Skip to content

Pull requests: elastic/detection-rules

New pull request New
36 Open 2,966 Closed
36 Open 2,966 Closed
Author
Filter by author
Loading
Label
Filter by label
Loading
Use alt + click/return to exclude labels
or + click/return for logical OR
Projects
Filter by project
Loading
Milestones
Filter by milestone
Loading
Reviews
Filter by reviews
No reviews Review required Approved review Changes requested
Assignee
Filter by who’s assigned
Sort
Sort by
Newest Oldest Most commented Least commented Recently updated Least recently updated Best match
Most reactions
👍 👎 😄 🎉 😕 ❤️ 🚀 👀

Pull requests list

[New Rule] Potential Malicious PowerShell Based on Alert Correlation backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4635 opened Apr 16, 2025 by w0rk3r Loading…
@w0rk3r
5
[New Rule] Dynamic IEX Reconstruction via Method String Access backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#4634 opened Apr 16, 2025 by w0rk3r Loading…
@w0rk3r
3
[New Rule] Potential Dynamic IEX Reconstruction via Environment Variables backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#4633 opened Apr 16, 2025 by w0rk3r Loading…
@w0rk3r
2
[New Rule] Potential PowerShell Obfuscation via Special Character Overuse backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4632 opened Apr 16, 2025 by w0rk3r Loading…
@w0rk3r
3
[New Rule] Potential PowerShell Obfuscation via High Numeric Character Proportion backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4631 opened Apr 16, 2025 by w0rk3r Loading…
@w0rk3r
2
[New Rule] Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4630 opened Apr 16, 2025 by w0rk3r Loading…
@w0rk3r
2
[New Rule][BBR] Potential PowerShell Obfuscation via High Special Character Proportion backport: auto bbr Building Block Rules Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4629 opened Apr 16, 2025 by w0rk3r Loading…
@w0rk3r
3
[New Rule] Adding Coverage for AWS IAM or STS API Calls via Temporary Session Tokens backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: New Proposal for new rule
#4628 opened Apr 16, 2025 by terrancedejesus Loading…
5 tasks
@terrancedejesus
1
[Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#4627 opened Apr 16, 2025 by w0rk3r Loading…
1
@w0rk3r
3
[New Rule] Adding Coverage for AWS IAM Virtual MFA Device Registration backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: New Proposal for new rule
#4626 opened Apr 16, 2025 by terrancedejesus Loading…
5 tasks
@terrancedejesus
1
[New Rule] Adding Coverage for AWS CLI with Kali Linux Fingerprint Identified backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: New Proposal for new rule
#4625 opened Apr 16, 2025 by terrancedejesus Loading…
5 tasks
@terrancedejesus
1
fix: Cleaning up the hashable content for the rule
#4621 opened Apr 16, 2025 by traut Draft
5 tasks
3
[New Rule] Adding Coverage for AWS S3 Static Site JavaScript File Uploaded backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: New Proposal for new rule
#4617 opened Apr 15, 2025 by terrancedejesus Loading…
5 tasks
@terrancedejesus
3
[New Rule] Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4615 opened Apr 15, 2025 by w0rk3r Loading…
@w0rk3r
2
[New Rule] Potential PowerShell Obfuscation via Invalid Escape Sequences backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#4614 opened Apr 15, 2025 by w0rk3r Loading…
@w0rk3r
6
Hunting - add generate-json command backport: auto enhancement New feature or request Hunting patch
#4613 opened Apr 15, 2025 by hop-dev Loading…
2 tasks done
6
[New Rule] PowerShell Obfuscation via Negative Index String Reversal backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4610 opened Apr 14, 2025 by w0rk3r Loading…
@w0rk3r
6
[New Rule] Potential PowerShell Obfuscation via Reverse Keywords backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4609 opened Apr 14, 2025 by w0rk3r Loading…
@w0rk3r
6
[New Rule] Potential PowerShell Obfuscation via Character Array Reconstruction backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
#4608 opened Apr 14, 2025 by w0rk3r Loading…
@w0rk3r
7
[New Rule] Potential PowerShell Obfuscation via String Concatenation backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4607 opened Apr 14, 2025 by w0rk3r Loading…
@w0rk3r
6
[New] Windows Sandbox with Sensitive Configuration backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4606 opened Apr 14, 2025 by Samirbous Loading…
@Samirbous
2
[New] RemoteMonologue Attack rules backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4604 opened Apr 14, 2025 by Samirbous Loading…
@Samirbous
7
[New Rule] Threat Intel Email Indicator Match backport: auto patch python Internal python for the repository Rule: New Proposal for new rule schema
#4598 opened Apr 4, 2025 by w0rk3r Loading…
1
@w0rk3r
10
[New Rule] Potential PowerShell Obfuscation via String Reordering backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
#4595 opened Apr 3, 2025 by w0rk3r Loading…
@w0rk3r
13
[enhancement] In esql validation, allow any order of metadata backport: auto community patch python Internal python for the repository
#4579 opened Mar 28, 2025 by frederikb96 Loading…
5 tasks done
@frederikb96
2
ProTip! Follow long discussions with comments:>50.