Create a detection rule using the UI

Once the Detections feature is turned on, follow these steps to create a detection rule:

  1. Define the rule type. The configuration for this step varies depending on the rule type.
  2. Configure basic rule settings.
  3. Configure advanced rule settings (optional).
  4. Set the rule's schedule.
  5. Set up rule actions (optional).
  6. Set up response actions (optional).
Tip
  • At any step, you can preview the rule before saving it to see what kind of results you can expect.
  • To ensure rules don't search cold and frozen data when executing, either configure the excludedDataTiersForRuleExecution advanced setting (which applies to all rules in a space), or add a Query DSL filter to individual rules. These options are only available if you're on the Elastic Stack.
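The cold/frozen tier exclusion from the tip above, combined with the required settings from steps 1 and 4, as an added pre-flight check that can be run over exported rule definitions (example code, not from the page or from Elastic). It assumes the field names of the Kibana detection rules API body and the Elasticsearch `_tier` metadata field; the rule bodies are constructed.

```python
import re

# Elasticsearch tiers the tip says rules should not search.
EXCLUDED_TIERS = {"data_cold", "data_frozen"}

# Query DSL equivalent of the UI's "add a Query DSL filter" option: drop
# anything stored on the cold or frozen tier, using the _tier metadata field.
TIER_FILTER = {"bool": {"must_not": {"terms": {"_tier": sorted(EXCLUDED_TIERS)}}}}

_DURATION = re.compile(r"^(?:now-)?(\d+)([smhd])$")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value: str) -> int:
    """Convert '5m' or 'now-6m' style durations to seconds."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * _SECONDS[m.group(2)]

def excludes_cold_frozen(filters) -> bool:
    """True if some filter's must_not clause covers every excluded tier."""
    for f in filters:
        query = f.get("query", f)  # Kibana filter objects wrap the DSL under "query"
        must_not = query.get("bool", {}).get("must_not", [])
        clauses = must_not if isinstance(must_not, list) else [must_not]
        for clause in clauses:
            if EXCLUDED_TIERS <= set(clause.get("terms", {}).get("_tier", [])):
                return True
    return False

def check_rule(rule: dict) -> list:
    """Return findings for one rule body; an empty list means it passes."""
    findings = []
    for field in ("name", "type", "query", "index", "interval", "from"):
        if not rule.get(field):
            findings.append(f"missing required field: {field}")
    if not excludes_cold_frozen(rule.get("filters", [])):
        findings.append("no filter excluding cold/frozen tiers")
    try:
        if to_seconds(rule["from"]) < to_seconds(rule["interval"]):
            findings.append("look-back shorter than interval; events could be missed")
    except (KeyError, ValueError):
        pass  # a missing field was reported above; unknown formats are skipped
    return findings

# Constructed rule bodies: one set up as the tip recommends, one that is not.
GOOD_RULE = {"name": "Repeated sudo failures", "type": "query", "language": "kuery",
             "query": "process.name:sudo and event.outcome:failure",
             "index": ["logs-*"], "interval": "5m", "from": "now-6m",
             "filters": [{"query": TIER_FILTER}]}
BAD_RULE = {**GOOD_RULE, "filters": [], "from": "now-3m"}
```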

To create detection rules, you must have:

  • At least Read access to data views, which requires the Data View Management Kibana privilege in Elastic Stack or the appropriate user role in Serverless.
  • The required privileges to preview rules, manage rules, and manage alerts. Refer to Turn on detections for more details.
Note

Additional configuration is required for detection rules using cross-cluster search. Refer to Cross-cluster search and detection rules.

Each rule type has its own configuration and query requirements. Refer to the appropriate guide for type-specific instructions:

To understand which type to use, refer to Select the right rule type.