---
title: Rules in the experimental alerting system
description: Rules in Kibana's experimental alerting system define what to detect using ES|QL. Evaluation runs on a schedule; alerts, action policies, and notifications flow from rule detections.
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6523/explore-analyze/alerting/kibana-alerting-experimental/rules
products:
  - Kibana
applies_to:
  - Elastic Cloud Serverless: Experimental
  - Elastic Stack: Planned
---

# Rules in the experimental alerting system

Rules are part of the experimental alerting system in Kibana. For rules in the existing Kibana alerting system, see [Rules in Kibana alerting](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6523/explore-analyze/alerting/alerts/create-manage-rules).

A rule is where the experimental alerting system starts. It points Kibana at the data you care about, describes what counts as a problem in ES|QL, and says how often to check. Alerts, action policies, and notifications all flow from what a rule detects.

## What rules do

On each run, a rule executes an ES|QL query against your data. If the query finds a match and the rule is in Signal mode, it writes a _signal_, a point-in-time record that the condition was met. In Alert mode, it also maintains an _alert episode_ for each matched series, tracking state from first breach through recovery.

When creating a rule, choose Signal mode to record and query results without alerting anyone, or Alert mode when you want to track issues and route notifications.
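
The following detection query is an added illustration, not taken from the Elastic documentation: it flags repeated authentication failures per user and source address. The index pattern, the ECS field names, the 5-minute window, and the threshold of 10 are constructed values, and it assumes that each result row, keyed by the `BY` fields, is one matched series.

```esql
// Constructed example: repeated failed logins per user and source IP.
// Index pattern, window, and threshold are assumptions to adapt to your data.
FROM logs-system.auth-*
// Look only at recent failed authentication events.
| WHERE @timestamp >= NOW() - 5 minutes
    AND event.outcome == "failure"
// One row per (user, source IP) pair: each pair is a candidate series.
| STATS failures = COUNT(*) BY user.name, source.ip
// The rule condition: only rows at or above the threshold count as a match.
| WHERE failures >= 10
| SORT failures DESC
```

Running a query like this in Signal mode first lets you check how many rows it returns on real data before switching to Alert mode.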

## What rules don't do

Rules only define *what* to detect. They don't control notifications, who gets notified, or when. That's the job of action policies: global objects, scoped to your space, that match alert episodes from any rule. A rule has no say in which policies pick it up.

This separation means you can build and test a rule without anyone getting paged, update notification routing without touching the rule, and have multiple action policies respond to the same rule independently.

## Create a rule

Rules in the experimental alerting system are created through a flyout that opens from the **Create rule** button in the rules list. Three options are available:
- **Create ES|QL rule**: Write the detection query as ES|QL directly, with a live preview of results and a YAML editor also available. Use this when you want full control over the query. See [Create rules](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6523/explore-analyze/alerting/kibana-alerting-experimental/rules/create-rule-from-rule-builder).
- **Create with AI Agent**: Describe what you want to detect in plain language. The AI agent generates a rule definition and walks you through reviewing and saving it. Use this when you know the problem but aren't sure how to write the ES|QL.
- **Start from a rule builder**: Choose a structured rule type and fill in a guided form. The builder generates the ES|QL query automatically. The [Threshold Alert](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6523/explore-analyze/alerting/kibana-alerting-experimental/rules/create-rule-from-rule-builder#threshold-alert) type is available. Use this when you want to create a standard metric-threshold rule without writing ES|QL by hand.

If you already have an ES|QL query working in Discover, you can also [create a rule directly from there](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6523/explore-analyze/alerting/kibana-alerting-experimental/rules/create-rule-from-discover) to skip re-entering the query.

## Next steps

- **[Author rules](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6523/explore-analyze/alerting/kibana-alerting-experimental/rules/author-rules):** Write the ES|QL query, choose Signal or Alert mode, and structure your data sources and conditions.
- **[Configure a rule](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6523/explore-analyze/alerting/kibana-alerting-experimental/rules/configure-a-rule):** Set the schedule, grouping, activation thresholds, recovery conditions, and no-data behavior.
- **[View and manage rules](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6523/explore-analyze/alerting/kibana-alerting-experimental/rules/view-manage-rules):** Enable, disable, clone, delete, and bulk-manage rules from the rules list.
- **Rule Doctor:** Analyze your rules for duplicates, stale conditions, threshold tuning opportunities, and coverage gaps. Rule Doctor surfaces findings with impact and confidence ratings and tracks each insight through an open → applied or dismissed lifecycle. Access it from the experimental alerting system navigation.