﻿---
title: Detections and alerts
description: Elastic Security's detection engine evaluates your data against detection rules and generates alerts when rule criteria are met. Rules can correlate events...
url: https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Detections and alerts
Elastic Security's detection engine evaluates your data against detection rules and generates alerts when rule criteria are met. Rules can correlate events across all connected data sources to surface threats that no single data stream would reveal on its own. Elastic Security provides several [rule types](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/choose-the-right-rule-type), from field-value matches to event correlation, machine learning anomaly detection, and more.

The detection engine also surfaces alerts from [Elastic Defend's endpoint protection](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/manage-elastic-defend/endpoint-protection-rules) (malware, ransomware, memory threats, and malicious behavior) and [external alerts](https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/promotions/external_alerts) from third-party tools like Suricata, giving you a unified view of threats across your security stack.

## Where to start


| Your goal                                  | Start here                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Set up detection for the first time        | [Setup](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/before-you-begin#one-time-setup) → [Install prebuilt rules](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/install-prebuilt-rules) |
| Take over or manage an existing deployment | [MITRE ATT&CK coverage](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/mitre-attack-coverage) → [Monitor rule executions](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/monitor-rule-executions)                                                                                                                                                                                                                                   |
| Build coverage for a specific threat       | [Choose the right rule type](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/choose-the-right-rule-type) → [Build it using the UI](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/using-the-rule-ui)                                                                                                                                                                                                                                 |
| Reduce noise from existing rules           | [Tune detection rules](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/tune-detection-rules) → [Exceptions](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/rule-exceptions), [Suppression](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/alert-suppression), or [Snooze](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/manage-detection-rules#snooze-rule-actions) |


## Detection program lifecycle

The following stages represent the suggested path to a functioning detection program. Most deployments move through these stages roughly in order, though the boundaries are not strict: tuning and noise reduction are ongoing rather than a final stage.

1. **Confirm requirements.** Verify infrastructure, privileges, and data availability.
2. **Assess coverage gaps.** Identify which threats matter most to your environment, then use MITRE ATT&CK coverage to find gaps in your detection rules.
3. **Enable prebuilt rules.** Activate Elastic's maintained rule library for priority tactics.
4. **Build custom rules.** Fill remaining gaps with rules tailored to your environment.
5. **Validate before enabling.** Test rule logic against historical data before going live.
6. **Monitor rule health.** Confirm rules are executing correctly and generating alerts.
7. **Reduce noise.** Tune, add exceptions, suppress, or snooze as needed.

A minimal viable detection program (prebuilt rules enabled for your highest-priority tactics and techniques, running correctly, with noise managed to an actionable level) is a meaningful outcome at any stage of this workflow. You do not need to complete every stage before your detection program delivers value.
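The following is an added, self-contained illustration of the mechanics described on this page: a rule is evaluated against events, a correlation rule fires only when events from two data sources line up on the same host, and the noise-reduction controls from stage 7 (an exception that drops a known-benign event before it becomes an alert, and suppression that collapses repeated hits per host into one alert) change what reaches the analyst. It is example code written for this page, not Elastic's detection engine or its rule schema; the rule classes, field names, hosts, users and the domain are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

# Constructed sample events from two data sources (an endpoint agent and a
# network sensor). Hosts, users and the domain are made-up values.
EVENTS: List[Event] = [
    {"@timestamp": 1, "source": "endpoint", "host": "ws-01", "user": "alice",
     "event": "process_start", "process": "powershell.exe"},
    {"@timestamp": 2, "source": "network", "host": "ws-01",
     "event": "dns_query", "domain": "lookup.example"},
    {"@timestamp": 3, "source": "endpoint", "host": "ws-02", "user": "bob",
     "event": "process_start", "process": "powershell.exe"},
    {"@timestamp": 4, "source": "endpoint", "host": "ws-02", "user": "bob",
     "event": "process_start", "process": "powershell.exe"},
    {"@timestamp": 5, "source": "endpoint", "host": "ws-03", "user": "svc-backup",
     "event": "process_start", "process": "powershell.exe"},
]


@dataclass
class Alert:
    rule: str
    key: str              # host (or suppression group value) the alert is about
    count: int            # number of events collapsed into this alert
    events: List[Event]   # the evidence, kept so an analyst can review it


@dataclass
class MatchRule:
    """Hypothetical field-value match rule: one alert per matching event
    unless suppression groups them."""
    name: str
    predicate: Callable[[Event], bool]
    exceptions: List[Callable[[Event], bool]] = field(default_factory=list)
    suppress_by: Optional[str] = None   # field whose value groups alerts


@dataclass
class SequenceRule:
    """Hypothetical cross-source correlation rule: `first` followed by
    `second` on the same host within `window` seconds."""
    name: str
    first: Callable[[Event], bool]
    second: Callable[[Event], bool]
    window: int


def run_match_rule(rule: MatchRule, events: List[Event]) -> List[Alert]:
    # Exceptions remove events before they can become alerts.
    hits = [e for e in events
            if rule.predicate(e) and not any(x(e) for x in rule.exceptions)]
    if rule.suppress_by is None:
        return [Alert(rule.name, str(e["host"]), 1, [e]) for e in hits]
    # Suppression: hits sharing the grouping field collapse into one alert
    # that still records how many events it stands for.
    groups: Dict[str, List[Event]] = defaultdict(list)
    for e in hits:
        groups[str(e[rule.suppress_by])].append(e)
    return [Alert(rule.name, k, len(es), es) for k, es in groups.items()]


def run_sequence_rule(rule: SequenceRule, events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    ordered = sorted(events, key=lambda e: e["@timestamp"])
    for i, a in enumerate(ordered):
        if not rule.first(a):
            continue
        for b in ordered[i + 1:]:
            if b["@timestamp"] - a["@timestamp"] > rule.window:
                break   # sorted input: nothing later can be inside the window
            if b["host"] == a["host"] and rule.second(b):
                alerts.append(Alert(rule.name, str(a["host"]), 1, [a, b]))
                break
    return alerts


def is_powershell_start(e: Event) -> bool:
    return e["event"] == "process_start" and e.get("process") == "powershell.exe"


POWERSHELL_RULE = MatchRule(
    name="PowerShell process start",
    predicate=is_powershell_start,
    exceptions=[lambda e: e.get("user") == "svc-backup"],  # known backup job
    suppress_by="host",
)

SEQUENCE_RULE = SequenceRule(
    name="PowerShell start followed by DNS query",
    first=is_powershell_start,
    second=lambda e: e["event"] == "dns_query",
    window=60,
)


def run_rules(events: List[Event]) -> Dict[str, List[Alert]]:
    return {
        POWERSHELL_RULE.name: run_match_rule(POWERSHELL_RULE, events),
        SEQUENCE_RULE.name: run_sequence_rule(SEQUENCE_RULE, events),
    }


if __name__ == "__main__":
    for name, alerts in run_rules(EVENTS).items():
        for a in alerts:
            print(f"{name}: {a.key} ({a.count} event(s))")
```

Against the five constructed events, the untuned match rule would raise four alerts; with the exception and per-host suppression applied it raises two (one for `ws-01`, one for `ws-02` standing for two events), and the correlation rule raises a single alert for `ws-01`, the only host where the endpoint and network streams line up. The point of keeping `events` on the alert is that suppression reduces volume without discarding the evidence an analyst needs to triage it.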