
Cross-project search and detection rules

When cross-project search is enabled and you have linked projects, detection rules query data across linked projects based on the space-level cross-project search scope. You cannot set a cross-project search scope on individual rules.

When you open a rule to create or edit it, the CPS (cross-project search) scope selector in the header shows the current cross-project search scope but is read-only. To change which projects rules query, update the cross-project search scope configured for the space.

For ES|QL rules, you can use SET project_routing in the rule query to target specific linked projects, overriding the space-level scope. For non-ES|QL rules that use index patterns, you can use qualified index expressions to scope the rule to specific projects.

Note

Machine learning rules don't support cross-project search. Machine learning rules search data in the origin project only.