View alerts

When the conditions of a rule are met, the rule creates an alert. If the rule has actions, they run at the defined frequency. For example, the rule can send email notifications for each alert at a custom interval. For an introduction to the concepts of rules, alerts, and actions, refer to Alerting.

You can manage the alerts for each rule in Stack Management > Rules. Alternatively, manage all your alerts in Stack Management > Alerts. [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Alerts page with multiple alerts

You must have the appropriate Kibana alerting features and index privileges to view alerts. Refer to Alerting security requirements.

Filter alerts

In Stack Management > Alerts, you can filter the list (for example, by alert status or rule type) and customize the filter controls. To search for specific alerts, use the KQL bar to create structured queries using Kibana Query Language.

By default, the list contains all the alerts that you have authority to view in the selected time period except those associated with Security rules. To view alerts for Security rules, click the query menu and select Security rule types:

The Alerts page with the query menu open

Alternatively, view those alerts in the Elastic Security app.

View alert details

To get more information about a specific alert, open its action menu (…) and select View alert details in either Stack Management > Alerts or Rules. There you’ll see the current status of the alert, its duration, and when it was last updated. To help you determine what caused the alert, there is information such as the expected and actual threshold values and a summarized reason for the alert.

If an alert is affected by a maintenance window, the alert details include its identifier. For more information about their impact on alert notifications, refer to Maintenance windows.

Alert statuses

There are three common alert statuses:

active
The conditions for the rule are met and actions should be generated according to the notification settings.
recovered
The conditions for the rule are no longer met and recovery actions should be generated.
untracked
Actions are no longer generated. For example, you can choose to move active alerts to this state when you disable or delete rules.

An alert can also be in a "flapping" state when it is switching repeatedly between active and recovered states. This state is possible only if you have enabled alert flapping detection in Stack Management > Rules > Settings. For each space, you can choose a look back window and threshold that are used to determine whether alerts are flapping. For example, you can specify that the alert must change status at least 6 times in the last 10 runs. If the rule has actions that run when the alert status changes, those actions are suppressed while the alert is flapping.

Mute alerts

If an alert is active or flapping, you can mute it to temporarily suppress future actions. In both Stack Management > Alerts and Rules, you can open the action menu (…) for the appropriate alert and select Mute. To permanently suppress actions for an alert, open the actions menu and select Mark as untracked.
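As an added illustration of the status, flapping, and muting behaviour described above (this is example code written for this page, not Kibana's own implementation), the following Python model tracks a single alert across consecutive rule runs. It applies the active, recovered, and untracked statuses, detects flapping from a look-back window and change threshold like the "6 changes in the last 10 runs" setting, and suppresses status-change actions while the alert is flapping, muted, or untracked. The class name, method names, and the "notify"/"recovery" action labels are assumptions made for this example.

```python
from collections import deque


class AlertTracker:
    """Hypothetical model of one alert's lifecycle across rule runs.

    Not Kibana's code: it only mirrors the behaviour the documentation
    describes so the interaction of status, flapping and muting is visible.
    """

    def __init__(self, look_back: int = 10, threshold: int = 6) -> None:
        self.look_back = look_back      # number of recent runs examined
        self.threshold = threshold      # status changes in window => flapping
        self.status = "recovered"       # alerts start out not firing
        self.muted = False
        # One entry per recent run: True when the status changed on that run.
        self.changes: deque = deque(maxlen=look_back)

    @property
    def flapping(self) -> bool:
        """Flapping when at least `threshold` changes fall inside the window."""
        return sum(self.changes) >= self.threshold

    def mute(self) -> None:
        """Temporarily suppress future actions (Mute in the action menu)."""
        self.muted = True

    def unmute(self) -> None:
        self.muted = False

    def mark_untracked(self) -> None:
        """Permanently stop generating actions (Mark as untracked)."""
        self.status = "untracked"
        self.changes.clear()

    def run(self, conditions_met: bool) -> dict:
        """Evaluate one rule run; report status and whether an action fired."""
        if self.status == "untracked":
            return {"status": "untracked", "flapping": False,
                    "action": None, "suppressed_by": "untracked"}

        new_status = "active" if conditions_met else "recovered"
        changed = new_status != self.status
        self.changes.append(changed)
        self.status = new_status

        action = None
        suppressed_by = None
        if changed:
            # Actions that run on status change: notify on active, recovery otherwise.
            action = "notify" if new_status == "active" else "recovery"
            if self.flapping:
                suppressed_by = "flapping"
            elif self.muted:
                suppressed_by = "muted"
            if suppressed_by is not None:
                action = None

        return {"status": self.status, "flapping": self.flapping,
                "action": action, "suppressed_by": suppressed_by}


def simulate(tracker: AlertTracker, outcomes) -> list:
    """Feed a constructed sequence of rule-condition outcomes through the tracker."""
    return [tracker.run(met) for met in outcomes]


if __name__ == "__main__":
    # Constructed scenario: the condition toggles on every run, so by the
    # sixth change the alert is flapping and its status-change action is held.
    tracker = AlertTracker(look_back=10, threshold=6)
    for i, result in enumerate(simulate(tracker, [True, False] * 3), start=1):
        print(f"run {i}: {result}")
```

Running the block shows the first five toggles each firing a "notify" or "recovery" action and the sixth being suppressed with `suppressed_by == "flapping"`; once the status stays stable for enough runs, the window slides past the old changes and flapping clears, which is the same look-back behaviour the per-space setting controls.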

To affect the behavior of the rule rather than individual alerts, check out Snooze and disable rules.