Validate and test rules

Before enabling a new detection rule in production, validate that it detects what you intend, at a volume your team can handle, without generating excessive false positives. The steps below apply to any rule type.

If you manage rules outside of the Kibana UI, you can use Detection-as-Code (DaC) workflows to test rules before deploying them. The Elastic Security Labs team maintains the detection-rules repo, which provides tooling for developing, testing, and releasing detection rules programmatically.

DaC workflows let you:

  • Validate rule syntax and schema before deployment.
  • Run unit tests against rule logic in a CI/CD pipeline.
  • Track rule changes in version control for auditability.

To get started, refer to the DaC documentation. For managing rules through the API, refer to Using the API.
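As an added example (not tooling from the detection-rules repo or the Elastic team), this Python validator shows the kind of schema check the first DaC bullet describes, run over a constructed rule that mirrors the `[rule]` table of a detection-rules TOML file; the field names follow that format, while the required-field list and accepted values are a simplified assumption rather than the repo's full schema.

```python
import uuid

# Constructed sample: the [rule] table of a detection rule as it looks after
# loading the TOML file (not a rule from the Elastic repo).
SAMPLE_RULE = {
    "rule_id": "c1f2e3d4-5a6b-4c7d-8e9f-0a1b2c3d4e5f",
    "name": "Scheduled Task Creation by Unusual Parent",
    "description": "Detects schtasks.exe launched by an unusual parent process.",
    "type": "eql",
    "language": "eql",
    "query": 'process where event.type == "start" and process.name : "schtasks.exe"',
    "risk_score": 47,
    "severity": "medium",
    "index": ["logs-endpoint.events.*"],
    "author": ["Example Team"],
    "license": "Elastic License v2",
}

# Assumed minimal schema: fields every rule must carry and the values allowed.
REQUIRED = ("rule_id", "name", "description", "type", "risk_score", "severity", "author", "license")
SEVERITIES = ("low", "medium", "high", "critical")
# Query-based rule types and the language each one accepts.
TYPE_LANGUAGE = {
    "query": ("kuery", "lucene"), "threshold": ("kuery", "lucene"), "threat_match": ("kuery", "lucene"),
    "new_terms": ("kuery", "lucene"), "eql": ("eql",), "esql": ("esql",),
}

def validate_rule(rule):
    """Return a list of schema problems; an empty list means the rule passes the check."""
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in rule]
    try:
        uuid.UUID(str(rule.get("rule_id", "")))
    except ValueError:
        problems.append("rule_id is not a UUID")
    score = rule.get("risk_score")
    if not isinstance(score, int) or not 0 <= score <= 100:
        problems.append("risk_score must be an integer between 0 and 100")
    if rule.get("severity") not in SEVERITIES:
        problems.append(f"severity must be one of {SEVERITIES}")
    rtype = rule.get("type")
    if rtype == "machine_learning":  # ML rules reference a job instead of a query
        for f in ("machine_learning_job_id", "anomaly_threshold"):
            if f not in rule:
                problems.append(f"machine_learning rule needs {f}")
    elif rtype in TYPE_LANGUAGE:
        if not str(rule.get("query", "")).strip():
            problems.append("query must not be empty")
        if rule.get("language") not in TYPE_LANGUAGE[rtype]:
            problems.append(f"{rtype} rule needs language in {TYPE_LANGUAGE[rtype]}")
        if rtype == "threshold" and "threshold" not in rule:
            problems.append("threshold rule needs a threshold block")
    else:
        problems.append(f"unknown rule type: {rtype}")
    return problems
```

Running this in CI before the rule is pushed catches schema mistakes at review time instead of at enable time in Kibana.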