---
title: Create a detection rule using the UI
description: Step-by-step guide to create detection rules using the Kibana rule builder UI.
url: https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/using-the-rule-ui
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Create a detection rule using the UI
Once the Detections feature is [turned on](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/turn-on-detections), follow these steps to create a detection rule. At any step, you can preview the rule before saving it to see what kind of results you can expect.
1. Define the [rule type](/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/choose-the-right-rule-type#rule-types). The configuration for this step varies depending on the rule type. For field descriptions specific to each type, refer to the [Rule types](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/rule-types) section.
2. Configure [basic rule settings](/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/common-rule-settings#rule-ui-basic-params).
3. (Optional) Configure [advanced rule settings](/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/common-rule-settings#rule-ui-advanced-params).
4. Set the [rule's schedule](/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/common-rule-settings#rule-schedule).
5. (Optional) Set up [rule actions](/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/common-rule-settings#rule-notifications).
6. (Optional) Set up [response actions](/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/common-rule-settings#rule-response-action).
7. Create and enable the rule, or create the rule without enabling it.
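The seven steps above map onto a small set of rule fields, and seeing them side by side makes the UI choices concrete. The following is an added example, not code from the page or from Elastic: it builds a custom query rule with the same settings the UI collects (type and query, basic settings, schedule, and whether to enable it) as a Detection Engine API request body, and sends it only when `KIBANA_URL` and `KIBANA_API_KEY` are set. The endpoint `POST /api/detection_engine/rules` and the field names are taken from the Detection Engine API; the host, key, index pattern, query text and rule name are constructed placeholders. Rule actions and response actions (steps 5 and 6) need connector configuration and are left out.

```python
import json
import os
import re
import urllib.request  # standard library only, so the script runs offline

_DURATION = re.compile(r"^(\d+)([smh])$")
_SECONDS = {"s": 1, "m": 60, "h": 3600}
_SEVERITIES = ("low", "medium", "high", "critical")


def to_seconds(duration: str) -> int:
    """Parse a UI-style duration such as 30s, 5m or 1h."""
    match = _DURATION.match(duration)
    if not match:
        raise ValueError(f"bad duration {duration!r}; use e.g. 30s, 5m, 1h")
    return int(match.group(1)) * _SECONDS[match.group(2)]


def schedule_fields(runs_every: str, lookback: str) -> dict:
    """Step 4 (schedule): 'Runs every' becomes `interval`; each run queries
    interval + 'Additional look-back time', so consecutive runs overlap and
    events that arrive late are still seen by a later run."""
    window = to_seconds(runs_every) + to_seconds(lookback)
    return {"interval": runs_every, "from": f"now-{window}s", "to": "now"}


def build_custom_query_rule(name, description, query, index, severity,
                            risk_score, runs_every="5m", lookback="1m",
                            tags=None, enabled=False) -> dict:
    """Steps 1, 2, 4 and 7 as one request body. enabled=False is the
    'create without enabling' choice from step 7."""
    if severity not in _SEVERITIES:
        raise ValueError(f"severity must be one of {_SEVERITIES}")
    if not 0 <= risk_score <= 100:
        raise ValueError("risk_score must be between 0 and 100")
    if not index:
        raise ValueError("a custom query rule needs at least one index pattern")
    body = {
        "type": "query",       # step 1: custom query rule type
        "language": "kuery",   # KQL, the UI default for this type
        "query": query,
        "index": list(index),
        "name": name,          # step 2: basic settings
        "description": description,
        "severity": severity,
        "risk_score": risk_score,
        "tags": list(tags or []),
        "enabled": enabled,
    }
    body.update(schedule_fields(runs_every, lookback))
    return body


def create_rule(kibana_url: str, api_key: str, body: dict) -> dict:
    """POST the body to Kibana. The rule runs with a snapshot of the privileges
    of the user behind this API key, so call it as a user that can read the
    rule's index pattern, or the rule will silently stop producing alerts."""
    req = urllib.request.Request(
        f"{kibana_url.rstrip('/')}/api/detection_engine/rules",
        data=json.dumps(body).encode(),
        headers={
            "kbn-xsrf": "true",  # Kibana rejects state-changing calls without it
            "Content-Type": "application/json",
            "Authorization": f"ApiKey {api_key}",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder rule; adjust the query and index to your data.
    rule = build_custom_query_rule(
        name="Example: sudo from a service account",
        description="Illustrates the UI-to-API field mapping.",
        query='event.category:process and process.name:"sudo" and user.name:svc-*',
        index=["logs-*"],
        severity="medium",
        risk_score=47,
        tags=["example"],
    )
    print(json.dumps(rule, indent=2))
    if os.environ.get("KIBANA_URL") and os.environ.get("KIBANA_API_KEY"):
        created = create_rule(os.environ["KIBANA_URL"], os.environ["KIBANA_API_KEY"], rule)
        print("created rule id:", created["id"])
```

The schedule arithmetic is the part worth checking before saving a rule: "Runs every 5m" with "Additional look-back time 1m" yields `interval: 5m` and `from: now-360s`, so each run covers six minutes and adjacent runs overlap by one. Setting the look-back to zero is what causes gaps when ingest lags.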

<agent-skill url="https://github.com/elastic/agent-skills/tree/main/skills/security/detection-rule-management">
  A skill is available to help AI agents with this topic.
</agent-skill>

<admonition title="Create rules programmatically">
  If you prefer to create rules programmatically instead of using the UI, refer to [Using the API](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/using-the-api).
</admonition>

<important>
Rules run in the background using the privileges of the user who last edited them. When you create or modify a rule, Elastic Security generates an [API key](https://www.elastic.co/elastic/docs-builder/docs/3016/deploy-manage/api-keys/elasticsearch-api-keys) that captures a snapshot of your current privileges. If a user without the required privileges (such as read access to the rule's indices) updates a rule, the rule can stop functioning correctly and no longer generate alerts. To fix this, a user with the right privileges needs to either modify the rule or update the API key. To learn more, refer to [Detection rule concepts > Rule authorization](/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/detection-rule-concepts#rule-authorization-concept).
</important>


## Detection rule requirements

To create detection rules, you must have:
- At least `Read` access to data views, which requires the `Data View Management` [Kibana privilege](https://www.elastic.co/elastic/docs-builder/docs/3016/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles) in Elastic Stack or the appropriate [user role](https://www.elastic.co/elastic/docs-builder/docs/3016/deploy-manage/users-roles/cloud-organization/user-roles) in Serverless.
- The required privileges to preview rules, manage rules, and manage alerts. Refer to [Turn on detections](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/turn-on-detections) for more details.

<note>
  Additional configuration is required for detection rules using cross-cluster search. Refer to [Cross-cluster search and detection rules](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/cross-cluster-search-detection-rules).
</note>


## Rule type guides

Each rule type has its own configuration and query requirements. Refer to the appropriate guide for type-specific instructions:
- [Custom query](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/custom-query)
- [Event correlation (EQL)](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/eql)
- [Threshold](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/threshold)
- [Indicator match](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/indicator-match)
- [New terms](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/new-terms)
- [ES|QL](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/esql)
- [Machine learning](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/machine-learning)

To understand which type to use, refer to [Select the right rule type](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/choose-the-right-rule-type).

## Next steps

After creating the rule, you can change its settings, enable or disable it, and more. Refer to [Manage detection rules](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/manage-detection-rules) for more information.