Cross-project search and detection rules

When cross-project search is enabled and you have linked projects, rules query data across linked projects based on the space-level cross-project search scope.

For how cross-project search applies when you create or edit rules (space-level scope, the read-only scope selector, and query-level overrides) refer to Cross-project search availability by app.

For prerequisites such as linking projects and configuring default scope, refer to Cross-project search and Configure cross-project search access and scope.

Note

Machine learning rules don't support cross-project search; they search data in the origin project only. Other features also have limited or no cross-project search support. For details, refer to Cross-project search availability by app.

If your data spans Elastic Stack clusters rather than linked Serverless projects, refer to Cross-cluster search and detection rules instead.

When a detection rule runs with cross-project search enabled, the scope in effect at execution time is recorded on generated alerts and in rule execution events. During investigations, use the scope and linked project fields on the alert or in the event log to confirm which linked projects were in scope when an alert was created.

Scope fields are written at rule execution time, not added to existing documents later. You need linked projects, a configured space-level cross-project search scope, and at least one enabled detection rule that has run successfully with cross-project search enabled.

On alert documents, kibana.cps_scope.expression and kibana.cps_scope.linked_projects are present only when that run generated an alert. Alerts from runs before cross-project search was enabled are not updated retroactively.

On event log entries, kibana.cps_scope_expression and kibana.cps_scope_linked_projects are recorded for every cross-project search-scoped execution, including runs that created no alerts.

When a detection rule runs with cross-project search enabled, each generated alert can include:

kibana.cps_scope.expression
    The cross-project search scope that was in effect when the rule generated the alert.

kibana.cps_scope.linked_projects
    The linked projects that were in scope. Each entry includes id, alias, type, and organization.

For the full list of alert fields, refer to the alert schema.

Rule execution events in the event log index record the same scope and linked project information:

kibana.cps_scope_expression
    The cross-project search scope that was in effect during the rule execution.

kibana.cps_scope_linked_projects
    The linked projects that were in scope. Each entry includes id, alias, type, and organization.

To find rule executions that ran with a particular scope, run a search against the event log in Dev Tools or your own API client. The following example returns recent detection rule execution events that include cross-project search scope fields:

GET .kibana-event-log-*/_search
{
  "size": 5,
  "query": {
    "match": { "kibana.cps_scope_expression": "_alias:*" }
  },
  "_source": [
    "event.action",
    "message",
    "kibana.cps_scope_expression",
    "kibana.cps_scope_linked_projects",
    "kibana.space_ids"
  ]
}

This request searches the event log indices (.kibana-event-log-*) for documents that have a kibana.cps_scope_expression value. It limits the response to five events and returns only the fields listed in _source, including the cross-project search scope, linked projects, and space ID for each execution. The event log is a system index, so by default only users with a superuser role can run this search. For more example queries and details on required privileges, refer to the event log index.

Before you run the example

To run this request in Dev Tools or your own API client, update the example first:

  1. In the match query, replace the value for kibana.cps_scope_expression. The example uses _alias:*; change this to the scope you want to find. To match the scope from a specific alert, copy the value from that alert's kibana.cps_scope.expression field.
  2. Change size to return more or fewer events.
  3. Edit the _source array to include the fields you need in the response.
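The two tasks this page describes, building the event log query for a given scope (steps 1 to 3 above) and then confirming an alert's recorded scope against the execution that produced it, as an added Python example that is not Elastic's own code. It uses only the index pattern and field names shown on this page; the function names, the sample response, the sample alert, and the project ids, aliases and organization values are constructed for illustration. Because the page does not say whether _source stores these fields as nested objects or as dotted keys, the field reader accepts both forms.

```python
import json

# Index pattern and field names as given on the page.
EVENT_LOG_INDEX = ".kibana-event-log-*"
EVENT_SCOPE_FIELD = "kibana.cps_scope_expression"
EVENT_PROJECTS_FIELD = "kibana.cps_scope_linked_projects"
ALERT_SCOPE_FIELD = "kibana.cps_scope.expression"
ALERT_PROJECTS_FIELD = "kibana.cps_scope.linked_projects"

DEFAULT_SOURCE = [
    "event.action",
    "message",
    EVENT_SCOPE_FIELD,
    EVENT_PROJECTS_FIELD,
    "kibana.space_ids",
]


def get_field(doc, dotted_path):
    """Read a field whether _source stores it as a dotted key or as nested objects."""
    if dotted_path in doc:
        return doc[dotted_path]
    node = doc
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def build_scope_query(scope_expression, size=5, source_fields=None):
    """Request body for GET .kibana-event-log-*/_search, parameterised as in steps 1-3."""
    return {
        "size": size,
        "query": {"match": {EVENT_SCOPE_FIELD: scope_expression}},
        "_source": list(source_fields or DEFAULT_SOURCE),
    }


def query_for_alert(alert_doc, size=5):
    """Step 1 variant: reuse the scope recorded on an alert to find the matching executions."""
    expression = get_field(alert_doc, ALERT_SCOPE_FIELD)
    if not expression:
        # Alerts from runs before cross-project search was enabled carry no scope fields.
        raise ValueError("alert has no cross-project search scope recorded")
    return build_scope_query(expression, size=size)


def summarize_executions(response):
    """Flatten search hits into one row per execution: action, scope, project aliases, space ids."""
    rows = []
    for hit in response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        projects = get_field(src, EVENT_PROJECTS_FIELD) or []
        rows.append({
            "action": get_field(src, "event.action"),
            "scope": get_field(src, EVENT_SCOPE_FIELD),
            "aliases": sorted(p.get("alias", "") for p in projects),
            "space_ids": get_field(src, "kibana.space_ids") or [],
        })
    return rows


def alert_matches_execution(alert_doc, execution_src):
    """Investigation check: same scope expression and same set of linked project ids."""
    same_scope = get_field(alert_doc, ALERT_SCOPE_FIELD) == get_field(execution_src, EVENT_SCOPE_FIELD)
    alert_ids = {p["id"] for p in get_field(alert_doc, ALERT_PROJECTS_FIELD) or []}
    exec_ids = {p["id"] for p in get_field(execution_src, EVENT_PROJECTS_FIELD) or []}
    return same_scope and alert_ids == exec_ids


# Constructed sample data (hypothetical ids, aliases and organization values).
SAMPLE_PROJECTS = [
    {"id": "proj-a1", "alias": "prod-security", "type": "security", "organization": "org-1"},
    {"id": "proj-b2", "alias": "prod-observability", "type": "observability", "organization": "org-1"},
]

SAMPLE_RESPONSE = {"hits": {"hits": [
    {"_source": {  # nested form, both projects in scope
        "event": {"action": "execute"}, "message": "constructed execution 1",
        "kibana": {"cps_scope_expression": "_alias:*",
                   "cps_scope_linked_projects": SAMPLE_PROJECTS, "space_ids": ["default"]}}},
    {"_source": {  # dotted-key form, only one project in scope
        "event.action": "execute", "message": "constructed execution 2",
        "kibana.cps_scope_expression": "_alias:*",
        "kibana.cps_scope_linked_projects": SAMPLE_PROJECTS[:1], "kibana.space_ids": ["default"]}},
]}}

SAMPLE_ALERT = {"kibana": {"cps_scope": {"expression": "_alias:*", "linked_projects": SAMPLE_PROJECTS}}}

if __name__ == "__main__":
    print(json.dumps(query_for_alert(SAMPLE_ALERT), indent=2))
    for row in summarize_executions(SAMPLE_RESPONSE):
        print(row)
```

Send the body returned by build_scope_query or query_for_alert as the JSON payload of GET .kibana-event-log-*/_search; as noted above, the event log is a system index, so the calling user needs superuser privileges by default. The match check in alert_matches_execution compares project ids rather than aliases because the page lists id as the stable entry key.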