Create a detection rule using the UI
Once the Detections feature is turned on, follow these steps to create a detection rule:
- Define the rule type. The configuration for this step varies depending on the rule type.
- Configure basic rule settings.
- Configure advanced rule settings (optional).
- Set the rule's schedule.
- Set up rule actions (optional).
- Set up response actions (optional).
Tip
- At any step, you can preview the rule before saving it to see what kind of results you can expect.
- To ensure rules don't search cold and frozen data when executing, either configure the `excludedDataTiersForRuleExecution` advanced setting (which applies to all rules in a space), or add a Query DSL filter to individual rules. These options are only available if you're on the Elastic Stack.
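The per-rule Query DSL filter mentioned in the tip, written out as an added example (not taken from this page or from the Elastic docs): it uses the standard Elasticsearch `_tier` metadata field and the standard tier names `data_cold` and `data_frozen` to keep a rule's query off those tiers. Paste it into the rule's Query DSL filter when defining the rule type.

```json
{
  "bool": {
    "must_not": {
      "terms": {
        "_tier": ["data_cold", "data_frozen"]
      }
    }
  }
}
```

Because this is a `must_not` clause, documents on hot, warm, and content tiers still match; only indices whose tier is cold or frozen are excluded from the rule's execution.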
To create detection rules, you must have:
- At least Read access to data views, which requires the Data View Management Kibana privilege in Elastic Stack or the appropriate user role in Serverless.
- The required privileges to preview rules, manage rules, and manage alerts. Refer to Turn on detections for more details.
Note
Additional configuration is required for detection rules using cross-cluster search. Refer to Cross-cluster search and detection rules.
Each rule type has its own configuration and query requirements. Refer to the appropriate guide for type-specific instructions:
To understand which type to use, refer to Select the right rule type.
- Rule settings reference: All shared rule settings, including severity, risk score, schedule, actions, and notification variables.
- Using the API: Create and manage rules programmatically.
- Manage detection rules: Enable, export, duplicate, and bulk-edit rules.