diff --git a/raw-migrated-files/docs-content/serverless/endpoint-protection-rules.md b/raw-migrated-files/docs-content/serverless/endpoint-protection-rules.md
deleted file mode 100644
index 8c1d5b7bca..0000000000
--- a/raw-migrated-files/docs-content/serverless/endpoint-protection-rules.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# Endpoint protection rules [endpoint-protection-rules]
-
-Endpoint protection rules are [prebuilt rules](../../../solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md) designed to help you manage and respond to alerts generated by {{elastic-endpoint}}, the installed component that performs {{elastic-defend}}'s threat monitoring and prevention. These rules include the Endpoint Security rule as well as additional detection and prevention rules for different {{elastic-defend}} protection features.
-
-::::{important}
-To receive {{elastic-endpoint}} alerts, you must install {{agent}} and the {{elastic-defend}} integration on your hosts (refer to [Install Elastic Defend](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md)).
-::::
-
-
-When endpoint protection rules are triggered, {{elastic-endpoint}} alerts are displayed as detection alerts in the {{security-app}}. The detection alert name is taken from the {{elastic-endpoint}} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {{elastic-endpoint}} alerts are displayed as detection alerts:
-
-* Malware Prevention Alert
-* Malware Detection Alert
-
-
-## Endpoint Security rule [endpoint-sec-rule]
-
-The Endpoint Security rule automatically creates an alert from all incoming {{elastic-endpoint}} alerts.
-
-::::{note}
-When you install Elastic prebuilt rules, the Endpoint Security rule that is enabled by default.
-::::
-
-
-
-## Feature-specific protection rules [feature-protection-rules]
-
-The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {{elastic-defend}}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.
-
-* Behavior - Detected - Elastic Defend
-* Behavior - Prevented - Endpoint Defend
-* Malicious File - Detected - Elastic Defend
-* Malicious File - Prevented - Elastic Defend
-* Memory Signature - Detected - Elastic Defend
-* Memory Signature - Prevented - Elastic Defend
-* Ransomware - Detected - Elastic Defend
-* Ransomware - Prevented - Elastic Defend
-
-::::{note}
-If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts.
-::::
-
-
-To use these rules, you need to manually enable them from the **Rules** page in the {{security-app}}. Follow the instructions for [installing and enabling Elastic prebuilt rules](../../../solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules).
-
-
-## Endpoint security exception handling [_endpoint_security_exception_handling]
-
-All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing [{{elastic-endpoint}} exceptions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) continue to apply.
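Review bot: the note `When you install Elastic prebuilt rules, the Endpoint Security rule that is enabled by default.` is ungrammatical (stray "that"), and the rule list mixes `Behavior - Prevented - Endpoint Defend` with the `Elastic Defend` suffix used by the other seven entries. Since this file is removed outright with no replacement visible in the diff, check that the page it migrated to under `solutions/security/` reads "the Endpoint Security rule is enabled by default" and uses the same suffix for all eight rule names (presumably `Elastic Defend`), rather than inheriting both defects, and that the `[endpoint-protection-rules]` anchor still resolves or is redirected.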
diff --git a/raw-migrated-files/docs-content/serverless/security-allowlist-endpoint.md b/raw-migrated-files/docs-content/serverless/security-allowlist-endpoint.md
deleted file mode 100644
index d160dc62cd..0000000000
--- a/raw-migrated-files/docs-content/serverless/security-allowlist-endpoint.md
+++ /dev/null
@@ -1,76 +0,0 @@
-# Allowlist {{elastic-endpoint}} in third-party antivirus apps [security-allowlist-endpoint]
-
-::::{note}
-If you use other antivirus (AV) software along with {{elastic-defend}}, you may need to add the other system as a trusted application in the {{security-app}}. Refer to [Trusted applications](../../../solutions/security/manage-elastic-defend/trusted-applications.md) for more information.
-
-::::
-
-
-Third-party antivirus (AV) applications may identify the expected behavior of {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention—as a potential threat. Add {{elastic-endpoint}}'s digital signatures and file paths to your AV software’s allowlist to ensure {{elastic-endpoint}} continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable.
-
-::::{note}
-Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes.
-
-::::
-
-
-
-## Allowlist {{elastic-endpoint}} on Windows [security-allowlist-endpoint-allowlist-elastic-endpoint-on-windows]
-
-File paths:
-
-* ELAM driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys`
-* Driver: `c:\Windows\system32\drivers\ElasticElam.sys`
-* Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe`
-
- ::::{note}
- The executable runs as `elastic-endpoint.exe`.
-
- ::::
-
-
-Digital signatures:
-
-* `Elasticsearch, Inc.`
-* `Elasticsearch B.V.`
-
-For additional information about allowlisting on Windows, refer to [Trusting Elastic Defend in other software](https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software).
-
-
-## