Rule type guides
Elastic Security provides several rule types for building detections. Each rule type page covers when to use it, how to write effective queries, real-world examples, and field configuration specific to that type.
| What you want to detect | Rule type |
|---|---|
| A known field value, pattern, or boolean condition | Custom query |
| An ordered sequence of events or a missing event | Event correlation (EQL) |
| A field value count exceeding a boundary | Threshold |
| Events matching a known threat indicator | Indicator match |
| A field value appearing for the first time | New terms |
| Aggregated, transformed, or computed conditions | ES\|QL |
| Behavioral anomalies without a fixed pattern | Machine learning |
Tip: Still unsure which rule type fits your use case? Refer to Select the right rule type for a decision guide comparing all rule types.