[SECURITY][9.1 & Serverless] Prebuilt rule reversion documentation (#2175)

nastasha-solomon · web-flow · commit f2ccc7b67706 · 2025-07-21T13:26:41.000-04:00
Contributes to #1940 by documenting how to check modified prebuilt rule fields and revert them. Previews: - [Modify existing rules settings](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2175/solutions/security/detect-and-alert/manage-detection-rules#edit-rules-settings) - Added a note to the end about how to spot and view modified fields on prebuilt rules. - [Revert modifications to prebuilt rules](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2175/solutions/security/detect-and-alert/manage-detection-rules#revert-rule-changes) - New section **Corresponding 8.19 PR**: elastic/security-docs#6937
diff --git a/solutions/security/detect-and-alert/manage-detection-rules.md b/solutions/security/detect-and-alert/manage-detection-rules.md
@@ -111,6 +111,32 @@ For {{ml}} rules, an indicator icon (![Error icon from rules table](/solutions/i
 4. If available, select **Overwrite all selected _x_** to overwrite the settings on the rules. For example, if you’re adding tags to multiple rules, selecting **Overwrite all selected rules tags** removes all the rules' original tags and replaces them with the tags you specify.
 5. Click **Save**.
 
+::::{note}
+
+```{applies_to}
+   stack: ga 9.1 
+```
+
+Modified fields on prebuilt rules are marked with the **Modified** badge. From the rule's details page, click the badge to view the changed fields. Changes are displayed in a side-by-side comparison of the original Elastic version and the modified version. Deleted characters are highlighted in red; added characters are highlighted in green. You can also view this comparison by clicking the **Modified Elastic rule** badge under the rule's name on the rule's details page.
+
+::::
+
+## Revert modifications to prebuilt rules [revert-rule-changes]
+
+```{applies_to}
+   stack: ga 9.1 
+```
+
+After modifying a prebuilt rule, you can restore it's original version. To do this:
+
+1. Open the rule's details page, click the **All actions** menu, then **Revert to Elastic version**.
+2. In the flyout, review the modified fields. Deleted characters are highlighted in red; added characters are highlighted in green.
+3. Click **Revert** to restore the modified fields to their original versions. 
+
+::::{note}
+If you haven’t updated the rule in a while, its original version might be unavailable for comparison. You can avoid this by regularly updating prebuilt rules.
+::::
+
 
 ## Manage rules [manage-rules-ui]
 
