Create a detection rule using the UI
Once the Detections feature is turned on, follow these steps to create a detection rule:
At any step, you can preview the rule before saving it to see what kind of results you can expect.
- Define the rule type. The configuration for this step varies depending on the rule type.
- Configure basic rule settings.
- Configure advanced rule settings (optional).
- Set the rule's schedule.
- (Optional) Set up rule actions.
- (Optional) Set up response actions.
- Create and enable the rule, or create the rule without enabling it.
If you prefer to create rules programmatically instead of using the UI, refer to Using the API.
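As an added example (not code from the original page or from Elastic's own documentation), the following Python script walks the same steps as the UI procedure above but through the Detections API: it builds a query-type rule body (rule type and query, basic settings, schedule, optional actions, enabled or not), validates the settings practitioners most often get wrong (severity, risk score, and a search window that covers the whole run interval so nothing falls between runs), and prepares the POST to /api/detection_engine/rules. The endpoint, the kbn-xsrf header requirement and the field names come from the public Kibana API; the Kibana URL, API key, index patterns, KQL query and rule name are placeholders and constructed sample values.

```python
"""Added example: build, validate and submit a query-type detection rule through
the Kibana Detections API instead of the UI. Endpoint, kbn-xsrf header and field
names are from the public API; the Kibana URL, API key, index patterns, query and
rule name are placeholders / constructed sample values (assumptions)."""
import json
import re
import urllib.request

ALLOWED_SEVERITIES = ("low", "medium", "high", "critical")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}
_DURATION = re.compile(r"^(\d+)([smh])$")       # e.g. "5m", "90s", "1h"
_DATE_MATH = re.compile(r"^now-(\d+)([smh])$")  # e.g. "now-6m"


def to_seconds(value, pattern=_DURATION):
    """Convert a duration ("5m") or relative date-math ("now-6m") string to seconds."""
    match = pattern.match(value)
    if not match:
        raise ValueError(f"unsupported duration/date-math value: {value!r}")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


def build_rule(name, description, query, index, severity, risk_score,
               interval="5m", additional_lookback="1m", enabled=False,
               tags=(), actions=()):
    """Assemble the rule body in the same order as the UI steps: rule type and
    query, basic settings, schedule, optional actions, and the enabled flag.
    `from` is derived so each run's search window covers the full interval plus
    an extra look-back, which prevents gaps between consecutive runs."""
    window = to_seconds(interval) + to_seconds(additional_lookback)
    rule = {
        "type": "query",           # rule type; other types need other fields
        "language": "kuery",
        "name": name,
        "description": description,
        "query": query,
        "index": list(index),
        "severity": severity,
        "risk_score": risk_score,
        "interval": interval,      # how often the rule runs
        "from": f"now-{window}s",  # start of each run's search window
        "to": "now",
        "enabled": enabled,        # False creates the rule without enabling it
        "tags": list(tags),
    }
    if actions:
        rule["actions"] = list(actions)  # rule actions, e.g. a connector to notify on
    return rule


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule is well-formed."""
    problems = []
    if rule.get("severity") not in ALLOWED_SEVERITIES:
        problems.append(f"severity must be one of {ALLOWED_SEVERITIES}")
    score = rule.get("risk_score")
    if not isinstance(score, int) or not 0 <= score <= 100:
        problems.append("risk_score must be an integer from 0 to 100")
    if not rule.get("query", "").strip():
        problems.append("query must not be empty")
    if not rule.get("index"):
        problems.append("index must list at least one index pattern")
    try:
        if to_seconds(rule["from"], _DATE_MATH) < to_seconds(rule["interval"]):
            problems.append("'from' window is shorter than 'interval': "
                            "events between runs would be missed")
    except (KeyError, ValueError) as exc:
        problems.append(f"bad schedule: {exc}")
    return problems


def build_request(kibana_url, api_key, rule):
    """Prepare the POST; Kibana requires the kbn-xsrf header on non-GET calls."""
    return urllib.request.Request(
        f"{kibana_url.rstrip('/')}/api/detection_engine/rules",
        data=json.dumps(rule).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "kbn-xsrf": "true",
            "Authorization": f"ApiKey {api_key}",
        },
    )


def create_rule(kibana_url, api_key, rule):
    """Validate locally first, then submit; returns the created rule as JSON."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    with urllib.request.urlopen(build_request(kibana_url, api_key, rule)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample rule; replace placeholders before running against a real stack.
    rule = build_rule(
        name="PsExec service launched",
        description="Detects the PsExec service process starting on Windows endpoints",
        query='event.category:process and process.name:"PSEXESVC.exe"',
        index=["logs-endpoint.events.process-*", "winlogbeat-*"],
        severity="medium",
        risk_score=47,
        interval="5m",
        additional_lookback="1m",
        enabled=False,
        tags=["Lateral Movement"],
    )
    print(json.dumps(rule, indent=2))
    print("problems:", validate_rule(rule) or "none")
    # create_rule("https://kibana.example.internal:5601", "<api-key>", rule)  # placeholder
```

The look-back check in validate_rule is the one the UI does not do for you: an interval of 5m with a `from` of now-2m runs every five minutes but only searches the last two, so three minutes of events are never evaluated. Creating with `enabled` set to false matches the "create the rule without enabling it" option, which is the safer default while the query is still being tuned.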
To create detection rules, you must have:
- At least Read access to data views, which requires the Data View Management Kibana privilege in Elastic Stack or the appropriate user role in Serverless.
- The required privileges to preview rules, manage rules, and manage alerts. Refer to Turn on detections for more details.
Additional configuration is required for detection rules using cross-cluster search. Refer to Cross-cluster search and detection rules.
Each rule type has its own configuration and query requirements. Refer to the guide for that rule type for type-specific instructions, and to Select the right rule type if you are unsure which type to use.
After creating the rule, you can change its settings, enable or disable it, and more. Refer to Manage detection rules for more information.