From ede1a45c9c78108a9441320c90b77efa70701b05 Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi Date: Tue, 25 Nov 2025 11:08:03 +0100 Subject: [PATCH 01/15] Draft alerting rule template common page --- reference/fleet/alerting-rule-templates.md | 50 ++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 reference/fleet/alerting-rule-templates.md diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md new file mode 100644 index 0000000000..2354419500 --- /dev/null +++ b/reference/fleet/alerting-rule-templates.md 
@@ -0,0 +1,50 @@ +--- +applies_to: + stack: ga 9.3 + serverless: ga +products: + - id: fleet + - id: elastic-agent +navigation_title: Alerting rule templates +--- + +# Alerting Rule Templates [alerting-rule-templates] + +Alerting rule templates are out-of-the-box, preconfigured rule definitions maintained by Elastic integration authors. They help you start monitoring in minutes—no queries to write, no thresholds to figure out—by providing curated {{esql}} queries, sensible defaults, and recommended thresholds tailored to each integration. Templates are available from an integration’s Assets and open a prefilled rule creation form you can adjust and enable. + +## Prerequisites + +- Install or upgrade to the latest version of the integration that includes alerting rule templates. +- Ensure the relevant data stream is enabled and ingesting data for the template you plan to use. +- {{stack}} 9.3 or later. +- Appropriate {{kib}} role privileges to create and manage rules in the current space. +- Optional: One or more connectors (for example, email, Slack, webhook) to route alert notifications. + +## How to use the Alerting Rule Templates + +Alerting rule templates come with recommended, pre-populated values. To use them: + +1. In {{kib}}, go to **{{manage-app}}** > **{{integrations}}**. +1. Find and open the integration. +1. On the integration page, open the **Assets** tab and expand **Alerting rule templates** to view all available templates for that integration. +1. Select a template to open a prefilled Create rule form. +1. Review and (optionally) customize the prefilled settings, then save and enable the rule. + +When you click a template, you get a prefilled rule creation form. You can use the template to create your own custom alerting rule by adjusting values, setting up connectors, and defining rule actions. 
+ +The preconfigured defaults typically include: + +- **{{esql}} query** +: A curated, text-based query that evaluates your data and triggers when matches are found during the latest run. +- **Recommended threshold** +: A suggested threshold embedded in the {{esql}} `WHERE` clause. You can tune the threshold to fit your environment. +- **Time window (look-back)** +: The length of time the rule analyzes for data (for example, the last 5 minutes). +- **Rule schedule** +: How frequently the rule checks alert conditions (for example, every minute). +- **Alert delay (alert suppression)** +: The number of consecutive runs for which conditions must be met before an alert is created. + +For details about fields in the Create rule form and how the rule evaluates data, see the {{es}} query rule type (/explore-analyze/alerts-cases/alerts/rule-type-es-query.md). + + From aa3713b4ae89d67652a48fc37d6ef1830ea4eade Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi Date: Tue, 25 Nov 2025 11:27:44 +0100 Subject: [PATCH 02/15] Add alerting-rule-templates to the nav tree --- reference/fleet/toc.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/reference/fleet/toc.yml b/reference/fleet/toc.yml index 1e7cb62606..fe02ce3623 100644 --- a/reference/fleet/toc.yml +++ b/reference/fleet/toc.yml @@ -150,6 +150,7 @@ toc: - file: data-streams-pipeline-tutorial.md - file: data-streams-advanced-features.md - file: alert-templates.md + - file: alerting-rule-templates.md - file: agent-command-reference.md - file: providers.md children: From a3be59b81c330eeeed67564856bb467a6b0d4c22 Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi <46651782+alaudazzi@users.noreply.github.com> Date: Tue, 25 Nov 2025 11:28:11 +0100 Subject: [PATCH 03/15] Update reference/fleet/alerting-rule-templates.md Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com> --- reference/fleet/alerting-rule-templates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md index 2354419500..0f07238d25 100644 --- a/reference/fleet/alerting-rule-templates.md +++ b/reference/fleet/alerting-rule-templates.md @@ -16,7 +16,7 @@ Alerting rule templates are out-of-the-box, preconfigured rule definitions maint - Install or upgrade to the latest version of the integration that includes alerting rule templates. - Ensure the relevant data stream is enabled and ingesting data for the template you plan to use. -- {{stack}} 9.3 or later. +- {{stack}} 9.2.1 or later. - Appropriate {{kib}} role privileges to create and manage rules in the current space. - Optional: One or more connectors (for example, email, Slack, webhook) to route alert notifications. From 7d70156d478247988284dbda446e31b52fa7a1e8 Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi <46651782+alaudazzi@users.noreply.github.com> Date: Tue, 25 Nov 2025 11:28:20 +0100 Subject: [PATCH 04/15] Update reference/fleet/alerting-rule-templates.md Co-authored-by: muthu-mps <101238137+muthu-mps@users.noreply.github.com> --- reference/fleet/alerting-rule-templates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md index 0f07238d25..8567f37143 100644 --- a/reference/fleet/alerting-rule-templates.md +++ b/reference/fleet/alerting-rule-templates.md 
@@ -30,7 +30,7 @@ Alerting rule templates come with recommended, pre-populated values. To use them 1. Select a template to open a prefilled Create rule form. 1. Review and (optionally) customize the prefilled settings, then save and enable the rule. -When you click a template, you get a prefilled rule creation form. You can use the template to create your own custom alerting rule by adjusting values, setting up connectors, and defining rule actions. +When you click a template, you get a prefilled **Create Rules** form. You can use the template to create your own custom alerting rule by adjusting values, setting up connectors, and defining rule actions. The preconfigured defaults typically include: From b9ca1a48b370cd8e0d5d439913521bc64c35cb1a Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi Date: Tue, 25 Nov 2025 11:35:24 +0100 Subject: [PATCH 05/15] Fix broken link --- reference/fleet/alerting-rule-templates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md index 2354419500..01a67aae27 100644 --- a/reference/fleet/alerting-rule-templates.md +++ b/reference/fleet/alerting-rule-templates.md @@ -45,6 +45,6 @@ The preconfigured defaults typically include: - **Alert delay (alert suppression)** : The number of consecutive runs for which conditions must be met before an alert is created. -For details about fields in the Create rule form and how the rule evaluates data, see the {{es}} query rule type (/explore-analyze/alerts-cases/alerts/rule-type-es-query.md). +For details about fields in the Create rule form and how the rule evaluates data, refer to the [{{es}} query rule type](/explore-analyze/alerts-cases/alerts/rule-type-es-query.md). From d36a84c84ed05bb4affad56de544df6a6630a379 Mon Sep 17 00:00:00 2001 
From: Arianna Laudazzi <46651782+alaudazzi@users.noreply.github.com> Date: Tue, 25 Nov 2025 12:03:06 +0100 Subject: [PATCH 06/15] Update alerting-rule-templates.md Remove optional step about connectors, --- reference/fleet/alerting-rule-templates.md | 1 - 1 file changed, 1 deletion(-) diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md index 636b16d6ef..864085d50b 100644 --- a/reference/fleet/alerting-rule-templates.md +++ b/reference/fleet/alerting-rule-templates.md @@ -28,7 +28,6 @@ Alerting rule templates come with recommended, pre-populated values. To use them 1. Find and open the integration. 1. On the integration page, open the **Assets** tab and expand **Alerting rule templates** to view all available templates for that integration. 1. Select a template to open a prefilled Create rule form. -1. Review and (optionally) customize the prefilled settings, then save and enable the rule. When you click a template, you get a prefilled **Create Rules** form. You can use the template to create your own custom alerting rule by adjusting values, setting up connectors, and defining rule actions. From a31c4f790e4cf884e20f1a59162b0cc09038641b Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi Date: Tue, 25 Nov 2025 12:14:48 +0100 Subject: [PATCH 07/15] Remove optional step --- reference/fleet/alerting-rule-templates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md index 864085d50b..f2312a5bf2 100644 --- a/reference/fleet/alerting-rule-templates.md +++ b/reference/fleet/alerting-rule-templates.md 
@@ -18,7 +18,6 @@ Alerting rule templates are out-of-the-box, preconfigured rule definitions maint - Ensure the relevant data stream is enabled and ingesting data for the template you plan to use. - {{stack}} 9.2.1 or later. - Appropriate {{kib}} role privileges to create and manage rules in the current space. -- Optional: One or more connectors (for example, email, Slack, webhook) to route alert notifications. ## How to use the Alerting Rule Templates @@ -28,6 +27,7 @@ Alerting rule templates come with recommended, pre-populated values. To use them 1. Find and open the integration. 1. On the integration page, open the **Assets** tab and expand **Alerting rule templates** to view all available templates for that integration. 1. Select a template to open a prefilled Create rule form. +1. Review and (optionally) customize the prefilled settings, then save and enable the rule. When you click a template, you get a prefilled **Create Rules** form. You can use the template to create your own custom alerting rule by adjusting values, setting up connectors, and defining rule actions. From 39cafa387f1318062676e0c6ebe3e618eceb32f8 Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi Date: Wed, 26 Nov 2025 09:57:54 +0100 Subject: [PATCH 08/15] Address reviewer's feedback --- reference/fleet/alerting-rule-templates.md | 28 ++++++++++++++++------ 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md index f2312a5bf2..cc1a2a6dc3 100644 --- a/reference/fleet/alerting-rule-templates.md +++ b/reference/fleet/alerting-rule-templates.md @@ -1,6 +1,6 @@ --- applies_to: - stack: ga 9.3 + stack: ga 9.2.1 serverless: ga products: - id: fleet 
@@ -10,28 +10,42 @@ navigation_title: Alerting rule templates # Alerting Rule Templates [alerting-rule-templates] -Alerting rule templates are out-of-the-box, preconfigured rule definitions maintained by Elastic integration authors. They help you start monitoring in minutes—no queries to write, no thresholds to figure out—by providing curated {{esql}} queries, sensible defaults, and recommended thresholds tailored to each integration. Templates are available from an integration’s Assets and open a prefilled rule creation form you can adjust and enable. +Alerting rule templates are out-of-the-box alert definitions that come bundled with Elastic integrations, enabling users to quickly set up monitoring without writing queries from scratch. + +Templates help you start monitoring in minutes by providing curated {{esql}} queries and recommended thresholds tailored to each integration. + +Once the integration is installed, these templates are automatically available in Kibana's alerting interface with a prefilled rule creation form that you can tailor to your needs. ## Prerequisites - Install or upgrade to the latest version of the integration that includes alerting rule templates. - Ensure the relevant data stream is enabled and ingesting data for the template you plan to use. - {{stack}} 9.2.1 or later. -- Appropriate {{kib}} role privileges to create and manage rules in the current space. +- Appropriate {{kib}} role privileges to create and manage rules. -## How to use the Alerting Rule Templates +## How to use the Alerting rule templates Alerting rule templates come with recommended, pre-populated values. To use them: 1. In {{kib}}, go to **{{manage-app}}** > **{{integrations}}**. 1. Find and open the integration. 1. On the integration page, open the **Assets** tab and expand **Alerting rule templates** to view all available templates for that integration. -1. Select a template to open a prefilled Create rule form. 
+ + :::{note} + You can find the Alerting rule template option only when the integration adds template support for alerting rules. + ::: + +1. Select a template to open a prefilled **Create rule** form. + + You can use the template to create your own custom alerting rule by adjusting values, setting up connectors, and defining rule actions. + 1. Review and (optionally) customize the prefilled settings, then save and enable the rule. -When you click a template, you get a prefilled **Create Rules** form. You can use the template to create your own custom alerting rule by adjusting values, setting up connectors, and defining rule actions. + The rule created from the template gets listed in the **Observability** → **Alerts** → **Manage Rules** page. + +To update the rule you have created from the template, go to **Observability** → **Alerts** → **Manage Rules**, select the rule and click **Actions**. -The preconfigured defaults typically include: +The preconfigured defaults include: - **{{esql}} query** : A curated, text-based query that evaluates your data and triggers when matches are found during the latest run. From 71ff713f10270c8f97c8d5d07fe6c5845a6a4fc0 Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi Date: Wed, 26 Nov 2025 09:59:39 +0100 Subject: [PATCH 09/15] Remove content that now lives in the alerting rule template page --- reference/fleet/alert-templates.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/reference/fleet/alert-templates.md b/reference/fleet/alert-templates.md index d9dc6fad63..12e6bc3863 100644 --- a/reference/fleet/alert-templates.md +++ b/reference/fleet/alert-templates.md 
@@ -39,11 +39,3 @@ You can find these rules in **Stack Management** > **Alerts and Insights** > **R **Connectors** are not added to rules automatically, but you can attach a connector to route alerts to your Slack, email, or other notification platforms. In addition, you can add filters for policies, tags, or hostnames to scope alerts to specific sets of agents. - -## Alert template assets for integrations [alert-templates] - -Some integration packages include alerting rule template assets that provide pre-made definitions of alerting rules. You can use the templates to create your own custom alerting rules that you can enable and fine-tune. - -When you click a template, you get a pre-filled rule creation form. You can define and adjust values, set up connectors, and define rule actions to create your custom alerting rule. - -You can see available templates in the **integrations/detail//assets** view. From bf9447c47294491b2c21a7294338e344dd54671a Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi Date: Fri, 28 Nov 2025 06:49:47 +0100 Subject: [PATCH 10/15] Add a note on excessive alerts --- reference/fleet/alerting-rule-templates.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md index cc1a2a6dc3..a7a5cf5091 100644 --- a/reference/fleet/alerting-rule-templates.md +++ b/reference/fleet/alerting-rule-templates.md 
@@ -16,6 +16,10 @@ Templates help you start monitoring in minutes by providing curated {{esql}} que Once the integration is installed, these templates are automatically available in Kibana's alerting interface with a prefilled rule creation form that you can tailor to your needs. +:::{important} +Although the alerts can be used as provided, threshold values should always be evaluated in the context of your specific environment. Applying the predefined thresholds without adjustment may result in an excessive number of alerts. +::: + ## Prerequisites - Install or upgrade to the latest version of the integration that includes alerting rule templates. From e3c54d2b6d074f2f2a5fac1677044fced42a5dc3 Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi Date: Fri, 28 Nov 2025 10:28:46 +0100 Subject: [PATCH 11/15] Add link on Integrations --- reference/fleet/alerting-rule-templates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md index a7a5cf5091..6e7fc325ee 100644 --- a/reference/fleet/alerting-rule-templates.md +++ b/reference/fleet/alerting-rule-templates.md @@ -10,7 +10,7 @@ navigation_title: Alerting rule templates # Alerting Rule Templates [alerting-rule-templates] -Alerting rule templates are out-of-the-box alert definitions that come bundled with Elastic integrations, enabling users to quickly set up monitoring without writing queries from scratch. +Alerting rule templates are out-of-the-box alert definitions that come bundled with [Elastic integrations](integration-docs://reference/index.md)), enabling users to quickly set up monitoring without writing queries from scratch. Templates help you start monitoring in minutes by providing curated {{esql}} queries and recommended thresholds tailored to each integration. From 21cd69f019bf186a3cd79006e17564dc29690f84 Mon Sep 17 00:00:00 2001 
From: Arianna Laudazzi Date: Fri, 28 Nov 2025 10:35:53 +0100 Subject: [PATCH 12/15] Add note about templates ownership --- reference/fleet/alerting-rule-templates.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md index 6e7fc325ee..028bbc1cc5 100644 --- a/reference/fleet/alerting-rule-templates.md +++ b/reference/fleet/alerting-rule-templates.md @@ -16,6 +16,8 @@ Templates help you start monitoring in minutes by providing curated {{esql}} que Once the integration is installed, these templates are automatically available in Kibana's alerting interface with a prefilled rule creation form that you can tailor to your needs. +Although these templates are managed by Elastic, any alert created from them is owned by the customer and will not be modified by Elastic, even if the templates change. + :::{important} Although the alerts can be used as provided, threshold values should always be evaluated in the context of your specific environment. Applying the predefined thresholds without adjustment may result in an excessive number of alerts. ::: From 15cb57e9829637be719738d66cf72998271e5f18 Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi Date: Fri, 28 Nov 2025 10:47:20 +0100 Subject: [PATCH 13/15] Fix the title --- reference/fleet/alert-templates.md | 2 +- reference/fleet/alerting-rule-templates.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/reference/fleet/alert-templates.md b/reference/fleet/alert-templates.md index 12e6bc3863..e17f831d95 100644 --- a/reference/fleet/alert-templates.md +++ b/reference/fleet/alert-templates.md @@ -8,7 +8,7 @@ products: navigation_title: Built-in alerts and templates --- -# Built-in alerts and templates [built-in-alerts] +# Elastic Agent built-in alerts [built-in-alerts] ## {{agent}} out-of-the-box alert rules [ea-alert-rules] 
diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md index 028bbc1cc5..f6a48fced8 100644 --- a/reference/fleet/alerting-rule-templates.md +++ b/reference/fleet/alerting-rule-templates.md @@ -8,7 +8,7 @@ products: navigation_title: Alerting rule templates --- -# Alerting Rule Templates [alerting-rule-templates] +# Alerting rule templates [alerting-rule-templates] Alerting rule templates are out-of-the-box alert definitions that come bundled with [Elastic integrations](integration-docs://reference/index.md)), enabling users to quickly set up monitoring without writing queries from scratch. From 6de274bbfdd9cfa2f0ecc3bcf26cf54eb3078b4d Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi Date: Sat, 29 Nov 2025 09:03:59 +0100 Subject: [PATCH 14/15] Integrate Muthu's feedback --- reference/fleet/alerting-rule-templates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md index f6a48fced8..29cad4092e 100644 --- a/reference/fleet/alerting-rule-templates.md +++ b/reference/fleet/alerting-rule-templates.md @@ -25,7 +25,7 @@ Although the alerts can be used as provided, threshold values should always be e ## Prerequisites - Install or upgrade to the latest version of the integration that includes alerting rule templates. -- Ensure the relevant data stream is enabled and ingesting data for the template you plan to use. +- Ensure the data collection is enabled for the metrics or events that you plan to use. - {{stack}} 9.2.1 or later. - Appropriate {{kib}} role privileges to create and manage rules. From 3fc81f8c2db78d3ad383fbb8c2f7936056e31cf4 Mon Sep 17 00:00:00 2001 From: Arianna Laudazzi Date: Sat, 29 Nov 2025 09:06:21 +0100 Subject: [PATCH 15/15] Integrate reviewers feedback --- reference/fleet/alerting-rule-templates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md index 29cad4092e..46baad3b30 100644 --- a/reference/fleet/alerting-rule-templates.md +++ b/reference/fleet/alerting-rule-templates.md @@ -19,7 +19,7 @@ Once the integration is installed, these templates are automatically available i Although these templates are managed by Elastic, any alert created from them is owned by the customer and will not be modified by Elastic, even if the templates change. :::{important} -Although the alerts can be used as provided, threshold values should always be evaluated in the context of your specific environment. Applying the predefined thresholds without adjustment may result in an excessive number of alerts. +Although the alerts can be used as provided, threshold values should always be evaluated in the context of your specific environment. Depending on how you adjust the thresholds, you may either generate too many alerts or fail to trigger alerts when expected. ::: ## Prerequisites
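Review bot: the link introduced in PATCH 11/15 in the intro paragraph of alerting-rule-templates.md has an unbalanced closing parenthesis, `[Elastic integrations](integration-docs://reference/index.md))`, which will render a stray `)` after the link text; drop the second `)`. The same line is carried as unchanged context in PATCH 13/15, so the typo survives to the end of the series.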
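Review bot: PATCH 06/15 says it removes the optional step about connectors, but its hunk deletes the `Review and (optionally) customize the prefilled settings` list item instead, and PATCH 07/15 then has to restore that item while deleting the connectors bullet from Prerequisites. The two commits net out to the intended single change; squash them so the history does not record a step being removed and put back.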
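Review bot: PATCH 03/15 changes the Prerequisites bullet to `{{stack}} 9.2.1 or later` but leaves the front matter at `stack: ga 9.3` until PATCH 08/15 corrects it, so between those commits the page contradicts itself about the minimum version. Fold the `stack: ga 9.2.1` front-matter change into PATCH 03/15 so each commit leaves the page consistent.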
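Review bot: the hunk in PATCH 09/15 deletes the `## Alert template assets for integrations [alert-templates]` section from alert-templates.md, and with it the `alert-templates` anchor. Any existing cross-reference to `alert-templates.md#alert-templates` will break once this merges; add a redirect from that anchor to the new alerting-rule-templates.md page, or check the docs for inbound links before merging.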
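Review bot: in the PATCH 08/15 hunk, the new step text points readers to **Observability** → **Alerts** → **Manage Rules** with arrow separators and writes `Kibana's` literally, while the same file uses `>` separators and the `{{kib}}` variable (`**{{manage-app}}** > **{{integrations}}**`), and the sibling alert-templates.md context in PATCH 09/15 locates rules under **Stack Management** > **Alerts and Insights** > **Rules**. Pick one separator style, use `{{kib}}` consistently, and either align the two pages on one navigation path or say that both paths lead to the rules list.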
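Review bot: the sentence added in PATCH 12/15 tells readers that a rule created from a template is not modified when the template changes, but not how they would notice that the template has changed (for example after the integration upgrade that the Prerequisites ask for) or how to bring an existing rule in line with the new version. Since a stale query or threshold is exactly the drift the `:::{important}` note in PATCH 15/15 warns about, add a sentence on re-opening the template from the **Assets** tab after an upgrade and comparing it with the rule already in place, or state what the recommended path is.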