---
title: Advanced data source configuration
description: Deployment-level data source settings that affect detection rule behavior across your environment.
url: https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/advanced-data-source-configuration
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Advanced data source configuration
These pages cover deployment-level data settings that affect detection rule behavior. Unlike [per-rule data source settings](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/set-rule-data-sources), which apply to individual rules, the configurations below affect how your entire environment interacts with the detection engine.
Most users don't need these pages during initial setup. Review them if any of the following apply to your environment:
<definitions>
  <definition term="Cross-cluster search and detection rules">
    Relevant if your data is spread across multiple Elasticsearch clusters and you need detection rules on one cluster to query indices on another. Covers establishing trust between clusters, remote cluster connections, and how to reference remote indices in rule index patterns. Elastic Stack only.
  </definition>
  <definition term="Using logsdb index mode with Elastic Security">
    Relevant if your indices use logsdb index mode (enabled by default in Serverless). Explains how synthetic `_source` reconstruction can affect field formatting in alerts and rule queries, and what to watch for when writing rules against logsdb-backed indices.
  </definition>
</definitions>