Detections requirements
To use the Detections feature, you first need to configure a few settings. You also need a role with the appropriate privileges if you want rules to send notifications when detection alerts are generated.
Additionally, there are some advanced settings that configure value list upload limits.
Enable and access detections
To use the Detections feature, it must be enabled and you must have either the appropriate predefined Security user role or a custom role with privileges to access rules and alerts. If your role doesn't have the privileges needed to enable this feature, ask someone who has them to visit the Rules or Alerts page in your Kibana space, which turns the feature on for that space.
For instructions about using machine learning jobs and rules, refer to Machine learning job and rule requirements.
Custom role privileges
The following table describes the custom role privileges required to access the Detections feature, including rules and alerts. For more information on Kibana privileges, refer to Custom roles.
| Action | Cluster Privilege | Index Privileges | Kibana Privileges |
|---|---|---|---|
| Enable detections in your space | | | |
| Enable detections in all spaces. NOTE: To turn on detections, visit the Rules and Alerts pages for each space. | | | |
| Preview rules | N/A | | |
| Manage rules | N/A | | NOTE: You need additional |
| Manage alerts. NOTE: Allows you to manage alerts, but not modify rules. | N/A | | |
| Create the NOTE: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | | | |
Authorization
Rules, including all background detection runs and the actions they generate, are authorized using an API key associated with the last user to edit the rule. When a rule is created or modified, an API key is generated for that user, capturing a snapshot of their privileges at that moment. The API key is then used to run all background tasks associated with the rule, including detection checks and action execution.
If a rule requires certain privileges to run, such as index privileges on the source indices it queries, keep in mind that if a user without those privileges updates the rule, the rule's API key is regenerated with that narrower set of privileges and the rule will no longer function. Because the key is a snapshot, privileges added to the editing user's role later do not apply to the rule until it is saved again, and a user who holds the required privileges must re-save the rule to restore it.
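Because the rule runs under a snapshot of the editor's privileges, the practical check before saving a rule is whether the editing user actually holds the index privileges the rule's query needs. The following is an added example, not Elastic's own code or part of this page. It uses the Elasticsearch has-privileges API (`POST /_security/user/_has_privileges`) called as the would-be editor; whether that endpoint is exposed on a given Serverless project is not confirmed by this page and is an assumption here. The specific privileges checked (`read` and `view_index_metadata` on the rule's source index patterns), the index patterns, and the `analyst` user in the sample response are all illustrative assumptions; the page only says "index privileges".

```python
"""
Pre-flight check before editing a detection rule: confirm that the user about
to save the rule holds the index privileges the rule needs, since the rule's
API key will be regenerated from that user's privileges on save.

Added example; not Elastic's code. Assumptions: the has-privileges API is
reachable, and `read` + `view_index_metadata` on the rule's source index
patterns are the privileges the rule requires.
"""
import base64
import json
import urllib.request

# Assumed minimum index privileges a query rule needs on its source indices.
REQUIRED_INDEX_PRIVILEGES = ["read", "view_index_metadata"]


def build_has_privileges_body(source_index_patterns):
    """Request body for POST /_security/user/_has_privileges.

    `names` accepts index names or wildcard patterns; duplicates are removed
    and the list is sorted so the body is deterministic.
    """
    return {
        "index": [
            {
                "names": sorted(set(source_index_patterns)),
                "privileges": REQUIRED_INDEX_PRIVILEGES,
            }
        ]
    }


def missing_index_privileges(has_privileges_response):
    """Return {index_pattern: [missing privilege, ...]} from a has-privileges
    response. An empty dict means the editor can save the rule without
    breaking it (with respect to the checked index privileges)."""
    missing = {}
    for pattern, privs in has_privileges_response.get("index", {}).items():
        lacking = sorted(p for p, granted in privs.items() if not granted)
        if lacking:
            missing[pattern] = lacking
    return missing


def check_rule_editor(es_url, username, password, source_index_patterns):
    """Call Elasticsearch as the would-be editor and report missing privileges.

    Basic auth is used for illustration; any credential that authenticates
    as the editing user works, since the check is about that user's grants.
    """
    body = json.dumps(build_has_privileges_body(source_index_patterns)).encode()
    req = urllib.request.Request(
        es_url.rstrip("/") + "/_security/user/_has_privileges",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return missing_index_privileges(json.load(resp))


# Constructed sample response (not captured from a real cluster): the editor
# can query logs-* but holds nothing on winlogbeat-*, which the rule also
# reads. Saving the rule as this user would break it.
SAMPLE_RESPONSE = {
    "username": "analyst",
    "has_all_requested": False,
    "cluster": {},
    "index": {
        "logs-*": {"read": True, "view_index_metadata": True},
        "winlogbeat-*": {"read": False, "view_index_metadata": False},
    },
    "application": {},
}

if __name__ == "__main__":
    gaps = missing_index_privileges(SAMPLE_RESPONSE)
    if gaps:
        print("Do not save the rule as this user; missing:", gaps)
    else:
        print("Editor holds the required index privileges on all source indices.")
```

Run the check as the user who is about to edit the rule, not as an administrator: the question is what the editor's snapshot will contain. A non-empty result means the save should be done by someone who holds the missing grants, or the editor's role should be extended first.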