Kibana alerting v2 alert actions

Alert actions are operations you perform on Kibana alerting v2 alerts to manage their lifecycle, suppress notifications, and organize your triage workflow. Each action is recorded in the .alerts-actions index for auditability and suppression tracking.

Available actions

Acknowledge and unacknowledge

Scope: per episode

Acknowledging an alert suppresses notifications for that specific episode. The alert continues through its lifecycle (the rule still evaluates and writes events), but the dispatcher records suppress with reason ack instead of dispatching to workflows.

Unacknowledge resumes notifications for the episode. If the alert is still active, notifications fire on the next dispatcher run.

Snooze and unsnooze

Scope: per series

Snoozing suppresses notifications for a specific series (rule + group key combination) for a configured duration. Unlike acknowledge, snooze is time-bound and applies to all episodes in the series, including future ones that start during the snooze window.

When the snooze expires, notifications resume automatically.

Deactivate and activate

Scope: per episode

Deactivating an episode stops lifecycle processing and notifications for that episode entirely. The rule continues running and can detect new episodes for the same series, but the deactivated episode is no longer tracked.

This is roughly analogous to "mark as untracked" in Kibana alerting v1.

Activate reverses a deactivation.

Action type — ack, unack, snooze, unsnooze, deactivate, activate, fire, suppress, notified.
Scope identifiers — rule_id, group_hash, episode_id.
Timestamp — when the action was taken.
User — who performed the action (for manual actions).

The dispatcher uses these records to determine suppression state during the notification pipeline.

Kibana alerting v2 alert actions

Available actions

Acknowledge and unacknowledge

Snooze and unsnooze

Deactivate and activate

Resolve

Assign

Edit tags

Set severity

Add to Cases

Action recording