Rules in the experimental alerting system
Rules are part of the experimental alerting system in Kibana. For rules in the existing Kibana alerting system, see Rules in Kibana alerting.
A rule is where the experimental alerting system starts. It points Kibana at the data you care about, describes what counts as a problem in ES|QL, and says how often to check. Alerts, action policies, and notifications all flow from what a rule detects.
On each run, a rule executes an ES|QL query against your data. If the query returns rows and the rule is in Signal mode, it writes a signal: a point-in-time record that the condition was met. In Alert mode, it additionally maintains an alert episode for each matched series, tracking state from the first breach through recovery.
When creating a rule, choose Signal mode to record and query results without alerting anyone, or Alert mode when you want to track issues and route notifications.
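The kind of query a rule runs on each schedule, as an added example that is not taken from the page or from Kibana itself. It assumes a `metrics-*` data stream carrying Metricbeat/ECS-style fields `host.name` and `system.cpu.total.norm.pct`, and a 5-minute lookback chosen to match a 5-minute schedule; change those names to fit your data. Each row the final `WHERE` lets through is one matched series (one host), which is what a Signal-mode run records and what an Alert-mode run tracks as an episode until the host stops appearing in the results.

```esql
// Added example, not from the original page. Assumed index pattern and field names.
// Scope the scan to the rule's own evaluation window so each run looks at fresh data only.
FROM metrics-*
| WHERE @timestamp > NOW() - 5 minutes
// One output row per host.name: this is the "series" the rule groups on.
| STATS avg_cpu = AVG(system.cpu.total.norm.pct) BY host.name
// The detection condition. Rows surviving this filter are the matches.
| WHERE avg_cpu > 0.9
| SORT avg_cpu DESC
// Cap the result set so a noisy fleet cannot produce an unbounded number of matches per run.
| LIMIT 100
```

Run the same query in Discover first: if it returns the hosts you expect, you can create the rule directly from there, and starting it in Signal mode lets you confirm the match volume before any action policy can route notifications.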
Rules only define what to detect. They don't control notifications, who gets notified, or when. That's the job of action policies: standalone objects, scoped to your space, that match alert episodes from any rule in that space. A rule has no say in which policies pick it up.
This separation means you can build and test a rule without anyone getting paged, update notification routing without touching the rule, and have multiple action policies respond to the same rule independently.
Rules in the experimental alerting system are created through a flyout that opens from the Create rule button in the rules list. Three options are available:
- Create ES|QL rule: Write the detection query as ES|QL directly, with a live preview of results and a YAML editor also available. Use this when you want full control over the query. See Create rules.
- Create with AI Agent: Describe what you want to detect in plain language. The AI agent generates a rule definition and walks you through reviewing and saving it. Use this when you know the problem but aren't sure how to write the ES|QL.
- Start from a rule builder: Choose a structured rule type and fill in a guided form. The builder generates the ES|QL query automatically. The Threshold Alert type is available. Use this when you want to create a standard metric-threshold rule without writing ES|QL by hand.
If you already have an ES|QL query working in Discover, you can also create a rule directly from there to skip re-entering the query.
The pages in this section cover:

- Author rules: Write the ES|QL query, choose Signal or Alert mode, and structure your data sources and conditions.
- Configure a rule: Set the schedule, grouping, activation thresholds, recovery conditions, and no-data behavior.
- View and manage rules: Enable, disable, clone, delete, and bulk-manage rules from the rules list.
- Rule Doctor: Analyze your rules for duplicates, stale conditions, threshold tuning opportunities, and coverage gaps. Rule Doctor surfaces findings with impact and confidence ratings and tracks each insight through an open → applied or dismissed lifecycle. Access it from the experimental alerting system navigation.