elastic / detection-rules
https://www.elastic.co/guide/en/security/current/detection-engine-overview.html
1.92k stars, 492 forks

Issues (sorted newest first)
#4143  [Meta] WMI Rules using Elastic Defend WMI Events (Samirbous, opened 4 hours ago, 0 comments)
#4142  Endpoint Security - Decrease max events to Kibana allowance of 1k (nicpenning, closed 1 day ago, 2 comments)
#4141  [New Rule] `Successful Application SSO from Rare Unknown Client Device` (terrancedejesus, closed 1 day ago, 1 comment)
#4140  Latest ECS & Beats schemas, Integration manifests & schemas (shashank-elastic, opened 1 day ago, 1 comment)
#4139  [Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (joseph-coulter, opened 5 days ago, 0 comments)
#4138  [New Rule][BBR] A user logged into Slack from a new country (brokensound77, opened 5 days ago, 0 comments)
#4137  [New Rule] A user has downloaded an excessive amount of files in Slack over a short period (brokensound77, opened 5 days ago, 0 comments)
#4136  [New Rule] A user previewed multiple Slack rooms without joining in a short period (brokensound77, opened 5 days ago, 0 comments)
#4135  [New Rule][BBR] A user previewed a Slack channel without joining (brokensound77, opened 5 days ago, 0 comments)
#4134  [New Rule] Excessive apps installed in Slack over short duration (brokensound77, opened 5 days ago, 0 comments)
#4133  [New Rule] An anomaly was detected with a Slack user (brokensound77, opened 5 days ago, 0 comments)
#4132  [New Rule] Multiple self adds to Google Workspace user groups in short succession (brokensound77, closed 6 days ago, 1 comment)
#4131  [New Rule] Multiple self adds to Google Workspace user groups in short succession (brokensound77, opened 6 days ago, 0 comments)
#4130  [New Rule] Google Workspace User Group Access Modified to Allow External Access (brokensound77, opened 6 days ago, 0 comments)
#4129  [New Rule] Multiple successive Google Workspace groups joined or requested to join in short succession (brokensound77, opened 6 days ago, 0 comments)
#4128  [Rule Tuning] External User Added to Google Workspace Group (brokensound77, opened 6 days ago, 0 comments)
#4127  [New Rule] Searches for sensitive files via Google Workspace Cloud Search (brokensound77, opened 6 days ago, 1 comment)
#4126  [Rule Tuning] Add `METADATA` checks for non-aggregate ES|QL queries and fix existing (terrancedejesus, opened 6 days ago, 1 comment)
#4125  [New hunt] A sensitive canary file was accessed in Google Workspace (brokensound77, opened 6 days ago, 0 comments)
#4124  [New hunt] All file activity by user and action in Google Workspace (brokensound77, opened 6 days ago, 0 comments)
#4123  [New hunt] Sensitive file access by user in Google Workspace (brokensound77, closed 6 days ago, 1 comment)
#4122  [New hunt] Sensitive file access by user in Google Workspace (brokensound77, opened 6 days ago, 0 comments)
#4121  [New hunt] All files accessed by user in Google Workspace (brokensound77, opened 6 days ago, 0 comments)
#4120  [Rule Tuning] Google Workspace Drive Encryption Key(s) Accessed from Anonymous User (brokensound77, opened 6 days ago, 0 comments)
#4119  [Rule Tuning] Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy (brokensound77, opened 6 days ago, 0 comments)
#4118  [Rule Tuning] Fixing Incorrect ES|QL Operator Use - AWS Service Quotas Multi-Region `GetServiceQuota` Request (terrancedejesus, closed 6 days ago, 1 comment)
#4117  [Rule Tuning] Active Directory Forced Authentication from Linux Host - SMB Named Pipes (w0rk3r, opened 1 week ago, 1 comment)
#4116  Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (github-actions[bot], closed 1 week ago, 0 comments)
#4115  Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (github-actions[bot], closed 1 week ago, 1 comment)
#4114  [Tuning] Updated references (Aegrah, closed 1 week ago, 1 comment)
#4113  react_sync_rta_updates_4098 (protectionsmachine, closed 1 week ago, 1 comment)
#4112  [Tuning] Suspicious .NET Reflection via PowerShell (Samirbous, closed 1 week ago, 1 comment)
#4111  Fix GenAI Request Model ID Filed (shashank-elastic, closed 1 week ago, 1 comment)
#4110  react_sync_rta_updates_4099 (protectionsmachine, closed 1 week ago, 1 comment)
#4109  react_sync_rta_updates_4102 (protectionsmachine, closed 1 week ago, 1 comment)
#4108  react_sync_rta_updates_4105 (protectionsmachine, closed 1 week ago, 1 comment)
#4107  react_sync_rta_updates_4096 (protectionsmachine, closed 1 week ago, 1 comment)
#4106  [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE) (Aegrah, closed 1 week ago, 1 comment)
#4105  [Rule Tuning] Ignore "Not Available" in `o365.audit.UserId` for Microsoft 365 Rules (terrancedejesus, closed 1 week ago, 1 comment)
#4104  [Tuning] Attempt to Establish VScode Remote Tunnel (Samirbous, closed 1 week ago, 1 comment)
#4103  [Rule Tuning] Microsoft 365 Impossible travel activity (willemri, opened 1 week ago, 0 comments)
#4102  [New Hunt] Detect authentication to a new Okta app over the last 30 days (brokensound77, opened 2 weeks ago, 1 comment)
#4101  [New Rule][BBR] Detect authentication to a new Okta app over the last 30 days (brokensound77, opened 2 weeks ago, 0 comments)
#4100  [New Hunt] Detect users authenticating with Okta to more than 10 unique apps within a 5 minute period (with app details) (brokensound77, opened 2 weeks ago, 0 comments)
#4099  [New Rule] Detect users authenticating with Okta to more than 10 unique apps within a 5 minute period (brokensound77, opened 2 weeks ago, 0 comments)
#4098  Expand `elasticsearch` Version Dependency to `<=8.16.0,>=8.12.1` (terrancedejesus, opened 2 weeks ago, 0 comments)
#4097  [Docs | Rule Tuning] Add blog references to rules (Mikaayenson, closed 1 week ago, 1 comment)
#4096  Add testcase to check for related_integrations based on index (shashank-elastic, opened 2 weeks ago, 2 comments)
#4095  [Meta] Evaluate moving PowerShell Rules to ES|QL (w0rk3r, opened 2 weeks ago, 0 comments)
#4094  [Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (imays11, closed 2 weeks ago, 1 comment)