Rule type guides
Elastic Security provides several rule types for building detections. Each rule type page covers when to use it, how to write effective queries, real-world examples, and field configuration specific to that type.
Not sure which rule type fits your use case? Refer to *Select the right rule type* for a decision guide that compares all rule types.
| If you want to detect... | Rule type |
|---|---|
| A known field value, pattern, or boolean condition in individual events | Custom query |
| An ordered sequence of events, or an expected event that never occurs | Event correlation (EQL) |
| An event count, or a count of unique field values, that exceeds a set threshold | Threshold |
| Events whose field values match a known threat indicator | Indicator match |
| A field value (or combination of values) seen for the first time within a lookback window | New terms |
| Aggregated, transformed, or computed conditions across many events | ES\|QL |
| Behavioral anomalies that have no fixed pattern to query for | Machine learning |
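To make the table concrete, the following is an added example, not part of the original page or of the Elastic project's own rule set. It expresses one detection goal, failed logins followed by a success, as the request bodies of the Detection Engine rules API for several rule types, so the differences between the types are visible side by side. The index pattern `logs-*`, the field names, the threshold of 10, the 14-day history window, the indicator index `logs-ti_*`, and the job ID `auth_rare_user` are all assumptions chosen for illustration; adapt them to your own data.

```json
[
  {
    "name": "Example custom query: failed authentication",
    "description": "Added example. Fires once per event that matches the KQL condition.",
    "type": "query",
    "language": "kuery",
    "index": ["logs-*"],
    "query": "event.category:authentication and event.outcome:failure",
    "risk_score": 21,
    "severity": "low"
  },
  {
    "name": "Example threshold: many failures per user",
    "description": "Added example. Fires only when the grouped count exceeds the threshold (assumed: 10).",
    "type": "threshold",
    "language": "kuery",
    "index": ["logs-*"],
    "query": "event.category:authentication and event.outcome:failure",
    "threshold": { "field": ["user.name", "source.ip"], "value": 10 },
    "risk_score": 47,
    "severity": "medium"
  },
  {
    "name": "Example EQL: failures followed by a success",
    "description": "Added example. Orders events in time; maxspan is an assumed 5-minute window.",
    "type": "eql",
    "language": "eql",
    "index": ["logs-*"],
    "query": "sequence by host.id, user.name with maxspan=5m\n  [authentication where event.outcome == \"failure\"]\n  [authentication where event.outcome == \"failure\"]\n  [authentication where event.outcome == \"success\"]",
    "risk_score": 73,
    "severity": "high"
  },
  {
    "name": "Example new terms: first login from a new source for a user",
    "description": "Added example. Fires when the user.name + source.ip pair was not seen in the assumed 14-day history window.",
    "type": "new_terms",
    "language": "kuery",
    "index": ["logs-*"],
    "query": "event.category:authentication and event.outcome:success",
    "new_terms_fields": ["user.name", "source.ip"],
    "history_window_start": "now-14d",
    "risk_score": 47,
    "severity": "medium"
  },
  {
    "name": "Example ES|QL: aggregated failure ratio per user",
    "description": "Added example. The condition is computed from an aggregation, which the other types cannot express directly.",
    "type": "esql",
    "language": "esql",
    "query": "FROM logs-* METADATA _id, _index\n| WHERE event.category == \"authentication\"\n| STATS failures = COUNT(CASE(event.outcome == \"failure\", 1, NULL)), total = COUNT(*) BY user.name, source.ip\n| WHERE total >= 10 AND failures / total > 0.8",
    "risk_score": 47,
    "severity": "medium"
  },
  {
    "name": "Example indicator match: source IP on an intel list",
    "description": "Added example. threat_index and the indicator field path are assumptions for illustration.",
    "type": "threat_match",
    "language": "kuery",
    "index": ["logs-*"],
    "query": "source.ip:*",
    "threat_index": ["logs-ti_*"],
    "threat_query": "threat.indicator.type:ipv4-addr",
    "threat_indicator_path": "threat.indicator",
    "threat_mapping": [
      { "entries": [ { "field": "source.ip", "type": "mapping", "value": "threat.indicator.ip" } ] }
    ],
    "risk_score": 73,
    "severity": "high"
  },
  {
    "name": "Example machine learning: rare authenticating user",
    "description": "Added example. The job ID is assumed; the job must already exist and be running.",
    "type": "machine_learning",
    "machine_learning_job_id": ["auth_rare_user"],
    "anomaly_threshold": 75,
    "risk_score": 47,
    "severity": "medium"
  }
]
```

Each object can be sent on its own as the body of a `POST` to the detection engine rules API. Read the set as a comparison: the custom query alerts on every failure, the threshold rule waits for volume, the EQL rule requires order, the new terms rule cares only about novelty, the ES|QL rule evaluates a computed ratio, the indicator match rule joins events against intel, and the machine learning rule delegates the pattern to a model. Picking the wrong type for a goal usually shows up as either noise (too many single-event alerts) or blind spots (a sequence condition collapsed into a count).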