Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,10 @@ products:

{{elastic-sec}} stores alerts that have been generated by detection rules in hidden {{es}} indices. The index pattern is `.alerts-security.alerts-<space-id->`.

::::{note}
Users are advised NOT to use the `_source` field in alert documents, but rather to use the `fields` option in the search API to programmatically obtain the list of fields used in these documents. Learn more about [retrieving selected fields from a search](elasticsearch://reference/elasticsearch/rest-apis/retrieve-selected-fields.md).
::::{important}

* System indices, such as the alerts indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures.
* Users are advised NOT to use the `_source` field in alert documents, but rather to use the `fields` option in the search API to programmatically obtain the list of fields used in these documents. Learn more about [retrieving selected fields from a search](elasticsearch://reference/elasticsearch/rest-apis/retrieve-selected-fields.md).
::::


Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,11 @@ When you create a rule, you must either specify the {{es}} index pattens for whi
To access data views in {{stack}}, you must have the [required permissions](/explore-analyze/find-and-organize/data-views.md#data-views-read-only-access). To access them in {{serverless-short}}, you must have the appropriate [predefined Security user role](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md) with the right privileges.
::::

::::{important}

System indices, such as the alerts indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures.

::::


## Notifications [about-notifications]
Expand Down
6 changes: 6 additions & 0 deletions solutions/security/detect-and-alert/query-alert-indices.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,12 @@ products:

This page explains how you should query alert indices, for example, when building rule queries, custom dashboards, or visualizations. For more information about alert event field definitions, review the [Alert schema](/reference/security/fields-and-object-schemas/alert-schema.md).

::::{important}

System indices, such as the alerts indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures.

::::


## Alert index aliases [_alert_index_aliases]

Expand Down
Loading