Configure access to the experimental alerting system
To use the experimental alerting system, your role needs specific Kibana feature privileges and, if you're querying alerting data in Discover, Elasticsearch index privileges. Create or update a role and add the privileges that match the tasks your team performs.
This page is organized by user activity. Most privileges are set under the Alerting category in Kibana role management. Exceptions are noted in each section.
This page covers access to the experimental alerting system features and data. Depending on how your rules and notifications are configured, your role might also need read index privileges on the indices their rules query and Actions and Connectors: All (under Management) to create or edit workflow connectors. Refer to Kibana role management for guidance on building roles that combine privileges across features.
The following table shows the minimum privileges required for each activity. Higher privilege levels include the access shown here. Refer to the following sections for the full breakdown.
| To... | Minimum required |
|---|---|
| Author and manage rules | Rules: All (under Alerting) |
| Monitor rule execution | Execution history: Read (under Alerting) |
| Triage alert episodes | Alerts: All (under Alerting) |
| Configure notifications | Action Policies: All (under Alerting) + Workflows: Read (under Analytics > Workflows) |
Query .rule-events and .alert-actions in Discover |
Discover: Read (under Analytics > Discover) + Alerts: Read (Elasticsearch read access is bundled automatically) |
Query .kibana-event-log-* in Discover |
Discover: Read (under Analytics > Discover) + custom role with read index privilege on .kibana-event-log-* |
These privileges control who can create rules and review their execution history.
The Rules privilege controls who can create and manage rules.
| Level | What you can do |
|---|---|
| All | Create, edit, delete, enable, and turn off rules |
| Read | View rules and their configuration |
Rules: All also grants access to the Alerts menu in Discover, which routes rule creation to the experimental alerting system rule form when the system is enabled in your space.
The Execution history privilege controls who can view rule execution history. Execution history is read-only; both All and Read grant the same access. There is no write surface for execution history.
| Level | What you can do |
|---|---|
| All | View rule execution history |
| Read | View rule execution history |
The Alerts privilege controls who can take triage actions on alert episodes.
| Level | What you can do |
|---|---|
| All | Acknowledge, snooze, assign, tag, activate, and deactivate alert episodes |
| Read | View alert episodes |
Granting Alerts: All or Alerts: Read also gives the role direct Elasticsearch read access to .rule-events and .alert-actions, scoped to that role's spaces. This is bundled into the privilege — no separate custom role or index privilege is needed to query these data streams in Discover.
These privileges control who can set up the action policies and workflows that route alert episode notifications.
The Action Policies privilege controls who can manage the policies that route alert episode notifications.
| Level | What you can do |
|---|---|
| All | Create, update, delete, snooze, and unsnooze action policies |
| Read | View action policies |
Having Action Policies: All does not include the ability to create or edit rules. Add Rules: All if rule management is also required.
Action policies route notifications through workflows. The Workflows privilege is set under Analytics > Workflows in Kibana role management. To create or manage action policies, your role also needs access to the workflows they reference.
| Level | What you can do |
|---|---|
| All | Create and edit workflows; view and select existing workflows in action policies |
| Read | View and select existing workflows in action policies |
The experimental alerting system writes rule output and episode data to three queryable data sources. To query them in Discover using ES|QL, your role needs Kibana feature access and Elasticsearch index access.
Set Discover privileges under Analytics > Discover in Kibana role management.
| Level | What you can do |
|---|---|
| All | Run ES|QL queries against rule events, alert actions, and execution history in Discover |
| Read | Run ES|QL queries against rule events, alert actions, and execution history in Discover |
Both levels grant the same query access. There is no write surface for any of these data sources in Discover.
For .rule-events and .alert-actions, Elasticsearch read access is bundled into the Alerts Kibana privilege. For .kibana-event-log-*, a custom role is still required.
| Data source | What it stores | How to grant access |
|---|---|---|
.rule-events |
A record for every rule evaluation; one document per result row per run | Automatic with Alerts: All or Alerts: Read. If access is missing, grant read using a custom role as a fallback. |
.alert-actions |
Episode action records: acknowledge, snooze, resolve, assign, and other triage operations | Automatic with Alerts: All or Alerts: Read. If access is missing, grant read using a custom role as a fallback. |
.kibana-event-log-* |
Action policy dispatch outcomes written by the dispatcher: dispatched, throttled, and unmatched |
Custom role with read index privilege. Not covered by the automatic grant. |
With access configured, you're ready to start using the experimental alerting system:
- Create your first rule: Follow the tutorial to create an ES|QL rule, load sample data, and watch the alert episode lifecycle from breach through automatic recovery.