Learn to create custom detection rules in Elastic Security. We cover best practices for using ES|QL and Elastic AI Assistant for threat detection to add vital context. Discover how to preview, test, and enhance rules to improve security operations.

When do you need custom detection rules?

Detection rule creation process

Prerequisite: Define the focus area

Step 1. Create and refine detection logic

Scenario 1: Hunt through noisy potential privilege escalation activity

Field statistics of over 8,000 documents in Discover

2290

2.png

Elastic AI Assistant ES|QL query creation

Screenshot 2025-08-21 at 11.09.39 AM.png

Updated query and results in Timeline view

4.png

Scenario 2: Detect CloudTrail evasion technique

KQL query and results for detection use case in Discover view

5.png

Step 2. Create a rule with relevant context

6.png

Add detection and response context

Additional detection rule context for analysts

7.png

Set up automated response actions

8.png

Step 3. Preview and test the rule

9.png

Alerts table showing three triggered alerts

10.png

11.png

Step 4. Deploy rule to production

12.png

Empowering security teams  

Try it yourself! Connect with us and contribute

Learn to create custom detection rules in Elastic Security following real detection use cases.

alim-5piO7pjdBrM-unsplash.jpg

Building effective threat hunting and detection rules in Elastic Security

Get a glimpse of the newest report from Elastic Security Labs: the 2025 State of Detection Engineering at Elastic! 

A dedication to detections

Behind the scenes

The discussion continues

The 2025 State of Detection Engineering at Elastic explores how we create, maintain, and assess our SIEM and EDR rulesets. 

SDE-blog.png

Elastic Security Labs provides an under-the-hood look at its detection engineering processes

Start free trial

Blog Footer CTA

Sign up for Elastic Cloud free trial

Isai-Anthony.jpg

Security Research Engineer I

Isai Anthony

Надсилаючи цю форму ви погоджуєтеся з <a href="/legal/terms-of-use">Умовами надання послуг Elastic</a>. Ваші особисті дані будуть опрацьовані відповідно з <a href="/legal/privacy-statement">Положеннями про конфіденційність Elastic</a>.

Newsletter GDPR Text - Ukrainian

By submitting you acknowledge that you've read and agree to our <a href="/legal/elastic-cloud-account-terms" target="_self">Terms of Service</a>, and you agree to receive the <a href="/legal/privacy-statement#how-we-use-the-information" target="_self">selected communications</a> at the contact details you provided above. See <a href="/legal/privacy-statement/" target="_self">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.

Communication Preferences - ONLY for /communication-preferences

By submitting you agree to <a href="/agreements/global/cloud-services-monthly" rel="nofollow">Elastic Cloud Terms of Service</a>. Your personal data will be processed in accordance with <a href="/legal/privacy-statement">Elastic's Privacy Statement</a>.

Cloud Trial GDPR Text

Intentionally Blank

By submitting you acknowledge that you've read and agree to our <a href="/legal/serverless-preview-terms" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.

Serverless GDPR Text

提交即表示您確認已詳閱並同意我們的<a href="/legal/elastic-cloud-account-terms" target="_blank">服務條款</a>，且同意 Elastic 使用您在上方提供的個人資料<a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">與您聯絡</a>，為您提供相關產品和服務的資訊。如需詳細說明或隨時想停止收到產品和服務資訊，請參閱 <a href="/legal/privacy-statement/" target="_blank">Elastic 的隱私聲明</a>。

Newsletter GDPR Text - TW

By submitting you acknowledge that you've read and agree to our <a href="/legal/elastic-cloud-account-terms" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.By submitting this form, I agree to Elastic sharing my contact information with Google Cloud. I also agree to Elastic giving my information to the vendor for the purpose of shipping my food package.

GDPR Text + Google Cloud

Inviando la registrazione (1) esprimi il consenso ai <a href="/legal/terms-of-use">termini e condizioni di Elastic</a> e <a href="/legal/privacy-statement">all’informativa sulla privacy</a>, nonché (2) a ricevere saltuarie e-mail.

Newsletter GDPR Text - Italian

By submitting you acknowledge that you've read and agree to our <a href="/legal/terms-of-use" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.

Newsletter GDPR Text

Load more

Overview

Can't make it? Register and we'll send you the recording. You'll also receive an email with related content

Can't make it? Register and we'll send you the recording. You'll also receive an email with related content.

You'll also receive an email with related content.

You'll also receive an email with related content

Speakers

Close

See more insights

The content on this page is not available in the selected language. As Elastic grows globally, we continue to support content in multiple languages.

Author

Articles by Isai Anthony

Security Research Engineer I

Building effective threat hunting and detection rules in Elastic Security

Elastic Security Labs provides an under-the-hood look at its detection engineering processes

Follow us

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards