Choose the right rule type

Elastic Security offers several detection rule types, each designed for a different kind of threat signal. Selecting the right type is the single most important decision when creating a rule, because it determines what the rule can detect, how it performs, and how its alerts behave.

Use the following table to select the right rule type. The rows are ordered as a decision flow: start at the top and use the first rule type that fits your detection goal.

| Ask yourself | Rule type | Description |
|---|---|---|
| Is the threat a behavioral deviation I can't define with an exact pattern? | Machine learning | Relies on machine learning anomaly detection jobs to model normal behavior and flag deviations. No query authoring required. |
| Do I need to compare events against a threat intelligence feed? | Indicator match | Compares source event fields against threat intelligence indices. Alerts are enriched with indicator metadata. |
| Am I looking for a field value appearing for the first time? | New terms | Fires when a value (or combination of up to three values) has never appeared in a configurable history window. Surfaces novel activity. |
| Does detection require an ordered sequence of events or a missing event? | Event correlation (EQL) | Uses EQL to correlate events by shared fields across time. Detects multi-step attack chains and gaps in expected activity. |
| Should an alert fire when event volume crosses a threshold? | Threshold | Fires when the number of matching events grouped by one or more fields meets or exceeds a threshold. Ideal for brute-force and volume-based patterns. |
| Do I need aggregation, transformation, or computed fields? | ES\|QL | Uses pipe-based ES\|QL queries to aggregate, transform, and filter data before alerting. Each result row becomes an alert. |
| None of the above? | Custom query | Matches events using KQL or Lucene. The most flexible and widely used type for known field values, patterns, or boolean conditions. |
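The following is an added example, not code from Elastic's documentation or product: a toy Python evaluation of three of the rule types above (threshold, new terms, and an EQL-style sequence) over the same constructed login events, to show how each type turns the same data into different alerts. The event field names, the history set, the thresholds and the time window are all assumptions.

```python
"""Toy evaluation of three Elastic Security rule types over constructed events.
Added example, not Elastic's code; field names and parameters are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (ECS-like names), in time order.
T0 = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [
    {"ts": T0 + timedelta(seconds=i), "action": "failure", "src": "10.0.0.9", "user": "alice"}
    for i in range(5)
] + [
    {"ts": T0 + timedelta(seconds=6), "action": "success", "src": "10.0.0.9", "user": "alice"},
    {"ts": T0 + timedelta(seconds=7), "action": "success", "src": "10.0.0.5", "user": "svc-backup"},
]
# Constructed history window: user names already seen before these events.
HISTORY = {"alice", "bob"}


def threshold_rule(events, field, value):
    """Threshold: one alert per group whose count of failures meets or exceeds `value`."""
    counts = Counter(e[field] for e in events if e["action"] == "failure")
    return sorted(k for k, n in counts.items() if n >= value)


def new_terms_rule(events, field, history):
    """New terms: alert the first time a value appears that is absent from the history window."""
    seen = set(history)
    alerts = []
    for e in events:
        if e[field] not in seen:
            alerts.append(e[field])
            seen.add(e[field])  # a term alerts once, then counts as known
    return alerts


def sequence_rule(events, by, max_span, failures=3):
    """EQL-style sequence: `failures` failed logins then a success, joined on `by`,
    all within `max_span`. Fires once per completed sequence."""
    fails = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "failure":
            fails[e[by]].append(e["ts"])
        elif e["action"] == "success":
            recent = [t for t in fails[e[by]] if e["ts"] - t <= max_span]
            if len(recent) >= failures:
                alerts.append((e[by], e["user"]))
                fails[e[by]].clear()
    return alerts
```

Running the three functions on `EVENTS` shows the difference in alert shape: the threshold rule yields one alert for the source IP, the new-terms rule one alert for the never-seen user, and the sequence rule one alert only for the failures-then-success chain from the same source.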