elastic · YulNaumenko · Feb 23, 2021 · Feb 18, 2021 · Feb 18, 2021 · Feb 18, 2021
diff --git a/docs/management/alerting/alert-management.asciidoc b/docs/management/alerting/alert-management.asciidoc
@@ -3,7 +3,7 @@
 === Managing Alerts
 
 
-The *Alerts* tab provides a cross-app view of alerting. Different {kib} apps like <<metrics-app,Metrics>>, <<xpack-apm,APM>>, <<uptime-app,Uptime>>, and <<xpack-siem,SIEM>> can offer their own alerts, and the *Alerts* tab provides a central place to:
+The *Alerts* tab provides a cross-app view of alerting. Different {kib} apps like {observability-guide}/create-alerts.html[Observability], {security-guide}/prebuilt-rules.html[Security], <<geo-alerting, Maps>> and <<xpack-ml, ML>> can offer their own alerts, and the *Alerts* tab provides a central place to:
 
 * <<create-edit-alerts, Create and edit>> alerts
 * <<controlling-alerts, Control alerts>> including enabling/disabling, muting/unmuting, and deleting

diff --git a/docs/user/alerting/alert-types.asciidoc b/docs/user/alerting/alert-types.asciidoc
@@ -1,159 +1,28 @@
 [role="xpack"]
 [[alert-types]]
-== Standard stack alert types
+== Alert types
 
-{kib} supplies alert types in two ways: some are built into {kib} (these are known as stack alerts), while domain-specific alert types are registered by {kib} apps such as <<xpack-apm,*APM*>>, <<xpack-ml,*{ml-cap}*>>, <<metrics-app,*Metrics*>>, and <<uptime-app,*Uptime*>>.
+{kib} supplies alert types in two ways: some are built into {kib} (these are known as stack alerts), while domain-specific alert types are registered by {kib} apps.
 
-This section covers stack alerts. For domain-specific alert types, refer to the documentation for that app.
+[float]
+==== Standard stack alert types
+
+This section covers stack alerts.
 Users will need `all` access to the *Stack Alerts* feature to be able to create and edit any of the alerts listed below.
 See <<kibana-feature-privileges, feature privileges>> for more information on configuring roles that provide access to this feature. 
 
 Currently {kib} provides two stack alerts: <<alert-type-index-threshold>> and <<alert-type-es-query>>.
-Currently {kib} provides two stack alerts: <<alert-type-index-threshold>> and <<alert-type-es-query>>.
+{kib} provides two stack alerts: 
+
+* <<alert-type-index-threshold>>
+* <<alert-type-es-query>>
+
-Currently {kib} provides two stack alerts: <<alert-type-index-threshold>> and <<alert-type-es-query>>.
+{kib} provides two stack alerts: 
+
+* <<alert-type-index-threshold>>
+* <<alert-type-es-query>>
+
 
