Pull requests: elastic/detection-rules

[New Rule] AWS Bedrock AgentCore Gateway Repeated Tool Invocation Failures (#6368)
Labels: backport: auto; community
Opened Jul 1, 2026 by eeee2345

WIP - Initial MITRE v19 Support (#6367)
Labels: detections-as-code; enhancement; patch; python
Opened Jul 1, 2026 by eric-forte-elastic (Contributor)
Draft; 5 tasks

[Tuning] Web Server Potential SQL Injection Request (#6365)
Labels: backport: auto; bbr; Domain: Web; Rule: Tuning
Opened Jul 1, 2026 by Samirbous (Contributor)

[New] Potential SQL Injection Against Microsoft SQL Server (#6364)
Labels: backport: auto; Domain: Endpoint; OS: Windows; Rule: New
Opened Jul 1, 2026 by Samirbous (Contributor)

[Rule Tuning] Credential Acquisition via Registry Hive Dumping (#6362)
Labels: backport: auto; Domain: Endpoint; OS: Windows; Rule: Tuning
Opened Jun 30, 2026 by w0rk3r (Contributor)

[New Rule] Microsoft Defender XDR Promotion Rules (#6360)
Labels: Rule: New; Rule: Tuning
Opened Jun 30, 2026 by terrancedejesus (Contributor)
Draft; 5 tasks

[New Rule] Entra ID AiTM Phishing-Kit Chain Detected (#6359)
Labels: backport: auto; Domain: Cloud; Domain: Identity; Integration: Azure; Rule: New
Opened Jun 30, 2026 by terrancedejesus (Contributor)
5 tasks

[Rule Tuning] Entra ID OAuth Device Code Phishing via AiTM (#6358)
Labels: backport: auto; Domain: Cloud; Domain: Identity; Integration: Azure; Rule: Tuning
Opened Jun 30, 2026 by terrancedejesus (Contributor)
5 tasks

[New] GKE Kubernetes Rules (#6357)
Labels: backport: auto; Domain: Cloud; Integration: GCP; Rule: New
Opened Jun 30, 2026 by Samirbous (Contributor)

[New Rule] Potential DHCP Starvation via High Client MAC Cardinality (#6355)
Labels: backport: auto; Domain: Network; Integration: Network Traffic; Rule: New
Opened Jun 29, 2026 by eric-forte-elastic (Contributor)
5 tasks

[New Rule] Entra ID Device Registration with Phishing Kit Default OS Build (#6354)
Labels: backport: auto; Domain: Cloud; Domain: Identity; Integration: Azure; Rule: New
Opened Jun 29, 2026 by terrancedejesus (Contributor)
5 tasks

[New Rule] Deprecated TLS Version or Weak Cipher Negotiated Externally (#6353)
Labels: backport: auto; Domain: Network; Integration: Network Traffic; Rule: New
Opened Jun 29, 2026 by eric-forte-elastic (Contributor)
5 tasks

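The title of #6353 names two conditions, a deprecated protocol version and a weak cipher suite, and a scope, sessions to external destinations. The Python below is an added illustration of that shape of check run over constructed handshake records; it is not the PR's rule logic and not code from elastic/detection-rules. It assumes ECS-style field names (tls.version_protocol, tls.version, tls.cipher, tls.established, destination.ip), an example list of internal address ranges that defines "external", and an example set of deprecated versions and weak-cipher name fragments; a real rule takes that policy from the environment it runs in.

```python
"""Deprecated TLS version or weak cipher negotiated to an external host.

Added example for this page; not the rule logic of elastic/detection-rules PR
#6353. Events are flat dicts with ECS-style keys (tls.version_protocol,
tls.version, tls.cipher, tls.established, destination.ip). The internal
ranges, deprecated versions and weak-cipher fragments are example policy.
"""
import ipaddress
import re

# Example definition of "internal"; every other address is treated as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# (protocol, version) pairs treated as deprecated in this example.
DEPRECATED_VERSIONS = {("ssl", "3.0"), ("tls", "1.0"), ("tls", "1.1")}

# Cipher-suite name fragments treated as weak in this example.
WEAK_CIPHER_FRAGMENTS = re.compile(
    r"(NULL|EXPORT|ANON|RC4|RC2|IDEA|3DES|DES_CBC|_MD5)", re.IGNORECASE
)


def is_external(ip_text):
    """True when the address parses and lies outside INTERNAL_NETWORKS.

    Unparsable values return False so garbage in the field never trips the rule.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETWORKS)


def weak_tls_findings(ev):
    """List the reasons one handshake is weak; an empty list means acceptable."""
    reasons = []
    proto = (ev.get("tls.version_protocol") or "").lower()
    version = ev.get("tls.version") or ""
    if (proto, version) in DEPRECATED_VERSIONS:
        reasons.append(f"deprecated protocol {proto.upper()} {version}")
    cipher = ev.get("tls.cipher") or ""
    match = WEAK_CIPHER_FRAGMENTS.search(cipher)
    if match:
        reasons.append(f"weak cipher component {match.group(1)} in {cipher}")
    return reasons


def detect_weak_external_tls(events):
    """Alert on established handshakes to external hosts with weak parameters.

    Unestablished handshakes are skipped: a ClientHello offering TLS 1.0 that
    the server refuses is not a negotiated weak session. Weak sessions to
    internal hosts are skipped too; they are a different finding, not this one.
    """
    alerts = []
    for ev in events:
        if not ev.get("tls.established"):
            continue
        if not is_external(ev.get("destination.ip") or ""):
            continue
        reasons = weak_tls_findings(ev)
        if reasons:
            alerts.append({"destination.ip": ev["destination.ip"],
                           "tls.cipher": ev.get("tls.cipher"), "reasons": reasons})
    return alerts


def sample_tls_events():
    """Constructed handshake records using RFC 5737 documentation addresses."""
    base = {"event.dataset": "network_traffic.tls", "tls.established": True,
            "tls.version_protocol": "tls"}
    return [
        {**base, "destination.ip": "203.0.113.10", "tls.version": "1.0",
         "tls.cipher": "TLS_RSA_WITH_AES_128_CBC_SHA"},     # old version, external
        {**base, "destination.ip": "203.0.113.11", "tls.version": "1.2",
         "tls.cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},    # weak cipher, external
        {**base, "destination.ip": "10.20.30.40", "tls.version": "1.0",
         "tls.cipher": "TLS_RSA_WITH_RC4_128_SHA"},        # weak but internal
        {**base, "destination.ip": "203.0.113.12", "tls.version": "1.3",
         "tls.cipher": "TLS_AES_256_GCM_SHA384"},          # modern, no alert
        {**base, "destination.ip": "203.0.113.13", "tls.version": "1.0",
         "tls.cipher": "", "tls.established": False},      # refused, ignored
    ]


if __name__ == "__main__":
    for alert in detect_weak_external_tls(sample_tls_events()):
        print(alert)
```

Two things the check encodes that a plain match on the version string misses: a handshake the server refused is not a negotiated weak session, so it is skipped, and a weak session between two internal hosts is out of scope for a rule whose point is external exposure. "External" is deliberately an explicit list of internal ranges rather than the library's notion of a global address; Python's ipaddress classifies the RFC 5737 documentation ranges used in the sample data as non-global, which would silently drop every sample here, and production environments usually have their own definition anyway.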
[New Rule] Potential ICMP Tunneling Activity to the Internet (#6352)
Labels: backport: auto; Domain: Network; Integration: Network Traffic; Rule: New
Opened Jun 29, 2026 by eric-forte-elastic (Contributor)
5 tasks

[New Rule] ICMP Redirect Message from Internal Host (#6351)
Labels: backport: auto; Domain: Network; Integration: Network Traffic; Rule: New
Opened Jun 29, 2026 by eric-forte-elastic (Contributor)
5 tasks

[New Rule] Entra ID Multiple Device Registrations by a Single User (#6350)
Labels: backport: auto; Domain: Cloud; Domain: Identity; Integration: Azure; Rule: New
Opened Jun 29, 2026 by terrancedejesus (Contributor)
5 tasks

[New Rule] ICMP Timestamp or Information Request from the Internet (#6349)
Labels: backport: auto; Domain: Network; Integration: Network Traffic; Rule: New
Opened Jun 29, 2026 by eric-forte-elastic (Contributor)
5 tasks

[New Rule] AWS IAM User Console Login from Multiple Geolocations (#6348)
Labels: backport: auto; Domain: Cloud; Integration: AWS; Rule: New
Opened Jun 29, 2026 by bryans3c (Contributor)
5 tasks

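Three of the titles above, #6355 (distinct client MACs per DHCP server), #6350 (distinct devices registered per user) and #6348 (distinct login geolocations per user), describe one detection shape: count the distinct values of a field per entity inside a time window and alert when the count reaches a threshold. The Python below is an added illustration of that pattern over constructed events; it is not the rule logic of those PRs and not code from elastic/detection-rules. Field names follow ECS where one exists (destination.ip, source.mac, user.name, source.geo.country_iso_code), the thresholds and windows are example values, and every event is constructed rather than captured telemetry.

```python
"""Sliding-window distinct-count detection over constructed events.

Added example for this page; not the rule logic of elastic/detection-rules PRs
#6355, #6350 or #6348. Events are flat dicts with an "@timestamp" datetime and
ECS-style dotted keys; all sample data below is constructed, not captured.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def cardinality_alerts(events, group_by, distinct_field, threshold, window):
    """Alert when the distinct `distinct_field` values seen for one value of
    `group_by` within `window` reach `threshold`.

    A per-group deque holds recent (timestamp, value) pairs. After an alert the
    group's deque is cleared, so a sustained burst yields one alert per
    threshold crossing rather than one per event. Events lacking either field
    are skipped: bucketing them under None would merge unrelated activity.
    """
    alerts = []
    recent = defaultdict(deque)  # group value -> deque of (timestamp, counted value)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = ev.get(group_by)
        value = ev.get(distinct_field)
        if key is None or value is None:
            continue
        ts = ev["@timestamp"]
        q = recent[key]
        q.append((ts, value))
        while ts - q[0][0] > window:  # evict events that fell out of the window
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) >= threshold:
            alerts.append({"group": key, "distinct_count": len(distinct),
                           "first_seen": q[0][0], "last_seen": ts})
            q.clear()
    return alerts


T0 = datetime(2026, 6, 29, 12, 0, tzinfo=timezone.utc)  # arbitrary anchor time


def sample_dhcp_events():
    """Constructed DHCP client traffic toward two servers (not real captures).

    Server 10.0.0.1 sees 60 distinct client MACs in 6 seconds, the starvation
    pattern; server 10.0.1.1 sees 3 ordinary clients spread over 3 minutes.
    """
    events = [{"@timestamp": T0 + timedelta(milliseconds=100 * i),
               "destination.ip": "10.0.0.1",
               "source.mac": f"02:00:00:00:00:{i:02x}"}  # fabricated, locally administered
              for i in range(60)]
    events += [{"@timestamp": T0 + timedelta(minutes=i),
                "destination.ip": "10.0.1.1",
                "source.mac": f"aa:bb:cc:00:00:0{i}"}
               for i in range(3)]
    return events


def detect_dhcp_starvation(events, threshold=50, window=timedelta(seconds=10)):
    """Example policy: 50 distinct client MACs toward one DHCP server within 10 s."""
    return cardinality_alerts(events, "destination.ip", "source.mac", threshold, window)


def sample_console_logins():
    """Constructed CloudTrail-style ConsoleLogin events after geo enrichment."""
    def login(minutes, user, country):
        return {"@timestamp": T0 + timedelta(minutes=minutes),
                "event.action": "ConsoleLogin", "user.name": user,
                "source.geo.country_iso_code": country}
    return [
        login(0, "alice", "US"), login(12, "alice", "DE"),  # two countries, 12 min apart
        login(5, "bob", "US"), login(40, "bob", "US"),      # one country: benign
        login(0, "carol", "GB"), login(90, "carol", "JP"),  # 90 min apart: outside window
        login(30, "dave", None),                            # no geo enrichment: skipped
    ]


def detect_multi_geo_logins(events, threshold=2, window=timedelta(hours=1)):
    """Example policy: 2 distinct countries for one user within 1 h."""
    return cardinality_alerts(events, "user.name", "source.geo.country_iso_code",
                              threshold, window)


if __name__ == "__main__":
    for alert in detect_dhcp_starvation(sample_dhcp_events()):
        print("DHCP starvation candidate:", alert)
    for alert in detect_multi_geo_logins(sample_console_logins()):
        print("Multi-geolocation console login:", alert)
```

The same aggregation serves all three titles because only the parameters differ: the entity, the counted field, the threshold and the window. Two choices matter for noise. Resetting the window after an alert means a flood of 60 MACs produces one alert rather than eleven, and skipping events that lack the grouping or counted field avoids a single "None" bucket that would combine unrelated users or servers and fire on its own.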
[New Rule] AWS SageMaker Notebook Lifecycle Configuration With Suspicious Script Content (#6347)
Labels: backport: auto; Domain: Cloud; Integration: AWS; Rule: New
Opened Jun 29, 2026 by bryans3c (Contributor)
5 tasks

[New Rule] AWS ECR Repository or Registry Policy Granted Public Access (#6342)
Labels: backport: auto; Domain: Cloud; Integration: AWS; Rule: New
Opened Jun 29, 2026 by bryans3c (Contributor)
5 tasks

[New Rule] AWS Bedrock Agent Credential Exfiltration Pattern in Invocation Content (#6336)
Labels: backport: auto; community
Opened Jun 28, 2026 by eeee2345

[Rule Tuning] Align Microsoft Graph Email Access /me Path Predicate (#6335)
Labels: backport: auto; community; Domain: Cloud; Integration: Azure
Opened Jun 27, 2026 by raylee-hawkins

[New] Protected Storage Service Access via SMB (#6333)
Labels: backport: auto; Domain: Endpoint; Integration: Windows; OS: Windows; Rule: New
Opened Jun 26, 2026 by Samirbous (Contributor)

[Rule Tuning] Persistence via Suspicious Launch Agent or Launch Daemon (#6332)
Labels: backport: auto; Domain: Endpoint; OS: macOS; Rule: Tuning
Opened Jun 25, 2026 by Mikaayenson (Contributor)

[Rule Tuning] Migrate Phase 1 vendor fields to ECS and trim non-ecs schema (#6328)
Labels: patch; Rule: Tuning; schema
Opened Jun 23, 2026 by Mikaayenson (Contributor)
Draft; 3 of 5 tasks

[Rule Tuning] First Time Seen Remote Monitoring and Management Tool (#6326)
Labels: backport: auto; Domain: Endpoint; OS: Windows; Rule: Tuning
Opened Jun 23, 2026 by w0rk3r (Contributor)