Manage detection rules

edit

On the Detection rules page, you can:

Load and activate prebuilt Elastic rules

edit

To load the Elastic Security app’s prebuilt rules, click Load Elastic prebuilt rules on the Detection rules page (DetectionsManage detection rulesLoad Elastic prebuilt rules and timeline templates).

You can then activate whichever rules you want. If you delete any of the prebuilt rules, a button appears that enables you to reload all of the deleted ones.

Apart from the Elastic Endpoint rule, prebuilt rules are not activated by default. If you want to modify a prebuilt rule, you must first duplicate it and then make your changes to the duplicated rule. All Elastic prebuilt rules are tagged with the word Elastic.

To learn how to enable detection rules in Elastic Security, watch the tutorial at the end of this topic.

Select and duplicate all prebuilt rules

edit

In the All rules table:

  1. Select the Elastic rules tab.
  2. Scroll to the bottom of the page.
  3. Click the Rows per page menu, and then select 300 rows.
  4. When the page reloads, select all the rules.
  5. Click Bulk actionsDuplicate selected.
  6. Select the Custom rules tab.

You can then modify the duplicated rules and, if required, delete the prebuilt ones.

Download latest prebuilt Elastic rules

edit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

As of Elastic Stack >=7.13.0., you can download the latest version of Elastic prebuilt rules outside of a regular release cycle. This feature ensures you have the latest detection capabilties before upgrading to the latest Elastic Stack.

To download the latest version of prebuilt rules:

  1. In Kibana, go to Fleet > Integrations.
  2. Search for "Prebuilt Security Detection Rules."
  3. Select the integration, then select the Settings tab. The integration settings page is displayed.

    install prebuilt settings
  4. Click Install Prebuilt Security Detection Rules assets.
  5. Click Install Prebuilt Security Detection Rules to confirm the installation.

    install prebuilt rules

Modify existing rules

edit

You can clone, edit, activate, deactivate, and delete rules:

  1. Go to DetectionsManage detection rules.
  2. Do one of the following:

    • Click the actions icon (three dots) and then select the required action.
    • In the Rule column, select all the rules you want to modify, and then the required action from the Bulk actions menu.
  3. To activate or deactivate a rule, click the Activated toggle button.

For prebuilt rules, you can only activate, deactivate, delete, edit rule actions, and add exceptions.

Import and export rules

edit
  1. Go to DetectionsManage detection rules.
  2. To import rules:

    1. Click Import rule.
    2. Drag-and-drop files containing the detection rules.

      Imported rules must be in an ndjson file.

  3. To export rules:

    1. In the All rules table, select the rules you want to export.
    2. Select Bulk actionsExport selected.

      You cannot export prebuilt rules.

Tutorial: Enable detection rules

edit

To learn how to enable detection rules in Elastic Security, watch the following tutorial.