How to create a detection rule
  • 01 Feb 2022
  • Dark
    Light

How to create a detection rule

  • Dark
    Light

Article summary

These steps outline defining a new detection rule for Elastic Security. 

Rules are:

  • based on a list of parameters
  • targeted at collected data
  • ran periodically based on a user-defined schedule
  •  can optionally take an automated action when triggered.


For additional details, please see Elastic's official documentation on this topic.


Process

  1. Login to Elastic Endpoint Security. Please refer to How to access Elastic Endpoint Security if you need assistance.
  2. Once logged in, you can begin the process of creating a new rule by navigating to Detect → Rules → Create new rule
  3. From here, you can select the type of rule you'd like to create and fill in the necessary details to describe the desired behavior. You can find specific information on each type of rule and required parameters in Elastic's detection rule documentation.
    1. The custom query option allows you to import a query from a previously saved timeline, helpful in situations where a security issue has been identified and you are interested in detecting similar behavior moving forward.
  4. Before clicking continue, make sure to perform a query preview with the Preview results button-- doing so will allow you to see the alert volume of the proposed rule. Suppose you find that the query you've defined is particularly noisy. In that case, you may want to consider adding additional conditions to narrow the results and cut down on alert volume.
  5. After defining the rule, you can adjust the rule's schedule and select a connector and action to be performed by Kibana when the alert triggers.

Was this article helpful?