Create rules in the experimental alerting system
The rule builder is part of the experimental alerting system in Kibana. For a full description of what each setting does, refer to Configure a rule.
All rules are created through a flyout that opens from the Create rule button in the rules list. Three options are available:
- Create ES|QL rule: Write the detection query as ES|QL directly, with a live preview of results. A YAML editor is also available within this path. Use this when you want full control over the query. If you already have a query working in Discover, you can start from there instead to skip re-entering it.
- Create with AI Agent: Describe what you want to detect in plain language. The AI agent generates a rule definition and walks you through reviewing and saving it. Use this when you know the problem but aren't sure how to write the ES|QL.
- Start from a rule builder: Choose a structured rule type and fill in a guided form. The builder generates the ES|QL query automatically. Use this when you want to create a standard rule type without writing ES|QL by hand. Threshold Alert is the type available here; refer to Threshold Alert below.
Threshold Alert is the rule type available under Start from a rule builder. Use it to monitor one or more metrics and alert when they cross a threshold, with multi-condition support and custom aggregations.
You define the rule by filling in structured fields for the data source, aggregation, filters, and alert conditions. The builder generates the ES|QL query automatically from those inputs. Rules created through the builder can be reopened and edited in builder mode as long as the underlying ES|QL hasn't been edited directly.
Use the Create ES|QL rule path when the detection logic requires more than a single metric threshold, such as multi-window burn rates or cross-series correlation.
When you define alert conditions in the Threshold Alert builder, the builder automatically derives corresponding recovery conditions by flipping the comparators. For example, a greater than alert condition produces a less than or equal to recovery condition. You can customize the derived conditions or leave the defaults as generated. Recovery conditions are preserved correctly when you reopen an existing rule in builder mode for editing.
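The comparator flip described above, carried through to all four comparators and checked for consistency, as an added example that is not Kibana's own code. The metric names, thresholds and the rule that every alert condition must hold for the rule to fire are constructed assumptions for this illustration, not something the page specifies.

```typescript
// Added example (not Kibana code): derive recovery conditions from
// Threshold Alert conditions by flipping each comparator, then verify
// that alert and recovery conditions are complementary.

type Comparator = ">" | ">=" | "<" | "<=";

interface Condition {
  metric: string;        // aggregated metric name (constructed for this example)
  comparator: Comparator;
  threshold: number;
}

// Each alert comparator maps to its logical negation; this is the "flip"
// described for the builder (for example ">" becomes "<=").
const FLIPPED: Record<Comparator, Comparator> = {
  ">": "<=",
  ">=": "<",
  "<": ">=",
  "<=": ">",
};

export function flipComparator(c: Comparator): Comparator {
  return FLIPPED[c];
}

// Default recovery conditions the builder would pre-fill; a user may edit
// them afterwards, so this only produces the starting point.
export function deriveRecoveryConditions(alert: Condition[]): Condition[] {
  return alert.map((c) => ({ ...c, comparator: flipComparator(c.comparator) }));
}

function compare(value: number, comparator: Comparator, threshold: number): boolean {
  switch (comparator) {
    case ">": return value > threshold;
    case ">=": return value >= threshold;
    case "<": return value < threshold;
    case "<=": return value <= threshold;
    default: throw new Error("unknown comparator");
  }
}

// Assumption for this example: a multi-condition rule fires only when every
// condition holds, and a metric missing from the input never satisfies one.
export function evaluate(conditions: Condition[], values: Record<string, number>): boolean {
  return conditions.every((c) => {
    const v = values[c.metric];
    return v !== undefined && compare(v, c.comparator, c.threshold);
  });
}

// For a single condition, exactly one of alert / recovery must hold for any
// value. Returns the sample values where that invariant breaks (expected: none).
export function findInconsistent(alert: Condition, samples: number[]): number[] {
  const recoveryComparator = flipComparator(alert.comparator);
  return samples.filter((v) => {
    const alerting = compare(v, alert.comparator, alert.threshold);
    const recovered = compare(v, recoveryComparator, alert.threshold);
    return alerting === recovered;
  });
}

// Constructed sample rule: alert when error rate exceeds 5% and p95 latency
// is at least 500 ms; the derived recovery is "<= 5" and "< 500".
export const sampleAlert: Condition[] = [
  { metric: "error_rate_pct", comparator: ">", threshold: 5 },
  { metric: "p95_latency_ms", comparator: ">=", threshold: 500 },
];
export const sampleRecovery: Condition[] = deriveRecoveryConditions(sampleAlert);
```

The flip table is the whole of the derivation: because each comparator's complement is exact, a value can never satisfy both the alert and its derived recovery condition, nor neither, which `findInconsistent` checks on boundary values such as the threshold itself.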
The Create ES|QL rule path supports both a step-by-step form and a YAML editing mode. You can switch between them at any point. Edits in YAML mode are preserved when you return to the form view. To discard YAML edits and return to the prior form state, use the Cancel YAML option.
Use YAML mode when you want to fine-tune the raw rule definition, copy a configuration from an existing rule, or work faster than filling in individual form fields allows. The YAML editor isn't available within the Threshold Alert builder or other rule builder types.
For a list of supported YAML fields, refer to YAML rule schema reference.