elastic · nastasha-solomon · Jun 23, 2026 · Jun 23, 2026 · Jun 23, 2026
@@ -10,7 +10,9 @@ description: "Alert episodes in Kibana's experimental alerting system track one
 
 # {{alerting-v2-system-cap}} alerts
 
-Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule fires repeatedly on the same problem, a flat list of events doesn't tell you when the issue started, whether it's still happening, or how long it's been going on. Alert episodes fill that gap. Each alert episode is a persistent record of one issue on one series, from first breach through recovery, with every evaluation appended to the same history. Nothing is overwritten.
+Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule fires repeatedly on the same problem, a flat list of events doesn't tell you when the issue started, whether it's still happening, or how long it's been going on. Alert episodes fill that gap. Each alert episode is a persistent record of one issue on one series, from first breach through recovery, with every evaluation appended to the same history. Nothing is overwritten. 
+
+This page explains how alert episodes move through their lifecycle states, how series organize episodes over time, the difference between alert episodes and signals, and how alert data is stored and retained.
 
 <!--[CONTENT NEEDED for M2: UI. Once the navigation and page name have been confirmed, add instructions for opening the Alerts page.]
 -->

@@ -11,7 +11,7 @@ description: "Status values and field definitions for alert episodes in Kibana's
 # Alert states and fields reference [alert-states-reference]
 
 
-Alert states and fields are part of the {{alerting-v2-system}} in {{kib}}. Use these tables when you read alert UI state, query `.rule-events` or `.alert-actions` in Discover, or align API payloads with what operators see. For triage controls (acknowledge, snooze, resolve, tags) and how they map to storage, refer to [Alert actions](view-and-manage-alerts.md#alert-actions).
+Alert states and fields are part of the {{alerting-v2-system}} in {{kib}}. This page is a reference for alert episode lifecycle status values, rule event evaluation status values, and the fields written to `.alert-actions` when users or the system act on an episode. Use it when reading alert UI state, writing queries against `.rule-events` or `.alert-actions` in Discover, or aligning API payloads with what the Alerts UI shows. For triage controls (acknowledge, snooze, resolve, tags) and how they map to storage, refer to [Alert actions](view-and-manage-alerts.md#alert-actions).
 <!-- TODO: Uncomment when PR #6523 (rules) is merged:
 For rule evaluation fields on `.rule-events`, refer to [Rule event and field reference](../rules/rule-event-field-reference.md#rule-reference).
 -->

@@ -11,12 +11,22 @@ description: "Query alert episodes and signals with ES|QL in Kibana's experiment
 # Query alerts and signals in Discover [explore-alerts-discover]
 
 
-Alert and signal queries in Discover are part of the {{alerting-v2-system}} in {{kib}}. Discover gives you direct {{esql}} access to everything the {{alerting-v2-system}} records, including rule evaluation history, alert episode progressions, triage actions, and operational metrics like mean time to acknowledge.
+Alert and signal queries in Discover are part of the {{alerting-v2-system}} in {{kib}}. Discover gives you direct {{esql}} access to everything the {{alerting-v2-system}} records, including rule evaluation history, alert episode progressions, triage actions, and operational metrics like mean time to acknowledge. 
+
+This page covers how to query `.rule-events` and `.alert-actions` for exploratory analysis and dashboards, and how to access the Discover Alerts menu to create rules in the {{alerting-v2-system}}.
 
 The Alerts UI shows current alert episode state. Discover lets you go further: ask arbitrary questions, spot trends over time, replay how a specific incident unfolded, or correlate alert history with other data in your environment.
 
 To use this page, open Discover, select {{esql}}, paste a query from the examples below, then adjust the time range and placeholders (`YOUR_RULE_ID`, `YOUR_GROUP_HASH`) to match your environment.
 