 [float]
-[[alert-type-index-threshold]]
-=== Index threshold
-
-The index threshold alert type is designed to run an {es} query over indices, aggregating field values from documents, comparing them to threshold values, and scheduling actions to run when the thresholds are met.
-
-[float]
-==== Creating the alert
-
-An index threshold alert can be created from the *Create* button in the <<alert-management, alert management UI>>. Fill in the <<defining-alerts-general-details, general alert details>>, then select *Index Threshold*.
-
-[role="screenshot"]
-image::images/alert-types-index-threshold-select.png[Choosing an index threshold alert type]
-
-[float]
-==== Defining the conditions
-
-The index threshold has 5 clauses that define the condition to detect.
-
-[role="screenshot"]
-image::images/alert-types-index-threshold-conditions.png[Five clauses define the condition to detect]
-
-Index:: This clause requires an *index or index pattern* and a *time field* that will be used for the *time window*.
-When:: This clause specifies how the value to be compared to the threshold is calculated. The value is calculated by aggregating a numeric field a the *time window*. The aggregation options are: `count`, `average`, `sum`, `min`, and `max`. When using `count` the document count is used, and an aggregation field is not necessary. 
-Over/Grouped Over:: This clause lets you configure whether the aggregation is applied over all documents, or should be split into groups using a grouping field. If grouping is used, an  <<alerting-concepts-alert-instances, alert instance>> will be created for each group when it exceeds the threshold. To limit the number of instances on high cardinality fields, you must specify the number of groups to check against the threshold. Only the *top* groups are checked. 
-Threshold:: This clause defines a threshold value and a comparison operator  (one of `is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The result of the aggregation is compared to this threshold. 
-Time window:: This clause determines how far back to search for documents, using the *time field* set in the *index* clause. Generally this value should be to a value higher than the *check every* value in the <<defining-alerts-general-details, general alert details>>, to avoid gaps in detection. 
-
-If data is available and all clauses have been defined, a preview chart will render the threshold value and display a line chart showing the value for the last 30 intervals. This can provide an indication of recent values and their proximity to the threshold, and help you tune the clauses. 
-
-[role="screenshot"]
-image::images/alert-types-index-threshold-preview.png[Five clauses define the condition to detect]
-
-[float]
-=== Example
-
-In this section, you will use the {kib} <<add-sample-data, weblog sample dataset>> to setup and tune the conditions on an index threshold alert. For this example, we want to detect when any of our top three sites have served more than 420,000 bytes over a 24 hour period.
-
-From the <<alert-management, alert management UI>>, create a new alert, and fill in the <<defining-alerts-general-details, general alert details>>. This alert will be checked every 4 hours, and will not execute actions more than once per day. Choose the index threshold alert type. 
-
-[role="screenshot"]
-image::images/alert-types-index-threshold-select.png[Choosing an index threshold alert type]
-
-Click on each clause to open a control that helps you set the value:
-
-[float]
-==== Index clause
-The index clause control will list and allow you to search for available indices. Choose *kibana_sample_data_logs*
-
-[role="screenshot"]
-image::images/alert-types-index-threshold-example-index.png[Choosing an index]
-
-Once an index is selected, the list of time fields for that index will be available to select. Choose *@timestamp*.
-
-[role="screenshot"]
-image::images/alert-types-index-threshold-example-timefield.png[Choosing a time field]
-
-[float]
-==== When clause
-
-We want to detect the number of bytes served during the time window, so we select `sum` as the aggregation, and `bytes` as the field to aggregate. 
-
-[role="screenshot"]
-image::images/alert-types-index-threshold-example-aggregation.png[Choosing the aggregation]
-
-[float]
-==== Over/Grouped over clause
-
-We want to alert on the three sites that have the most traffic, so we'll group the sum of bytes by the `host.keyword` field and take the top 3 values. 
-
-[role="screenshot"]
-image::images/alert-types-index-threshold-example-grouping.png[Choosing the groups]
-
-[float]
-==== Threshold clause
-
-We want to alert when any site exceeds 420,000 bytes over a 24 hour period, so we'll set the threshold to 420,000 and use the `is above` comparison. 
-
-[role="screenshot"]
-image::images/alert-types-index-threshold-example-threshold.png[Setting the threshold]
-
-[float]
-==== Time window clause
-
-Finally, set the time window to 24 hours to complete the alert configuration.
-
-[role="screenshot"]
-image::images/alert-types-index-threshold-example-window.png[Setting the time window]
-
-The preview chart will render showing the 24 hour sum of bytes at 4 hours intervals (the *check every* interval) for the past 120 hours (the last 30 intervals).
-
-[role="screenshot"]
-image::images/alert-types-index-threshold-example-preview.png[Setting the time window]
-
-[float]
-==== Comparing time windows
-
-You can interactively change the time window and observe the effect it has on the chart. Compare a 24 window to a 12 hour window. Notice the variability in the sum of bytes, due to different traffic levels during the day compared to at night. This variability would result in noisy alerts, so the 24 hour window is better. The preview chart can help you find the right values for your alert. 
-
-[role="screenshot"]
-image::images/alert-types-index-threshold-example-comparison.png[Comparing two time windows]
-
-[float]
-[[alert-type-es-query]]
-=== ES query
-
-The ES query alert type is designed to run a user-configured {es} query over indices, compare the number of matches to a configured threshold, and schedule
-actions to run when the threshold condition is met.
-
-[float]
-==== Creating the alert
-
-An ES query alert can be created from the *Create* button in the <<alert-management, alert management UI>>. Fill in the <<defining-alerts-general-details, general alert details>>, then select *ES query*.
-
-[role="screenshot"]
-image::images/alert-types-es-query-select.png[Choosing an ES query alert type]
-
-[float]
-==== Defining the conditions
-
-The ES query alert has 5 clauses that define the condition to detect.
-
-[role="screenshot"]
-image::images/alert-types-es-query-conditions.png[Four clauses define the condition to detect]
-
-Index:: This clause requires an *index or index pattern* and a *time field* that will be used for the *time window*.
-Size:: This clause specifies the number of documents to pass to the configured actions when the the threshold condition is met.
-ES query:: This clause specifies the ES DSL query to execute. The number of documents that match this query will be evaulated against the threshold
-condition. Aggregations are not supported at this time. 
-Threshold:: This clause defines a threshold value and a comparison operator  (`is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The number of documents that match the specified query is compared to this threshold.
-Time window:: This clause determines how far back to search for documents, using the *time field* set in the *index* clause. Generally this value should be set to a value higher than the *check every* value in the <<defining-alerts-general-details, general alert details>>, to avoid gaps in detection. 
-
-[float]
-==== Testing your query
-
-Use the *Test query* feature to verify that your query DSL is valid.
-
-When your query is valid:: Valid queries will be executed against the configured *index* using the configured *time window*. The number of documents that
-match the query will be displayed.
+==== Domain-specific alert types
 
