Add OOB alerts and alert rule template as asset type #3537
+51
−12
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
karenzone
changed the title
🔍 Preview links for changed docs |
|
cc:/ @nimarezainia @MichelLosier @nchaulet @kpollich Here's a draft. Please let me know what you think, and we can iterate. |
|
Thank you @karenzone I think we need to document the alert name, condition it is looking for and a blurb description for it (which could just be copy+past from the issue). Regarding the alerts as integration assets: if we have an example to show that would be great. I know that this content is very much dependent on what the package owner adds to their package. |
reference/fleet/alert-templates.md
Outdated
|
|
||
| ## {{agent}} out-of-the-box alert rules [ea-alert-rules] | ||
|
|
||
| When you install or upgrade {{agent}}, a new alert rule is created automatically. You can configure and customize out-of-the-box alerts to get them up and running quickly. |
There was a problem hiding this comment.
a new alert rule is created automatically
We'll be installing several alerting rules
nimarezainia
approved these changes
Oct 21, 2025
vishaangelova
approved these changes
Oct 22, 2025
There was a problem hiding this comment.
Thank you @karenzone! LGMT 🚀 Just left some small suggestions for your consideration.
| :::{tip} | ||
| Once you've started using integrations to ingest data, you can customize how that data is managed over time. Refer to [Index lifecycle management](/reference/fleet/data-streams.md#data-streams-ilm) to learn more. | ||
| ::: | ||
| After you've started using integrations to ingest data, you can customize how the data is managed over time. Refer to [Index lifecycle management](/reference/fleet/data-streams.md#data-streams-ilm) to learn more. |
There was a problem hiding this comment.
Suggested change
| After you've started using integrations to ingest data, you can customize how the data is managed over time. Refer to [Index lifecycle management](/reference/fleet/data-streams.md#data-streams-ilm) to learn more. | |
| After you've started using integrations to ingest data, you can customize how the data is managed over time. Refer to [{{ilm-cap}}](/reference/fleet/data-streams.md#data-streams-ilm) to learn more. |
Comment on lines
+2
to
+3
| mapped_pages: | ||
| - https://www.elastic.co/guide/en/fleet/current/data-streams.html |
There was a problem hiding this comment.
Suggested change
| mapped_pages: | |
| - https://www.elastic.co/guide/en/fleet/current/data-streams.html |
| ::::{note} | ||
| The built-in alerts feature for {{agent}} is available only for some subscription levels. The license (or a trial license) must be in place before you install or upgrade {{agent}} before this feature is available. | ||
|
|
||
| Refer [Elastic subscriptions](https://www.elastic.co/subscriptions) for more information. |
There was a problem hiding this comment.
Suggested change
| Refer [Elastic subscriptions](https://www.elastic.co/subscriptions) for more information. | |
| Refer to [Elastic subscriptions](https://www.elastic.co/subscriptions) for more information. |
| :::: | ||
|
|
||
| In {{kib}}, you can enable out-of-the-box rules pre-configured with reasonable defaults to provide immediate value for managing agents. | ||
| You can use [ES|QL](/explore-analyze/discover/try-esql.md) to author conditions for each rule. |
There was a problem hiding this comment.
Suggested change
| You can use [ES|QL](/explore-analyze/discover/try-esql.md) to author conditions for each rule. | |
| You can use [{{esql}}](/explore-analyze/discover/try-esql.md) to author conditions for each rule. |
| When you install or upgrade {{agent}}, new alert rules are created automatically. You can configure and customize out-of-the-box alerts to get them up and running quickly. | ||
|
|
||
| ::::{note} | ||
| The built-in alerts feature for {{agent}} is available only for some subscription levels. The license (or a trial license) must be in place before you install or upgrade {{agent}} before this feature is available. |
There was a problem hiding this comment.
To remove one of the “before”-s, maybe:
Suggested change
| The built-in alerts feature for {{agent}} is available only for some subscription levels. The license (or a trial license) must be in place before you install or upgrade {{agent}} before this feature is available. | |
| The built-in alerts feature for {{agent}} is available only for some subscription levels. To use this feature, the license (or a trial license) must be in place before you install or upgrade {{agent}}. |
| You can use [ES|QL](/explore-analyze/discover/try-esql.md) to author conditions for each rule. | ||
|
|
||
| Connectors are not added to rules automatically, but you can attach a connector to route alerts to your platform of choice -- Slack or email, for example. | ||
| In addition, you can add filters for policies, tags, or hostnames to scope alerts to specific sets of agents |
There was a problem hiding this comment.
Suggested change
| In addition, you can add filters for policies, tags, or hostnames to scope alerts to specific sets of agents | |
| In addition, you can add filters for policies, tags, or hostnames to scope alerts to specific sets of agents. |
| Connectors are not added to rules automatically, but you can attach a connector to route alerts to your platform of choice -- Slack or email, for example. | ||
| In addition, you can add filters for policies, tags, or hostnames to scope alerts to specific sets of agents | ||
|
|
||
| You can find these rules in **Stack Management** > **Alerts and Insights** > **Rules**. |
There was a problem hiding this comment.
According to the style guide, we need to use → here, but I’ve seen others use >, and I’d be happy with >, too. Maybe we should discuss this with the team, and if we can agree > is also a valid option (or is the preferred option), we could update the style guide.
| You can find these rules in **Stack Management** > **Alerts and Insights** > **Rules**. | ||
|
|
||
|
|
||
| ## Alert templates assets for integrations [alert-templates] |
There was a problem hiding this comment.
Maybe?
Suggested change
| ## Alert templates assets for integrations [alert-templates] | |
| ## Alert template assets for integrations [alert-templates] |
|
|
||
| ## Alert templates assets for integrations [alert-templates] | ||
|
|
||
| Some integration packages include alerting rule template assets that provide pre-made definitions of alerting rules. You can use the templates to create your own custom alerting rules that you can enable and fine tune. |
There was a problem hiding this comment.
Suggested change
| Some integration packages include alerting rule template assets that provide pre-made definitions of alerting rules. You can use the templates to create your own custom alerting rules that you can enable and fine tune. | |
| Some integration packages include alerting rule template assets that provide pre-made definitions of alerting rules. You can use the templates to create your own custom alerting rules that you can enable and fine-tune. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related:
#2760
This PR:
To Do: