From b3462ca5aec56d3b5c00cd504473b101921f8c86 Mon Sep 17 00:00:00 2001
From: Nastasha Solomon <nastasha.solomon@elastic.co>
Date: Mon, 22 Jun 2026 23:37:58 -0400
Subject: [PATCH 1/3] first draft

---
 .../alerts/query-alerts-and-signals-in-discover.md |  8 ++++++++
 .../alerts/view-and-manage-alerts.md               | 14 ++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/explore-analyze/alerting/kibana-alerting-experimental/alerts/query-alerts-and-signals-in-discover.md b/explore-analyze/alerting/kibana-alerting-experimental/alerts/query-alerts-and-signals-in-discover.md
index c6417aa971..72692a6f43 100644
--- a/explore-analyze/alerting/kibana-alerting-experimental/alerts/query-alerts-and-signals-in-discover.md
+++ b/explore-analyze/alerting/kibana-alerting-experimental/alerts/query-alerts-and-signals-in-discover.md
@@ -17,6 +17,14 @@ The Alerts UI shows current alert episode state. Discover lets you go further: a
 
 To use this page, open Discover, select {{esql}}, paste a query from the examples below, then adjust the time range and placeholders (`YOUR_RULE_ID`, `YOUR_GROUP_HASH`) to match your environment.
 
+## Create rules from Discover [create-rules-from-discover]
+
+The **Alerts** menu in the Discover top navigation is also an entry point for creating rules in the {{alerting-v2-system}}. Users with {{alerting-v2-system}} access — including users who do not hold Kibana alerting permissions — can open this menu to create ES|QL threshold rules. Access to the menu requires either Kibana alerting access or {{alerting-v2-system}} access; both are not required.
+
+When the {{alerting-v2-system}} is enabled, the Alerts menu in Discover routes rule creation to the {{alerting-v2-system}} rule form instead of the Kibana alerting rule form. When it is disabled, the Kibana alerting form is used.
+
+<!-- [CONTENT NEEDED: Add step-by-step instructions for creating a rule from Discover once a dedicated create-rule-from-discover page is written. Link from this section to that page. The Alerts menu UI was redesigned in 9.5.0 (see PR #272724) — confirm the new menu structure and update screenshots before publishing.] -->
+
 <!--[CONTENT NEEDED: The queries on this page use `.rule-events` and `.alert-actions` directly. Confirm whether these will remain the intended query surface, or whether users should query an ES|QL view or a stable user-facing data stream instead. Update all examples accordingly before publishing.]-->
 
 <!--[CONTENT NEEDED for M2: Review and expand the query examples below once M2 field renames (`group_hash` → `series.key`, new `series.tracked_by`, `episode.severity`, `episode.severity_max`) are finalized. Add examples that take advantage of the new first-class severity and series fields.]-->
diff --git a/explore-analyze/alerting/kibana-alerting-experimental/alerts/view-and-manage-alerts.md b/explore-analyze/alerting/kibana-alerting-experimental/alerts/view-and-manage-alerts.md
index b8f0361701..33cdd9d9cf 100644
--- a/explore-analyze/alerting/kibana-alerting-experimental/alerts/view-and-manage-alerts.md
+++ b/explore-analyze/alerting/kibana-alerting-experimental/alerts/view-and-manage-alerts.md
@@ -19,6 +19,20 @@ Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule de
 
 Alert episodes in the {{alerting-v2-system}} are scoped to the current {{kib}} space. Alert episodes created in one space aren't visible when viewing a different space, including the Default space. 
 
+## Monitor alert health and trends [monitor-alert-trends]
+
+Above the alert episodes table, two sets of panels give you an at-a-glance summary of your alert environment.
+
+**KPI panels** surface aggregate counts for the current filter state and time range. Use these counts to understand the scale of a situation before drilling into individual rows — for example, whether a single noisy rule is responsible for most activity, or whether many rules are firing at the same time. Counts update dynamically as you change filters or adjust the time range.
+
+<!-- [CONTENT NEEDED: The specific metrics shown in each KPI panel (total episodes, distinct firing rules, assigned to current user, unassigned, acknowledged, snoozed) are accurate as of 9.5.0 but the panel layout and labels may change before GA. Add a labeled breakdown of each panel once the UI stabilizes.] -->
+
+**Episode histogram** shows how episode counts have changed across the selected time range. Use it to identify when a wave of alert episodes began, whether the situation is improving, and whether a spike was an isolated event or part of a broader pattern. You can break down the chart by dimensions such as status, rule, or assignee. Selecting a range directly in the histogram narrows the global time filter and focuses the table on that interval.
+
+:::{note}
+The episode histogram queries up to 10,000 alert episodes per time range. If your environment exceeds this limit, a warning appears in the chart. Narrow the time range or add filters to stay within this cap.
+:::
+
 ## Filter and search
 
 - **Rule:** Limit rows to one or more rules.

From b7b2e6968104d0a37cf4da9e9bd1ebb4bb9a4849 Mon Sep 17 00:00:00 2001
From: Nastasha Solomon <nastasha.solomon@elastic.co>
Date: Tue, 23 Jun 2026 00:11:01 -0400
Subject: [PATCH 2/3] clarified page intent

---
 .../alerting/kibana-alerting-experimental/alerts.md           | 2 +-
 .../alerts/alert-states-and-fields-reference.md               | 2 +-
 .../alerts/query-alerts-and-signals-in-discover.md            | 4 +++-
 .../alerts/view-and-manage-alerts.md                          | 2 +-
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/explore-analyze/alerting/kibana-alerting-experimental/alerts.md b/explore-analyze/alerting/kibana-alerting-experimental/alerts.md
index a0ccb10d3a..6631d756ee 100644
--- a/explore-analyze/alerting/kibana-alerting-experimental/alerts.md
+++ b/explore-analyze/alerting/kibana-alerting-experimental/alerts.md
@@ -10,7 +10,7 @@ description: "Alert episodes in Kibana's experimental alerting system track one
 
 # {{alerting-v2-system-cap}} alerts
 
-Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule fires repeatedly on the same problem, a flat list of events doesn't tell you when the issue started, whether it's still happening, or how long it's been going on. Alert episodes fill that gap. Each alert episode is a persistent record of one issue on one series, from first breach through recovery, with every evaluation appended to the same history. Nothing is overwritten.
+Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule fires repeatedly on the same problem, a flat list of events doesn't tell you when the issue started, whether it's still happening, or how long it's been going on. Alert episodes fill that gap. Each alert episode is a persistent record of one issue on one series, from first breach through recovery, with every evaluation appended to the same history. Nothing is overwritten. This page explains how alert episodes move through their lifecycle states, how series organize episodes over time, the difference between alert episodes and signals, and how alert data is stored and retained.
 
 <!--[CONTENT NEEDED for M2: UI. Once the navigation and page name have been confirmed, add instructions for opening the Alerts page.]
 -->
diff --git a/explore-analyze/alerting/kibana-alerting-experimental/alerts/alert-states-and-fields-reference.md b/explore-analyze/alerting/kibana-alerting-experimental/alerts/alert-states-and-fields-reference.md
index 68fabebd61..b5d71d76c7 100644
--- a/explore-analyze/alerting/kibana-alerting-experimental/alerts/alert-states-and-fields-reference.md
+++ b/explore-analyze/alerting/kibana-alerting-experimental/alerts/alert-states-and-fields-reference.md
@@ -11,7 +11,7 @@ description: "Status values and field definitions for alert episodes in Kibana's
 # Alert states and fields reference [alert-states-reference]
 
 
-Alert states and fields are part of the {{alerting-v2-system}} in {{kib}}. Use these tables when you read alert UI state, query `.rule-events` or `.alert-actions` in Discover, or align API payloads with what operators see. For triage controls (acknowledge, snooze, resolve, tags) and how they map to storage, refer to [Alert actions](view-and-manage-alerts.md#alert-actions).
+Alert states and fields are part of the {{alerting-v2-system}} in {{kib}}. This page is a reference for alert episode lifecycle status values, rule event evaluation status values, and the fields written to `.alert-actions` when users or the system act on an episode. Use it when reading alert UI state, writing queries against `.rule-events` or `.alert-actions` in Discover, or aligning API payloads with what the Alerts UI shows. For triage controls (acknowledge, snooze, resolve, tags) and how they map to storage, refer to [Alert actions](view-and-manage-alerts.md#alert-actions).
 <!-- TODO: Uncomment when PR #6523 (rules) is merged:
 For rule evaluation fields on `.rule-events`, refer to [Rule event and field reference](../rules/rule-event-field-reference.md#rule-reference).
 -->
diff --git a/explore-analyze/alerting/kibana-alerting-experimental/alerts/query-alerts-and-signals-in-discover.md b/explore-analyze/alerting/kibana-alerting-experimental/alerts/query-alerts-and-signals-in-discover.md
index 72692a6f43..ebb63b9fd6 100644
--- a/explore-analyze/alerting/kibana-alerting-experimental/alerts/query-alerts-and-signals-in-discover.md
+++ b/explore-analyze/alerting/kibana-alerting-experimental/alerts/query-alerts-and-signals-in-discover.md
@@ -11,7 +11,9 @@ description: "Query alert episodes and signals with ES|QL in Kibana's experiment
 # Query alerts and signals in Discover [explore-alerts-discover]
 
 
-Alert and signal queries in Discover are part of the {{alerting-v2-system}} in {{kib}}. Discover gives you direct {{esql}} access to everything the {{alerting-v2-system}} records, including rule evaluation history, alert episode progressions, triage actions, and operational metrics like mean time to acknowledge.
+Alert and signal queries in Discover are part of the {{alerting-v2-system}} in {{kib}}. Discover gives you direct {{esql}} access to everything the {{alerting-v2-system}} records, including rule evaluation history, alert episode progressions, triage actions, and operational metrics like mean time to acknowledge. 
+
+This page covers how to query `.rule-events` and `.alert-actions` for exploratory analysis and dashboards, and how to access the Discover Alerts menu to create rules in the {{alerting-v2-system}}.
 
 The Alerts UI shows current alert episode state. Discover lets you go further: ask arbitrary questions, spot trends over time, replay how a specific incident unfolded, or correlate alert history with other data in your environment.
 
diff --git a/explore-analyze/alerting/kibana-alerting-experimental/alerts/view-and-manage-alerts.md b/explore-analyze/alerting/kibana-alerting-experimental/alerts/view-and-manage-alerts.md
index 33cdd9d9cf..67cb6f8c82 100644
--- a/explore-analyze/alerting/kibana-alerting-experimental/alerts/view-and-manage-alerts.md
+++ b/explore-analyze/alerting/kibana-alerting-experimental/alerts/view-and-manage-alerts.md
@@ -10,7 +10,7 @@ description: "Examine, triage, and investigate alert episodes in Kibana's experi
 
 # View and manage alerts [manage-alerts]
 
-Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule detects a problem, use the Alerts UI to understand what's happening and decide what to do about it. From here you can examine alert episodes, use filters to find what needs attention, triage them, and more.
+Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule detects a problem, use the Alerts UI to understand what's happening and decide what to do about it. This page covers how to read health and trend summaries above the episodes table, filter and search alert episodes, take triage actions (acknowledge, snooze, resolve, activate, and tag), and use the episode detail page to investigate lifecycle history, related episodes, assignees, and raw metadata.
 
 <!--[CONTENT NEEDED for M2: UI. "V2 Alerting Preview" is a development-phase navigation label. Once the navigation and page name have been confirmed, add instructions for opening the Alerts page.]
 -->

From 44d8bb42823098f9531465f9dbacbfe20efd4b4e Mon Sep 17 00:00:00 2001
From: Nastasha Solomon <nastasha.solomon@elastic.co>
Date: Tue, 23 Jun 2026 00:12:35 -0400
Subject: [PATCH 3/3] more pages intent

---
 .../alerting/kibana-alerting-experimental/alerts.md           | 4 +++-
 .../alerts/view-and-manage-alerts.md                          | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/explore-analyze/alerting/kibana-alerting-experimental/alerts.md b/explore-analyze/alerting/kibana-alerting-experimental/alerts.md
index 6631d756ee..6b001ac531 100644
--- a/explore-analyze/alerting/kibana-alerting-experimental/alerts.md
+++ b/explore-analyze/alerting/kibana-alerting-experimental/alerts.md
@@ -10,7 +10,9 @@ description: "Alert episodes in Kibana's experimental alerting system track one
 
 # {{alerting-v2-system-cap}} alerts
 
-Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule fires repeatedly on the same problem, a flat list of events doesn't tell you when the issue started, whether it's still happening, or how long it's been going on. Alert episodes fill that gap. Each alert episode is a persistent record of one issue on one series, from first breach through recovery, with every evaluation appended to the same history. Nothing is overwritten. This page explains how alert episodes move through their lifecycle states, how series organize episodes over time, the difference between alert episodes and signals, and how alert data is stored and retained.
+Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule fires repeatedly on the same problem, a flat list of events doesn't tell you when the issue started, whether it's still happening, or how long it's been going on. Alert episodes fill that gap. Each alert episode is a persistent record of one issue on one series, from first breach through recovery, with every evaluation appended to the same history. Nothing is overwritten. 
+
+This page explains how alert episodes move through their lifecycle states, how series organize episodes over time, the difference between alert episodes and signals, and how alert data is stored and retained.
 
 <!--[CONTENT NEEDED for M2: UI. Once the navigation and page name have been confirmed, add instructions for opening the Alerts page.]
 -->
diff --git a/explore-analyze/alerting/kibana-alerting-experimental/alerts/view-and-manage-alerts.md b/explore-analyze/alerting/kibana-alerting-experimental/alerts/view-and-manage-alerts.md
index 67cb6f8c82..2ff2baf843 100644
--- a/explore-analyze/alerting/kibana-alerting-experimental/alerts/view-and-manage-alerts.md
+++ b/explore-analyze/alerting/kibana-alerting-experimental/alerts/view-and-manage-alerts.md
@@ -10,7 +10,9 @@ description: "Examine, triage, and investigate alert episodes in Kibana's experi
 
 # View and manage alerts [manage-alerts]
 
-Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule detects a problem, use the Alerts UI to understand what's happening and decide what to do about it. This page covers how to read health and trend summaries above the episodes table, filter and search alert episodes, take triage actions (acknowledge, snooze, resolve, activate, and tag), and use the episode detail page to investigate lifecycle history, related episodes, assignees, and raw metadata.
+Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule detects a problem, use the Alerts UI to understand what's happening and decide what to do about it. 
+
+This page covers how to read health and trend summaries above the episodes table, filter and search alert episodes, take triage actions (acknowledge, snooze, resolve, activate, and tag), and use the episode detail page to investigate lifecycle history, related episodes, assignees, and raw metadata.
 
 <!--[CONTENT NEEDED for M2: UI. "V2 Alerting Preview" is a development-phase navigation label. Once the navigation and page name have been confirmed, add instructions for opening the Alerts page.]
 -->