From 4b0825689d10cd2939f553b4559bba582068b4ef Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 13 Jun 2025 17:11:37 -0400 Subject: [PATCH] First draft --- .../security/fields-and-object-schemas/alert-schema.md | 6 ++++-- .../security/detect-and-alert/about-detection-rules.md | 5 +++++ solutions/security/detect-and-alert/query-alert-indices.md | 6 ++++++ 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/reference/security/fields-and-object-schemas/alert-schema.md b/reference/security/fields-and-object-schemas/alert-schema.md index d6af1ecad8..aaa752fa0b 100644 --- a/reference/security/fields-and-object-schemas/alert-schema.md +++ b/reference/security/fields-and-object-schemas/alert-schema.md @@ -15,8 +15,10 @@ products: {{elastic-sec}} stores alerts that have been generated by detection rules in hidden {{es}} indices. The index pattern is `.alerts-security.alerts-`. -::::{note} -Users are advised NOT to use the `_source` field in alert documents, but rather to use the `fields` option in the search API to programmatically obtain the list of fields used in these documents. Learn more about [retrieving selected fields from a search](elasticsearch://reference/elasticsearch/rest-apis/retrieve-selected-fields.md). +::::{important} + +* System indices, such as the alerts indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. +* Users are advised NOT to use the `_source` field in alert documents, but rather to use the `fields` option in the search API to programmatically obtain the list of fields used in these documents. Learn more about [retrieving selected fields from a search](elasticsearch://reference/elasticsearch/rest-apis/retrieve-selected-fields.md). :::: diff --git a/solutions/security/detect-and-alert/about-detection-rules.md b/solutions/security/detect-and-alert/about-detection-rules.md index 9191736d14..9ab7079b28 100644 
--- a/solutions/security/detect-and-alert/about-detection-rules.md +++ b/solutions/security/detect-and-alert/about-detection-rules.md @@ -61,6 +61,11 @@ When you create a rule, you must either specify the {{es}} index pattens for whi To access data views in {{stack}}, you must have the [required permissions](/explore-analyze/find-and-organize/data-views.md#data-views-read-only-access). To access them in {{serverless-short}}, you must have the appropriate [predefined Security user role](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md) with the right privileges. :::: +::::{important} + +System indices, such as the alerts indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. + +:::: ## Notifications [about-notifications] diff --git a/solutions/security/detect-and-alert/query-alert-indices.md b/solutions/security/detect-and-alert/query-alert-indices.md index a55db17236..6efd0ea1bf 100644 --- a/solutions/security/detect-and-alert/query-alert-indices.md +++ b/solutions/security/detect-and-alert/query-alert-indices.md @@ -15,6 +15,12 @@ products: This page explains how you should query alert indices, for example, when building rule queries, custom dashboards, or visualizations. For more information about alert event field definitions, review the [Alert schema](/reference/security/fields-and-object-schemas/alert-schema.md). +::::{important} + +System indices, such as the alerts indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. + +:::: + ## Alert index aliases [_alert_index_aliases]
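Review bot: In the alert-schema.md hunk, the new first bullet calls the alert indices "system indices" while the unchanged sentence directly above it calls them "hidden {{es}} indices"; in Elasticsearch those are distinct categories (system indices are a specific, access-restricted set managed by the cluster, whereas the `.alerts-security.alerts-` indices are hidden indices managed by the alerting framework), so the bullet should use the same term as the intro, for example "These alert indices contain internal data; do not change their mappings." The upgrade from `{note}` to `{important}` is appropriate given that the bullet now describes a failure mode, but the two bullets cover unrelated advice (mapping changes versus `_source` retrieval), so a one-line lead-in or separate callouts would read more clearly.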
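Review bot: In the about-detection-rules.md hunk, the inserted sentence is the same text added verbatim to alert-schema.md and query-alert-indices.md in this patch; three copies will drift, so consider keeping the wording in one place (a shared snippet the three pages include, or a single callout on the Alert schema page that the others link to). Also, the unchanged context line at the top of this hunk reads "index pattens for whi", which is a pre-existing typo ("patterns") worth fixing while the file is being edited.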
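Review bot: In the query-alert-indices.md hunk, the callout warns against changing mappings on a page whose stated purpose is querying the indices, so it is not tied to anything the reader is about to do here; a sentence connecting it to the page's task would make it actionable, for example "Query these indices through the aliases described below; do not change the mappings of the underlying indices, as that can cause rule execution and alert indexing failures." This page already links to the Alert schema, which receives the same warning in this patch, so a pointer there would also avoid the duplicated text.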