Loading

Configure access to the experimental alerting system

To use the experimental alerting system, your role needs specific Kibana feature privileges and, if you're querying alerting data in Discover, Elasticsearch index privileges. Create or update a role and add the privileges that match the tasks your team performs.

This page is organized by user activity. Most privileges are set under the Alerting category in Kibana role management. Exceptions are noted in each section.

Note

This page covers access to the experimental alerting system features and data. Depending on how your rules and notifications are configured, your role might also need read index privileges on the indices their rules query and Actions and Connectors: All (under Management) to create or edit workflow connectors. Refer to Kibana role management for guidance on building roles that combine privileges across features.

The following table shows the minimum privileges required for each activity. Higher privilege levels include the access shown here. Refer to the following sections for the full breakdown.

To... Minimum required
Author and manage rules Rules: All (under Alerting)
Monitor rule execution Execution history: Read (under Alerting)
Triage alert episodes Alerts: All (under Alerting)
Configure notifications Action Policies: All (under Alerting) + Workflows: Read (under Analytics > Workflows)
Query .rule-events and .alert-actions in Discover Discover: Read (under Analytics > Discover) + Alerts: Read (Elasticsearch read access is bundled automatically)
Query .kibana-event-log-* in Discover Discover: Read (under Analytics > Discover) + custom role with read index privilege on .kibana-event-log-*

These privileges control who can create rules and review their execution history.

The Rules privilege controls who can create and manage rules.

Level What you can do
All Create, edit, delete, enable, and turn off rules
Read View rules and their configuration
Note

Rules: All also grants access to the Alerts menu in Discover, which routes rule creation to the experimental alerting system rule form when the system is enabled in your space.

The Execution history privilege controls who can view rule execution history. Execution history is read-only; both All and Read grant the same access. There is no write surface for execution history.

Level What you can do
All View rule execution history
Read View rule execution history

The Alerts privilege controls who can take triage actions on alert episodes.

Level What you can do
All Acknowledge, snooze, assign, tag, activate, and deactivate alert episodes
Read View alert episodes
Note

Granting Alerts: All or Alerts: Read also gives the role direct Elasticsearch read access to .rule-events and .alert-actions, scoped to that role's spaces. This is bundled into the privilege — no separate custom role or index privilege is needed to query these data streams in Discover.

These privileges control who can set up the action policies and workflows that route alert episode notifications.

The Action Policies privilege controls who can manage the policies that route alert episode notifications.

Level What you can do
All Create, update, delete, snooze, and unsnooze action policies
Read View action policies
Note

Having Action Policies: All does not include the ability to create or edit rules. Add Rules: All if rule management is also required.

Action policies route notifications through workflows. The Workflows privilege is set under Analytics > Workflows in Kibana role management. To create or manage action policies, your role also needs access to the workflows they reference.

Level What you can do
All Create and edit workflows; view and select existing workflows in action policies
Read View and select existing workflows in action policies

The experimental alerting system writes rule output and episode data to three queryable data sources. To query them in Discover using ES|QL, your role needs Kibana feature access and Elasticsearch index access.

Set Discover privileges under Analytics > Discover in Kibana role management.

Level What you can do
All Run ES|QL queries against rule events, alert actions, and execution history in Discover
Read Run ES|QL queries against rule events, alert actions, and execution history in Discover

Both levels grant the same query access. There is no write surface for any of these data sources in Discover.

For .rule-events and .alert-actions, Elasticsearch read access is bundled into the Alerts Kibana privilege. For .kibana-event-log-*, a custom role is still required.

Data source What it stores How to grant access
.rule-events A record for every rule evaluation; one document per result row per run Automatic with Alerts: All or Alerts: Read. If access is missing, grant read using a custom role as a fallback.
.alert-actions Episode action records: acknowledge, snooze, resolve, assign, and other triage operations Automatic with Alerts: All or Alerts: Read. If access is missing, grant read using a custom role as a fallback.
.kibana-event-log-* Action policy dispatch outcomes written by the dispatcher: dispatched, throttled, and unmatched Custom role with read index privilege. Not covered by the automatic grant.

With access configured, you're ready to start using the experimental alerting system:

  • Create your first rule: Follow the tutorial to create an ES|QL rule, load sample data, and watch the alert episode lifecycle from breach through automatic recovery.