Downloadable rule updates
editDownloadable rule updates
editThis section lists all updates to prebuilt detection rules, made available with the Prebuilt Security Detection Rules integration in Fleet.
To update your installed rules to the latest versions, follow the instructions in Update Elastic prebuilt rules.
For previous rule updates, please navigate to the last version.
| Update version | Date | New rules | Updated rules | Notes |
|---|---|---|---|---|
18 Sep 2025 |
1 |
100 |
This release includes significant rule tuning for Windows, Linux, Okta and AWS rules for better rule efficacy and performance. |
|
02 Sep 2025 |
22 |
112 |
This release includes new rules for Windows, Linux, Microsoft 365 and Network Traffic. New rules for Windows include detection for impact, credential access, execution, command and control, discovery and defense evasion. New rules for Linux include detection for defense evasion. New rules for Microsoft 365 and Network Traffic include detection for initial access. Additionally, significant rule tuning for Windows, AWS, Microsoft 365, MacOS and Azure rules has been added for better rule efficacy and performance. |
|
19 Aug 2025 |
2 |
19 |
This release includes new rules for Windows, Linux and MacOS. New rules for Windows include detection for persistence and defense evasion. New rules for Linux and MacOS include detection for defense evasion. Additionally, significant rule tuning for Windows, Okta and Azure rules has been added for better rule efficacy and performance. |
|
06 Aug 2025 |
0 |
70 |
This release includes tuned and deprecated rules. Deprecated rule includes Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source. Additionally, ESQL-based rules were tuned for dynamic field standardization along with rule tuning for Elastic Security promotion rule. |
|
05 Aug 2025 |
8 |
3 |
This release includes new rules for Windows and SOC integrations New rules for Windows include detection for credential access. New rules for SOC integrations include promotion rules for Google SecOps, Elastic Security, Microsoft Sentinel, SentinelOne, CrowdStrike and Splunk. Additionally, significant rule tuning for Windows and Azure rules has been added for better rule efficacy and performance. |
|
23 Jul 2025 |
8 |
37 |
This release includes new rules for Linux, Azure and Kubernetes. The deprecated rules includes Deprecated - Azure Virtual Network Device Modified or Deleted and Deprecated - AWS EC2 Snapshot Activity New rules for Linux include detection for defense evasion. New rules for Azure include detection for persistence, credential access and discovery. New rules for Kubernetes include detection for execution. Additionally, significant rule tuning for Linux, AWS and Azure rules has been added for better rule efficacy and performance. |
|
08 Jul 2025 |
15 |
73 |
This release includes new rules for Linux, Azure, Kubernetes and Microsoft 365. The deprecated rule includes Suspicious File Creation in /etc for Persistence New rules for Linux include detection for persistence, defense evasion, discovery, command and control and execution. New rules for Azure include detection for persistence, initial access and defense evasion. New rules for Kubernetes include detection for defense evasion and execution. New rules for Microsoft 365 include detection for collection. Additionally, significant rule tuning for Windows, Linux, AWS, Azure and Microsoft 365 rules has been added for better rule efficacy and performance. |