Create a detection rule using the UI

Once the Detections feature is turned on, follow these steps to create a detection rule. At any step, you can preview the rule before saving it to see what kind of results you can expect.

  1. Define the rule type. The configuration for this step varies depending on the rule type. For field descriptions specific to each type, refer to the Rule types section.
  2. Configure basic rule settings.
  3. (Optional) Configure advanced rule settings.
  4. Set the rule's schedule.
  5. (Optional) Set up rule actions.
  6. (Optional) Set up response actions.
  7. Create and enable the rule, or create the rule without enabling it.
Create rules programmatically

If you prefer to create rules programmatically instead of using the UI, refer to Using the API.
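As an added example (not from this page or from Elastic's own documentation), the seven UI steps above mapped onto the equivalent API request. The endpoint `POST /api/detection_engine/rules`, the `kbn-xsrf` header and the field names are Elastic's public Detection Engine API; the Kibana URL, API key, index pattern and query are constructed placeholders.

```python
import json
import urllib.request


def build_rule(name, description, query, index, severity="medium",
               risk_score=47, interval_minutes=5, lookback_minutes=1,
               tags=None, actions=None, enabled=False):
    """Assemble the request body. UI step -> API fields:
    1 rule type: type/language/query/index   2 basic: name/description/
    severity/risk_score   3 advanced: tags   4 schedule: interval/from/to
    5 actions: actions   7 enable: enabled."""
    if severity not in ("low", "medium", "high", "critical"):
        raise ValueError("severity must be low, medium, high or critical")
    if not 0 <= risk_score <= 100:
        raise ValueError("risk_score must be between 0 and 100")
    # The UI's "additional look-back time" is added to the run interval;
    # the API expresses the result as a single relative 'from' timestamp.
    return {
        "type": "query", "language": "kuery", "query": query, "index": index,
        "name": name, "description": description,
        "severity": severity, "risk_score": risk_score,
        "tags": tags or [],
        "interval": f"{interval_minutes}m",
        "from": f"now-{interval_minutes + lookback_minutes}m", "to": "now",
        "actions": actions or [],
        "enabled": enabled,
    }


def create_rule(kibana_url, api_key, rule):
    """POST the body to Kibana. The kbn-xsrf header is required on writes."""
    req = urllib.request.Request(
        f"{kibana_url}/api/detection_engine/rules",
        data=json.dumps(rule).encode(), method="POST",
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: a KQL query over a placeholder index pattern,
    # created disabled so it can be reviewed before it starts running.
    rule = build_rule(
        name="Example: root shell via sudo",
        description="Sudo process starting an interactive shell as root.",
        query='process.name:"sudo" and process.args:"-i" and user.name:"root"',
        index=["logs-*"], tags=["linux", "example"])
    print(json.dumps(rule, indent=2))
    # create_rule("https://kibana.example:5601", "<api-key>", rule)
```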

Important

Ensure that only users with the appropriate access edit rules. Refer to Detection rule concepts > Rule authorization for more details.

To create detection rules, you must have:

  • At least Read access to data views, which requires the Data View Management Kibana privilege in Elastic Stack or the appropriate user role in Serverless.
  • The required privileges to preview rules, manage rules, and manage alerts. Refer to Turn on detections for more details.
Note

Additional configuration is required for detection rules using cross-cluster search. Refer to Cross-cluster search and detection rules.

Each rule type has its own configuration and query requirements. Refer to the appropriate guide for type-specific instructions:

To understand which type to use, refer to Select the right rule type.

After creating the rule, you can change its settings, enable or disable it, and more. Refer to Manage detection rules for more information.