Skip to content

Commit 51eda0d

Browse files
nastasha-solomonclaudevishaangelovacursoragent
authored
[Alerting V2][Serverless & 9.5][M2] Add get started pages for the experimental alerting system (#6522)
## Summary Adds the "Get started" section for the experimental alerting system, contributing to [docs-content-internal#919](elastic/docs-content-internal#919). Following the tech preview principle of accuracy over comprehensiveness, pages focus on stable behavior (e.g., how to enable the system, what privileges are needed, and how to create a first rule) rather than comprehensive feature documentation that is subject to change before GA. Some UI is doc'd in the tutorial, but that's needed for users to follow along. ## Navigation structure ``` Get started ← landing page to be added under top level page for Alerting v2 (#6521) ├── Set up └── Configure access └── Create your first rule ``` ## Review requests This PR needs a **technical** and **editorial** review. Instructions for each are below. ### 🔧 Technical reviewer Please focus your review on accuracy of facts, names, and structure. ### ✏️ Editorial reviewer Focus on writing quality, clarity, and how the content serves a reader enabling and using this feature for the first time. ## Previews — 📁 New v2 content ### Get started | Page name | Description | File | Ready for editorial review ✏️ | Ready for technical review 🔧 | | --------- | ----------- | ---- | ----------------------------- | ----------------------------- | | [Get started](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6522/explore-analyze/alerting/experimental-alerting-system/get-started) | Landing page with per-page summaries linking to setup, access, and the tutorial | explore-analyze/alerting/experimental-alerting-system/get-started.md | ✅ | ✅ | | [Set up the experimental alerting system](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6522/explore-analyze/alerting/experimental-alerting-system/get-started/setup) | Requirements (data, space, connectors, license); `applies-switch` for turning the system on (Serverless only for now) and off; confirmation steps; next steps | explore-analyze/alerting/experimental-alerting-system/get-started/setup.md | ✅ | ✅ | | [Configure access](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6522/explore-analyze/alerting/experimental-alerting-system/get-started/configure-access) | Kibana feature privileges organized by activity; Quick Reference table; bundled ES `read` access via Alerts privilege for `.rule-events`/`.alert-actions`; custom role still required for `.kibana-event-log-*`; Next steps | explore-analyze/alerting/experimental-alerting-system/get-started/configure-access.md | ✅ | ✅ | | [Create your first rule](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6522/explore-analyze/alerting/experimental-alerting-system/get-started/create-your-first-rule) | Tutorial: Prepare your environment (index + sample data) → Create the rule (5-step stepper) → Confirm the rule is evaluating → Observe the episode lifecycle; requirements table; ES\|QL query explanations for new users | explore-analyze/alerting/experimental-alerting-system/get-started/create-your-first-rule.md | ✅ | ✅ | ## Out of scope for this PR - Rules reference documentation (PR #6523) - Action policies and notifications documentation (PR #6525) - Alerts and Discover query documentation (PR #6527) - Stack/ECH-specific setup behavior (commented out with TODO notes pending 9.5 GA and engineering confirmation for ECH) Cross-references to content in those PRs are present throughout these pages but commented out with TODO notes. > **Note on toc.yml conflicts**: Merge PRs in order and resolve toc.yml conflicts at each step. ## Generative AI disclosure 1. Did you use a generative AI (GenAI) tool to assist in creating this contribution? - [x] Yes — Cursor + Claude - [ ] No --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent f66b534 commit 51eda0d

6 files changed

Lines changed: 651 additions & 1 deletion

File tree

explore-analyze/alerting/alerts.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ description: "Overview of Kibana alerting: rules, alerts, actions, connectors, a
1717

1818
{{kib}} alerting is the built-in alerting system in {{kib}}. It lets you define rules that check your data on a schedule, create alerts when conditions are met, and trigger actions through connectors (email, Slack, webhooks, and more). It is available on all deployments.
1919

20-
<!-- TODO: Uncomment when system-overview.md and compare-alerting-systems.md are published:
20+
<!-- TODO: Uncomment when the experimental alerting system docs are ready to go live on the docsite:
2121
:::{note}
2222
:applies_to: {"stack": "experimental 9.5+", "serverless": "experimental"}
2323
For the {{alerting-v2-system}} built on {{esql}}, refer to [{{alerting-v2-system-cap}}](system-overview.md).
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
---
2+
navigation_title: Get started
3+
applies_to:
4+
stack: experimental 9.5+
5+
serverless: experimental
6+
products:
7+
- id: kibana
8+
- id: cloud-serverless
9+
description: "Get started with the experimental alerting system in Kibana: review requirements, enable the system, configure role access, and follow a tutorial to create a rule and observe the alert lifecycle."
10+
---
11+
12+
# Get started with the {{alerting-v2-system}} [get-started]
13+
14+
Use these guides to get the {{alerting-v2-system}} running in your space, set up role access for your team, and create your first rule.
15+
16+
- [Set up the {{alerting-v2-system}}](get-started/setup.md): Review requirements, enable the `alerting:v2:enabled` advanced setting, and confirm the system is accessible in your space.
17+
- [Configure access](get-started/configure-access.md): Set up a role with the {{kib}} feature privileges needed to create rules, triage alerts, and query alert data.
18+
- [Create your first rule](get-started/create-your-first-rule.md): A hands-on tutorial that walks you through loading sample data, creating a rule, and observing the alert lifecycle from breach through automatic recovery.
Lines changed: 138 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,138 @@
1+
---
2+
navigation_title: Configure access
3+
applies_to:
4+
stack: experimental 9.5+
5+
serverless: experimental
6+
products:
7+
- id: kibana
8+
- id: cloud-serverless
9+
description: "Privilege requirements for Kibana experimental alerting features: which Kibana feature privileges and Elasticsearch index privileges each role needs to manage rules, action policies, alerts, and query rule events and alert actions."
10+
---
11+
12+
# Configure access to the {{alerting-v2-system}} [access]
13+
14+
To use the {{alerting-v2-system}}, your role needs specific {{kib}} feature privileges and, if you're querying alerting data in Discover, {{es}} index privileges. [Create or update a role](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) and add the privileges that match the tasks your team performs.
15+
16+
This page is organized by user activity. Most privileges are set under the **Alerting** category in {{kib}} role management. Exceptions are noted in each section.
17+
18+
:::{note}
19+
This page covers access to the {{alerting-v2-system}} features and data. Depending on how your rules and notifications are configured, your role might also need `read` index privileges on the indices their rules query and **Actions and Connectors: All** (under **Management**) to create or edit workflow connectors. Refer to [{{kib}} role management](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for guidance on building roles that combine privileges across features.
20+
:::
21+
22+
## Quick reference [alerting-quick-reference]
23+
24+
The following table shows the minimum privileges required for each activity. Higher privilege levels include the access shown here. Refer to the following sections for the full breakdown.
25+
26+
| To... | Minimum required |
27+
|---|---|
28+
| Author and manage rules | **Rules: All** (under **Alerting**) |
29+
| Monitor rule execution | **Execution history: Read** (under **Alerting**) |
30+
| Triage alert episodes | **Alerts: All** (under **Alerting**) |
31+
| Configure notifications | **Action Policies: All** (under **Alerting**) + **Workflows: Read** (under **Analytics > Workflows**) |
32+
| Query `.rule-events` and `.alert-actions` in Discover | **Discover: Read** (under **Analytics > Discover**) + **Alerts: Read** (Elasticsearch `read` access is bundled automatically) |
33+
| Query `.kibana-event-log-*` in Discover | **Discover: Read** (under **Analytics > Discover**) + custom role with `read` index privilege on `.kibana-event-log-*` |
34+
35+
## Author and monitor rules [alerting-authoring-monitoring-privileges]
36+
37+
These privileges control who can create rules and review their execution history.
38+
39+
### Rules [alerting-manage-rules-privileges]
40+
41+
The **Rules** privilege controls who can create and manage rules.
42+
43+
| Level | What you can do |
44+
|---|---|
45+
| **All** | Create, edit, delete, enable, and turn off rules |
46+
| **Read** | View rules and their configuration |
47+
48+
:::{note}
49+
**Rules: All** also grants access to the **Alerts** menu in Discover, which routes rule creation to the {{alerting-v2-system}} rule form when the system is enabled in your space.
50+
:::
51+
52+
### View rule execution history [alerting-execution-history-privileges]
53+
54+
The **Execution history** privilege controls who can view rule execution history. Execution history is read-only; both **All** and **Read** grant the same access. There is no write surface for execution history.
