Author rules
Create custom detection rules tailored to your environment and threat model. The pages in this section guide you through selecting a rule type, writing rule logic, and configuring settings.
- Choose the right rule type: start here if you're not sure which rule type fits your use case. Compares all rule types side by side.
- Rule types: detailed guidance for each rule type, including when to use it and field configuration specific to that type.
- Using the UI: step-by-step workflow for creating rules in the Elastic Security UI.
- Using the API: create or manage rules programmatically, integrate with CI/CD pipelines, or bulk-import rules.
- Common rule settings: reference for all shared rule settings: severity, risk score, schedule, actions, and notification variables.
- Set rule data sources: override default index patterns, target specific indices, or exclude cold and frozen data tiers.
- Write investigation guides: add triage guidance to rules using Markdown, Timeline query buttons, and Osquery integration.
- Validate and test rules: test rule logic against historical data and assess alert volume before enabling in production.