Skip to content

Pull requests: elastic/detection-rules

New pull request New
Clear current search query, filters, and sorts
17 Open 716 Closed
17 Open 716 Closed
Author
Filter by author
Loading
Label
Filter by label
Loading
Use alt + click/return to exclude labels
or + click/return for logical OR
Projects
Filter by project
Loading
Milestones
Filter by milestone
Loading
Reviews
Filter by reviews
No reviews Review required Approved review Changes requested
Assignee
Filter by who’s assigned
Assigned to nobody Loading
Sort
Sort by
Newest Oldest Most commented Least commented Recently updated Least recently updated Best match
Most reactions
👍 👎 😄 🎉 😕 ❤️ 🚀 👀

Pull requests list

[Rule Tuning] Fixes for Unsupported Fields backport: auto Domain: Endpoint OS: Linux Rule: Tuning tweaking or tuning an existing rule
#6025 opened May 1, 2026 by Aegrah Contributor Loading…
@Aegrah
5
[New] Container Runtime CLI Execution with Suspicious Arguments backport: auto Domain: Containers Domain: Endpoint Integration: Auditd Manager OS: Linux Rule: New Proposal for new rule
#6009 opened Apr 29, 2026 by Samirbous Contributor Loading…
@Samirbous
21
[New] Kubernetes and Cloud Credential Path Access via Process Arguments backport: auto Domain: Endpoint Integration: Auditd Manager OS: Linux Rule: New Proposal for new rule
#6007 opened Apr 29, 2026 by Samirbous Contributor Loading…
@Samirbous
5
[New] Unusual Process Connection to Docker or Containerd Socket backport: auto Domain: Containers Domain: Endpoint Integration: Auditd Manager OS: Linux Rule: New Proposal for new rule
#6005 opened Apr 29, 2026 by Samirbous Contributor Loading…
@Samirbous
7
[New Rule] Potential Remote Code Execution via Git Enterprise Server backport: auto OS: Linux OS: macOS OS: Windows windows related rules Rule: New Proposal for new rule Team: TRADE
#6003 opened Apr 29, 2026 by Aegrah Contributor Loading…
@Aegrah
9
[New/Tuning] Direct Kubelet API Access rules backport: auto Domain: Containers Domain: Endpoint Integration: Auditd Manager OS: Linux Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule
#5996 opened Apr 28, 2026 by Samirbous Contributor Loading…
@Samirbous
11
[New/Tuning] Chroot Execution in Container Context on Linux backport: auto Domain: Containers Domain: Endpoint OS: Linux Rule: New Proposal for new rule Rule: Tuning tweaking or tuning an existing rule
#5992 opened Apr 27, 2026 by Samirbous Contributor Loading…
@Samirbous
8
[New] Nsenter to PID 1 Namespace via Auditd/D4C backport: auto Domain: Endpoint Integration: Auditd Manager OS: Linux Rule: New Proposal for new rule
#5988 opened Apr 27, 2026 by Samirbous Contributor Loading…
@Samirbous
12
[New] Sensitive Identity File Open by Suspicious Process via Auditd backport: auto Domain: Endpoint Integration: Auditd Manager OS: Linux Rule: New Proposal for new rule
#5982 opened Apr 24, 2026 by Samirbous Contributor Loading…
@Samirbous
9
[New] Curl or Wget Execution from Container Context backport: auto Domain: Containers Domain: Endpoint Integration: Auditd Manager OS: Linux Rule: New Proposal for new rule
#5975 opened Apr 22, 2026 by Samirbous Contributor Loading…
@Samirbous
7
[New] Potential Privilege Escalation in Container via Runc Init backport: auto Domain: Containers Domain: Endpoint OS: Linux Rule: New Proposal for new rule
#5964 opened Apr 22, 2026 by Samirbous Contributor Loading…
@Samirbous
11
[Rule Tuning] Credential access collection sensitive files backport: auto community Domain: Endpoint OS: Linux
#5952 opened Apr 17, 2026 by litemars Loading…
1
[New Rule] DNS to Commonly Abused Web Services backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#5938 opened Apr 9, 2026 by Aegrah Contributor Loading…
@Aegrah
10
[New Rule] Kubernetes Pod Creation Using Common Debug or Base Images backport: auto container Integration: Kubernetes Kubernetes Integration OS: Linux Rule: New Proposal for new rule Team: TRADE
#5890 opened Mar 27, 2026 by Aegrah Contributor Loading…
@Aegrah
7
[New Rule] Potential Service Masquerading backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#5650 opened Jan 29, 2026 by Aegrah Contributor Draft
@Aegrah
7
[New Rule] File Creation with Curly Braces or Command Substitution backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#5219 opened Oct 14, 2025 by Aegrah Contributor Draft
@Aegrah
5
[New Rule/Tuning] Linux User or Group Deletion/Creation backport: auto Domain: Endpoint OS: Linux Rule: New Proposal for new rule Team: TRADE
#4861 opened Jun 30, 2025 by Aegrah Contributor Draft
@Aegrah
9
ProTip! Find all pull requests that aren't related to any open issues with -linked:issue.