---
title: Choose the right rule type
description: Compare detection rule types and select the best fit for your threat detection use case.
url: https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/choose-the-right-rule-type
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Choose the right rule type
Unsure which rule type to use? This guide helps you decide. Elastic Security offers several detection rule types, each designed for a different kind of threat signal. Selecting the right type matters because it determines what the rule can detect, how much work each rule run does, and what its alerts contain and how they are grouped.

## Rule type comparison

Use the following table to select the right rule type. The rows are ordered as a decision flow: start at the top and use the first rule type that fits your detection goal.

| Ask yourself                                                               | Rule type                                                                                                                      | Description                                                                                                                                                                                                          |
|----------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Is the threat a behavioral deviation I can't define with an exact pattern? | [Machine learning](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/machine-learning) | Relies on machine learning anomaly detection jobs to model normal behavior and flag deviations; an alert is created when an anomaly's score meets the rule's score threshold. No query authoring required, but you must create or select the anomaly jobs, and they must be running. |
| Do I need to compare events against a threat intelligence feed?            | [Indicator match](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/indicator-match)   | Compares fields in source events against indicators stored in threat intelligence indices. Alerts are enriched with the matching indicator's metadata.                                                                |
| Am I looking for a field value appearing for the first time?               | [New terms](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/new-terms)               | Fires when a field value (or a combination of up to three field values) appears that was not seen during a configurable history window. Surfaces novel activity, such as a user logging on from a never-before-seen host. |
| Does detection require an ordered sequence of events or a missing event?   | [Event correlation (EQL)](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/eql)       | Uses EQL to correlate events that share a field value (for example `host.id`) in order over time. Detects multi-step attack chains and gaps in expected activity (a step that should have occurred but did not).      |
| Should an alert fire when event volume crosses a threshold?                | [Threshold](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/threshold)               | Fires when the number of matching events, grouped by one or more fields, meets or exceeds a threshold; one alert is created per group. Ideal for brute-force and other volume-based patterns.                          |
| Do I need aggregation, transformation, or computed fields?                 | [ES\|QL](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/esql)                       | Uses pipe-based ES\|QL queries to aggregate, transform, and filter data before alerting. Each row returned by the query becomes an alert.                                                                              |
| None of the above?                                                         | [Custom query](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/detect-and-alert/custom-query)         | Matches individual events using KQL or Lucene. The most flexible and widely used type for known field values, patterns, or boolean conditions; each matching event becomes an alert.                                  |
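To make the differences between the volume-based, first-seen, and ordered-sequence rows concrete, the following Python models the matching semantics of three of the rule types above (threshold, new terms, and an EQL-style sequence) and runs them over the same constructed events. This is an added illustration, not Elastic's rule engine or any code from the original page: the events, field names (ECS-style `event.category`, `source.ip`, `user.name`, `host.id`, `process.name`), thresholds, windows, and helper names are all assumptions, and scheduling, index patterns, lookback, and alert deduplication are deliberately left out.

```python
"""Simplified models of three Elastic detection rule types (threshold, new terms,
EQL-style sequence) run over constructed sample events.

Added illustration only: this is NOT Elastic's rule engine. Field names follow
ECS conventions and all events below are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(event):
    """Parse the event's ISO-8601 @timestamp into a datetime."""
    return datetime.fromisoformat(event["@timestamp"])


# Query predicates standing in for the KQL/EQL filters a real rule would carry.
def auth_failure(e):
    return e.get("event.category") == "authentication" and e.get("event.outcome") == "failure"


def auth_success(e):
    return e.get("event.category") == "authentication" and e.get("event.outcome") == "success"


def powershell_start(e):
    return e.get("event.category") == "process" and e.get("process.name") == "powershell.exe"


def _auth(t, outcome, user, ip, host):
    return {"@timestamp": t, "event.category": "authentication", "event.outcome": outcome,
            "user.name": user, "source.ip": ip, "host.id": host}


# Constructed data: HISTORY is what the index already held before this rule run,
# EVENTS is what arrived during the run's window.
HISTORY = [_auth("2024-01-09T09:00:00", "success", "alice", "10.0.0.5", "h1"),
           _auth("2024-01-09T09:30:00", "success", "bob", "10.0.0.6", "h1")]
EVENTS = [_auth(f"2024-01-10T10:00:{i:02d}", "failure", "alice", "203.0.113.7", "h1")
          for i in range(6)]                                   # 6 failures, one source
EVENTS += [_auth("2024-01-10T10:01:00", "failure", "bob", "198.51.100.2", "h1"),   # lone failure
           _auth("2024-01-10T10:02:00", "success", "alice", "10.0.0.5", "h1"),     # known user
           _auth("2024-01-10T10:05:00", "success", "svc_backup", "10.0.0.9", "h2"),  # never-seen user
           {"@timestamp": "2024-01-10T10:05:30", "event.category": "process",
            "process.name": "powershell.exe", "host.id": "h2"}]                     # follows the logon


def threshold_rule(events, query, group_by, value):
    """Threshold: count matching events per group; one alert per group at or above `value`."""
    counts = defaultdict(int)
    for e in events:
        if query(e):
            counts[tuple(e.get(f) for f in group_by)] += 1
    return {group: n for group, n in counts.items() if n >= value}


def new_terms_rule(events, history, query, fields, history_window_days, now):
    """New terms: alert on a field-value combination absent from the history window.
    Only the first occurrence in this run fires; later repeats are already 'seen'."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=history_window_days)
    seen = {tuple(e.get(f) for f in fields) for e in history if query(e) and ts(e) >= cutoff}
    alerts = []
    for e in sorted(events, key=ts):
        key = tuple(e.get(f) for f in fields)
        if query(e) and None not in key and key not in seen:   # every field must be present
            alerts.append(key)
            seen.add(key)
    return alerts


def sequence_rule(events, by, steps, maxspan_seconds):
    """EQL-style sequence: the steps must match in order for the same `by` value,
    with the whole chain inside maxspan. Returns (join value, matched timestamps)."""
    per_key = defaultdict(list)
    for e in sorted(events, key=ts):
        if e.get(by) is not None:                               # `by` field is required to join
            per_key[e[by]].append(e)
    alerts = []
    for key, chain_events in per_key.items():
        matched = []
        for e in chain_events:
            if matched and ts(e) - ts(matched[0]) > timedelta(seconds=maxspan_seconds):
                matched = []                                    # chain expired, look for step 1 again
            if steps[len(matched)](e):
                matched.append(e)
                if len(matched) == len(steps):
                    alerts.append((key, [m["@timestamp"] for m in matched]))
                    matched = []
    return alerts


def run_all():
    """Run the three rule models over the same events so the differences are visible."""
    return {
        "threshold": threshold_rule(EVENTS, auth_failure, ["source.ip"], 5),
        "new_terms": new_terms_rule(EVENTS, HISTORY, auth_success, ["user.name"], 30,
                                    "2024-01-10T10:10:00"),
        "sequence": sequence_rule(EVENTS, "host.id", [auth_success, powershell_start], 300),
    }


if __name__ == "__main__":
    for rule_type, alerts in run_all().items():
        print(f"{rule_type}: {alerts}")
```

Run over the same events, the threshold model fires once for `203.0.113.7` (six failures, above the value of 5) and ignores the single failure from `198.51.100.2`; the new terms model fires only for `svc_backup`, because `alice` already appears in the history window; and the sequence model fires only on `h2`, where a successful logon is followed within five minutes by a `powershell.exe` start, while `h1` has the logon but never the second step. Swapping the predicates or the group/join fields is how you would probe whether a candidate detection is really a volume question, a first-seen question, or an ordering question before committing to a rule type.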