[Detection Engine][Docs][9.0] New wording for frozen tier support (#920)

nastasha-solomon · web-flow · commit c4fd6934293e · 2025-04-10T16:27:00.000-04:00
### Description Contributes to elastic/security-team#12123. Corresponding 8.18 docs are at: elastic/security-docs#6659 ### Preview [Manage data in cold and frozen tiers](https://security-docs_bk_6659.docs-preview.app.elstc.co/guide/en/security/8.x/detection-engine-overview.html#cold-tier-detections) - Added the text that was provided in the associated doc issue. Also updated the title to better reflect the content in the section.
diff --git a/solutions/security/detect-and-alert.md b/solutions/security/detect-and-alert.md
@@ -42,25 +42,25 @@ To make sure you can access Detections and manage rules, see [Detections require
 
 
 
-## Compatibility with cold and frozen tier nodes [cold-tier-detections]
+## Manage data in cold and frozen tiers [cold-tier-detections]
 
 ```yaml {applies_to}
 stack:
 ```
 
-Cold and frozen [data tiers](/manage-data/lifecycle/data-tiers.md) hold time series data that is only accessed occasionally. In {{stack}} version >=7.11.0, {{elastic-sec}} supports cold but not frozen tier data for the following {{es}} indices:
+Cold [data tiers](/manage-data/lifecycle/data-tiers.md) store time series data that's accessed infrequently and rarely updated, while frozen data tiers hold time series data that's accessed even less frequently and never updated. If you're automating searches across different data tiers using rules, consider the following best practices and limitations.
 
-* Index patterns specified in `securitySolution:defaultIndex`
-* Index patterns specified in the definitions of detection rules, except for indicator match rules
-* Index patterns specified in the data sources selector on various {{security-app}} pages
+### Best practices [best-practices-data-tiers]
 
-{{elastic-sec}} does **NOT** support either cold or frozen tier data for the following {{es}} indices:
+* **Retention in hot tier**: We recommend keeping data in the hot tier ({{ilm-cap}} hot phase) for at least 24 hours. {{ilm-cap}} policies that move ingested data from the hot phase to another phase (for example, cold or frozen) in less than 24 hours may cause performance issues and/or rule execution errors.
+* **Replicas for mission-critical data**: Your data should have replicas if it must be highly available. Since frozen tiers don't support replicas, shard unavailability can cause partial rule run failures. Shard unavailability may be also encountered during or after {{stack}} upgrades. If this happens, you can [manually rerun](/solutions/security/detect-and-alert/manage-detection-rules.md#manually-run-rules) rules over the affected time period once the shards are available.
 
-* Index patterns controlled by {{elastic-sec}}, including alerts and list indices
-* Index patterns specified in the definition of indicator match rules
+### Limitations [limitations-data-tiers]
 
-Using either cold or frozen tier data for unsupported indices may result in detection rule timeouts and overall performance degradation.
+Data tiers are a powerful and useful tool. When using them, keep the following in mind:
 
+* To avoid rule failures, do not modify {{ilm}} policies for {elastic-sec}-controlled indices, such as alert and list indices.
+* Source data must have an {{ilm}} policy that keeps it in the hot or warm tiers for at least 24 hours before moving to cold or frozen tiers.
 
 ## Limited support for indicator match rules [support-indicator-rules]
 
