Customize Elastic prebuilt rules

Prebuilt rules provide a starting point for threat detection, but you may need to adapt them to your environment. This page explains how to customize prebuilt rules based on your subscription level.

Your subscription determines how you can customize prebuilt rules:

Capability                      Basic–Platinum    Enterprise
Add exceptions to rules         Yes               Yes
Configure rule actions          Yes               Yes
Duplicate and modify copies     Yes               Yes
Edit prebuilt rules directly    No                Yes
Revert to Elastic version       No                Yes

For Serverless, Security Analytics Essentials corresponds to Basic–Platinum, and Security Analytics Complete corresponds to Enterprise.

Edit prebuilt rules directly

Requirements

This feature requires an Enterprise subscription on Elastic Stack or a Security Analytics Complete project on Serverless.

With an Enterprise subscription on Elastic Stack or a Security Analytics Complete project on Serverless, you can edit most prebuilt rule settings directly (except Author and License).

  1. Find Detection rules (SIEM) in the navigation menu or by using the global search field.
  2. In the Rules table, find the prebuilt rule you want to edit.
  3. Do one of the following:
    • Select the All actions menu on a rule, then select Edit rule settings.
    • Select a rule's name to open its details page, then select Edit rule settings.
  4. Modify the rule's settings.
  5. Select Save changes.

Tracking modifications

After saving changes to a prebuilt rule, modified fields are marked with the Modified badge. From the rule's details page, select the badge to view a side-by-side comparison of the original Elastic version and your modified version. Deleted characters are highlighted in red; added characters are highlighted in green. You can also access this comparison by clicking the Modified Elastic rule badge under the rule's name.
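
The comparison described above, reproduced as an added example (not Elastic's code): it computes which fields of a customized rule differ from the Elastic version, skipping the locked Author and License fields, and produces the character-level deleted/added segments with Python's difflib. The two rule documents are constructed samples in the rule export format, not real prebuilt rules.

```python
import difflib
import json

# Constructed sample (not a real Elastic rule): the Elastic version of a
# prebuilt rule and the same rule after customization in the rule editor.
ORIGINAL_RULE = {
    "rule_id": "example-0001",
    "name": "Example Process Execution",
    "query": 'process where event.type == "start" and process.name == "foo.exe"',
    "severity": "medium",
    "risk_score": 47,
    "author": ["Elastic"],
    "license": "Elastic License v2",
}
MODIFIED_RULE = {
    **ORIGINAL_RULE,
    "query": ORIGINAL_RULE["query"] + ' and not user.name == "svc_backup"',
    "severity": "high",
    "risk_score": 73,
}
# Author and License cannot be edited on a prebuilt rule, so never report them.
LOCKED_FIELDS = ("author", "license")

def modified_fields(original, modified):
    """Return {field: (original_value, modified_value)} for every field that
    differs between the Elastic version and the customized rule."""
    changes = {}
    for field in sorted(set(original) | set(modified)):
        old, new = original.get(field), modified.get(field)
        if field not in LOCKED_FIELDS and old != new:
            changes[field] = (old, new)
    return changes

def char_diff(old, new):
    """Character-level diff like the Modified badge view: (op, text) pairs with
    op 'equal', 'delete' (red in the UI) or 'insert' (green); non-strings as JSON."""
    a = old if isinstance(old, str) else json.dumps(old)
    b = new if isinstance(new, str) else json.dumps(new)
    ops = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag == "equal":
            ops.append(("equal", a[i1:i2]))
        else:  # a 'replace' becomes a delete followed by an insert
            if i2 > i1:
                ops.append(("delete", a[i1:i2]))
            if j2 > j1:
                ops.append(("insert", b[j1:j2]))
    return ops
```

Running `modified_fields(ORIGINAL_RULE, MODIFIED_RULE)` reports `query`, `severity` and `risk_score`; the query diff is one equal segment followed by one inserted segment.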

  • Updates may cause conflicts: When Elastic releases an update that changes the same fields you modified, you need to resolve the conflict. Refer to Resolve update conflicts.
  • Revert if needed: You can restore the original Elastic version at any time. Refer to Revert to Elastic version.

Duplicate prebuilt rules

If you can't edit prebuilt rules directly, or if you want to preserve the original rule while creating a customized version, duplicate the rule first.

Note

Duplicated rules are entirely separate from the original prebuilt rule. They don't receive Elastic updates when the prebuilt rule is updated.

  1. Find Detection rules (SIEM) in the navigation menu or by using the global search field.
  2. In the Rules table, select the Elastic rules filter.
  3. Do one of the following:
    • Duplicate a single rule: Select the All actions menu on the rule, then select Duplicate.
    • Duplicate multiple rules: Select one or more rules (or select Select all x rules), then select Bulk actions → Duplicate.
  4. If the rule has exceptions, select how to handle them:
    • Duplicate the rule and its exceptions (active and expired)
    • Duplicate the rule and active exceptions only
    • Duplicate only the rule
  5. Select Duplicate.

Note

If you duplicate a rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's default rule list. If the original rule used exceptions from a shared exception list, the duplicated rule references the same shared exception list.

After duplicating, you can:

  • Modify the duplicated rule's settings as needed.
  • Turn off the original prebuilt rule if you don't want both rules running.
  • Delete the original prebuilt rule if you no longer need it.

Add exceptions to prebuilt rules

All subscriptions allow you to add exceptions to prebuilt rules without duplicating them. Exceptions prevent rules from generating alerts for specific conditions.

  1. Open the prebuilt rule's details page.
  2. Go to the Rule exceptions tab.
  3. Select Add rule exception and configure the exception conditions.

For detailed guidance, refer to Add and manage exceptions.

Configure rule actions

All subscriptions allow you to configure rule actions (notifications) on prebuilt rules without duplicating them.

  1. Find Detection rules (SIEM) in the navigation menu.
  2. Select the All actions menu on a rule, then select Edit rule settings.
  3. Go to the Actions tab and configure the desired actions.
  4. Select Save changes.

For detailed guidance, refer to Rule actions.

Revert to Elastic version

With an Enterprise subscription (or Security Analytics Complete), you can edit prebuilt rules directly. If you've modified a prebuilt rule and want to restore the original Elastic version:

  1. Open the rule's details page.
  2. Select the All actions menu, then select Revert to Elastic version.
  3. In the flyout, review the modified fields. Deleted characters are highlighted in red; added characters are highlighted in green.
  4. Select Revert to restore the modified fields to their original versions.

Note

If you haven't updated the rule in a while, its original version might be unavailable for comparison. You can avoid this by regularly updating prebuilt rules.