---
title: Author rules
description: Create and configure detection rules tailored to your environment and threat model.
url: https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/author-rules
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Author rules
Create custom detection rules tailored to your environment and threat model. The pages in this section guide you through selecting a rule type, writing rule logic, and configuring settings.
<definitions>
  <definition term="Choose the right rule type">
    Start here if you're not sure which rule type fits your use case. Compares all rule types side by side.
  </definition>
  <definition term="Rule types">
    Detailed guidance for each rule type, including when to use it and field configuration specific to that type.
  </definition>
  <definition term="Using the UI">
    Step-by-step workflow for creating rules in the Elastic Security UI.
  </definition>
  <definition term="Using the API">
    Create or manage rules programmatically, integrate with CI/CD pipelines, or bulk-import rules.
  </definition>
  <definition term="Common rule settings">
    Reference for all shared rule settings: severity, risk score, schedule, actions, and notification variables.
  </definition>
  <definition term="Set rule data sources">
    Override default index patterns, target specific indices, or exclude cold and frozen data tiers.
  </definition>
  <definition term="Write investigation guides">
    Add triage guidance to rules using Markdown, Timeline query buttons, and Osquery integration.
  </definition>
  <definition term="Validate and test rules">
    Test rule logic against historical data and assess alert volume before enabling in production.
  </definition>
</definitions>