Downloadable rule updates
This section lists all updates to prebuilt detection rules, made available with the Prebuilt Security Detection Rules integration in Fleet.
To update your installed rules to the latest versions, follow the instructions in Update Elastic prebuilt rules.
For previous rule updates, please navigate to the last version.
| Update version | Date | New rules | Updated rules | Notes |
|---|---|---|---|---|
| | 18 Sep 2025 | 1 | 100 | This release includes significant rule tuning for Windows, Linux, Okta and AWS rules for better rule efficacy and performance. |
| | 02 Sep 2025 | 20 | 112 | This release includes new rules for Windows, Linux, Microsoft 365 and Network Traffic. New rules for Windows include detection for impact, credential access, execution, command and control, discovery and defense evasion. New rules for Linux include detection for defense evasion. New rules for Microsoft 365 and Network Traffic include detection for initial access. Additionally, significant rule tuning for Windows, AWS, Microsoft 365, MacOS and Azure rules has been added for better rule efficacy and performance. |
| | 19 Aug 2025 | 2 | 19 | This release includes new rules for Windows, Linux and MacOS. New rules for Windows include detection for persistence and defense evasion. New rules for Linux and MacOS include detection for defense evasion. Additionally, significant rule tuning for Windows, Okta and Azure rules has been added for better rule efficacy and performance. |
| | 06 Aug 2025 | 0 | 70 | This release includes tuned and deprecated rules. The deprecated rule is Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source. Additionally, ES|QL-based rules were tuned for dynamic field standardization, along with rule tuning for the Elastic Security promotion rule. |
| | 05 Aug 2025 | 8 | 3 | This release includes new rules for Windows and SOC integrations. New rules for Windows include detection for credential access. New rules for SOC integrations include promotion rules for Google SecOps, Elastic Security, Microsoft Sentinel, SentinelOne, CrowdStrike and Splunk. Additionally, significant rule tuning for Windows and Azure rules has been added for better rule efficacy and performance. |
| | 23 Jul 2025 | 8 | 37 | This release includes new rules for Linux, Azure and Kubernetes. The deprecated rules are Deprecated - Azure Virtual Network Device Modified or Deleted and Deprecated - AWS EC2 Snapshot Activity. New rules for Linux include detection for defense evasion. New rules for Azure include detection for persistence, credential access and discovery. New rules for Kubernetes include detection for execution. Additionally, significant rule tuning for Linux, AWS and Azure rules has been added for better rule efficacy and performance. |
| | 08 Jul 2025 | 15 | 73 | This release includes new rules for Linux, Azure, Kubernetes and Microsoft 365. The deprecated rule is Suspicious File Creation in /etc for Persistence. New rules for Linux include detection for persistence, defense evasion, discovery, command and control and execution. New rules for Azure include detection for persistence, initial access and defense evasion. New rules for Kubernetes include detection for defense evasion and execution. New rules for Microsoft 365 include detection for collection. Additionally, significant rule tuning for Windows, Linux, AWS, Azure and Microsoft 365 rules has been added for better rule efficacy and performance. |
| | 18 Jun 2025 | 13 | 26 | This release includes new rules for Windows, Linux, Azure and AWS. New rules for Windows include detection for initial access and credential access. New rules for Linux include detection for discovery, lateral movement and credential access. New rules for Azure include detection for initial access, credential access and discovery. New rules for AWS include detection for impact and defense evasion. Additionally, significant rule tuning for Windows, Linux, AWS, Azure and Kubernetes rules has been added for better rule efficacy and performance. |
| | 03 Jun 2025 | 6 | 11 | This release includes new rules for Windows, Azure and Microsoft 365. New rules for Windows include detection for privilege escalation and defense evasion. New rules for Azure include detection for initial access and privilege escalation. New rules for Microsoft 365 include detection for defense evasion. Additionally, significant rule tuning for Windows, AWS, Azure and Microsoft 365 rules has been added for better rule efficacy and performance. |
| | 20 May 2025 | 3 | 9 | This release includes new rules for Azure and Microsoft 365. New rules for Azure include detection for initial access and collection. New rules for Microsoft 365 include detection for credential access. Additionally, significant rule tuning for Windows, Azure and Microsoft 365 rules has been added for better rule efficacy and performance. |
| | 07 May 2025 | 39 | 41 | This release includes new rules for Windows, Linux, Azure, AWS and Microsoft 365. New rules for Windows include detection for defense evasion and credential access. New rules for Linux include detection for command and control, defense evasion, exfiltration, discovery, persistence, execution, privilege escalation and credential access. New rules for Azure include detection for initial access, credential access, collection, defense evasion and command and control. New rules for AWS include detection for impact. New rules for Microsoft 365 include detection for defense evasion, initial access and credential access. Additionally, significant rule tuning for Windows, Linux and Azure rules has been added for better rule efficacy and performance. |
| | 30 Apr 2025 | 0 | 55 | Version parity release, to ensure future updates are more meaningful and informative. |
| | 28 Apr 2025 | 21 | 11 | This release includes new rules for Windows, Linux, Azure and AWS. New rules for Windows include detection for defense evasion and execution. New rules for Linux include detection for credential access, execution, privilege escalation, lateral movement and discovery. New rules for Azure include detection for initial access. New rules for AWS include detection for initial access and persistence. Additionally, significant rule tuning for MacOS, Windows, Microsoft 365, Linux and Azure rules has been added for better rule efficacy and performance. |
| | 08 Apr 2025 | 5 | 75 | This release includes new rules for MacOS, Microsoft 365, AWS and PAD. New rules for MacOS include detection for command and control. New rules for Microsoft 365 include detection for initial access. New rules for AWS include detection for exfiltration. New rules for PAD include detection for privilege escalation. Elastic Defend for Containers rules are deprecated. Additionally, significant rule tuning for Linux, Windows, Microsoft 365 and Azure rules has been added for better rule efficacy and performance. |