-
Notifications
You must be signed in to change notification settings - Fork 675
Pull requests: elastic/detection-rules
Author
Label
Projects
Milestones
Reviews
Assignee
Sort
Pull requests list
[New/Tuning] DNS Tunneling via NsLookup
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: Tuning
tweaking or tuning an existing rule
#6381
opened Jul 3, 2026 by
Samirbous
Contributor
Loading…
[Rule Tuning] First Time Seen DNS Query to RMM Domain
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: Tuning
tweaking or tuning an existing rule
#6380
opened Jul 2, 2026 by
w0rk3r
Contributor
Loading…
[Rule Tuning] Windows Misc Tunings
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: Tuning
tweaking or tuning an existing rule
#6379
opened Jul 2, 2026 by
w0rk3r
Contributor
Loading…
[Rule Tuning] Microsoft Graph Request Email Access by Unusual User and Client
backport: auto
Domain: Cloud
Domain: Web
Integration: Azure
azure related rules
Rule: Tuning
tweaking or tuning an existing rule
#6378
opened Jul 2, 2026 by
terrancedejesus
Contributor
Loading…
5 tasks
[New Rule] Entra ID / M365 - Unusual ROPC Auth and/or Legacy Clients
backport: auto
Domain: Cloud
Domain: Identity
Integration: Azure
azure related rules
Integration: Microsoft 365
Rule: New
Proposal for new rule
Rule: Tuning
tweaking or tuning an existing rule
#6377
opened Jul 2, 2026 by
terrancedejesus
Contributor
Loading…
5 tasks
[New Rules] Linux ER Rule Migrations - Part 1
backport: auto
Domain: Endpoint
OS: Linux
Rule: New
Proposal for new rule
Team: TRADE
#6371
opened Jul 2, 2026 by
Aegrah
Contributor
Loading…
[New Rule] AWS Bedrock AgentCore Gateway Repeated Tool Invocation Failures
backport: auto
community
#6368
opened Jul 1, 2026 by
eeee2345
Loading…
WIP - Initial MITRE v19 Support
detections-as-code
enhancement
New feature or request
patch
python
Internal python for the repository
#6367
opened Jul 1, 2026 by
eric-forte-elastic
Contributor
•
Draft
5 tasks
[New Rule] Microsoft Defender XDR Promotion Rules
backport: auto
bbr
Building Block Rules
Rule: New
Proposal for new rule
Rule: Tuning
tweaking or tuning an existing rule
#6360
opened Jun 30, 2026 by
terrancedejesus
Contributor
Loading…
5 tasks
[New Rule] Entra ID AiTM Phishing-Kit Chain Detected
backport: auto
Domain: Cloud
Domain: Identity
Integration: Azure
azure related rules
Rule: New
Proposal for new rule
#6359
opened Jun 30, 2026 by
terrancedejesus
Contributor
Loading…
5 tasks
[Rule Tuning] Entra ID OAuth Device Code Phishing via AiTM
backport: auto
Domain: Cloud
Domain: Identity
Integration: Azure
azure related rules
Rule: Tuning
tweaking or tuning an existing rule
#6358
opened Jun 30, 2026 by
terrancedejesus
Contributor
Loading…
5 tasks
[New] GKE Kubernetes Rules
backport: auto
Domain: Cloud
Integration: GCP
GCP related rules
Rule: New
Proposal for new rule
#6357
opened Jun 30, 2026 by
Samirbous
Contributor
Loading…
[New Rule] Potential DHCP Starvation via High Client MAC Cardinality
backport: auto
Domain: Network
Integration: Network Traffic
Rule: New
Proposal for new rule
#6355
opened Jun 29, 2026 by
eric-forte-elastic
Contributor
Loading…
5 tasks
[New Rule] Entra ID Device Registration with Phishing Kit Default OS Build
backport: auto
Domain: Cloud
Domain: Identity
Integration: Azure
azure related rules
Rule: New
Proposal for new rule
#6354
opened Jun 29, 2026 by
terrancedejesus
Contributor
Loading…
5 tasks
[New Rule] Deprecated TLS Version or Weak Cipher Negotiated Externally
backport: auto
Domain: Network
Integration: Network Traffic
Rule: New
Proposal for new rule
#6353
opened Jun 29, 2026 by
eric-forte-elastic
Contributor
Loading…
5 tasks
[New Rule] Potential ICMP Tunneling Activity to the Internet
backport: auto
Domain: Network
Integration: Network Traffic
Rule: New
Proposal for new rule
#6352
opened Jun 29, 2026 by
eric-forte-elastic
Contributor
Loading…
5 tasks
[New Rule] ICMP Redirect Message from Internal Host
backport: auto
Domain: Network
Integration: Network Traffic
Rule: New
Proposal for new rule
#6351
opened Jun 29, 2026 by
eric-forte-elastic
Contributor
Loading…
5 tasks
[New Rule] Entra ID Multiple Device Registrations by a Single User
backport: auto
Domain: Cloud
Domain: Identity
Integration: Azure
azure related rules
Rule: New
Proposal for new rule
#6350
opened Jun 29, 2026 by
terrancedejesus
Contributor
Loading…
5 tasks
[New Rule] ICMP Timestamp or Information Request from the Internet
backport: auto
Domain: Network
Integration: Network Traffic
Rule: New
Proposal for new rule
#6349
opened Jun 29, 2026 by
eric-forte-elastic
Contributor
Loading…
5 tasks
[New Rule] AWS Bedrock Agent Credential Exfiltration Pattern in Invocation Content
backport: auto
community
#6336
opened Jun 28, 2026 by
eeee2345
Loading…
[Rule Tuning] Migrate Phase 1 vendor fields to ECS and trim non-ecs schema
patch
Rule: Tuning
tweaking or tuning an existing rule
schema
#6328
opened Jun 23, 2026 by
Mikaayenson
Contributor
•
Draft
3 of 5 tasks
[New Rule] Entra ID Potential Conditional Access MFA Bypass via First-Party Microsoft Graph Access
backport: auto
Domain: Cloud
Domain: Identity
Integration: Azure
azure related rules
Rule: New
Proposal for new rule
#6325
opened Jun 22, 2026 by
terrancedejesus
Contributor
Loading…
5 tasks
[New Rule] Command Interpreter Spawned by Obsidian
backport: auto
community
#6317
opened Jun 20, 2026 by
Aryu-RU
Loading…
5 of 6 tasks
[New Rule] AWS Backup Monitoring or Audit Controls Disabled
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
Previous Next
ProTip!
Adding no:label will show everything without a label.