Commit 3659b97

Removes comments
1 parent d34efed commit 3659b97

8 files changed: +15 -43 lines changed

images/security-sec-admin-user.png

-216 KB
Binary file not shown.

solutions/security/detect-and-alert/create-detection-rule.md

Lines changed: 1 addition & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -569,10 +569,8 @@ When configuring an {{esql}} rule’s **[Custom highlighted fields](/solutions/s
569569
10. **Building block** (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See [*About building block rules*](/solutions/security/detect-and-alert/about-building-block-rules.md) for more information.
570570
11. **Max alerts per run** (optional): Specify the maximum number of alerts the rule can create each time it runs. Default is 100.
571571

572-
% Verify whether this note applies to Serverless too.
573-
574572
::::{note}
575-
This setting can be superseded by the [{{kib}} configuration setting](asciidocalypse://docs/kibana/docs/reference/configuration-reference/alerting-settings.md#alert-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by *any* rule in the {{kib}} alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to `1000`, the rule can generate no more than 1000 alerts even if **Max alerts per run** is set higher.
573+
In {{stack}}, this setting can be superseded by the [{{kib}} configuration setting](asciidocalypse://docs/kibana/docs/reference/configuration-reference/alerting-settings.md#alert-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by *any* rule in the {{kib}} alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to `1000`, the rule can generate no more than 1000 alerts even if **Max alerts per run** is set higher.
576574
::::
577575

578576
12. **Indicator prefix override**: Define the location of indicator data within the structure of indicator documents. When the indicator match rule executes, it queries specified indicator indices and references this setting to locate fields with indicator data. This data is used to enrich indicator match alerts with metadata about matched threat indicators. The default value for this setting is `threat.indicator`.

solutions/security/detect-and-alert/detections-requirements.md

Lines changed: 6 additions & 22 deletions
Original file line number | Diff line number | Diff line change
@@ -45,34 +45,18 @@ To use the Detections feature, it must be enabled, your role must have access to
4545
For instructions about using {{ml}} jobs and rules, refer to [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md).
4646
::::
4747

48-
% Need to revisit this note and the ones in the following table.
49-
50-
::::{important}
51-
In {{stack}} version 8.0.0, the `.siem-signals-<space-id>` index was renamed to `.alerts-security.alerts-<space-id>`. Detection alert indices are created for each {{kib}} space. For the default space, the alerts index is named `.alerts-security.alerts-default`. If you’re upgrading to 8.0.0 {{stack}} or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.
52-
::::
53-
5448

5549
### Custom role privileges [security-detections-requirements-custom-role-privileges]
5650
The following table describes the required privileges to access the Detections feature, including rules and alerts. For more information on {{kib}} privileges, refer to [Feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access).
5751

5852
| Action | Cluster Privileges | Index Privileges | Kibana Privileges |
5953
| --- | --- | --- | --- |
60-
| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>* `.alerts-security.alerts-<space-id>`<br>* `.siem-signals-<space-id>` 1<br>* `.lists-<space-id>`<br>* `.items-<space-id>`<br><br>1 **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `All` for the `Security` feature |
61-
| Enable detections in all spaces<br>**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:<br><br>* `.alerts-security.alerts-<space-id>`<br>* `.siem-signals-<space-id>` 1<br>* `.lists-<space-id>`<br>* `.items-<space-id>`<br><br>1 **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `All` for the `Security` feature |
62-
| Preview rules | N/A | `read` for these indices:<br><br>* `.preview.alerts-security.alerts-<space-id>`<br>* `.internal.preview.alerts-security.alerts-<space-id>-*`<br> | `All` for the `Security` feature |
63-
| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>* `.alerts-security.alerts-<space-id`<br>* `.siem-signals-<space-id>`1<br>* `.lists-<space-id>`<br>* `.items-<space-id>`<br><br>1 **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `All` for the `Security` feature<br><br>**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:<br><br>* To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.<br>* To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.<br> |
64-
| Manage alerts<br>**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>* `.alerts-security.alerts-<space-id>`<br>* `.internal.alerts-security.alerts-<space-id>-*`<br>* `.siem-signals-<space-id>`1<br>* `.lists-<space-id>`<br>* `.items-<space-id>`<br><br>1 **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `Read` for the `Security` feature |
65-
| Create the `.lists` and `.items` data streams in your space<br>**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:<br><br>* `.lists-<space-id>`<br>* `.items-<space-id>`<br> | `All` for the `Security` and `Saved Objects Management` features |
66-
67-
% Consider removing this example.
68-
69-
Here is an example of a user who has the Detections feature enabled in all {{kib}} spaces:
70-
71-
:::{image} ../../../images/security-sec-admin-user.png
72-
:alt: Shows user with the Detections feature enabled in all Kibana spaces
73-
:class: screenshot
74-
:::
75-
54+
| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br> - `.alerts-security.alerts-<space-id>`<br> - `.siem-signals-<space-id>` <br> - `.lists-<space-id>`<br> - `.items-<space-id>`<br> | `All` for the `Security` feature |
55+
| Enable detections in all spaces<br>**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:<br><br> - `.alerts-security.alerts-<space-id>`<br> - `.siem-signals-<space-id>` <br> - `.lists-<space-id>`<br> - `.items-<space-id>`<br> | `All` for the `Security` feature |
56+
| Preview rules | N/A | `read` for these indices:<br><br> - `.preview.alerts-security.alerts-<space-id>`<br> - `.internal.preview.alerts-security.alerts-<space-id>-*`<br> | `All` for the `Security` feature |
57+
| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br> - `.alerts-security.alerts-<space-id`<br> - `.siem-signals-<space-id>`<br> - `.lists-<space-id>`<br> - `.items-<space-id>`<br>| `All` for the `Security` feature<br><br>**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:<br><br> - To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.<br> - To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.<br> |
58+
| Manage alerts<br>**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br> - `.alerts-security.alerts-<space-id>`<br> - `.internal.alerts-security.alerts-<space-id>-*`<br> - `.siem-signals-<space-id>`<br> - `.lists-<space-id>`<br> - `.items-<space-id>`<br>| `Read` for the `Security` feature |
59+
| Create the `.lists` and `.items` data streams in your space<br>**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:<br><br> - `.lists-<space-id>`<br> - `.items-<space-id>`<br> | `All` for the `Security` and `Saved Objects Management` features |
7660

7761
### Authorization [alerting-auth-model]
7862

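Review bot: removing the superscript `1` footnote and the `::::{important}` admonition drops the only explanation of why `.siem-signals-<space-id>` is still listed in the index privileges of the `Enable detections`, `Manage rules` and `Manage alerts` rows; the deleted text said that index only matters when upgrading from before 8.0.0 and that fresh installs need no privileges on it. Either drop `.siem-signals-<space-id>` from the lists as well, or keep a single sentence stating when it is required, so that least-privilege role definitions do not grant `manage` and `write` on a legacy index for no reason. While editing the `Manage rules` row, also fix the pre-existing typo `.alerts-security.alerts-<space-id` (missing closing `>`), which the `+` line carries over unchanged.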
solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md

Lines changed: 1 addition & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -17,12 +17,10 @@ Follow these guidelines to start using the {{security-app}}'s [prebuilt rules](a
1717
* [Update Elastic prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#update-prebuilt-rules)
1818
* [Confirm rule prerequisites](/solutions/security/detect-and-alert/manage-detection-rules.md#rule-prerequisites)
1919

20-
% The third item in this note might need to be revised.
21-
2220
::::{note}
2321
* Most prebuilt rules don’t start running by default. You can use the **Install and enable** option to start running rules as you install them, or first install the rules, then enable them manually. After installation, only a few prebuilt rules will be enabled by default, such as the Endpoint Security rule.
2422
* You can’t modify most settings on Elastic prebuilt rules. You can only edit [rule actions](/solutions/security/detect-and-alert/create-detection-rule.md#rule-notifications) and [add exceptions](/solutions/security/detect-and-alert/add-manage-exceptions.md). If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated.
25-
* Automatic updates of Elastic prebuilt rules are supported for the current {{elastic-sec}} version and the latest three previous minor releases. For example, if you’re on {{elastic-sec}} 8.10, you’ll be able to use the Rules UI to update your prebuilt rules until {{elastic-sec}} 8.14 is released. After that point, you can still manually download and install updated prebuilt rules, but you must upgrade to the latest {{elastic-sec}} version to receive automatic updates.
23+
* On {{stack}}, automatic updates of Elastic prebuilt rules are supported for the current {{elastic-sec}} version and the latest three previous minor releases. For example, if you’re on {{elastic-sec}} 9.0, you’ll be able to use the Rules UI to update your prebuilt rules until {{elastic-sec}} 9.4 is released. After that point, you can still manually download and install updated prebuilt rules, but you must upgrade to the latest {{elastic-sec}} version to receive automatic updates.
2624

2725
::::
2826

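Review bot: the third bullet now opens with `On {{stack}},` but gives no corresponding statement for Serverless, so the removed `% The third item in this note might need to be revised.` concern is only half addressed. The updated version example (9.0 until 9.4 is released) is consistent with the stated window of the current release plus the three previous minors, so that part reads correctly; consider adding one sentence on how prebuilt rule updates arrive on Serverless, or stating that the version window does not apply there.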
solutions/security/detect-and-alert/manage-detection-alerts.md

Lines changed: 4 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -177,9 +177,11 @@ To change an alert’s status, do one of the following:
177177
:class: screenshot
178178
:::
179179

180-
% Might need to add an admonition here
180+
* To bulk-change the status of [grouped alerts](/solutions/security/detect-and-alert/manage-detection-alerts.md#group-alerts), select the **Take actions** menu for the group, then select a status.
181181

182-
* [beta] To bulk-change the status of [grouped alerts](/solutions/security/detect-and-alert/manage-detection-alerts.md#group-alerts), select the **Take actions** menu for the group, then select a status.
182+
::::{warning}
183+
This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
184+
::::
183185
* In an alert’s details flyout, click **Take action** and select a status.
184186

185187

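Review bot: the new `::::{warning}` admonition sits at column zero between the `* To bulk-change the status of grouped alerts...` bullet and the following `* In an alert’s details flyout...` bullet, which splits the bullet list in two and leaves the warning visually attached to neither item, whereas the removed `[beta]` badge was tied to the one bullet it qualified. Indent the admonition under the grouped-alerts bullet (or keep the inline `[beta]` marker) so the beta notice applies only to that action and the list renders as one list.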
solutions/security/detect-and-alert/manage-detection-rules.md

Lines changed: 1 addition & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -122,9 +122,7 @@ When duplicating a rule with exceptions, you can choose to duplicate the rule an
122122

123123

124124

125-
## Run rules manually [manually-run-rules]
126-
127-
% Might need to change this.
125+
## Run rules manually [manually-run-rules]
128126

129127
::::{warning}
130128
This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
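Review bot: the removed `% Might need to change this.` comment sat directly above the `## Run rules manually` heading and its beta `::::{warning}`, and this hunk deletes the reminder without changing either. If the beta status of manual rule runs has been re-confirmed, record that in the commit message or PR description; otherwise the open question is lost along with the comment.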

solutions/security/detect-and-alert/suppress-detection-alerts.md

Lines changed: 1 addition & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -6,15 +6,14 @@ mapped_urls:
66

77
# Suppress detection alerts [security-alert-suppression]
88

9-
% Suppression is only in tech preview for event correlation rules (ESS and Serverless). Might need to handle the page tags differently.
109

1110
::::{admonition} Requirements and notices
1211
* In {{stack}} alert suppression requires a [Platinum or higher subscription](https://www.elastic.co/pricing).
1312
* {{ml-cap}} rules have [additional requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for alert suppression.
13+
* This functionality is in technical preview for event correlation rules only and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
1414

1515
::::
1616

17-
1817
Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types:
1918

2019
* [Custom query](/solutions/security/detect-and-alert/create-detection-rule.md#create-custom-rule)
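Review bot: the new technical preview bullet says `for event correlation rules only`, which matches the removed comment, but the comment's second concern (`Might need to handle the page tags differently`) is not addressed in this hunk: the page-level tagging is untouched while the body now describes a feature whose status differs by rule type. Consider linking `event correlation rules` to that rule type's section and confirming the page tags reflect the mixed GA and technical preview status.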

solutions/security/detect-and-alert/view-detection-alert-details.md

Lines changed: 1 addition & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -295,14 +295,7 @@ From the right panel, click **Correlations** to open the expanded Correlations v
295295

296296
In the expanded view, corelation data is organized into several tables:
297297

298-
* **Suppressed alerts**: Shows how many duplicate alerts were suppressed. This information only appears if alert suppression is enabled for the rule.
299-
300-
% Need to update this note.
301-
302-
::::{warning}
303-
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
304-
::::
305-
298+
* **Suppressed alerts**: Shows how many duplicate alerts were suppressed. This information only appears if [alert suppression](/solutions/security/detect-and-alert/suppress-detection-alerts.md) is enabled for the rule.
306299
* **Related cases**: Shows cases to which the alert has been added. Click a case’s name to open its details.
307300
* **Alerts related by source event**: Shows alerts created by the same source event. This can help you find alerts with a shared origin and provide more context about the source event. Click the **Investigate in timeline** button to examine related alerts in Timeline.
308301
* **Alerts related by session**: Shows alerts generated during the same [session](/solutions/security/investigate/session-view.md). These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the **Collect session data** setting in your {{elastic-defend}} integration policy. Refer to [Enable Session View data](/solutions/security/investigate/session-view.md#enable-session-view) for more information.
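Review bot: the `::::{warning}` block is removed rather than updated, so this page no longer says that suppression is in technical preview for event correlation rules; the added link to `suppress-detection-alerts.md` now carries that caveat, which is acceptable only as long as that page keeps its notice. While touching this list, the unchanged context line `corelation data is organized` has a typo (`corelation` should be `correlation`) that this change could fix.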
