Detection rule monitoring dashboard
The Detection rule monitoring dashboard provides visualizations to help you monitor the overall health and performance of Elastic Security’s detection rules. Consult this dashboard for a high-level view of whether your rules are running successfully and how long they’re taking to run, search data, and create alerts.

Requirements
To access this dashboard and its data, you must have the appropriate user role.
Visualization data and types
The dashboard presents a variety of information about your detection rules. Visualizations display and calculate data within the time range and filters selected at the top of the dashboard.
The following visualizations are included:
- Rule KPIs (key performance indicators): The total number of rules enabled, how many times they collectively ran, and their response statuses.
- Executions by rule type: Rule executions over time, broken down by rule type.
- Executions by status: Rule executions over time, broken down by status.
- Total rule execution duration: How long rules take to run, from start to finish.
- Rule schedule delay: The delay between a rule’s scheduled start time and when it actually starts running.
- Search/query duration: How long rules take to query source indices or data views.
- Indexing duration: How long rules take to generate alerts and write them to the .alerts-security.alerts-* index.
- Top 10 rules: Lists of the overall slowest rules, most delayed rules, and rules with the most Failed and Warning response statuses.
Visualization panel actions
Open a panel’s options menu to customize the panel or use its data for further analysis and investigation:
- Edit panel settings: Customize the panel’s display settings. Options vary by visualization type.
- Inspect: Examine the panel’s underlying data and queries.
- Explore data in Discover: Open Discover with preloaded filters to display the panel’s data.
- Maximize panel: Expand the panel.
- Download as CSV: Download the panel’s data in a CSV file.
- Copy to dashboard: Copy the panel to an existing or new dashboard.
- Add to existing case: Add the panel to an existing case.
- Add to new case: Create a new case and add the panel to it.
- Create anomaly detection job: Create a machine learning anomaly detection job using the panel’s data.
Clone and edit the dashboard
To make persistent changes to the dashboard, you can clone the dashboard and edit the cloned copy, but your copy will not get updates from Elastic.
- Click Edit, then Save as.
- On the Save dashboard dialog, enter a new Title for your cloned copy.
- Make sure Save as new dashboard is selected, then click Save. You can now make additional changes and save them to your copy.