Advanced data source configuration

These pages cover deployment-level data settings that affect detection rule behavior. Unlike per-rule data source settings, which apply to individual rules, the configurations below affect how your entire environment interacts with the detection engine.

Most users don't need these pages during initial setup. Review them if any of the following apply to your environment:

Cross-cluster search and detection rules
Relevant if your data is spread across multiple Elasticsearch clusters and you need detection rules on one cluster to query indices on another. Covers trust setup, remote cluster connections, and how to reference remote indices in rule index patterns. Elastic Stack only.
Using logsdb index mode with Elastic Security
Relevant if your indices use logsdb index mode (enabled by default in Serverless). Explains how synthetic _source reconstruction can affect field formatting in alerts and rule queries, and what to watch for when writing rules against logsdb-backed indices.