Pull requests: elastic/detection-rules
Pull requests list
[Rule Tuning] Multiple Remote Management Tool Vendors on Same Host
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: Tuning
tweaking or tuning an existing rule
#6331
opened Jun 24, 2026 by
w0rk3r
Contributor
Loading…
[New Rule] Potential SSH Reverse Port Forwarding
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: New
Proposal for new rule
#6330
opened Jun 24, 2026 by
w0rk3r
Contributor
Loading…
[Rule Tuning] Migrate Phase 1 vendor fields to ECS and trim non-ecs schema
patch
Rule: Tuning
tweaking or tuning an existing rule
schema
#6328
opened Jun 23, 2026 by
Mikaayenson
Contributor
•
Draft
3 of 5 tasks
[Rule Tuning] First Time Seen Remote Monitoring and Management Tool
backport: auto
Domain: Endpoint
OS: Windows
windows related rules
Rule: Tuning
tweaking or tuning an existing rule
#6326
opened Jun 23, 2026 by
w0rk3r
Contributor
Loading…
[New Rule] Entra ID Potential Conditional Access MFA Bypass via First-Party Microsoft Graph Access
backport: auto
Domain: Cloud
Domain: Identity
Integration: Azure
azure related rules
Rule: New
Proposal for new rule
#6325
opened Jun 22, 2026 by
terrancedejesus
Contributor
Loading…
5 tasks
[New Rule] AWS Backup Monitoring or Audit Controls Disabled
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6315
opened Jun 19, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] AWS Backup Recovery Point Lifecycle Modified
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6314
opened Jun 19, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] AWS Backup Vault Access Policy Modified or Deleted
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6313
opened Jun 19, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] AWS Backup Plan or Selection Deleted
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6312
opened Jun 19, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] AWS Backup Vault Deleted or Vault Lock Removed
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6311
opened Jun 19, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] AWS Backup Recovery Point Deleted
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6310
opened Jun 19, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[DaC] [Bug] Raw rule loading fails when deprecated and active rules share a name
backport: auto
bug
Something isn't working
detections-as-code
patch
python
Internal python for the repository
#6309
opened Jun 18, 2026 by
eric-forte-elastic
Contributor
Loading…
1 of 5 tasks
[Rule Tuning] Refine scope of SMTP and IPSEC NAT Rules
backport: auto
Domain: Network
integration: Zeek
Rule: Tuning
tweaking or tuning an existing rule
#6307
opened Jun 18, 2026 by
eric-forte-elastic
Contributor
Loading…
5 tasks
[New Rule] Azure AD Graph Access with Unusual User and ASN
backport: auto
Domain: Cloud
Integration: Azure
azure related rules
Rule: New
Proposal for new rule
#6305
opened Jun 18, 2026 by
terrancedejesus
Contributor
Loading…
5 tasks
[New Rule] AWS KMS Imported Key Material Deleted
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6304
opened Jun 18, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] AWS IAM Login Profile Created or Modified for an IAM User
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6303
opened Jun 18, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] AWS IAM Account Password Policy Deleted
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6302
opened Jun 18, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] AWS IAM Inline Policy Added to a Group
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6301
opened Jun 18, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] AWS IAM Permissions Boundary Modified or Removed
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6300
opened Jun 18, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] AWS Lambda Function Invoked Cross-Account
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6299
opened Jun 18, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] AWS Lambda Function High-Frequency Invocation by a Single Principal
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6298
opened Jun 18, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] AWS Lambda Execution Role Credentials Used Outside Lambda
backport: auto
Domain: Cloud
Integration: AWS
AWS related rules
Rule: New
Proposal for new rule
#6292
opened Jun 18, 2026 by
bryans3c
Contributor
Loading…
5 tasks
[New Rule] Splunk Enterprise PostgreSQL Sidecar Pre-Auth RCE (CVE-2026-20253)
backport: auto
Domain: Network
Integration: Endpoint
Elastic Endpoint Security
Integration: Network Traffic
integration: Zeek
Rule: New
Proposal for new rule
#6279
opened Jun 15, 2026 by
eric-forte-elastic
Contributor
Loading…
5 tasks
ProTip!
What’s not been updated in a month: updated:<2026-05-25.