Detections requirements

Requirements for setting up and configuring the detections feature.

To use the Detections feature, you first need to configure a few settings. You also need the appropriate role to send notifications when detection alerts are generated.

Additionally, there are some advanced settings used to configure value list upload limits.

Enable and access detections

To use the Detections feature, it must be enabled and you must have the appropriate role to access rules and alerts. If your role does not have the privileges needed to enable this feature, you can request someone who has these privileges to visit your Security project, which will turn it on for you.


For instructions about using Machine Learning jobs and rules, refer to Machine learning job and rule requirements.


Rules, including all background detection and the actions they generate, are authorized using an API key associated with the last user to edit the rule. Upon creating or modifying a rule, an API key is generated for that user, capturing a snapshot of their privileges. The API key is then used to run all background tasks associated with the rule including detection checks and executing actions.


If a rule requires certain privileges to run, such as index privileges, keep in mind that if a user without those privileges updates the rule, the rule will no longer function.

On this page