Watcher vs Detection Rule

I'm trying to get a better understanding of the two. Can someone explain to me the difference between a watcher and a detection rule?

Welcome to the community.

Watcher was built for Elasticsearch a long time ago. It's a very powerful and flexible way to create scheduled checks on the data and execute an action. However, it also has some limits, needs to be configured via JSON, and can feel a little complex for new users.

The detection engine is made for Security use cases. It's based on Kibana alerting and is configured via the UI. It has different rule types to solve specific challenges, like finding sequences of events or looking up values in threat detection lists.

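As an added illustration (example code written for this page, not from the thread above or from Elastic's own tooling), here is the same SSH-abuse scenario expressed both ways: a Watcher watch that runs a scheduled aggregation and fires a webhook when its condition holds, and a detection-engine rule of type `eql` whose `sequence ... with maxspan` expresses "failure then success on the same host" directly. The two small evaluators at the bottom run the watch condition and an approximation of the EQL sequence over a handful of constructed ECS-style events, so you can see that the two definitions answer different questions. Index names, the webhook URL, the `rule_id`, and the event data are all hypothetical; the EQL sequence evaluator is a local approximation, not Elasticsearch's engine.

```python
"""Watcher watch vs. detection-engine rule for the same SSH scenario.

Added example; index names, rule_id, webhook URL and events are invented.
"""
import json
from datetime import datetime, timedelta

# Constructed events with ECS-style field names (not real log data).
EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "host.name": "web-01", "event.action": "ssh_login", "event.outcome": "failure", "user.name": "root"},
    {"@timestamp": "2024-05-01T10:00:30Z", "host.name": "web-01", "event.action": "ssh_login", "event.outcome": "failure", "user.name": "root"},
    {"@timestamp": "2024-05-01T10:04:00Z", "host.name": "web-01", "event.action": "ssh_login", "event.outcome": "success", "user.name": "root"},
    {"@timestamp": "2024-05-01T10:00:00Z", "host.name": "web-02", "event.action": "ssh_login", "event.outcome": "failure", "user.name": "deploy"},
    {"@timestamp": "2024-05-01T11:30:00Z", "host.name": "web-02", "event.action": "ssh_login", "event.outcome": "success", "user.name": "deploy"},
]


def watch_definition():
    """Body for `PUT _watcher/watch/ssh-failure-burst`: schedule, search input,
    script condition, action. Asks: did any host log >= 5 failures in 10 minutes?"""
    return {
        "trigger": {"schedule": {"interval": "5m"}},
        "input": {"search": {"request": {
            "indices": ["logs-*"],  # hypothetical index pattern
            "body": {
                "size": 0,
                "query": {"bool": {"filter": [
                    {"term": {"event.action": "ssh_login"}},
                    {"term": {"event.outcome": "failure"}},
                    {"range": {"@timestamp": {"gte": "now-10m"}}},
                ]}},
                "aggs": {"by_host": {"terms": {"field": "host.name", "min_doc_count": 5}}},
            }}}},
        "condition": {"script": {"source": "ctx.payload.aggregations.by_host.buckets.size() > 0"}},
        "actions": {"notify_soc": {"webhook": {
            "method": "POST",
            "url": "https://soc.example.invalid/hook",  # hypothetical endpoint
            "body": "{{#toJson}}ctx.payload.aggregations.by_host.buckets{{/toJson}}",
        }}},
    }


def detection_rule():
    """Body for `POST /api/detection_engine/rules` in Kibana: an EQL sequence rule.
    Asks: on one host, did a failure get followed by a success within 10 minutes?"""
    return {
        "rule_id": "ssh-failure-then-success",  # hypothetical id
        "name": "SSH failure followed by success on same host",
        "description": "Possible password guessing that ended in a valid login.",
        "type": "eql",
        "language": "eql",
        "index": ["logs-*"],
        "query": (
            "sequence by host.name with maxspan=10m "
            '[any where event.action == "ssh_login" and event.outcome == "failure"] '
            '[any where event.action == "ssh_login" and event.outcome == "success"]'
        ),
        "risk_score": 47,
        "severity": "medium",
        "interval": "5m",
        "from": "now-11m",  # overlap the interval slightly so no events are skipped
        "enabled": True,
    }


def failure_buckets(events, min_doc_count=5):
    """Local stand-in for the watch's terms aggregation over the constructed events."""
    counts = {}
    for e in events:
        if e["event.action"] == "ssh_login" and e["event.outcome"] == "failure":
            counts[e["host.name"]] = counts.get(e["host.name"], 0) + 1
    return [{"key": h, "doc_count": n} for h, n in sorted(counts.items()) if n >= min_doc_count]


def watch_condition_met(search_response):
    """Same test as the watch's Painless condition, evaluated over a search response."""
    return len(search_response["aggregations"]["by_host"]["buckets"]) > 0


def sequence_hits(events, maxspan=timedelta(minutes=10)):
    """Approximation of the EQL `sequence by host.name with maxspan`: per host, a
    success that follows the most recent failure within maxspan yields one hit."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        by_host.setdefault(e["host.name"], []).append(e)
    hits = []
    for host, evs in by_host.items():
        pending = None  # timestamp of the latest unmatched failure
        for e in evs:
            ts = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
            if e["event.outcome"] == "failure":
                pending = ts
            elif e["event.outcome"] == "success" and pending is not None and ts - pending <= maxspan:
                hits.append(host)
                pending = None
    return hits


if __name__ == "__main__":
    print(json.dumps(watch_definition(), indent=2))
    print(json.dumps(detection_rule(), indent=2))
    resp = {"aggregations": {"by_host": {"buckets": failure_buckets(EVENTS)}}}
    print("watch would fire:", watch_condition_met(resp))
    print("sequence rule hits:", sequence_hits(EVENTS))
```

On the constructed events the watch stays silent (no host reaches five failures) while the sequence rule flags `web-01`, which is the practical difference the answer points at: Watcher gives you a scheduled query plus an action and leaves the logic to you, whereas the detection engine ships rule types whose logic (sequences, threshold counts, threat-list lookups) is already built in and surfaced in the Security UI.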