Skip to content

Navigation Menu

Appearance settings

Explore
By company size
By use case
By industry
View all solutions
Topics
- AI
- DevOps
- Security
- Software Development
- View all
Explore
- GitHub Sponsors
  Fund open source developers
- The ReadME Project
  GitHub community articles
Repositories
- Enterprise platform
  AI-powered developer platform
Available add-ons
Pricing

Search code, repositories, users, issues, pull requests...

Search

Clear

Search syntax tips

Provide feedback

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Saved searches

Use saved searches to filter your results more quickly

Name

Query

To see all available qualifiers, see our documentation.

Appearance settings

You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.

Dismiss alert

elastic / detection-rules Public

Notifications You must be signed in to change notification settings
Fork 589
Star 2.4k

Code
Issues 140
Pull requests 17
Actions
Security
Insights

Additional navigation options

Code
Issues
Pull requests
Actions
Security
Insights

Pull requests: elastic/detection-rules

Labels 132 Milestones 1

Labels 132 Milestones 1

New pull request New

17 Open 3,213 Closed

17 Open 3,213 Closed

Author

Filter by author

Loading

Uh oh!

There was an error while loading. Please reload this page.

Label

Filter by label

Loading

Uh oh!

There was an error while loading. Please reload this page.

Use alt + click/return to exclude labels

or ⇧ + click/return for logical OR

Projects

Filter by project

Loading

Uh oh!

There was an error while loading. Please reload this page.

Milestones

Filter by milestone

Loading

Uh oh!

There was an error while loading. Please reload this page.

Reviews

Filter by reviews

No reviews Review required Approved review Changes requested

Assignee

Filter by who’s assigned

Assigned to nobody

Loading

Uh oh!

There was an error while loading. Please reload this page.

Sort

Sort by

Newest Oldest Most commented Least commented Recently updated Least recently updated Best match

Most reactions

Pull requests list

[Rule Tuning] Suspicious Windows Powershell Arguments backport: auto Domain: Endpoint OS: Windows

windows related rules

tweaking or tuning an existing rule

#4961 opened Aug 4, 2025 by w0rk3r

Loading…

2

feat: ESQL query validation against Elastic cluster

#4955 opened Aug 1, 2025 by traut • Draft

5 tasks

5

[Rule Tuning] Microsoft Entra ID Suspicious Session Reuse to Graph Access backport: auto Domain: Cloud Domain: Identity Integration: Azure

azure related rules

tweaking or tuning an existing rule

#4954 opened Aug 1, 2025 by terrancedejesus

Loading…

5 tasks

1

[New Rule] Potential Web Shell ASPX File Creation backport: auto Domain: Endpoint OS: Windows

windows related rules

Proposal for new rule

#4939 opened Jul 29, 2025 by w0rk3r

Loading…

3

[New Rule] Multi-Base64 Decoding Attempt from Suspicious Location backport: auto Domain: Endpoint OS: Linux Team: TRADE

#4931 opened Jul 24, 2025 by Aegrah

Loading…

1

[New Rule] Toolshell Exploit Chain Detections backport: auto bbr

Building Block Rules

Domain: Network Integration: Network Traffic Rule: New

Proposal for new rule

#4928 opened Jul 23, 2025 by terrancedejesus

Loading…

5 tasks

[New Rule/Tuning] Linux User or Group Deletion/Creation backport: auto Domain: Endpoint OS: Linux Rule: New

Proposal for new rule

Team: TRADE

#4861 opened Jun 30, 2025 by Aegrah • Draft

8

[New] Command Line Obfuscation via Whitespace Padding backport: auto Domain: Endpoint OS: Windows

windows related rules

Proposal for new rule

#4860 opened Jun 30, 2025 by Samirbous

Loading…

[New Rule] Kubectl Secret Access container OS: Linux Rule: New

Proposal for new rule

Team: TRADE

#4834 opened Jun 19, 2025 by Aegrah • Draft

3

[New Rules] Potential Relay Attack against a Computer Account backport: auto blocked Domain: Endpoint OS: Windows

windows related rules

Proposal for new rule

tweaking or tuning an existing rule

#4826 opened Jun 18, 2025 by w0rk3r

Loading…

3

[Rule: New] Potential Web Server Fuzzing Attempts Detected backlog backport: auto community

#4720 opened May 12, 2025 by MakoWish

Loading…

1 of 5 tasks

1

[New] Microsoft Entra ID Protection Alert and Device Registration backport: auto Domain: Cloud Workloads Domain: Cloud Integration: Azure

azure related rules

Integration: Microsoft 365 patch Rule: New

Proposal for new rule

#4688 opened Apr 30, 2025 by Samirbous

Loading…

6

[New] Potential SAP NetWeaver Exploitation rules backlog backport: auto OS: Linux OS: Windows

windows related rules

Proposal for new rule

#4666 opened Apr 26, 2025 by Samirbous

Loading…

[Security Content] Windows Audit Policies Config Guides - Repo Edition backlog backport: auto Domain: Endpoint OS: Windows

windows related rules

Security Content

#4501 opened Feb 26, 2025 by w0rk3r

Loading…

3

[Security Content] Basic EDR Setup Guides - Phase 1 backlog backport: auto Domain: Endpoint OS: Windows

windows related rules

Security Content

#4492 opened Feb 24, 2025 by w0rk3r • Draft

6

[New Rule] Active Directory Forced Authentication from Linux Host backlog backport: auto Domain: Endpoint OS: Windows

windows related rules

Proposal for new rule

#3912 opened Jul 22, 2024 by w0rk3r • Draft

[Rule Tuning] Update rules using NPC integration and non-ECS fields backlog backport: auto blocked Domain: Network Rule: Tuning

tweaking or tuning an existing rule

#3194 opened Oct 16, 2023 by brokensound77

Loading…

ProTip! Find all pull requests that aren't related to any open issues with -linked:issue.

Footer

© 2025 GitHub, Inc.

Footer navigation

Terms
Privacy
Security
Status
Docs
Contact

You can’t perform that action at this time.