Prebuilt rules
Elastic maintains a library of prebuilt detection rules mapped to the MITRE ATT&CK framework. Enabling prebuilt rules is the fastest path to detection coverage and the recommended starting point before building custom rules. You can browse the full prebuilt rule catalog to see what's available.
- Install and manage prebuilt rules
- Start here if you're setting up prebuilt rules for the first time, or if you need to install new rules, enable or turn off existing ones, or review what data sources each rule requires. Also covers rule tags, customization options, and how to export or duplicate prebuilt rules.
- Update prebuilt rules
- Relevant when Elastic releases rule updates and you need to decide how to apply them. Explains how the update process works for rules you haven't modified versus rules you've customized, and how to resolve conflicts between your changes and Elastic's updates. Requires an Enterprise subscription on Elastic Stack or a Security Analytics Complete project on Serverless.
- MITRE ATT&CK coverage
- Use this page to visualize which MITRE ATT&CK tactics and techniques your installed rules cover. Helpful for identifying gaps in your detection posture and deciding which additional prebuilt rules to enable or where to build custom rules.