---
title: Turn on detections
description: Learn how to configure and enable the Detections feature in Elastic Security for your deployment type.
url: https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/turn-on-detections
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Turn on detections
Before you can create rules, manage alerts, or use other [detection capabilities](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert), you need to enable the detections feature. This page walks you through the required setup for your deployment type and shows you how to turn on detections.
<tab-set>
  <tab-item title="Elastic Cloud Serverless">
    The detections feature is turned on by default in Serverless projects. Your access level depends on your assigned role.

    | Access level                                   | Roles                                                                  |
    |------------------------------------------------|------------------------------------------------------------------------|
    | Full access (manage rules, alerts, exceptions) | Editor, SOC Manager, Detections Eng, Tier 3 Analyst, Platform Engineer |
    | Read-only (only view rules and alerts)         | Viewer, Tier 1 Analyst, Tier 2 Analyst                                 |

    Refer to [Predefined roles](/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/detections-privileges#predefined-serverless-roles-detections) for a list of predefined roles with detection privileges.
  </tab-item>

  <tab-item title="Elastic Cloud">
    To activate the detection engine, open the **Rules** page. Find **Detection rules (SIEM)** in the navigation menu or use the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3016/explore-analyze/find-and-organize/find-apps-and-objects). The engine initializes automatically when a user with [sufficient privileges](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/detections-privileges) opens the page.
    <note>
      The **Rules** page was renamed to **Detection rules (SIEM)** in versions 9.3.1, 9.2.6, and 8.19.12.
    </note>
    No additional configuration is required.
  </tab-item>

  <tab-item title="Self-managed Elastic Stack">
    Complete these steps to turn on the detections feature in your space.
    <stepper>
      <step title="Enable HTTPS">
        Configure HTTPS for communication between [Elasticsearch and Kibana](/elastic/docs-builder/docs/3016/deploy-manage/security/set-up-basic-security-plus-https#encrypt-kibana-http).
      </step>

      <step title="Configure {{kib}}">
        In your [`kibana.yml`](https://www.elastic.co/elastic/docs-builder/docs/3016/deploy-manage/stack-settings) file, add an encryption key with at least 32 alphanumeric characters. The value below is only an example; use your own randomly generated key:
        ```yaml
        xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'
        ```

        <important>
          After changing the encryption key and restarting Kibana, you must restart all detection rules.
        </important>
      </step>

      <step title="Configure {{es}}">
        In your [`elasticsearch.yml`](https://www.elastic.co/elastic/docs-builder/docs/3016/deploy-manage/deploy/self-managed/configure-elasticsearch) file:
        1. Set `xpack.security.enabled` to `true`. Refer to [General security settings](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/elasticsearch/configuration-reference/security-settings#general-security-settings) for more information.
        2. Ensure `search.allow_expensive_queries` is `true` (the default). If it's set to `false`, remove that setting.
      </step>

      <step title="Enable detections">
        1. Go to the **Rules** page. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3016/explore-analyze/find-and-organize/find-apps-and-objects).
        2. The detection engine initializes when a user with [sufficient privileges](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/detections-privileges) visits the page.

        <note>
          To enable detections in multiple spaces, visit the **Rules** page in each space.
        </note>
      </step>
    </stepper>
  </tab-item>
</tab-set>
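
A preflight check for the self-managed **Configure** steps above, as an added example (not Elastic's own code). It assumes both files use flat `dotted.key: value` lines like the snippet on this page; the function names and sample file contents are constructed for illustration.

```python
import secrets

KEY_SETTING = "xpack.encryptedSavedObjects.encryptionKey"
# Sample key printed on this page; a published value must never be deployed.
DOC_SAMPLE_KEY = "fhjskloppd678ehkdfdlliverpoolfcr"

def flat_settings(text):
    """Parse flat 'dotted.key: value' lines (assumption: no nested YAML)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip()
        if value[:1] in ("'", '"'):
            value = value[1:].split(value[0], 1)[0]  # text inside the quotes
        else:
            value = value.split(" #", 1)[0].strip()  # drop an inline comment
        settings[key.strip()] = value
    return settings

def new_encryption_key():
    """64 random hex characters: alphanumeric and above the 32-character minimum."""
    return secrets.token_hex(32)

def check_kibana(text):
    key = flat_settings(text).get(KEY_SETTING, "")
    if not key:
        return [f"{KEY_SETTING} is not set"]
    if key == DOC_SAMPLE_KEY:
        return ["encryption key is the published documentation sample"]
    if len(key) < 32 or not key.isalnum():
        return ["encryption key needs at least 32 alphanumeric characters"]
    return []

def check_elasticsearch(text):
    s, problems = flat_settings(text), []
    if s.get("xpack.security.enabled", "").lower() != "true":
        problems.append("xpack.security.enabled is not set to true")
    if s.get("search.allow_expensive_queries", "true").lower() == "false":
        problems.append("search.allow_expensive_queries is false; remove the setting")
    return problems

# Constructed sample file contents, not taken from a real deployment.
SAMPLE_KIBANA = f"server.port: 5601\n{KEY_SETTING}: '{DOC_SAMPLE_KEY}'\n"
SAMPLE_ES = "xpack.security.enabled: true\nsearch.allow_expensive_queries: false  # tuning\n"

if __name__ == "__main__":
    print(check_kibana(SAMPLE_KIBANA), check_elasticsearch(SAMPLE_ES))
    print(check_kibana(f"{KEY_SETTING}: '{new_encryption_key()}'"))
```

An empty list from both checks means the two configuration steps are satisfied; HTTPS between Elasticsearch and Kibana still has to be verified separately.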