Elastic Security Labs explains how to define and deploy Elastic Security detection rules and rule exceptions as code with the Elastic Stack Terraform Provider, presenting the detection-rules repository as a complementary path. The article notes that, as of v0.12.0 and v0.13.0 of the provider, detection rules and rule exceptions can be managed as Terraform resources, so a detection-as-code workflow (version-controlled definitions, reviewed changes, repeatable deployment) applies to detections such as interactive logons by Windows service accounts.
It walks through an example ES|QL rule that detects interactive logons by Windows service accounts, paired with an exception item that permits known legacy interactive logons in specific cases; both are defined as Terraform resources, elasticstack_kibana_security_detection_rule for the rule and elasticstack_kibana_security_exception_item for the exception.
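The following configuration is an added illustration of that rule-plus-exception pattern; it is not the article's own example and not code from the provider project. The ES|QL query, the svc_ naming convention, the index pattern, the endpoint, the exception list resource and the attribute names and shapes (exceptions_list, entries, expire_time) are assumptions from the provider's documentation as the editor recalls it and must be checked against the published schema for the provider version in use before running terraform plan.

```hcl
terraform {
  required_providers {
    elasticstack = {
      source  = "elastic/elasticstack"
      version = ">= 0.13.0" # detection rule and exception item resources (assumption: minimum version)
    }
  }
}

provider "elasticstack" {
  kibana {
    endpoints = ["https://kibana.example.internal:5601"] # placeholder endpoint
    api_key   = var.kibana_api_key                        # supply via TF_VAR_kibana_api_key, never hard-code
  }
}

variable "kibana_api_key" {
  type      = string
  sensitive = true
}

# Exception list that the rule consults. Keeping the list in state means an
# exception added by hand in Kibana shows up as drift at the next plan.
# (assumption: resource name and attributes)
resource "elasticstack_kibana_security_exception_list" "legacy_svc_logons" {
  list_id        = "legacy-svc-interactive-logons"
  name           = "Legacy service accounts permitted to log on interactively"
  description    = "Every item must cite a change record and carry an expiry."
  type           = "detection"
  namespace_type = "single"
}

# One tracked exception: a single account on a single host, time-boxed.
# Scoping on both user.name and host.name avoids silencing the rule for the
# account everywhere. (assumption: attribute names and entries shape)
resource "elasticstack_kibana_security_exception_item" "legacy_app_server" {
  list_id        = elasticstack_kibana_security_exception_list.legacy_svc_logons.list_id
  name           = "svc_legacyapp interactive logon on app01 (change record: placeholder)"
  description    = "Vendor scheduler needs an interactive session until the host is decommissioned."
  type           = "simple"
  namespace_type = "single"
  expire_time    = "2026-09-30T00:00:00Z" # exception lapses automatically; renew deliberately

  entries = [
    { field = "user.name", operator = "included", type = "match", value = "svc_legacyapp" },
    { field = "host.name", operator = "included", type = "match", value = "app01.corp.example" },
  ]
}

# ES|QL rule: Windows 4624 with an interactive logon type for an account that
# follows the svc_ naming convention (assumption). Logon types 2 (console),
# 10 (RemoteInteractive) and 11 (CachedInteractive) are the interactive ones.
resource "elasticstack_kibana_security_detection_rule" "svc_interactive_logon" {
  name        = "Interactive logon by a service account"
  description = "Service accounts should authenticate non-interactively; an interactive logon suggests credential misuse or an operator bypassing process."
  type        = "esql"
  language    = "esql"
  query       = <<-EOT
    FROM logs-system.security-*
    | WHERE event.code == "4624"
      AND winlog.event_data.LogonType IN ("2", "10", "11")
      AND STARTS_WITH(TO_LOWER(user.name), "svc_")
    | KEEP @timestamp, host.name, user.name, winlog.event_data.LogonType, source.ip
  EOT
  severity   = "medium"
  risk_score = 47
  enabled    = true
  from       = "now-6m" # one minute of overlap over the 5m interval to absorb ingest lag
  interval   = "5m"
  tags       = ["Windows", "Credential Access", "detection-as-code"]

  # Attach the list so exceptions are evaluated at alert time. (assumption: block shape)
  exceptions_list {
    id             = elasticstack_kibana_security_exception_list.legacy_svc_logons.id
    list_id        = elasticstack_kibana_security_exception_list.legacy_svc_logons.list_id
    namespace_type = "single"
    type           = "detection"
  }
}
```

Usage follows the normal Terraform loop: terraform init, terraform plan to see exactly which rule fields or exception entries differ from what is deployed, then terraform apply after review. Because the exception is its own resource with an expire_time, the CI pipeline can fail a plan that extends an expiry without an accompanying change record, which is the control that tends to get lost when exceptions are clicked into Kibana by hand.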
The piece also highlights the Elastic AI Agent's role in generating Terraform configurations and compares the Elastic Stack Terraform Provider with the detection-rules approach, outlining which users and workflows each suits best. Published on 13 March 2026, the post emphasises that detections can be managed across multi-space deployments with Terraform workspaces, and that drift between the deployed rules and their declared state surfaces in terraform plan before any change is applied.