Detections and alerts
Elastic Security's detection engine evaluates your data against detection rules and generates alerts when rule criteria are met. Rules can correlate events across all connected data sources to surface threats that no single data stream would reveal on its own. Elastic Security provides several rule types, from field-value matches to event correlation, machine learning anomaly detection, and more.
The detection engine also surfaces alerts from Elastic Defend's endpoint protection (malware, ransomware, memory threats, and malicious behavior) and external alerts from third-party tools like Suricata, giving you a unified view of threats across your security stack.
| Your goal | Start here |
|---|---|
| Set up detection for the first time | Setup → Install prebuilt rules |
| Take over an existing deployment | MITRE ATT&CK coverage → Monitor rule executions |
| Build coverage for a specific threat | Choose the right rule type → Build it using the UI |
| Reduce noise from existing rules | Tune detection rules → Exceptions, Suppression, or Snooze |
The following stages represent the suggested path to a functioning detection program. Most deployments move through these stages roughly in order, though the boundaries are not strict: tuning and noise reduction are ongoing rather than a final stage.
- Confirm requirements. Verify infrastructure, privileges, and data availability.
- Assess coverage gaps. Use MITRE ATT&CK coverage to identify priority areas.
- Enable prebuilt rules. Activate Elastic's maintained rule library for priority tactics.
- Build custom rules. Fill remaining gaps with rules tailored to your environment.
- Validate before enabling. Run rule logic against historical data first to check that it matches what you expect and to estimate alert volume before going live.
- Monitor rule health. Confirm rules are executing on schedule without failures or gaps and are generating the alerts you expect.
- Reduce noise. Tune, add exceptions, suppress, or snooze as needed.
A minimal viable detection program (prebuilt rules enabled for your highest-priority tactics, executing correctly, with noise managed to an actionable level) is a meaningful outcome in its own right. You do not need to complete every stage before your detection program delivers value.
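The following Python is an added illustration, not Elastic's code: it models the three ideas this page introduces, cross-source correlation (an Elastic Defend malware alert followed by a Suricata alert on the same host), exceptions, and alert suppression, as a toy rule evaluator run over a handful of constructed events. The events, ECS-style field names, 10-minute window, exception entry and rule name are all assumptions made for the example; the real engine evaluates rules as queries against Elasticsearch indices rather than iterating over a list.

```python
"""Toy model of a correlation rule with exceptions and suppression.

Not Elastic's detection engine. Field names, window, exception list and the
sample events below are assumptions made for the example.
"""
from datetime import datetime, timedelta

# Constructed sample events (flattened, ECS-like keys). Two data sources:
# Elastic Defend endpoint alerts and Suricata IDS alerts.
EVENTS = [
    {"@timestamp": "2024-05-01T09:00:00Z", "host.name": "ws-09", "event.module": "endpoint", "event.category": "malware"},
    {"@timestamp": "2024-05-01T09:30:00Z", "host.name": "ws-09", "event.module": "suricata", "rule.name": "ET MALWARE C2 checkin"},
    {"@timestamp": "2024-05-01T10:00:05Z", "host.name": "ws-17", "event.module": "endpoint", "event.category": "malware"},
    {"@timestamp": "2024-05-01T10:01:00Z", "host.name": "srv-02", "event.module": "suricata", "rule.name": "ET SCAN SSH brute force"},
    {"@timestamp": "2024-05-01T10:02:40Z", "host.name": "ws-17", "event.module": "suricata", "rule.name": "ET MALWARE C2 checkin"},
    {"@timestamp": "2024-05-01T10:03:00Z", "host.name": "sandbox-01", "event.module": "endpoint", "event.category": "malware"},
    {"@timestamp": "2024-05-01T10:04:00Z", "host.name": "sandbox-01", "event.module": "suricata", "rule.name": "ET MALWARE C2 checkin"},
    {"@timestamp": "2024-05-01T10:05:10Z", "host.name": "ws-17", "event.module": "suricata", "rule.name": "ET MALWARE DNS tunnelling"},
]

# Hypothetical exception: a detonation sandbox that is expected to trip both sources.
EXCEPTIONS = [{"host.name": "sandbox-01"}]

RULE_NAME = "Endpoint malware followed by IDS alert on same host"


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(events, window_minutes=10):
    """Sequence rule: a Defend malware alert followed within the window by a
    Suricata alert on the same host. Neither source alone produces an alert."""
    ordered = sorted(events, key=lambda e: parse_ts(e["@timestamp"]))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for i, first in enumerate(ordered):
        if first.get("event.module") != "endpoint" or first.get("event.category") != "malware":
            continue
        t0 = parse_ts(first["@timestamp"])
        for second in ordered[i + 1:]:
            if parse_ts(second["@timestamp"]) - t0 > window:
                break  # events are sorted, nothing later can match this one
            if second.get("event.module") == "suricata" and second["host.name"] == first["host.name"]:
                alerts.append({
                    "rule.name": RULE_NAME,
                    "host.name": first["host.name"],
                    "@timestamp": second["@timestamp"],
                    "ids.rule": second.get("rule.name"),
                })
    return alerts


def apply_exceptions(alerts, exceptions):
    """Drop alerts whose fields match every field/value pair of an exception entry."""
    def excluded(alert):
        return any(all(alert.get(k) == v for k, v in exc.items()) for exc in exceptions)
    return [a for a in alerts if not excluded(a)]


def suppress(alerts, group_by=("rule.name", "host.name")):
    """Alert suppression: keep the first alert per group and count the rest,
    so repeated hits on one host do not flood the queue."""
    kept = {}
    for alert in alerts:
        key = tuple(alert.get(f) for f in group_by)
        if key in kept:
            kept[key]["suppressed_count"] += 1
        else:
            kept[key] = dict(alert, suppressed_count=0)
    return list(kept.values())


def run_rule(events, exceptions=EXCEPTIONS):
    """Full pipeline: correlate, then apply exceptions, then suppress."""
    return suppress(apply_exceptions(correlate(events), exceptions))


if __name__ == "__main__":
    for alert in run_rule(EVENTS):
        print(alert)
```

Run against the constructed events, the raw correlation fires three times (twice for ws-17, once for sandbox-01); ws-09 never fires because its IDS alert lands outside the window, and srv-02 never fires because it has no endpoint alert. The exception removes the sandbox hit, and suppression collapses the two ws-17 hits into one alert carrying a suppressed count of one. Running a rule over a historical sample like this before enabling it is the "validate before enabling" stage in miniature: you see whether the logic matches what you intended and how much noise it will produce.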