)
  Opened Apr 3, 2025 by frederikb96
  5 tasks done

#4591 [Rule Tuning] SSH Authorized Keys File Deletion
  Labels: backport: auto; Domain: Endpoint; OS: Linux; Rule: Tuning (tweaking or tuning an existing rule)
  Opened Apr 3, 2025 by w0rk3r

#4583 [FR] Add Kibana Action Connector Error to Exception List Workaround
  Labels: backport: auto; enhancement (New feature or request); patch; python (Internal python for the repository)
  Opened Mar 30, 2025 by eric-forte-elastic
  5 tasks

#4582 [FR] Add Support for Local Dates Flag
  Labels: backport: auto; community; enhancement (New feature or request); patch; python (Internal python for the repository)
  Opened Mar 29, 2025 by eric-forte-elastic
  Draft; 1 of 5 tasks

#4581 [FR] Update Detection Rules MITRE Workflow to SHA Pin
  Labels: backport: auto; ci/cd; enhancement (New feature or request); patch
  Opened Mar 28, 2025 by eric-forte-elastic
  5 tasks

#4579 [enhancement] In esql validation, allow any order of metadata
  Labels: backport: auto; community; patch; python (Internal python for the repository)
  Opened Mar 28, 2025 by frederikb96
  5 tasks done

#4570 [Rule Tuning] Tuning azure related rules
  Labels: patch; Rule: Hunt (bit noisy but useful for hunting); Rule: Tuning (tweaking or tuning an existing rule); threat hunting (Related to hunting/ library.)
  Azure Service Principal Credentials Added
  Labels: backport: auto; Domain: Cloud; Hunt: New (Hunting); Integration: Azure
  Opened Mar 26, 2025 by terrancedejesus
  5 tasks

#4567 [Bug] Update Schema Prompt to include new_terms_fields
  Labels: backport: auto; bug (Something isn't working); patch; python (Internal python for the repository)
  Opened Mar 26, 2025 by eric-forte-elastic
  5 tasks

#4562 [Rule Tuning] Adjusting azure related rules
  Labels: patch; Rule: Tuning (tweaking or tuning an existing rule)
  Microsoft Entra ID Rare Authentication Requirement for Principal User
  Labels: backport: auto; Domain: Cloud; Integration: Azure
  Opened Mar 25, 2025 by terrancedejesus
  5 tasks

#4547 [Deprecate] LaunchDaemon Creation or Modification and Immediate Loading
  Labels: backport: auto; OS: macOS; Rule: Deprecation (removal of a rule)
  Opened Mar 19, 2025 by DefSecSentinel

#4546 [Tuning] MacOS DR Tuning PR
  Labels: backport: skip; Domain: Endpoint; OS: macOS; Rule: Tuning (tweaking or tuning an existing rule)
  Opened Mar 19, 2025 by DefSecSentinel

#4501 [Security Content] Windows Audit Policies Config Guides - Repo Edition
  Labels: backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Security Content
  Opened Feb 26, 2025 by w0rk3r

#4405 [Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce
  Labels: backport: auto; community; Domain: Cloud; Integration: Azure (azure related rules); Rule: Tuning (tweaking or tuning an existing rule)
  Opened Jan 22, 2025 by jvalente-salemstate
  2 tasks done

#4087 Revert "[Bug] Handle formatting empty list"
  Labels: backport: auto; python (Internal python for the repository); wontfix (This will not be worked on)
  Opened Sep 17, 2024 by brokensound77

[New Rule] Active Directory Forced Authentication from Linux Host
  Labels: backlog; backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Rule: New (Proposal for new rule)