Commit 1f3e4d2

more alert pages
1 parent c8cf2a9 commit 1f3e4d2

2 files changed

+170
-5
lines changed

solutions/security/detect-and-alert.md

Lines changed: 126 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,8 +4,6 @@ mapped_urls:
44
- https://www.elastic.co/guide/en/serverless/current/security-detection-engine-overview.html
55
---
66

7-
# Detections and alerts
8-
97
% What needs to be done: Align serverless/stateful
108

119
% Use migrated content from existing pages that map to this page:
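Review bot: with the `# Detections and alerts` H1 dropped at old lines 7-8, the top of this file is now only frontmatter, the retained `% What needs to be done: Align serverless/stateful` TODO and the `$$$` anchors, so nothing here renders as a page title; if the heading is being re-homed further down in the same file, make sure it is the first rendered element, and revisit whether the TODO is still accurate once the migrated content below it is in place.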
@@ -19,4 +17,129 @@ $$$support-indicator-rules$$$
1917

2018
$$$detections-permissions$$$
2119

22-
$$$machine-learning-model$$$
20+
$$$machine-learning-model$$$
21+
22+
# Detections and alerts [detection-engine-overview]
23+
24+
Use the detection engine to create and manage rules and view the alerts these rules create. Rules periodically search indices (such as `logs-*` and `filebeat-*`) for suspicious source events and create alerts when a rule’s conditions are met. When an alert is created, its status is `Open`. To help track investigations, an alert’s [status](detect-and-alert/manage-detection-alerts.md#detection-alert-status) can be set as `Open`, `Acknowledged`, or `Closed`.
25+
26+
:::{image} ../../../images/security-alert-page.png
27+
:alt: Alerts page
28+
:class: screenshot
29+
:::
30+
31+
In addition to creating [your own rules](detect-and-alert/create-detection-rule.md), enable [Elastic prebuilt rules](detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules) to immediately start detecting suspicious activity. For detailed information on all the prebuilt rules, see the [*Prebuilt rule reference*](https://www.elastic.co/guide/en/security/current/prebuilt-rules.html) section. Once the prebuilt rules are loaded and running, [*Tune detection rules*](detect-and-alert/tune-detection-rules.md) and [Add and manage exceptions](detect-and-alert/add-manage-exceptions.md) explain how to modify the rules to reduce false positives and get a better set of actionable alerts. You can also use exceptions and value lists when creating or modifying your own rules.
32+
33+
There are several special prebuilt rules you need to know about:
34+
35+
* [**Endpoint protection rules**](manage-elastic-defend/endpoint-protection-rules.md): Automatically create alerts based on {{elastic-defend}}'s threat monitoring and prevention.
36+
* [**External Alerts**](https://www.elastic.co/guide/en/security/current/external-alerts.html): Automatically creates an alert for all incoming third-party system alerts (for example, Suricata alerts).
37+
38+
If you want to receive notifications via external systems, such as Slack or email, when alerts are created, use the {{kib}} [Alerting and Actions](../../explore-analyze/alerts-cases.md) framework.
39+
40+
::::{note}
41+
To use {{kib}} Alerting for detection alert notifications, you need the [appropriate license](https://www.elastic.co/subscriptions).
42+
::::
43+
44+
45+
After rules have started running, you can monitor their executions to verify they are functioning correctly, as well as view, manage, and troubleshoot alerts (see [*Manage detection alerts*](detect-and-alert/manage-detection-alerts.md) and [*Monitor and troubleshoot rule executions*](../../troubleshoot/security/detection-rules.md)).
46+
47+
You can create and manage rules and alerts via the UI or the [Detections API](https://www.elastic.co/guide/en/security/current/rule-api-overview.html).
48+
49+
::::{important}
50+
To make sure you can access Detections and manage rules, see [*Detections requirements*](detect-and-alert/detections-requirements.md).
51+
52+
::::
53+
54+
55+
56+
## Compatibility with cold and frozen tier nodes [cold-tier-detections]
57+
58+
Cold and frozen [data tiers](../../manage-data/lifecycle/data-tiers.md) hold time series data that is only accessed occasionally. In {{stack}} version >=7.11.0, {{elastic-sec}} supports cold but not frozen tier data for the following {{es}} indices:
59+
60+
* Index patterns specified in `securitySolution:defaultIndex`
61+
* Index patterns specified in the definitions of detection rules, except for indicator match rules
62+
* Index patterns specified in the data sources selector on various {{security-app}} pages
63+
64+
{{elastic-sec}} does **NOT** support either cold or frozen tier data for the following {{es}} indices:
65+
66+
* Index patterns controlled by {{elastic-sec}}, including alerts and list indices
67+
* Index patterns specified in the definition of indicator match rules
68+
69+
Using either cold or frozen tier data for unsupported indices may result in detection rule timeouts and overall performance degradation.
70+
71+
72+
## Limited support for indicator match rules [support-indicator-rules]
73+
74+
Indicator match rules provide a powerful capability to search your security data; however, their queries can consume significant deployment resources. When creating an [indicator match rule](detect-and-alert/create-detection-rule.md#create-indicator-rule), we recommend limiting the time range of the indicator index query to the minimum period necessary for the desired rule coverage. For example, the default indicator index query `@timestamp > "now-30d/d"` searches specified indicator indices for indicators ingested during the past 30 days and rounds the query start time down to the nearest day (resolves to UTC `00:00:00`). Without this limitation, the rule will include all of the indicators in your indicator indices, which may extend the time it takes for the indicator index query to complete.
75+
76+
In addition, the following support restrictions are in place:
77+
78+
* Indicator match rules don’t support cold or frozen data. Cold or frozen data in indices queried by indicator match rules must be older than the time range queried by the rule. If your data’s timestamps are unreliable, you can exclude cold and frozen tier data using a [Query DSL filter](detect-and-alert/exclude-cold-frozen-data-from-individual-rules.md).
79+
* Indicator match rules with an additional look-back time value greater than 24 hours are not supported.
80+
81+
82+
## Detections configuration and index privilege prerequisites [detections-permissions]
83+
84+
[*Detections requirements*](detect-and-alert/detections-requirements.md) provides detailed information on all the permissions required to initiate and use the Detections feature.
85+
86+
87+
## Malware prevention [malware-prevention]
88+
89+
Malware, short for malicious software, is any software program designed to damage or execute unauthorized actions on a computer system. Examples of malware include viruses, worms, Trojan horses, adware, scareware, and spyware. Some malware, such as viruses, can severely damage a computer’s hard drive by deleting files or directory information. Other malware, such as spyware, can obtain user data without their knowledge.
90+
91+
Malware may be stealthy and appear as legitimate executable code, scripts, active content, and other software. It is also often embedded in non-malicious files, non-suspicious websites, and standard programs — sometimes making the root source difficult to identify. If infected and not resolved promptly, malware can cause irreparable damage to a computer network.
92+
93+
For information on how to enable malware protection on your host, see [Malware Protection](configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#malware-protection).
94+
95+
96+
### Machine learning model [machine-learning-model]
97+
98+
To determine if a file is malicious or benign, a machine learning model looks for static attributes of files (without executing the file) that include file structure, layout, and content. This includes information such as file header data, imports, exports, section names, and file size. These attributes are extracted from millions of benign and malicious file samples, which then are passed to a machine-learning algorithm that distinguishes a benign file from a malicious one. The machine learning model is updated as new data is procured and analyzed.
99+
100+
101+
### Threshold [_threshold]
102+
103+
A malware threshold determines the action the agent should take if malware is detected. The Elastic Agent uses a recommended threshold level that generates a balanced number of alerts with a low probability of undetected malware. This threshold also minimizes the number of false positive alerts.
104+
105+
106+
## Ransomware prevention [ransomware-prevention]
107+
108+
Ransomware is computer malware that installs discreetly on a user’s computer and encrypts data until a specified amount of money (ransom) is paid. Ransomware is usually similar to other malware in its delivery and execution, infecting systems through spear-phishing or drive-by downloads. If not resolved immediately, ransomware can cause irreparable damage to an entire computer network.
109+
110+
Behavioral ransomware prevention on the Elastic Endpoint detects and stops ransomware attacks on Windows systems by analyzing data from low-level system processes, and is effective across an array of widespread ransomware families — including those targeting the system’s master boot record.
111+
112+
For information on how to enable ransomware protection on your host, see [Ransomware protection](configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#ransomware-protection).
113+
114+
::::{note}
115+
Ransomware prevention is a paid feature and is enabled by default if you have a [Platinum or Enterprise license](https://www.elastic.co/pricing).
116+
::::
117+
118+
119+
120+
### Resolve UI error messages [_resolve_ui_error_messages]
121+
122+
Depending on your privileges and whether detection system indices have already been created for the {{kib}} space, you might get one of these error messages when you open the **Alerts** or **Rules** page:
123+
124+
* **`Let’s set up your detection engine`**
125+
126+
If you get this message, a user with specific privileges must visit the **Alerts** or **Rules** page before you can view detection alerts and rules. Refer to [Enable and access detections](detect-and-alert/detections-requirements.md#enable-detections-ui) for a list of all the requirements.
127+
128+
::::{note}
129+
For **self-managed** {{stack}} deployments only, this message may be displayed when the [`xpack.encryptedSavedObjects.encryptionKey`](#detections-permissions) setting has not been added to the `kibana.yml` file. For more information, refer to [Configure self-managed {{stack}} deployments](detect-and-alert/detections-requirements.md#detections-on-prem-requirements).
130+
::::
131+
132+
* **`Detection engine permissions required`**
133+
134+
If you get this message, you do not have the [required privileges](#detections-permissions) to view the **Detections** feature, and you should contact your {{kib}} administrator.
135+
136+
::::{note}
137+
For **self-managed** {{stack}} deployments only, this message may be displayed when the [`xpack.security.enabled`](#detections-permissions) setting is not enabled in the `elasticsearch.yml` file. For more information, refer to [Configure self-managed {{stack}} deployments](detect-and-alert/detections-requirements.md#detections-on-prem-requirements).
138+
::::
139+
140+
141+
142+
## Using logsdb index mode [detections-logsdb-index-mode]
143+
144+
To learn how your rules and alerts are affected by using the [logsdb index mode](../../manage-data/data-store/index-types/logsdb.md), refer to [*Using logsdb index mode with {{elastic-sec}}*](detect-and-alert/using-logsdb-index-mode-with-elastic-security.md).
145+
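Review bot: `### Resolve UI error messages` (new line 120) is nested under `## Ransomware prevention` (new line 106), so it renders as a ransomware subsection although it covers the `Let’s set up your detection engine` and `Detection engine permissions required` messages shown on the Alerts and Rules pages; promote it to `##`, or move it up next to `## Detections configuration and index privilege prerequisites` where it belongs. In the same block, both notes link `xpack.encryptedSavedObjects.encryptionKey` and `xpack.security.enabled` to `#detections-permissions` on this page, which only forwards to the requirements page; link them straight to `detect-and-alert/detections-requirements.md#detections-on-prem-requirements`, which each sentence already cites.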

solutions/security/detect-and-alert/detections-requirements.md

Lines changed: 44 additions & 2 deletions
@@ -4,7 +4,8 @@ mapped_urls:
44
- https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html
55
---
66

7-
# Detections requirements
7+
8+
% Used the Serverless content for this page
89

910
% What needs to be done: Align serverless/stateful
1011

@@ -19,4 +20,45 @@ $$$enable-detections-ui$$$
1920

2021
$$$adv-list-settings$$$
2122

22-
$$$detections-on-prem-requirements$$$
23+
$$$detections-on-prem-requirements$$$
24+
25+
# Detections requirements [security-detections-requirements]
26+
27+
To use the [Detections feature](../detect-and-alert.md), you first need to configure a few settings. You also need the appropriate role to send [notifications](create-detection-rule.md) when detection alerts are generated.
28+
29+
Additionally, there are some [advanced settings]() used to configure [value list](create-manage-value-lists.md) upload limits.
30+
31+
32+
## Enable and access detections [enable-detections-ui]
33+
34+
To use the Detections feature, it must be enabled and you must have either the appropriate [predefined Security user role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md) with privileges to access rules and alerts. If your role doesn’t have the privileges needed to enable this feature, you can request someone who has these privileges to visit your {{kib}} space, which will turn it on for you.
35+
36+
::::{note}
37+
For instructions about using {{ml}} jobs and rules, refer to [Machine learning job and rule requirements](../advanced-entity-analytics/machine-learning-job-rule-requirements.md).
38+
39+
::::
40+
41+
42+
43+
### Custom role privileges [security-detections-requirements-custom-role-privileges]
44+
45+
The following table describes the required custom role privileges to access the Detections feature, including rules and alerts. For more information on {{kib}} privileges, refer to [Custom roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md).
46+
47+
| Action | Cluster Privilege | Index Privileges | {{kib}} Privileges |
48+
| --- | --- | --- | --- |
49+
| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>* `.alerts-security.alerts-<space-id>`<br>* `.lists-<space-id>`<br>* `.items-<space-id>`<br> | `All` for the `Security` feature |
50+
| Enable detections in all spaces<br><br>**NOTE:** To turn on detections, visit the Rules and Alerts pages for each space.<br> | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:<br><br>* `.alerts-security.alerts-<space-id>`<br>* `.lists-<space-id>`<br>* `.items-<space-id>`<br> | `All` for the `Security` feature |
51+
| Preview rules | N/A | `read` for these indices:<br><br>* `.preview.alerts-security.alerts-<space-id>`<br>* `.internal.preview.alerts-security.alerts-<space-id>-*`<br> | `All` for the `Security` feature |
52+
| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>* `.alerts-security.alerts-<space-id`<br>* `.lists-<space-id>`<br>* `.items-<space-id>`<br> | `All` for the `Security` feature<br><br>**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:<br><br>* To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.<br>* To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.<br> |
53+
| Manage alerts<br><br>**NOTE**: Allows you to manage alerts, but not modify rules.<br> | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>* `.alerts-security.alerts-<space-id>`<br>* `.internal.alerts-security.alerts-<space-id>-*`<br>* `.lists-<space-id>`<br>* `.items-<space-id>`<br> | `Read` for the `Security` feature |
54+
| Create the `.lists` and `.items` data streams in your space<br><br>**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space.<br> | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:<br><br>* `.lists-<space-id>`<br>* `.items-<space-id>`<br> | `All` for the `Security` and `Saved Objects Management` features |
55+
56+
57+
### Authorization [alerting-auth-model]
58+
59+
Rules, including all background detection and the actions they generate, are authorized using an [API key](../../../deploy-manage/api-keys/elasticsearch-api-keys.md) associated with the last user to edit the rule. Upon creating or modifying a rule, an API key is generated for that user, capturing a snapshot of their privileges. The API key is then used to run all background tasks associated with the rule including detection checks and executing actions.
60+
61+
::::{important}
62+
If a rule requires certain privileges to run, such as index privileges, keep in mind that if a user without those privileges updates the rule, the rule will no longer function.
63+
64+
::::
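Review bot: in the `Manage rules` row (new line 52) the index name `.alerts-security.alerts-<space-id` is missing its closing `>`, which renders as a malformed pattern in the one row a user is most likely to copy into a role definition; fix it to `.alerts-security.alerts-<space-id>`. Three smaller issues in the same hunk: `[advanced settings]()` (new line 29) has an empty link target; the `Enable detections in all spaces` row lists the same `<space-id>`-parameterised index names as the single-space row, so the two rows grant identical index privileges and the all-spaces row needs wildcard patterns if that is the intent; and the feature name alternates between `Action and Connectors` and `Actions and Connectors` within the same cell.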

0 commit comments

Comments
 (0)