Pull requests: elastic/detection-rules
#6017 [Rule Tuning] Privilege Escalation via SUID/SGID
  Labels: backport: auto; Domain: Endpoint; OS: Linux; Rule: Tuning; Team: TRADE
  Opened Apr 30, 2026 by Aegrah (Contributor)

#6014 [Rule Tunings] AWS ESQL keep fields missing
  Labels: backport: auto; Domain: Cloud; Integration: AWS; Rule: Tuning; Team: TRADE
  Opened Apr 29, 2026 by imays11 (Contributor)

#6013 [Rule Tuning] Windows High-Severity Rules Revamp - 7
  Labels: backport: auto; Domain: Endpoint; OS: Windows; Rule: Tuning
  Opened Apr 29, 2026 by w0rk3r (Contributor)

#6012 [New] Multi-Cloud CLI Token and Credential Access Commands
  Labels: backport: auto; Domain: Cloud; Domain: Endpoint; Rule: New
  Opened Apr 29, 2026 by Samirbous (Contributor)

#6011 [FR] Add new unit test for process fields in non process events
  Labels: backport: auto; enhancement; patch; test-suite
  Opened Apr 29, 2026 by Mikaayenson (Contributor); 3 tasks

#6010 [Rule Tuning] Windows High-Severity Rules Revamp - 6
  Labels: backport: auto; Domain: Endpoint; OS: Windows; Rule: Tuning
  Opened Apr 29, 2026 by w0rk3r (Contributor)

#6009 [New] Container Runtime CLI Execution with Suspicious Arguments
  Labels: backport: auto; Domain: Containers; Domain: Endpoint; Integration: Auditd Manager; OS: Linux; Rule: New
  Opened Apr 29, 2026 by Samirbous (Contributor)

#6008 [FR] Merged Renovate Dependency Updates
  Labels: backport: auto; dependencies; enhancement; patch; python
  Opened Apr 29, 2026 by eric-forte-elastic (Contributor); 5 tasks

#6007 [New] Kubernetes and Cloud Credential Path Access via Process Arguments
  Labels: backport: auto; Domain: Endpoint; Integration: Auditd Manager; OS: Linux; Rule: New
  Opened Apr 29, 2026 by Samirbous (Contributor)

#6006 [Rule Tuning] Misc GenAI Tuning
  Labels: backport: auto; Rule: Tuning
  Opened Apr 29, 2026 by Mikaayenson (Contributor); 2 of 5 tasks

#6005 [New] Unusual Process Connection to Docker or Containerd Socket
  Labels: backport: auto; Domain: Containers; Domain: Endpoint; Integration: Auditd Manager; OS: Linux; Rule: New
  Opened Apr 29, 2026 by Samirbous (Contributor)

#6004 [Rule Tuning] Windows High-Severity Rules Revamp - 5
  Labels: backport: auto; Domain: Endpoint; OS: Windows; Rule: Tuning
  Opened Apr 29, 2026 by w0rk3r (Contributor)

#6003 [New Rule] Potential Remote Code Execution via Git Enterprise Server
  Labels: backport: auto; OS: Linux; OS: macOS; OS: Windows; Rule: New; Team: TRADE
  Opened Apr 29, 2026 by Aegrah (Contributor)

#6002 [FR] Add sub-technique data to the summary-xlsx
  Labels: backport: auto; bug; enhancement; patch; python
  Opened Apr 29, 2026 by eric-forte-elastic (Contributor); 5 tasks

#6001 [Bug] KQL does not properly escape leading forward slash
  Labels: backport: auto; bug; kql; patch
  Opened Apr 29, 2026 by eric-forte-elastic (Contributor); 5 tasks

#6000 [Bug] TOML string outputs are not properly escaped
  Labels: backport: auto; bug; patch; python
  Opened Apr 29, 2026 by eric-forte-elastic (Contributor); 5 tasks

#5997 [Enhancement] Add test for constant_keyword fields on alerts-only rules
  Labels: backport: auto; bug; patch; python; test-suite
  Opened Apr 28, 2026 by terrancedejesus (Contributor); 5 tasks

#5996 [New/Tuning] Direct Kubelet API Access rules
  Labels: backport: auto; Domain: Containers; Domain: Endpoint; Integration: Auditd Manager; OS: Linux; Rule: New; Rule: Tuning
  Opened Apr 28, 2026 by Samirbous (Contributor)

#5995 ci(docs): scope pull_request triggers to integration branches
  Labels: backport: auto
  Opened Apr 28, 2026 by Mpdreamz (Member)

#5993 Update dependency marshmallow-jsonschema to ~=0.16.0
  Labels: backport: auto; community
  Opened Apr 28, 2026 by elastic-renovate-prod (Bot); 1 task

#5992 [New/Tuning] Chroot Execution in Container Context on Linux
  Labels: backport: auto; Domain: Containers; Domain: Endpoint; OS: Linux; Rule: New; Rule: Tuning
  Opened Apr 27, 2026 by Samirbous (Contributor)

#5990 [Rule Tuning] Misc Windows Tuning
  Labels: backport: auto; Domain: Endpoint; OS: Windows; Rule: Tuning
  Opened Apr 27, 2026 by w0rk3r (Contributor)

#5989 [Tuning] Namespace Manipulation Using Unshare
  Labels: backport: auto; Domain: Containers; Domain: Endpoint; OS: Linux; Rule: Tuning
  Opened Apr 27, 2026 by Samirbous (Contributor)

#5988 [New] Nsenter to PID 1 Namespace via Auditd/D4C
  Labels: backport: auto; Domain: Endpoint; Integration: Auditd Manager; OS: Linux; Rule: New
  Opened Apr 27, 2026 by Samirbous (Contributor)

#5987 [New/Tuning] K8 RBAC Privs
  Labels: backport: auto; Integration: Kubernetes; OS: Windows; Rule: New; Rule: Tuning
  Opened Apr 27, 2026 by Samirbous (Contributor)