Visual event analyzer

nastasha-solomon · nastasha-solomon · commit 7b3eeaf67c00 · 2025-02-19T13:21:35.000-05:00
diff --git a/raw-migrated-files/docs-content/serverless/security-visual-event-analyzer.md b/raw-migrated-files/docs-content/serverless/security-visual-event-analyzer.md
diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml
@@ -429,7 +429,6 @@ toc:
       - file: docs-content/serverless/security-turn-on-risk-engine.md
       - file: docs-content/serverless/security-ui.md
       - file: docs-content/serverless/security-view-alert-details.md
-      - file: docs-content/serverless/security-visual-event-analyzer.md
       - file: docs-content/serverless/security-visualize-alerts.md
       - file: docs-content/serverless/security-vuln-management-dashboard-dash.md
       - file: docs-content/serverless/security-vuln-management-faq.md
diff --git a/solutions/security/investigate/timeline.md b/solutions/security/investigate/timeline.md
@@ -223,7 +223,7 @@ From the **Correlation** tab, you can also do the following:
 ## Use {{esql}} to investigate events [esql-in-timeline]
 
 ::::{note}
-Elastic Stack 9.0.0+ {{esql}} is enabled by default in {{kib}}. It can be disabled using the `enableESQL` setting from the [Advanced Settings](https://www.elastic.co/guide/en/kibana/current/advanced-options.html). This will hide the {{esql}} user interface from various applications. However, users will be able to access existing {{esql}} artifacts like saved searches and visualizations.
+{{esql}} is enabled by default in {{stack}} 9.0.0+. It can be disabled using the `enableESQL` setting from the [Advanced Settings](https://www.elastic.co/guide/en/kibana/current/advanced-options.html). This will hide the {{esql}} user interface from various applications. However, users will be able to access existing {{esql}} artifacts like saved searches and visualizations.
 ::::
 
 
diff --git a/solutions/security/investigate/visual-event-analyzer.md b/solutions/security/investigate/visual-event-analyzer.md
@@ -4,19 +4,12 @@ mapped_urls:
   - https://www.elastic.co/guide/en/serverless/current/security-visual-event-analyzer.html
 ---
 
-# Visual event analyzer
-
-% What needs to be done: Align serverless/stateful
-
-% Use migrated content from existing pages that map to this page:
-
-% - [x] ./raw-migrated-files/security-docs/security/visual-event-analyzer.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/security-visual-event-analyzer.md
+# Visual event analyzer [security-visual-event-analyzer]
 
 {{elastic-sec}} allows any event detected by {{elastic-endpoint}} to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Examining events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations.
 
 ::::{tip}
-If you’re experiencing performance degradation, you can [exclude cold and frozen tier data](/solutions/security/get-started/configure-advanced-settings.md#exclude-cold-frozen-tiers) from analyzer queries.
+If you’re on {{stack}} 9.0.0+ amd experiencing performance degradation, you can [exclude cold and frozen tier data](/solutions/security/get-started/configure-advanced-settings.md#exclude-cold-frozen-tiers) from analyzer queries.
 ::::
 
 
@@ -45,7 +38,7 @@ To find events that can be visually analyzed:
 
     * `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *`
 
-3. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the **Hosts***, ***Alerts**, and **Timelines** pages, as well as the alert details flyout.
+3. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout.
 
     ::::{tip}
     Turn on the `securitySolution:enableVisualizationsInFlyout` [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#visualizations-in-flyout) to access the event analyzer from the **Visualize** tab in the alert or event details flyout.
@@ -174,12 +167,11 @@ When you select an `event.category` pill, all the events within that category ar
 :::
 
 ::::{note}
-In {{stack}} versions 7.10.0 and newer, there is no limit to the number of events that can be associated with a process. However, in {{stack}} versions 7.9.0 and earlier, each process is limited to only 100 events.
+- There is no limit to the number of events that can be associated with a process.
+- In {{stack}} 9.0.0+, you need a [Platinum or Enterprise subscription](https://www.elastic.co/pricing) to examine alerts associated with events.
 ::::
 
 
-If you have a [Platinum or Enterprise subscription](https://www.elastic.co/pricing), you can also examine alerts associated with events.
-
 To examine alerts associated with the event, select the alert pill (***x* alert**). The left pane lists the total number of associated alerts, and alerts are ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert’s details.
 
 In the example screenshot below, five alerts were generated by the analyzed event (`lsass.exe`). The left pane displays the associated alerts and basic information about each one.
