[Internal]: Anomaly Detection: Alerting rule filtering

[rbrtj]

Description

The feature will be available in the 9.3 release or in the next serverless deployment (approximately December 8th, 2025).

We're introducing a new Anomaly Detection alerting rule filtering feature that enables users to filter their alerts, providing a more granular way to reduce alert noise.
Users can define a KQL query, with autosuggestion support for the most relevant fields. The KQL bar is available only for Record/Influencer result types, as the Bucket result type does not expose meaningful fields to filter on. The filter is applied when fetching anomalies during rule execution, allowing users to:

• Alert only when any partitioning fields (partition_field, by_field or over_field) in the anomalies match a condition.
• Alert only when any influencers fields in the anomalies match a condition
• Provide alerting conditions based on actual or typical values with support for comparison operators (>, <, =, etc.)

Resources

Feature introduced in - elastic/kibana#240100
Exploration doc - https://docs.google.com/document/d/1s779vQMVfGZnDFuXkqLG8av1s4Ql3YYheB0XRCCO1gU/edit?tab=t.0
Issue - https://github.com/elastic/ml-team/issues/1672

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

https://www.elastic.co/docs/solutions/observability/incident-management/create-an-anomaly-detection-rule

Feature differences

N/A

What release is this request related to?

9.3

Serverless release

The week of December 8th 2025

Collaboration model

The documentation team

Point of contact.

Main contact: @rbrtj