Author rules
Create detection rules tailored to your environment and threat model. Whether you're writing rules from scratch or customizing prebuilt rules, the pages in this section guide you through selecting a rule type, writing rule logic, and configuring settings.
- Choose the right rule type: Start here if you're not sure which rule type fits your use case. Compares all rule types side by side.
- Rule types: Detailed guidance for each rule type, including when to use it and field configuration specific to that type.
- Using the rule builder: Step-by-step workflow for creating rules in the Elastic Security UI.
- Using the API: Create or manage rules programmatically, integrate with CI/CD pipelines, or bulk-import rules.
- Common rule settings: Reference for all shared rule settings: severity, risk score, schedule, actions, and notification variables.
- Set rule data sources: Override default index patterns, target specific indices, or exclude cold and frozen data tiers.
- Write investigation guides: Add triage guidance to rules using Markdown, Timeline query buttons, and Osquery integration.
- Validate and test rules: Test rule logic against historical data and assess alert volume before enabling in production.