---
title: Rule type guides
description: Learn when to use each detection rule type and access detailed guides for custom query, EQL, threshold, and more.
url: https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/rule-types
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Rule type guides
Elastic Security provides several rule types for building detections. Each rule type page covers when to use it, how to write effective queries, real-world examples, and field configuration specific to that type.

| What you want to detect                            | Rule type                                                                                                                      |
|----------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
| Aggregated, transformed, or computed conditions    | [ES\|QL](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/esql)                       |
| A known field value, pattern, or boolean condition | [Custom query](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/custom-query)         |
| An ordered sequence of events or a missing event   | [Event correlation (EQL)](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/eql)       |
| Events matching a known threat indicator           | [Indicator match](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/indicator-match)   |
| A field value count exceeding a boundary           | [Threshold](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/threshold)               |
| Behavioral anomalies without a fixed pattern       | [Machine learning](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/machine-learning) |
| A field value appearing for the first time         | [New terms](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/new-terms)               |

<tip>
  Still unsure which rule type fits your use case? Refer to [Choose the right rule type](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/choose-the-right-rule-type) for a decision guide comparing all rule types.
</tip>