-[role="screenshot"]
-image::images/alert-types-es-query-valid.png[Test ES query returns number of matches when valid]
+For domain-specific alert types, refer to the documentation for that app.
+Currently we the next alerts grouped by the application:
 
-When your query is invalid:: An error message is shown if the query is invalid.
+* {observability-guide}/create-alerts.html[Observability alerts]
+* {security-guide}/prebuilt-rules.html[Security alerts]
+* <<geo-alerting, Maps alerts>>
+* <<xpack-ml, ML alerts>>
 
-[role="screenshot"]
-image::images/alert-types-es-query-invalid.png[Test ES query shows error when invalid]
+include::stack-alerts/index-threshold.asciidoc[]
+include::stack-alerts/es-query.asciidoc[]
diff --git a/docs/user/alerting/alerting-getting-started.asciidoc b/docs/user/alerting/alerting-getting-started.asciidoc
@@ -5,7 +5,7 @@
 
 --
 
-Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with <<xpack-apm,*APM*>>, <<metrics-app,*Metrics*>>, <<xpack-siem,*Security*>>, <<uptime-app,*Uptime*>>, can be centrally managed from the <<management,*Management*>> UI, and provides a set of built-in <<action-types, actions>> and <<alert-types, alerts>> (known as stack alerts) for you to use.
+Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with {observability-guide}/create-alerts.html[Observability], {security-guide}/prebuilt-rules.html[Security], <<geo-alerting, Maps>> and <<xpack-ml, ML>>, can be centrally managed from the <<management,*Management*>> UI, and provides a set of built-in <<action-types, actions>> and <<alert-types, alerts>> (known as stack alerts) for you to use.
 
 image::images/alerting-overview.png[Alerts and actions UI]
 

diff --git a/docs/user/alerting/stack-alerts/es-query.asciidoc b/docs/user/alerting/stack-alerts/es-query.asciidoc
@@ -0,0 +1,45 @@
+[role="xpack"]
+[[alert-type-es-query]]
+== ES query
+
+The ES query alert type is designed to run a user-configured {es} query over indices, compare the number of matches to a configured threshold, and schedule
+actions to run when the threshold condition is met.
+
+[float]
+=== Creating the alert
+
+An ES query alert can be created from the *Create* button in the <<alert-management, alert management UI>>. Fill in the <<defining-alerts-general-details, general alert details>>, then select *ES query*.
+
+[role="screenshot"]
+image::user/alerting/images/alert-types-es-query-select.png[Choosing an ES query alert type]
+
+[float]
+=== Defining the conditions
+
+The ES query alert has 5 clauses that define the condition to detect.
+
+[role="screenshot"]
+image::user/alerting/images/alert-types-es-query-conditions.png[Four clauses define the condition to detect]
+
+Index:: This clause requires an *index or index pattern* and a *time field* that will be used for the *time window*.
+Size:: This clause specifies the number of documents to pass to the configured actions when the the threshold condition is met.
+ES query:: This clause specifies the ES DSL query to execute. The number of documents that match this query will be evaulated against the threshold
+condition. Aggregations are not supported at this time. 
+Threshold:: This clause defines a threshold value and a comparison operator  (`is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The number of documents that match the specified query is compared to this threshold.
+Time window:: This clause determines how far back to search for documents, using the *time field* set in the *index* clause. Generally this value should be set to a value higher than the *check every* value in the <<defining-alerts-general-details, general alert details>>, to avoid gaps in detection. 
+
+[float]
+=== Testing your query
+
+Use the *Test query* feature to verify that your query DSL is valid.
+
+When your query is valid:: Valid queries will be executed against the configured *index* using the configured *time window*. The number of documents that
+match the query will be displayed.
+
+[role="screenshot"]
+image::user/alerting/images/alert-types-es-query-valid.png[Test ES query returns number of matches when valid]
+
+When your query is invalid:: An error message is shown if the query is invalid.
+
+[role="screenshot"]
+image::user/alerting/images/alert-types-es-query-invalid.png[Test ES query shows error when invalid]
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,7 +5,7 @@ @@
     --
-    Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with <<xpack-apm,*APM*>>, <<metrics-app,*Metrics*>>, <<xpack-siem,*Security*>>, <<uptime-app,*Uptime*>>, can be centrally managed from the <<management,*Management*>> UI, and provides a set of built-in <<action-types, actions>> and <<alert-types, alerts>> (known as stack alerts) for you to use.
+    Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with {observability-guide}/create-alerts.html[Observability], {security-guide}/prebuilt-rules.html[Security], <<geo-alerting, Maps>> and <<xpack-ml, ML>>, can be centrally managed from the <<management,*Management*>> UI, and provides a set of built-in <<action-types, actions>> and <<alert-types, alerts>> (known as stack alerts) for you to use.
     image::images/alerting-overview.png[Alerts and actions UI]
@@ Expand Down @@