55+
56+
| Level | What you can do |
57+
|---|---|
58+
| **All** | View rule execution history |
59+
| **Read** | View rule execution history |
60+
61+
## Triage alerts [alerting-triage-privileges]
62+
63+
The **Alerts** privilege controls who can take triage actions on alert episodes.
64+
65+
| Level | What you can do |
66+
|---|---|
67+
| **All** | Acknowledge, snooze, assign, tag, activate, and deactivate alert episodes |
68+
| **Read** | View alert episodes |
69+
70+
:::{note}
71+
Granting **Alerts: All** or **Alerts: Read** also gives the role direct Elasticsearch `read` access to `.rule-events` and `.alert-actions`, scoped to that role's spaces. This is bundled into the privilege — no separate custom role or index privilege is needed to query these data streams in Discover.
72+
:::
73+
74+
## Configure notifications [alerting-notifications-privileges]
75+
76+
These privileges control who can set up the action policies and workflows that route alert episode notifications.
77+
78+
### Action policies [action-policy-management]
79+
80+
The **Action Policies** privilege controls who can manage the action policies that route alert episode notifications.
81+
82+
| Level | What you can do |
83+
|---|---|
84+
| **All** | Create, update, delete, snooze, and unsnooze action policies |
85+
| **Read** | View action policies |
86+
87+
:::{note}
88+
Having **Action Policies: All** does not include the ability to create or edit rules. Add **Rules: All** if rule management is also required.
89+
:::
90+
91+
### Workflows [alerting-workflows-access]
92+
93+
Action policies route notifications through workflows. The **Workflows** privilege is set under **Analytics > Workflows** in {{kib}} role management. To create or manage action policies, your role also needs access to the workflows they reference.
94+
95+
| Level | What you can do |
96+
|---|---|
97+
| **All** | Create and edit workflows; view and select existing workflows in action policies |
98+
| **Read** | View and select existing workflows in action policies |
99+
100+
## Query rule output and episode data [alerting-data-investigation-privileges]
101+
102+
The {{alerting-v2-system}} writes rule output and episode data to three queryable data sources. To query them in Discover using {{esql}}, your role needs {{kib}} feature access and {{es}} index access.
103+
104+
### {{kib}} feature access
105+
106+
Set Discover privileges under **Analytics > Discover** in {{kib}} role management.
107+
108+
| Level | What you can do |
109+
|---|---|
110+
| **All** | Run {{esql}} queries against rule events, alert actions, and execution history in Discover |
111+
| **Read** | Run {{esql}} queries against rule events, alert actions, and execution history in Discover |
112+
113+
Both levels grant the same query access. There is no write surface for any of these data sources in Discover.
114+
115+
### {{es}} index access
116+
117+
For `.rule-events` and `.alert-actions`, {{es}} `read` access is bundled into the **Alerts** {{kib}} privilege. For `.kibana-event-log-*`, a custom role is still required.
118+
119+
| Data source | What it stores | How to grant access |
120+
|---|---|---|
121+
| `.rule-events` | A record for every rule evaluation; one document per result row per run | Automatic with **Alerts: All** or **Alerts: Read**. If access is missing, grant `read` using a custom role as a fallback. |
122+
| `.alert-actions` | User-triggered triage records (acknowledge, snooze, resolve, assign) and system-written dispatcher records. | Automatic with **Alerts: All** or **Alerts: Read**. If access is missing, grant `read` using a custom role as a fallback. |
123+
| `.kibana-event-log-*` | Action policy dispatch outcomes written by the dispatcher: `dispatched`, `throttled`, and `unmatched` | Custom role with `read` index privilege. Not covered by the automatic grant. |
124+
125+
<!-- TODO: When PR #6527 merges, update the `.alert-actions` row above ("What it stores" column) to add a link to the field reference. Full updated cell:
126+
"User-triggered triage records (acknowledge, snooze, resolve, assign) and system-written dispatcher records. For all `action_type` values, refer to the [alert data stream field reference](../alerts/field-reference.md)." -->
127+
128+
## Next steps [alerting-access-next-steps]
129+
130+
With access configured, you're ready to [create your first rule](create-your-first-rule.md).
131+
132+
<!-- TODO: When PRs #6523 (rules) and #6525 (workflows/notifications) are merged, replace the sentence
133+
above with the bulleted list below (delete the prose line, uncomment the list).
134+
135+
- **[Create a rule](../rules/create-a-rule.md):** Write the {{esql}} query that defines what to detect, choose Signal or Alert mode, and configure grouping and thresholds. ← PR #6523
136+
- **[Set up workflows](../notifications-actions.md):** Configure the automation objects that deliver notifications — email, Slack, webhook, and so on. ← PR #6525
137+
- **[Create action policies](../action-policies/create-configure-action-policy.md):** Define who gets notified, how often, and under what conditions. ← PR #6525
138+
-->

0 commit comments

Comments
 (0)