+## Create rules from Discover [create-rules-from-discover]
+
+The **Alerts** menu in the Discover top navigation is also an entry point for creating rules in the {{alerting-v2-system}}. Users with {{alerting-v2-system}} access — including users who do not hold Kibana alerting permissions — can open this menu to create ES|QL threshold rules. Access to the menu requires either Kibana alerting access or {{alerting-v2-system}} access; both are not required.
+
+When the {{alerting-v2-system}} is enabled, the Alerts menu in Discover routes rule creation to the {{alerting-v2-system}} rule form instead of the Kibana alerting rule form. When it is disabled, the Kibana alerting form is used.
+
+<!-- [CONTENT NEEDED: Add step-by-step instructions for creating a rule from Discover once a dedicated create-rule-from-discover page is written. Link from this section to that page. The Alerts menu UI was redesigned in 9.5.0 (see PR #272724) — confirm the new menu structure and update screenshots before publishing.] -->
+
 <!--[CONTENT NEEDED: The queries on this page use `.rule-events` and `.alert-actions` directly. Confirm whether these will remain the intended query surface, or whether users should query an ES|QL view or a stable user-facing data stream instead. Update all examples accordingly before publishing.]-->
 
 <!--[CONTENT NEEDED for M2: Review and expand the query examples below once M2 field renames (`group_hash` → `series.key`, new `series.tracked_by`, `episode.severity`, `episode.severity_max`) are finalized. Add examples that take advantage of the new first-class severity and series fields.]-->

@@ -10,7 +10,9 @@ description: "Examine, triage, and investigate alert episodes in Kibana's experi
 
 # View and manage alerts [manage-alerts]
 
-Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule detects a problem, use the Alerts UI to understand what's happening and decide what to do about it. From here you can examine alert episodes, use filters to find what needs attention, triage them, and more.
+Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule detects a problem, use the Alerts UI to understand what's happening and decide what to do about it. 
+
+This page covers how to read health and trend summaries above the episodes table, filter and search alert episodes, take triage actions (acknowledge, snooze, resolve, activate, and tag), and use the episode detail page to investigate lifecycle history, related episodes, assignees, and raw metadata.
 
 <!--[CONTENT NEEDED for M2: UI. "V2 Alerting Preview" is a development-phase navigation label. Once the navigation and page name have been confirmed, add instructions for opening the Alerts page.]
 -->
@@ -19,6 +21,20 @@ Alert episodes are part of the {{alerting-v2-system}} in {{kib}}. When a rule de
 
 Alert episodes in the {{alerting-v2-system}} are scoped to the current {{kib}} space. Alert episodes created in one space aren't visible when viewing a different space, including the Default space. 
 
+## Monitor alert health and trends [monitor-alert-trends]
+
+Above the alert episodes table, two sets of panels give you an at-a-glance summary of your alert environment.
+
+**KPI panels** surface aggregate counts for the current filter state and time range. Use these counts to understand the scale of a situation before drilling into individual rows — for example, whether a single noisy rule is responsible for most activity, or whether many rules are firing at the same time. Counts update dynamically as you change filters or adjust the time range.
+
+<!-- [CONTENT NEEDED: The specific metrics shown in each KPI panel (total episodes, distinct firing rules, assigned to current user, unassigned, acknowledged, snoozed) are accurate as of 9.5.0 but the panel layout and labels may change before GA. Add a labeled breakdown of each panel once the UI stabilizes.] -->
+
+**Episode histogram** shows how episode counts have changed across the selected time range. Use it to identify when a wave of alert episodes began, whether the situation is improving, and whether a spike was an isolated event or part of a broader pattern. You can break down the chart by dimensions such as status, rule, or assignee. Selecting a range directly in the histogram narrows the global time filter and focuses the table on that interval.
+
+:::{note}
+The episode histogram queries up to 10,000 alert episodes per time range. If your environment exceeds this limit, a warning appears in the chart. Narrow the time range or add filters to stay within this cap.
+:::
+
 ## Filter and search
 
 - **Rule:** Limit rows to one or more rules.