Summary
This PR adds cross-project search (CPS) project context to Security alert documents and the event log, so analysts can see which linked project(s) were in scope when a detection rule generated an alert. Currently the alert schema documentation lists no fields for CPS or linked project identifiers — only kibana.space_ids — and the cross-project search documentation (both the CPS overview and the cross-cluster search detection rules page) makes no mention of CPS metadata in alert documents. With this change, new fields appear in alert documents indicating the CPS project context, and the event log gains entries for CPS-scoped executions. These additions are invisible to users unless documented in the alert schema reference and in CPS-related detection rule guidance.
Why this needs docs: The alert schema reference documents all fields available for alert investigation and will be factually incomplete without the new CPS project fields; the cross-project search and detection rules pages have no coverage of how CPS context is reflected in generated alerts.
Resources
- PR #266495 — [Security Solution][CPS] Adding CPS Data to Alert Document and Event Log
Availability
| Channel | Details |
| --- | --- |
| Stack | v9.5.0 |
| Serverless | May 18–May 22 |
| Feature flag | None — active by default |
Created with Docs Quest Scanner by @nastasha-solomon
Suggested edits
Alert schema > Kibana alert fields
- What the docs say: The schema lists kibana.space_ids as the only project/space identifier field. No CPS-related fields are documented.
- What to add: Add documentation for the new CPS-related fields added to alert documents in 9.5.0. Identify the exact field names from the PR (e.g., fields indicating linked project identifiers or CPS context) and add them to the alert schema reference with type, description, and example values. Applies from 9.5.0; confirm serverless applicability given CPS is a serverless feature.
Cross-cluster search and detection rules > Cross-project search context in alerts
- What the docs say: The page covers CCS setup and role configuration but has no content about cross-project search (CPS) or how project context is recorded in generated alerts or the event log.
- What to add: Add a section (or a separate page if CPS for detection rules warrants it) explaining that from 9.5.0, when a detection rule runs in a cross-project search context, the resulting alert document includes fields identifying the linked project(s) in scope, and the event log records CPS execution context. This helps analysts understand rule scope during investigations. Applies from 9.5.0 (serverless only for CPS; stateful retains CCS).