dhurley14 · hannahbrooks · Mar 11, 2026
diff --git a/.../detection_engine/rule_monitoring/logic/rule_execution_log/client_for_executors/client.ts b/.../detection_engine/rule_monitoring/logic/rule_execution_log/client_for_executors/client.ts
@@ -116,6 +116,7 @@ export const createRuleExecutionLogClientForExecutors = (
         const correlationIds = baseCorrelationIds.withStatus(args.newStatus);
         const logMeta = correlationIds.getLogMeta();
 
+        // Also tracked in execution outcome document as status
         agent.addLabels({ [SECURITY_RULE_STATUS]: args.newStatus });
 
         try {
@@ -212,6 +213,8 @@ export const createRuleExecutionLogClientForExecutors = (
         consecutive_no_alert_runs: s.consecutive_no_alert_runs,
       };
 
+      agent.setCustomContext({ execution_outcome: outcomeDocument });
+
       try {
         eventLog.logExecutionOutcome({
           ruleId,

diff --git a/...rity_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts b/...rity_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts
@@ -53,10 +53,8 @@ import type { RuleParams } from '../rule_schema';
 import {
   SECURITY_FROM,
   SECURITY_IMMUTABLE,
-  SECURITY_INPUT_INDEX,
   SECURITY_MAX_SIGNALS,
   SECURITY_MERGE_STRATEGY,
-  SECURITY_NUM_ALERTS_CREATED,
   SECURITY_NUM_IGNORE_FIELDS_REGEX,
   SECURITY_NUM_IGNORE_FIELDS_STANDARD,
   SECURITY_NUM_RANGE_TUPLES,
@@ -81,7 +79,7 @@ const addApmLabelsFromParams = (params: RuleParams) => {
       [SECURITY_FROM]: params.from,
       [SECURITY_IMMUTABLE]: params.immutable,
       [SECURITY_MAX_SIGNALS]: params.maxSignals,
-      [SECURITY_RULE_ID]: params.ruleId,
+      [SECURITY_RULE_ID]: params.ruleId, // Also tracked in execution outcome document as rule_uuid
       [SECURITY_TO]: params.to,
     },
     false
@@ -301,10 +299,6 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
             }
           }
 
-          // Make a copy of `inputIndex` or else the APM agent reports it as [Circular] for most rule types because it's the same object
-          // as `index`
-          agent.setCustomContext({ [SECURITY_INPUT_INDEX]: [...inputIndex] });
-
           ruleExecutionLogger.stats({
             input_index_patterns: [...inputIndex],
             timestamp_field_used: primaryTimestamp,
@@ -627,8 +621,6 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
 
             ruleExecutionLogger.info(`Alerts created: ${createdSignalsCount}`);
 
-            agent.setCustomContext({ [SECURITY_NUM_ALERTS_CREATED]: createdSignalsCount });
-
             const executionEndTime = Date.now();
             const totalSearchDurationMs = sum(result.searchAfterTimes.map(Number)) || 0;
             const totalIndexingDurationMs = sum(result.bulkCreateTimes.map(Number)) || 0;

diff --git a/.../security/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts b/.../security/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts
@@ -84,11 +84,7 @@ import type {
 import type { BuildReasonMessage } from './reason_formatters';
 import { getSuppressionTerms } from './suppression_utils';
 import { robustGet } from './source_fields_merging/utils/robust_field_access';
-import {
-  SECURITY_NUM_EXCEPTION_ITEMS,
-  SECURITY_NUM_INDICES_MATCHING_PATTERN,
-  SECURITY_QUERY_SPAN_S,
-} from './apm_field_names';
+import { SECURITY_NUM_INDICES_MATCHING_PATTERN, SECURITY_QUERY_SPAN_S } from './apm_field_names';
 import { buildTimeRangeFilter } from './build_events_query';
 export const MAX_RULE_GAP_RATIO = 4;
 
@@ -346,7 +342,6 @@ export const getExceptions = async ({
           sortOrder: undefined,
           sortField: undefined,
         });
-        agent.setCustomContext({ [SECURITY_NUM_EXCEPTION_ITEMS]: items.length });
         return items;
       } catch (e) {
         throw new Error(