Create a detection rule
Build custom detection rules tailored to your environment and threat model. The pages in this section walk you through selecting a rule type, writing rule logic, and configuring rule settings.
- Select the right rule type
  - Start here if you're not sure which rule type fits your use case. Compares all rule types side by side and explains how building block rules fit into detection chains.
- Rule types
  - Go here once you've selected a rule type. Each rule type page covers when to use it, how to write effective queries, real-world examples, and the field configuration specific to that type.
- Using the rule builder
  - The step-by-step workflow for creating rules in the Kibana UI. Covers the creation steps and links to rule settings and rule type guides.
- Using the API
  - Relevant if you need to create or manage rules programmatically, integrate rule management into CI/CD pipelines, or bulk-import rules.
- Set rule data sources
  - Relevant if you need to override the default index patterns for a specific rule, target a narrower set of indices, or exclude cold and frozen data tiers.
- Write investigation guides
  - Use this when you want to add triage guidance to a rule. Covers Markdown syntax, Timeline query buttons, and Osquery integration for investigation guides.
- Validate and test rules
  - Relevant before enabling a new rule in production. Covers how to test rule logic against historical data and assess alert volume.