Turn on detections
Before you can create rules, manage alerts, or use other detection capabilities, you need to enable the Detections feature. This page walks you through the required setup for your deployment type and shows you how to turn on detections.
Serverless
In Serverless projects, the detections feature is turned on by default. Your access level depends on your assigned role.
| Access level | Roles |
|---|---|
| Full access (manage rules, alerts, exceptions) | Editor, SOC Manager, Detections Eng, Tier 3 Analyst, Platform Engineer |
| Read-only (only view rules and alerts) | Viewer, Tier 1 Analyst, Tier 2 Analyst |
Refer to Predefined roles for a list of predefined roles with detection privileges.
The detection engine initializes automatically when a user with sufficient privileges visits the Rules page. To open the page, find Detection rules (SIEM) in the navigation menu or use the global search field. No additional configuration is required.
Elastic Stack
Complete these steps to turn on the detections feature in your space.
1. Enable HTTPS
   Configure HTTPS for communication between Elasticsearch and Kibana.
2. Configure Kibana
   In your `kibana.yml` file, add an encryption key with at least 32 alphanumeric characters:
   `xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'`
   The value shown is only an illustration. Generate your own random key (for example with `bin/kibana-encryption-keys generate`) rather than copying it: this key encrypts the secrets that rules and connectors store as saved objects, and a published value offers no protection.
   Important: After changing the encryption key and restarting Kibana, you must restart all detection rules.
3. Configure Elasticsearch
   In your `elasticsearch.yml` file:
   - Set `xpack.security.enabled` to `true`. Refer to General security settings for more information.
   - Ensure `search.allow_expensive_queries` is `true` (the default). If it's set to `false`, remove that setting.
4. Enable detections
   - Go to the Rules page: find Detection rules (SIEM) in the navigation menu or use the global search field.
   - The detection engine initializes when a user with sufficient privileges visits the page.
   Note: To enable detections in multiple spaces, visit the Rules page in each space.
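The following script is an added example, not part of Elastic's documentation or its shipped tooling. It generates an encryption key that meets the documented minimum and lints a `kibana.yml` and an `elasticsearch.yml` for the settings the steps above require (HTTPS on the Kibana-to-Elasticsearch hop, a 32-character alphanumeric encryption key, security enabled, expensive queries not disabled). The file paths are arguments, the sample configs it runs against are constructed inside the script, and the checks assume one-line settings (the inline `elasticsearch.hosts: [...]` form); a multi-line YAML list is not parsed.

```shell
#!/bin/sh
# Added example (not Elastic's code): generate a Kibana encryption key and
# lint the two config files for the settings required to turn on detections.
set -eu

# 32 random alphanumeric characters from /dev/urandom. Use this, or the shipped
# `bin/kibana-encryption-keys generate`, instead of the sample key printed in
# the docs, which is public and therefore not a secret.
gen_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Succeeds only if the key meets the documented minimum:
# at least 32 characters, all alphanumeric.
key_ok() {
  case "$1" in
    '' | *[!A-Za-z0-9]*) return 1 ;;
  esac
  [ "${#1}" -ge 32 ]
}

# Print one line per problem found in elasticsearch.yml; return 1 if any.
# The steps ask for an explicit `xpack.security.enabled: true`, so an absent
# line is reported as well as an explicit false.
check_es_yml() {
  rc=0
  if ! grep -Eq '^[[:space:]]*xpack\.security\.enabled:[[:space:]]*true[[:space:]]*(#.*)?$' "$1"; then
    echo "$1: xpack.security.enabled is not set to true"; rc=1
  fi
  if grep -Eq '^[[:space:]]*search\.allow_expensive_queries:[[:space:]]*false' "$1"; then
    echo "$1: remove search.allow_expensive_queries: false (detections need the default, true)"; rc=1
  fi
  return $rc
}

# Print one line per problem found in kibana.yml; return 1 if any.
check_kibana_yml() {
  rc=0
  # Take the raw value after the setting name, then strip quotes and comments.
  raw=$(sed -n 's/^[[:space:]]*xpack\.encryptedSavedObjects\.encryptionKey:[[:space:]]*//p' "$1" | head -n 1)
  key=$(printf '%s' "$raw" | tr -d "'\"" | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//')
  if ! key_ok "$key"; then
    echo "$1: xpack.encryptedSavedObjects.encryptionKey missing or shorter than 32 alphanumeric characters"; rc=1
  fi
  # Step 1 (HTTPS): a plaintext Elasticsearch URL means no TLS on that hop.
  if grep -Eq '^[[:space:]]*elasticsearch\.hosts:.*http://' "$1"; then
    echo "$1: elasticsearch.hosts uses http://; configure HTTPS between Kibana and Elasticsearch"; rc=1
  fi
  return $rc
}

# Demonstration on constructed sample files (not real configs).
demo() {
  d=$(mktemp -d)
  # A deployment that skipped the steps: security off, expensive queries off,
  # plaintext Elasticsearch URL, and a key far below the minimum length.
  cat >"$d/elasticsearch.yml" <<'EOF'
xpack.security.enabled: false
search.allow_expensive_queries: false
EOF
  cat >"$d/kibana.yml" <<'EOF'
elasticsearch.hosts: ["http://localhost:9200"]
xpack.encryptedSavedObjects.encryptionKey: 'short'
EOF
  check_es_yml "$d/elasticsearch.yml" || true
  check_kibana_yml "$d/kibana.yml" || true

  # The corrected pair, with a freshly generated key.
  printf 'xpack.security.enabled: true\n' >"$d/elasticsearch.yml"
  printf 'elasticsearch.hosts: ["https://localhost:9200"]\nxpack.encryptedSavedObjects.encryptionKey: "%s"\n' \
    "$(gen_key)" >"$d/kibana.yml"
  if check_es_yml "$d/elasticsearch.yml" && check_kibana_yml "$d/kibana.yml"; then
    echo "config OK"
  fi
  rm -rf "$d"
}

demo
```

Run it as-is to see the four findings for the broken sample followed by `config OK` for the corrected one; point `check_es_yml` and `check_kibana_yml` at real files to lint a deployment before visiting the Rules page.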
With detections enabled, you're ready to create rules and start responding to threats. Do the following:
Add detection rules
- Install Elastic prebuilt rules: Get started quickly with hundreds of rules that detect common threats
- Create custom rules: Write rules tailored to your environment
- Configure anomaly detection rules: Use machine learning to detect unusual behavior
Respond to and manage alerts
- Manage detection alerts: Triage, investigate, and resolve alerts
- Set up alert notifications: Send alerts to external systems like Slack, email, or ticketing tools
- Tune rules to reduce noise: Add exceptions and adjust rules to minimize false positives
For a complete walkthrough, check out Quickstart: Detect and respond to threats with SIEM.