Prebuilt rules
Elastic maintains a library of prebuilt detection rules mapped to the MITRE ATT&CK framework. Enabling prebuilt rules is the fastest path to detection coverage and the recommended starting point before building custom rules. You can browse the full prebuilt rule catalog to see what's available.
- Prebuilt rule components: Learn how prebuilt rules are organized with tags, which data sources they need, and how to use their investigation guides.
- Install prebuilt rules: Start here to install and enable prebuilt rules. Includes a subscription capability matrix showing which features are available at each tier.
- Update prebuilt rules: Apply Elastic's rule updates to keep your detection coverage current. Explains how to review updates, handle rules you have modified, and resolve update conflicts (Enterprise only).
- Handle deprecated prebuilt rules: Find deprecated prebuilt rules on the Rules page or on a rule's details page, then either delete them, or duplicate them before deleting the original so that the copy is no longer tied to the prebuilt package.
- Prebuilt rules in air-gapped environments: Install and update prebuilt rules in environments without internet access.
- Customize prebuilt rules: Adapt prebuilt rules to your environment. Edit rules directly or revert to the original Elastic version (Enterprise on Elastic Stack 9.1+, or Security Analytics Complete on Serverless), duplicate and modify copies, add exceptions, or configure actions.