First draft

nastasha-solomon · nastasha-solomon · commit a0ef068e97a3 · 2025-03-14T13:49:22.000-04:00
diff --git a/raw-migrated-files/docs-content/serverless/security-detection-engine-overview.md b/raw-migrated-files/docs-content/serverless/security-detection-engine-overview.md
diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml
@@ -104,7 +104,6 @@ toc:
       - file: docs-content/serverless/project-settings-alerts.md
       - file: docs-content/serverless/project-settings-content.md
       - file: docs-content/serverless/security-automatic-import.md
-      - file: docs-content/serverless/security-detection-engine-overview.md
       - file: docs-content/serverless/security-vuln-management-faq.md
       - file: docs-content/serverless/what-is-observability-serverless.md
   - file: elasticsearch-hadoop/elasticsearch-hadoop/index.md
diff --git a/solutions/security/detect-and-alert.md b/solutions/security/detect-and-alert.md
@@ -8,22 +8,7 @@ applies_to:
     security: all
 ---
 
-# Detections and alerts
-
-% What needs to be done: Align serverless/stateful
-
-% Use migrated content from existing pages that map to this page:
-
-% - [x] ./raw-migrated-files/security-docs/security/detection-engine-overview.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/security-detection-engine-overview.md
-
-% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):
-
-$$$support-indicator-rules$$$
-
-$$$detections-permissions$$$
-
-$$$machine-learning-model$$$
+# Detections and alerts [security-detection-engine-overview]
 
 Use the detection engine to create and manage rules and view the alerts these rules create. Rules periodically search indices (such as `logs-*` and `filebeat-*`) for suspicious source events and create alerts when a rule’s conditions are met. When an alert is created, its status is `Open`. To help track investigations, an alert’s [status](/solutions/security/detect-and-alert/manage-detection-alerts.md#detection-alert-status) can be set as `Open`, `Acknowledged`, or `Closed`.
 
@@ -32,7 +17,7 @@ Use the detection engine to create and manage rules and view the alerts these ru
 :screenshot:
 :::
 
-In addition to creating [your own rules](/solutions/security/detect-and-alert/create-detection-rule.md), enable [Elastic prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules) to immediately start detecting suspicious activity. For detailed information on all the prebuilt rules, see the [*Prebuilt rule reference*](security-docs://reference/prebuilt-rules/index.md) section. Once the prebuilt rules are loaded and running, [*Tune detection rules*](/solutions/security/detect-and-alert/tune-detection-rules.md) and [Add and manage exceptions](/solutions/security/detect-and-alert/add-manage-exceptions.md) explain how to modify the rules to reduce false positives and get a better set of actionable alerts. You can also use exceptions and value lists when creating or modifying your own rules.
+In addition to creating [your own rules](/solutions/security/detect-and-alert/create-detection-rule.md), enable [Elastic prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules) to immediately start detecting suspicious activity. For detailed information on all the prebuilt rules, see the [Prebuilt rule reference](security-docs://reference/prebuilt-rules/index.md) section. Once the prebuilt rules are loaded and running, [Tune detection rules](/solutions/security/detect-and-alert/tune-detection-rules.md) and [Add and manage exceptions](/solutions/security/detect-and-alert/add-manage-exceptions.md) explain how to modify the rules to reduce false positives and get a better set of actionable alerts. You can also use exceptions and value lists when creating or modifying your own rules.
 
 There are several special prebuilt rules you need to know about:
 
@@ -42,23 +27,27 @@ There are several special prebuilt rules you need to know about:
 If you want to receive notifications via external systems, such as Slack or email, when alerts are created, use the {{kib}} [Alerting and Actions](/explore-analyze/alerts-cases.md) framework.
 
 ::::{note}
-To use {{kib}} Alerting for detection alert notifications, you need the [appropriate license](https://www.elastic.co/subscriptions).
+To use {{kib}} Alerting for detection alert notifications in the {{stack}}, you need the [appropriate license](https://www.elastic.co/subscriptions).
 ::::
 
 
-After rules have started running, you can monitor their executions to verify they are functioning correctly, as well as view, manage, and troubleshoot alerts (see [*Manage detection alerts*](/solutions/security/detect-and-alert/manage-detection-alerts.md) and [*Monitor and troubleshoot rule executions*](/troubleshoot/security/detection-rules.md)).
+After rules have started running, you can monitor their executions to verify they are functioning correctly, as well as view, manage, and troubleshoot alerts (see [Manage detection alerts](/solutions/security/detect-and-alert/manage-detection-alerts.md) and [Monitor and troubleshoot rule executions](/troubleshoot/security/detection-rules.md)).
 
 You can create and manage rules and alerts via the UI or the [Detections API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-detections-api).
 
 ::::{important}
-To make sure you can access Detections and manage rules, see [*Detections requirements*](/solutions/security/detect-and-alert/detections-requirements.md).
+To make sure you can access Detections and manage rules, see [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md).
 
 ::::
 
 
 
 ## Compatibility with cold and frozen tier nodes [cold-tier-detections]
 
+```yaml {applies_to}
+stack:
+```
+
 Cold and frozen [data tiers](/manage-data/lifecycle/data-tiers.md) hold time series data that is only accessed occasionally. In {{stack}} version >=7.11.0, {{elastic-sec}} supports cold but not frozen tier data for the following {{es}} indices:
 
 * Index patterns specified in `securitySolution:defaultIndex`
@@ -85,7 +74,7 @@ In addition, the following support restrictions are in place:
 
 ## Detections configuration and index privilege prerequisites [detections-permissions]
 
-[*Detections requirements*](/solutions/security/detect-and-alert/detections-requirements.md) provides detailed information on all the permissions required to initiate and use the Detections feature.
+[Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md) provides detailed information on all the permissions required to initiate and use the Detections feature.
 
 
 ## Malware prevention [malware-prevention]
@@ -115,6 +104,8 @@ Behavioral ransomware prevention on the Elastic Endpoint detects and stops ranso
 
 For information on how to enable ransomware protection on your host, see [Ransomware protection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#ransomware-protection).
 
+% Check on this note
+
 ::::{note}
 Ransomware prevention is a paid feature and is enabled by default if you have a [Platinum or Enterprise license](https://www.elastic.co/pricing).
 ::::
@@ -145,5 +136,5 @@ Depending on your privileges and whether detection system indices have already b
 
 ## Using logsdb index mode [detections-logsdb-index-mode]
 
-To learn how your rules and alerts are affected by using the [logsdb index mode](/manage-data/data-store/data-streams/logs-data-stream.md), refer to [*Using logsdb index mode with {{elastic-sec}}*](/solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md).
+To learn how your rules and alerts are affected by using the [logsdb index mode](/manage-data/data-store/data-streams/logs-data-stream.md), refer to [Using logsdb index mode with {{elastic-sec}}](/solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md).
 
