IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Query alert indices
editQuery alert indices
editThis page explains how you should query alert indices, for example, when building rule queries, custom dashboards, or visualizations. For more information about alert event field definitions, review the Alert schema.
Alert index aliases
editWe recommend querying the following index aliases:
-
If you’re using version 8.0.0 or later:
.alerts-security.alerts-<space-id>
This alias includes the legacy (before 8.0.0) and the new alert indices. -
If you’re using a version before 8.0.0:
.siem-signals-<space-id>
Queries on this alias will function regardless of your Elastic Stack version but will not follow the newer.alerts
naming convention and may be deprecated in future releases.
Regardless of which alias you query, you should not include a dash or wildcard after the space ID. To query all spaces, use the following syntax: .alerts-security.alerts-*
or .siem-signals-*
.
Alert indices
editFor additional context, alert events are stored in hidden Elasticsearch indices. We do not recommend querying them directly. The naming conventions for these indices and their aliases differ depending on which version of Elastic Stack you’re running:
-
8.0.0 or later:
.internal.alerts-security.alerts-<space-id>-NNNNNN
, whereNNNNNN
is a number that increases over time, starting from 000001. -
Before 8.0.0:
.siem-signals-<space-id>-NNNNNN
, whereNNNNNN
is a number that increases over time, starting from 000001.