Detections and alerts
Elastic Security's detection engine evaluates your data against detection rules and generates alerts when rule criteria are met. Rules can correlate events across all connected data sources to surface threats that no single data stream would reveal on its own. Elastic Security provides several rule types, from field-value matches to event correlation, machine learning anomaly detection, and more.
| Your goal | Start here |
|---|---|
| Set up detection for the first time | Requirements and privileges → Install prebuilt rules |
| Take over an existing deployment | MITRE ATT&CK coverage → Monitor rule executions |
| Build coverage for a specific threat | Choose the right rule type → Rule builder |
| Reduce noise from existing rules | Tune detection rules → Exceptions, Suppression, or Snooze |
The following stages represent the suggested path to a functioning detection program. Most deployments move through these stages roughly in order, though the boundaries are not strict: tuning and noise reduction are ongoing rather than a final stage.
- Confirm requirements. Verify infrastructure, privileges, and data availability.
- Assess coverage gaps. Use MITRE ATT&CK coverage to identify priority areas.
- Enable prebuilt rules. Activate Elastic's maintained rule library for priority tactics.
- Build custom rules. Fill remaining gaps with rules tailored to your environment.
- Validate before enabling. Test rule logic against historical data before going live.
- Monitor rule health. Confirm rules are executing correctly and generating alerts.
- Reduce noise. Tune, add exceptions, suppress, or snooze as needed.
A minimal viable detection program (prebuilt rules enabled for your highest-priority tactics, running correctly, with noise managed to an actionable level) is a meaningful outcome at any stage of this workflow. You do not need to complete every stage before your detection program delivers value.
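To make the correlation, exception and suppression stages above concrete, here is an added Python example written for this page; it is a toy stand-in, not Elastic Security's detection engine or its rule format. The two data sources, the host/user/outcome field names, the 3-failure threshold and the 5-minute window are all constructed assumptions, and the whole pipeline is run as a dry run over the sample events the way you would validate a rule against historical data before enabling it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry) from two sources, "auth" and
# "process", joined on "host". Field names are assumptions made for this demo.
def ev(ts, source, host, user, **extra):
    return {"ts": ts, "source": source, "host": host, "user": user, **extra}
EVENTS = [
    ev("2024-05-01T10:00:00", "auth", "ws-01", "alice", outcome="failure"),
    ev("2024-05-01T10:00:20", "auth", "ws-01", "alice", outcome="failure"),
    ev("2024-05-01T10:00:40", "auth", "ws-01", "alice", outcome="failure"),
    ev("2024-05-01T10:01:30", "process", "ws-01", "alice", name="powershell.exe"),
    ev("2024-05-01T10:02:00", "process", "ws-01", "alice", name="powershell.exe"),
    ev("2024-05-01T11:00:00", "auth", "scanner-01", "svc_scan", outcome="failure"),
    ev("2024-05-01T11:00:05", "auth", "scanner-01", "svc_scan", outcome="failure"),
    ev("2024-05-01T11:00:10", "auth", "scanner-01", "svc_scan", outcome="failure"),
    ev("2024-05-01T11:00:30", "process", "scanner-01", "svc_scan", name="powershell.exe"),
]

def correlate(events, failures=3, window=timedelta(minutes=5)):
    """Correlation rule: a process start on a host preceded within `window` by at
    least `failures` auth failures on that host. Neither source alone matches."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        fails = [datetime.fromisoformat(e["ts"]) for e in evs
                 if e["source"] == "auth" and e.get("outcome") == "failure"]
        for e in (x for x in evs if x["source"] == "process"):
            t = datetime.fromisoformat(e["ts"])
            if sum(t - window <= f <= t for f in fails) >= failures:
                alerts.append({"host": host, "user": e["user"], "process": e["name"], "ts": e["ts"]})
    return alerts

def apply_exceptions(alerts, exceptions):
    """Exception list: drop any alert whose fields all match one exception item."""
    return [a for a in alerts
            if not any(all(a.get(k) == v for k, v in ex.items()) for ex in exceptions)]

def suppress(alerts, fields=("host", "user")):
    """Suppression: collapse repeated alerts on the same entity into one with a count."""
    merged = {}
    for a in alerts:
        merged.setdefault(tuple(a[f] for f in fields), dict(a, count=0))["count"] += 1
    return list(merged.values())

def evaluate(events=EVENTS, exceptions=({"host": "scanner-01"},)):
    """Dry run of the whole pipeline against historical events before enabling the rule."""
    return suppress(apply_exceptions(correlate(events), exceptions))
```

Running `evaluate()` yields a single alert for ws-01/alice with `count == 2`: the raw rule fires three times, the exception for the known scanner host removes one, and suppression folds the two remaining hits on the same host and user into one actionable alert.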