---
title: Manage detection rules at scale
description: Use workflows to audit rule health, surface rule errors, and automate rule operations across large detection rule sets in Elastic Security.
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/use-cases/security/manage-detection-rules
products:
  - Elastic Cloud Enterprise
  - Elastic Cloud Hosted
  - Elastic Cloud Serverless
  - Elastic Cloud on Kubernetes
  - Elastic Stack
  - Kibana
applies_to:
  - Elastic Cloud Serverless: Preview
  - Elastic Stack: Preview since 9.3
---

# Manage detection rules at scale
Teams that run large sets of detection rules (prebuilt, custom, or both) have recurring operational work. Rules need to be audited for health, errors need to be surfaced quickly, coverage needs to be tracked against a framework, and status often needs to flow back to an external tracker.
Use workflows to automate these rule-operations tasks. Workflows can query detection engine APIs on a schedule, post summaries to a chat channel, index results for dashboarding, or open a ticket when something is wrong, all using existing workflow building blocks.

## What you can automate

The following patterns combine [scheduled triggers](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/triggers/scheduled-triggers) with [Kibana request actions](/elastic/docs-content/pull/5950/explore-analyze/workflows/steps/kibana#generic-request-actions) to drive rule-operations work:
- **Audit rule health on a schedule.** A scheduled workflow queries the detection engine API for rule status, filters for rules in an error or disabled state, and publishes a daily summary.
- **Surface rule errors.** Use [`if` steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/steps/if) to branch on rule status and send a targeted notification when the failing rule is business-critical.
- **Report on coverage.** Use [`foreach` steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/steps/foreach) to iterate over rules, group by tag or framework mapping, and index the result to an Elasticsearch index for dashboard visualization.
- **Sync rule status to external systems.** Use [HTTP actions](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/steps/external-systems-apps) to mirror rule status into an external tracker, or post to Slack or PagerDuty when a rule crosses a threshold.
## Example flow

A daily rule-health report workflow has this shape:
1. **Scheduled trigger** fires every morning.
2. **Kibana request step** calls the detection engine API to list rules and their status.
3. **Foreach step** iterates over the returned rules.
4. **If step** identifies rules in an error state.
5. **Elasticsearch step** indexes the summary to a rules-health index, or a **connector step** posts the summary to Slack.
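The same daily health report as an added Python script, not a workflow definition from this page or from Elastic: it does in plain code what steps 2 to 5 above do with workflow steps, and it also covers the audit, error-surfacing and coverage patterns listed under "What you can automate". It pages through the detection engine rule find API (`GET /api/detection_engine/rules/_find`) and reads each rule's `enabled`, `tags`, `threat` and `execution_summary.last_execution.status` fields as that API returns them today; check the field names against the API reference for your version. The Kibana URL, API key, the `business-critical` tag and the sample rule objects are constructed placeholders for this example.

```python
"""Daily detection-rule health report: list rules, flag error states, summarize."""
from __future__ import annotations

import json
import urllib.request
from collections import Counter
from datetime import datetime, timezone

# Constructed placeholders: your Kibana URL and an API key with detection-engine read access.
KIBANA_URL = "https://kibana.example.com:5601"
API_KEY = "REPLACE_WITH_API_KEY"
# Tag marking business-critical rules (assumed tag name for this example).
CRITICAL_TAG = "business-critical"
# Last-execution statuses treated as an error state.
ERROR_STATUSES = {"failed", "partial failure"}


def fetch_rules(kibana_url: str = KIBANA_URL, api_key: str = API_KEY,
                per_page: int = 100) -> list[dict]:
    """Page through GET /api/detection_engine/rules/_find and return every rule."""
    rules: list[dict] = []
    page = 1
    while True:
        req = urllib.request.Request(
            f"{kibana_url}/api/detection_engine/rules/_find?page={page}&per_page={per_page}",
            headers={"Authorization": f"ApiKey {api_key}", "kbn-xsrf": "true"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        rules.extend(body["data"])
        if page * per_page >= body["total"]:
            return rules
        page += 1


def summarize_rules(rules: list[dict]) -> dict:
    """Health and coverage figures for a list of rule objects (the foreach/if steps)."""
    disabled: list[str] = []
    failed: list[dict] = []
    critical_failures: list[str] = []
    coverage: Counter[str] = Counter()
    for rule in rules:
        if not rule.get("enabled", False):
            disabled.append(rule["name"])
            continue  # disabled rules never run, so there is no execution status to audit
        # Coverage: count each enabled rule once per mapped ATT&CK tactic.
        for threat in rule.get("threat", []):
            tactic = threat.get("tactic", {}).get("name")
            if tactic:
                coverage[tactic] += 1
        last = rule.get("execution_summary", {}).get("last_execution", {})
        status = last.get("status")
        if status in ERROR_STATUSES:
            failed.append({"rule_id": rule["rule_id"], "name": rule["name"],
                           "status": status, "message": last.get("message", "")})
            if CRITICAL_TAG in rule.get("tags", []):
                critical_failures.append(rule["name"])  # candidates for a targeted alert
    return {
        "total": len(rules),
        "enabled": len(rules) - len(disabled),
        "disabled": disabled,
        "failed": failed,
        "critical_failures": critical_failures,
        "coverage_by_tactic": dict(coverage),
    }


def to_health_doc(summary: dict) -> dict:
    """Flatten the summary into a document for a rules-health index."""
    return {
        "@timestamp": datetime.now(timezone.utc).isoformat(),
        "total": summary["total"],
        "enabled": summary["enabled"],
        "failed_count": len(summary["failed"]),
        "critical_failure_count": len(summary["critical_failures"]),
        "failed": summary["failed"],
        "disabled": summary["disabled"],
        "coverage_by_tactic": [{"tactic": t, "rules": n}
                               for t, n in summary["coverage_by_tactic"].items()],
    }


# Constructed sample rules in the shape the find API returns, so this runs offline.
SAMPLE_RULES = [
    {"rule_id": "r-1", "name": "Credential Dumping via LSASS", "enabled": True,
     "tags": ["business-critical"], "threat": [{"tactic": {"id": "TA0006", "name": "Credential Access"}}],
     "execution_summary": {"last_execution": {"status": "succeeded", "message": "succeeded"}}},
    {"rule_id": "r-2", "name": "Suspicious PowerShell Download", "enabled": True,
     "tags": ["business-critical"], "threat": [{"tactic": {"id": "TA0002", "name": "Execution"}}],
     "execution_summary": {"last_execution": {"status": "failed", "message": "index pattern not found"}}},
    {"rule_id": "r-3", "name": "Rare Process by Host", "enabled": True,
     "tags": [], "threat": [{"tactic": {"id": "TA0002", "name": "Execution"}}],
     "execution_summary": {"last_execution": {"status": "partial failure", "message": "shard unavailable"}}},
    {"rule_id": "r-4", "name": "Legacy VPN Brute Force", "enabled": False,
     "tags": [], "threat": [], "execution_summary": {}},
]

if __name__ == "__main__":
    # Replace SAMPLE_RULES with fetch_rules() for a live report.
    print(json.dumps(to_health_doc(summarize_rules(SAMPLE_RULES)), indent=2))
```

The document returned by `to_health_doc` is what the Elasticsearch step would index to the rules-health index; `critical_failures` is the list the `if` step would branch on to post a targeted Slack or PagerDuty notification, while `coverage_by_tactic` feeds the coverage dashboard. Disabled rules are reported separately rather than as failures, because they have no execution status to audit.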
## Learn more

- [Scheduled triggers](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/triggers/scheduled-triggers): Run workflows on a cron-like schedule.
- [Kibana action steps](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/steps/kibana): Reference for generic Kibana API requests.
- [Foreach step](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/explore-analyze/workflows/steps/foreach): Iterate over arrays returned by API calls.
- [Detection rule concepts](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5950/solutions/security/detect-and-alert/detection-rule-concepts): Background on how detection rules work.