Manage detection rules


The Rules page allows you to view and manage all prebuilt and custom detection rules.

The Rules page

You can sort the rules by clicking the Rule, Last updated, or Enabled column header.

The following sections describe what you can do on the Rules page.

Load and activate prebuilt Elastic rules


To load the Elastic Security app’s prebuilt rules, go to Detect → Rules → Load Elastic prebuilt rules and Timeline templates.

You can then activate whichever rules you want. If you delete any prebuilt rules, a button appears that enables you to reload all of the deleted ones.

  • Apart from the Elastic Endpoint rule, prebuilt rules are not activated by default. If you want to modify a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. All Elastic prebuilt rules are tagged with the word Elastic.
  • Automatic updates of Elastic prebuilt rules are supported for the current Elastic Security version and the latest three previous minor releases. For example, if you’re on Elastic Security 8.10, you’ll be able to use the Rules UI to update your prebuilt rules until Elastic Security 8.14 is released. After that point, you can still manually download and install updated prebuilt rules, but you must upgrade to the latest Elastic Security version to receive automatic updates.

Select and duplicate all prebuilt rules

  1. Go to Detect → Rules.
  2. In the All rules table, click Select all (number) rules.
  3. Click Bulk actions → Duplicate selected.
  4. Select the Custom rules tab.

You can then modify the duplicated rules and, if required, delete the prebuilt ones.

Download latest prebuilt Elastic rules


Starting with Elastic Stack 7.13.0, you can download the latest version of Elastic prebuilt rules outside of the regular release cycle. This lets you pick up the latest detection content before upgrading to the latest Elastic Stack.

To download the latest version of prebuilt rules:

  1. In Kibana, go to Management → Integrations.
  2. Search for "Prebuilt Security Detection Rules."
  3. Select the integration, then select the Settings tab. The integration settings page is displayed.

    install prebuilt settings
  4. Click Install Prebuilt Security Detection Rules assets.
  5. Click Install Prebuilt Security Detection Rules to confirm the installation.

    install prebuilt rules

Modify existing rules


You can clone, edit, activate, deactivate, and delete rules:

  1. Go to Detect → Rules.
  2. Do one of the following:

    • Click the All actions icon (...) on the appropriate row, then select the required action.
    • In the Rule column, select all the rules you want to modify, then select the required action from the Bulk actions menu.
  3. To activate or deactivate a rule, click the Activated toggle button.

For prebuilt rules, you can only activate, deactivate, delete, edit rule actions, and add exceptions.

Export and import rules


You can export detection rules to an .ndjson file, which you can then import into another Elastic Security environment.

Detection rule actions are included in the exported file, but the connectors used by the actions are not included.

Use the Saved Objects UI in Kibana (Stack Management → Kibana → Saved Objects) to export and import any connectors used by your detection rule actions before you export and import the detection rules.

To export and import detection rules:

  1. Go to Detect → Rules.
  2. To export rules:

    1. In the All rules table, select the rules you want to export.
    2. Select Bulk actions → Export selected, then save the exported file.

      You cannot export Elastic prebuilt rules.

  3. To import rules:

    You need at least Read privileges for the Action and Connectors feature to import rules with actions. If you’re importing rules without actions, Action and Connectors feature privileges are not required. Refer to Enable and access detections for more information.

    1. Click Import rules.
    2. Drag and drop the file that contains the detection rules.

      Imported rules must be in an .ndjson file.

    3. Select Overwrite existing detection rules with conflicting Rule ID to update existing rules that match any rules in the import file. Configuration data included with the rules, such as actions, is also overwritten.
    4. Click Import rule.
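As an added example (not part of the Elastic documentation or the Elastic Security app), the following Python script inspects an exported rules .ndjson file before it is imported into another environment: it lists the connector ids referenced by rule actions (which, as noted above, are not in the export and must be moved via Saved Objects), flags any rule_id that would conflict with rules already in the target, and reports duplicated rule_ids and prebuilt rules. The sample export is constructed; the rule fields used (rule_id, name, immutable, actions[].id) follow the detection rules API, while the trailing summary line's keys are an assumption about the export format.

```python
import json
from collections import Counter

# Constructed sample export: two custom rules (one with a Slack action) and a
# trailing summary line. Connector and rule ids are made-up placeholders.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"rule_id": "11111111-aaaa-4bbb-8ccc-000000000001",
                "name": "Suspicious cron edit", "immutable": False, "enabled": True,
                "actions": [{"id": "connector-slack-constructed", "action_type_id": ".slack",
                             "group": "default", "params": {"message": "{{context.rule.name}}"}}]}),
    json.dumps({"rule_id": "11111111-aaaa-4bbb-8ccc-000000000002",
                "name": "New local admin", "immutable": False, "enabled": False, "actions": []}),
    # Export summary line (assumed shape); it carries no rule_id and is skipped.
    json.dumps({"exported_count": 2, "exported_rules_count": 2,
                "missing_rules": [], "missing_rules_count": 0}),
])


def audit_export(ndjson_text, existing_rule_ids=()):
    """Parse an exported rules .ndjson and report what an import will need.

    existing_rule_ids: rule_ids already present in the target environment;
    any match is reported as a conflict that the overwrite option would replace.
    """
    rule_ids, connectors, immutable = [], set(), []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if "rule_id" not in obj:          # summary line or unrelated object
            continue
        rule_ids.append(obj["rule_id"])
        if obj.get("immutable"):          # prebuilt Elastic rules are immutable
            immutable.append(obj["rule_id"])
        for action in obj.get("actions", []):
            if "id" in action:            # connector saved-object id
                connectors.add(action["id"])
    dupes = sorted(r for r, n in Counter(rule_ids).items() if n > 1)
    conflicts = sorted(set(rule_ids) & set(existing_rule_ids))
    return {"rules": len(rule_ids), "rule_ids": sorted(rule_ids),
            "duplicate_rule_ids": dupes, "conflicting_rule_ids": conflicts,
            "connector_ids": sorted(connectors), "immutable_rule_ids": immutable}


if __name__ == "__main__":
    print(json.dumps(audit_export(SAMPLE_NDJSON), indent=2))
```

Run it against a real export with a set of rule_ids pulled from the target environment to see which rules the Overwrite option would replace.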