Kibana alerting v2 rules

A rule is where Kibana alerting v2 starts. It points Kibana at the data you care about, describes what counts as a problem in ES|QL, and says how often to check. Alerts, action policies, and notifications all flow from what a rule detects.

On each run, a rule executes an ES|QL query against your data. If the query finds a match and the rule is in Detect mode, it writes a signal, a point-in-time record that the condition was met. In Alert mode, it also maintains an alert episode for each matched series, tracking state from first breach through recovery.

When creating a rule, choose Detect mode to record and query results without alerting anyone, or Alert mode when you want to track issues and route notifications.
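As an added illustration, not a query from the Kibana documentation, this is the shape of ES|QL a rule runs on each check; the index pattern `logs-*` and the fields `event.category`, `event.outcome` and `host.name` are assumed. Each `host.name` that survives the final `WHERE` is one matched series: in Detect mode the run writes a signal for it, in Alert mode it also opens or updates that host's episode.

```esql
// Constructed example: hosts with more than 50 failed authentications
// in the last five minutes (the assumed fields follow ECS naming).
FROM logs-*
| WHERE @timestamp > NOW() - 5 minutes
    AND event.category == "authentication"
    AND event.outcome == "failure"
// One row per host; this is the series the episode tracks.
| STATS failures = COUNT(*) BY host.name
// The condition that counts as a problem; no rows means no signal.
| WHERE failures > 50
```

Test it in Detect mode first to see which hosts it would match, then switch to Alert mode once the threshold and window look right.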

Rules only define what to detect. They don't control notifications, who gets notified, or when. That's the job of action policies — global objects, scoped to your space, that match episodes from any rule. A rule has no say in which policies pick it up.

This separation means you can build and test a rule without anyone getting paged, update notification routing without touching the rule, and have multiple action policies respond to the same rule independently.

  • Author rules: Write the ES|QL query, choose Detect or Alert mode, and structure your data sources and conditions.
  • View and manage rules: Enable, disable, clone, delete, and bulk-manage rules from the rules list.