Managing detection rules

On the Detection rules page, you can:

    • Load and activate prebuilt Elastic rules
    • Select and duplicate all prebuilt rules
    • Modify existing rules
    • Import and export rules

Load and activate prebuilt Elastic rules

To load the Elastic Security app’s prebuilt rules, click Load Elastic prebuilt rules on the Detection rules page (Security → Detections → Manage detection rules → Load Elastic prebuilt rules and timeline templates).

You can then activate whichever rules you want. If you delete any of the prebuilt rules, a button appears that enables reloading all the deleted ones.

Apart from the Elastic Endpoint rule, prebuilt rules are not activated by default. If you want to modify a prebuilt rule, you must first duplicate it and then make your changes to the duplicated rule.

All Elastic prebuilt rules are tagged with the word Elastic.

Select and duplicate all prebuilt rules

In the All rules table:

  1. Select the Elastic rules tab.
  2. Scroll to the bottom of the page.
  3. Click the Rows per page menu, and then select 300 rows.
  4. When the page reloads, select all the rules.
  5. Click Bulk actions → Duplicate selected.
  6. Select the Custom rules tab.

You can then modify the duplicated rules and, if required, delete the prebuilt ones.

Modify existing rules

You can clone, edit, activate, deactivate, and delete rules:

  1. Go to Security → Detections → Manage detection rules.
  2. Do one of the following:

    • Click the actions icon (three dots) and then select the required action.
    • In the Rule column, select all the rules you want to modify, and then select the required action from the Bulk actions menu.
  3. To activate or deactivate a rule, click the Activate toggle button.

For prebuilt rules, you can only activate, deactivate, delete, edit rule actions, and add exceptions.

Import and export rules

  1. Go to Security → Detections → Manage detection rules.
  2. To import rules:

    1. Click Import rule.
    2. Drag-and-drop files containing the detection rules.

      Imported rules must be in an ndjson file.

  3. To export rules:

    1. In the All rules table, select the rules you want to export.
    2. Select Bulk actions → Export selected.

      You cannot export prebuilt rules.
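The import and export steps above exchange rules as an ndjson file (one JSON object per line). The following Python script, added here as an example and not part of Elastic's documentation or code base, is a pre-import sanity check you can run on such a file before dragging it into the app: it parses every line, reports malformed lines and duplicate rule IDs, and flags rules tagged Elastic (which, per the sections above, are prebuilt and should be duplicated rather than edited). The field names `rule_id`, `name` and `tags` are assumptions about the export format, and the sample file content is constructed for the example.

```python
"""Pre-import check for a detection-rule ndjson file.

Added example, not Elastic's own code. Assumes each non-blank line is one
JSON object carrying "rule_id", "name" and "tags" (assumed field names).
"""
import json

# Constructed sample ndjson: two valid rules, a blank line, a rule that
# reuses an existing rule_id, and a line that is not JSON at all.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"rule_id": "custom-0001",
                "name": "Suspicious sudo usage (custom)",
                "tags": ["Linux", "Custom"]}),            # line 1
    json.dumps({"rule_id": "elastic-0002",
                "name": "Example prebuilt rule",
                "tags": ["Elastic", "Linux"]}),           # line 2
    "",                                                   # line 3: blank
    json.dumps({"rule_id": "custom-0001",
                "name": "Copy that reuses a rule_id",
                "tags": ["Custom"]}),                     # line 4
    "this is not json",                                   # line 5
])


def parse_ndjson(text):
    """Return (rules, errors). Blank lines are skipped; a malformed line
    is recorded as (line_number, message) instead of aborting the run."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((lineno, f"invalid JSON: {exc}"))
            continue
        if not isinstance(obj, dict):
            errors.append((lineno, "line is valid JSON but not an object"))
            continue
        rules.append(obj)
    return rules, errors


def is_prebuilt(rule):
    """Prebuilt Elastic rules carry the tag 'Elastic' (assumed 'tags' field)."""
    return "Elastic" in rule.get("tags", [])


def check_rules(text):
    """Summarise an ndjson file: counts, prebuilt rule names, duplicate
    rule_ids (in first-seen order) and parse errors."""
    rules, errors = parse_ndjson(text)
    seen, duplicates = set(), []
    for rule in rules:
        rid = rule.get("rule_id")
        if rid in seen and rid not in duplicates:
            duplicates.append(rid)
        seen.add(rid)
    return {
        "total": len(rules),
        "prebuilt": [r.get("name") for r in rules if is_prebuilt(r)],
        "duplicate_rule_ids": duplicates,
        "errors": errors,
    }


def export_custom_rules(rules):
    """Serialise only non-prebuilt rules as ndjson, mirroring the app's
    behaviour that prebuilt rules cannot be exported."""
    return "\n".join(json.dumps(r) for r in rules if not is_prebuilt(r))


if __name__ == "__main__":
    report = check_rules(SAMPLE_NDJSON)
    print(json.dumps(report, indent=2))
    custom_only = export_custom_rules(parse_ndjson(SAMPLE_NDJSON)[0])
    print("custom rules ready for export:\n" + custom_only)
```

To use it on a real export, read the file with `open(path).read()` and pass the text to `check_rules`; a non-empty `errors` or `duplicate_rule_ids` list is a reason to fix the file before importing.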