Customizing and updating prebuilt SIEM detection rules just got easier, improving precision, enabling broader coverage, and saving time.

Customizing and updating prebuilt detection rules is now easier than ever with Elastic Security. We’ve streamlined detection engineering workflows and enabled greater use case coverage with out-of-the-box SIEM detection rules.
Elastic Security Labs provides 1,300+ expert-written detection rules that map to tactics, techniques and procedures (TTPs) across the MITRE ATT&CK framework. Our research engineers actively maintain and hone these rules, delivering biweekly updates to help you stay ahead of evolving threats — without the burden of manual maintenance.
Security teams often tailor these prebuilt detections to meet specific needs, whether by modifying data sources, refining detection logic, optimizing alert suppression, or configuring automations. Starting with our 8.18 and 9.0 releases, detection engineers can apply Elastic-provided rule updates without losing custom modifications — eliminating the need to duplicate rules and copy over changes.
Value and challenges of detection engineering
Detection engineering is the foundation of security operations. It turns logs and data into alerts that signal the security operations center (SOC) to act. Detection engineers create focused and prioritized visibility into threats once they are observed in the data collected from the environment, and optimize the detection output for further investigation and response.
As technology, threats, and organizations change ever faster, detection engineers must adapt to produce and maintain relevant detections.
Security teams are tasked with a growing list of responsibilities, so efficiency is key. To maximize their impact, teams must strike a balance: leveraging prebuilt security content to detect common threats while creating custom detections for their specific use cases. Smart security teams harness the full range of SIEM detection capabilities, follow best practices, find opportunities for automation, and keep team skills current.
Detection adaptability is the key to success
For years, Elastic Security has provided prebuilt detection rules to our users, opened up the detection logic, and shared valuable resources for detection engineers.
Out-of-the-box content comes with broad coverage but may need to be tailored to the organization’s specific needs for optimal results. In fact, customizing prebuilt rules to suit your needs is a key best practice for an advanced detection program.
Now, with the release of Elastic Security 8.18 and 9.0, we streamline the experience of using prebuilt rules, allowing you to seamlessly modify them without duplicating the rule. Whatever you need to adjust — index pattern or data view name, tags, detection logic, alert suppression settings, or any other aspect of our prebuilt rules — you can do so by simply editing them.

You can edit prebuilt rules individually or change multiple rules at once with bulk actions.

We continually review, test (both internally and with our community!), and refresh our existing rules to ensure they deliver value. Our biweekly rule releases provide new and updated rules and timelines, available right in Elastic Security. In 2024 alone, we issued more than 2,420 updates to our rule library.
Rule updates reduce false positives and increase alert fidelity by honing detection logic based on threat research, telemetry insights, user feedback, and data source changes. Updates to investigation guides provide additional context and guidance for triaging and investigating alerts and taking action.
Alongside the newly released prebuilt rule editing feature, we provide an improved rule update experience. It compares incoming changes to the current version of the rule, highlights user modifications, proposes a final update that merges user and Elastic modifications, and lets you edit that proposal before applying it.

Looking at the Rule Updates table, detection engineers can see which rules require their attention, and they can filter by modified/non-modified rules and sort by severity and risk score to ensure they focus on updating the priority rules first.

As mentioned above, users can now change rule details like data source, detection logic, schedule, and more without choosing between losing their modifications or not applying the updates. Elastic Security facilitates the upgrade process for modified rules, combining user changes with Elastic updates, and allows modification of any other relevant fields.
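To make the merge behaviour described above concrete, the following is an added illustrative model (not Elastic's own implementation) of a three-way merge over rule fields: the prebuilt rule as installed (base), the locally edited copy (current) and the new Elastic release (target). The rule, its field names and values are constructed for this example; fields edited on only one side take that side's value, lists edited on both sides are combined, and scalars edited on both sides are flagged for the engineer to review.

```python
"""Illustrative three-way merge of prebuilt detection-rule fields (not Elastic's code)."""
import copy

# Constructed sample: BASE is the prebuilt rule as installed, CURRENT is the
# user's locally edited copy, TARGET is the vendor's new release of the rule.
BASE = {
    "name": "Suspicious Child Process",
    "index": ["logs-endpoint.events.*"],
    "query": 'process where event.type == "start" and process.name == "example.exe"',
    "tags": ["Domain: Endpoint"],
    "severity": "medium",
    "version": 3,
}
CURRENT = copy.deepcopy(BASE)  # local modifications by the detection engineer
CURRENT["index"].append("logs-custom_edr.*")
CURRENT["tags"].append("Team: Blue")
CURRENT["severity"] = "high"
TARGET = copy.deepcopy(BASE)  # vendor update released later
TARGET["query"] = BASE["query"] + ' and not process.parent.name == "installer.exe"'
TARGET["tags"].append("Tactic: Execution")
TARGET["severity"] = "critical"
TARGET["version"] = 4


def merge_field(base, current, target):
    """Return (value, outcome) for one field of a three-way merge."""
    if current == target:
        return current, "unchanged"    # both sides agree (or neither changed it)
    if current == base:
        return target, "take_update"   # only the vendor changed it
    if target == base:
        return current, "keep_custom"  # only the user changed it
    if all(isinstance(v, list) for v in (base, current, target)):
        # Both edited a list: keep base items neither side removed, then append additions.
        merged = [v for v in base if v in current and v in target]
        for v in current + target:
            if v not in base and v not in merged:
                merged.append(v)
        return merged, "merged_list"
    return current, "conflict"         # scalar edited by both: needs review


def three_way_merge(base, current, target):
    """Merge every field; return the proposed rule and the fields needing review."""
    result, conflicts = {}, []
    for key in sorted(base.keys() | current.keys() | target.keys()):
        value, outcome = merge_field(base.get(key), current.get(key), target.get(key))
        result[key] = value
        if outcome == "conflict":
            conflicts.append(key)
    return result, conflicts
```

Running `three_way_merge(BASE, CURRENT, TARGET)` keeps the custom index pattern, takes the updated query and version, combines both sides' tags, and reports `severity` as the one field that needs a human decision.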
The newly released improvements significantly reduce and simplify maintenance of detections, empowering your SOC to reap the benefits of prebuilt rules optimized for your environment and use cases.
This capability is generally available in Elastic Security 8.18 and 9.0 versions via the Elastic Security Enterprise subscription tier for self-managed and cloud deployments and the Security Analytics Complete tier on Elastic Cloud Serverless.
Try it out
To experience the full benefits of what Elastic has to offer for detection engineers, upgrade to 8.18 or start your Elastic Security free trial. Visit elastic.co/security to learn more and get started.
The release and timing of any features or functionality described in this post remain at Elastic’s sole discretion. Any features or functionality not currently available may not be delivered on time or at all.