Create, tune, and manage Elastic Security detection rules. Use for false positive tuning, adding exceptions, creating new detection coverage, finding noisy rules, enabling/disabling rules, or any detection engineering task. Also trigger for "detection rules", "noisy rules", "false positives", "add exception", "create rule", or "tune rule".
インストール
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
Create, tune, and manage Elastic Security detection rules. Use for false positive tuning, adding exceptions, creating new detection coverage, finding noisy rules, enabling/disabling rules, or any detection engineering task. Also trigger for "detection rules", "noisy rules", "false positives", "add exception", "create rule", or "tune rule".
Detection Rule Management
Manage detection rules using the elastic-security MCP connector. The manage-rules tool renders an interactive
rule management dashboard.
Tools (via elastic-security MCP connector)
Tool
Purpose
manage-rules
Browse/search rules with interactive dashboard. Params: filter (KQL)
threat-hunt
Test queries against live data before creating rules
The dashboard supports searching rules, viewing details, enabling/disabling, validating queries, and viewing noisy rules.
Rule Types
Type
Use case
Example
query (KQL)
Simple field matching
process.name: "mimikatz.exe"
eql
Behavioral sequences
Process A spawns B within 5 minutes
esql
Analytics/aggregations
Complex joins or transformations
threshold
Count/frequency
>10 failed logins in 5 minutes
threat_match
IOC correlation
Match against malicious IP indicators
new_terms
First-time activity
User logs into host for first time
Tuning Strategy (in order of preference)
Add exception — Known-good process/user/host. Does not modify the rule query.
Tighten the query — Exclude FP pattern from the rule query itself.
Adjust threshold/suppression — Increase threshold or enable alert suppression.
Reduce risk score/severity — Downgrade priority if rule has some value but is noisy.
Disable the rule — Last resort. Only if rule provides no value.
Creating New Rules
Define the threat (MITRE technique, data sources, malicious vs legitimate behavior)
Test the query with threat-hunt against live data
Create via the dashboard or ask Claude to help construct the rule JSON