Rule types

A rule is a set of conditions, schedules, and actions that enable notifications. Kibana provides rules built into the Elastic Stack and rules registered by one of the Kibana apps. You can create most rule types in Stack Management > Rules. Security rules must be defined in the Security app. For more information, refer to the documentation about creating a detection rule.

Some rule types are subscription features, while others are free features. For a comparison of the Elastic subscription levels, see the subscription page.

Stack rules

Stack rules are built into Kibana. To access the Stack Rules feature and create and edit rules, users require the `all` privilege for that feature. See feature privileges for more information.

Elasticsearch query

Run a user-configured Elasticsearch query, compare the number of matches to a configured threshold, and schedule actions to run when the threshold condition is met.
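The following is an added example of what a user-configured query, threshold, and action look like for this rule type; it is not taken from the page. It is the body of a Kibana alerting API request (`POST /api/alerting/rule`, sent with the `kbn-xsrf` header) that alerts when more than 20 failed SSH logins are found in the last 5 minutes. The index pattern `filebeat-*`, the field values in the query, and the connector ID placeholder are assumptions; replace them with values from your own deployment.

```json
{
  "name": "Failed SSH logins above threshold (added example)",
  "rule_type_id": ".es-query",
  "consumer": "alerts",
  "schedule": { "interval": "1m" },
  "params": {
    "searchType": "esQuery",
    "index": ["filebeat-*"],
    "timeField": "@timestamp",
    "esQuery": "{\"query\":{\"bool\":{\"filter\":[{\"term\":{\"event.category\":\"authentication\"}},{\"term\":{\"event.outcome\":\"failure\"}},{\"term\":{\"event.module\":\"system\"}}]}}}",
    "size": 100,
    "threshold": [20],
    "thresholdComparator": ">",
    "timeWindowSize": 5,
    "timeWindowUnit": "m"
  },
  "actions": [
    {
      "group": "query matched",
      "id": "CONNECTOR_ID_PLACEHOLDER",
      "params": {
        "message": "{{context.title}}: {{context.value}} failed SSH logins in the last 5 minutes ({{context.conditions}}). Review: {{context.link}}"
      }
    }
  ]
}
```

The `esQuery` value is the Elasticsearch query DSL serialized as a string; the rule counts matching documents inside the `timeWindowSize`/`timeWindowUnit` window on every `schedule.interval` run and fires the `query matched` action group only when `threshold` is crossed. Keeping `size` small limits how many raw hits are attached to the alert context.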

Index threshold

Aggregate field values from documents using Elasticsearch queries, compare them to threshold values, and schedule actions to run when the thresholds are met.
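As an added example for this rule type, not from the page, here is a `POST /api/alerting/rule` body that averages a metric per host and alerts for any host whose 5-minute average CPU exceeds 90%. The index pattern `metricbeat-*`, the field names `system.cpu.total.pct` and `host.name`, and the connector ID placeholder are assumptions.

```json
{
  "name": "Average CPU per host above 90% (added example)",
  "rule_type_id": ".index-threshold",
  "consumer": "alerts",
  "schedule": { "interval": "1m" },
  "params": {
    "index": ["metricbeat-*"],
    "timeField": "@timestamp",
    "aggType": "avg",
    "aggField": "system.cpu.total.pct",
    "groupBy": "top",
    "termField": "host.name",
    "termSize": 10,
    "thresholdComparator": ">",
    "threshold": [0.9],
    "timeWindowSize": 5,
    "timeWindowUnit": "m"
  },
  "actions": [
    {
      "group": "threshold met",
      "id": "CONNECTOR_ID_PLACEHOLDER",
      "params": {
        "message": "{{context.title}}: host {{context.group}} averaged {{context.value}} CPU over the last 5 minutes ({{context.conditions}})."
      }
    }
  ]
}
```

Unlike the Elasticsearch query rule, which counts matches, this rule evaluates an aggregation (`aggType` over `aggField`) and, because `groupBy` is `top`, produces a separate alert per `host.name` value, up to `termSize` hosts.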

Transform rules

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

Run scheduled checks on a continuous transform to check its health. If a continuous transform meets the conditions, an alert is created and the associated action is triggered.

Tracking containment

Run an Elasticsearch query to determine if any documents are currently contained in any boundaries from a specified boundary index and generate alerts when a rule’s conditions are met.

Observability rules


Observability rules detect complex conditions in your observability data and create alerts when a rule’s conditions are met. For example, you can create a rule that detects when the value of a metric exceeds a specified threshold or when an anomaly occurs on a system or service you are monitoring. For more information, refer to Alerting.

If you create a rule in the Observability app, its alerts are not visible in Stack Management > Rules. They are visible only in the Observability app.

Machine learning rules

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

Machine learning rules run scheduled checks on an anomaly detection job to detect anomalies with certain conditions. If an anomaly meets the conditions, an alert is created and the associated action is triggered.

Security rules


Security rules detect suspicious source events with pre-built or custom rules and create alerts when a rule’s conditions are met. For more information, refer to Security rules.

Alerts associated with security rules are visible only in the Elastic Security app; they are not visible in Stack Management > Rules.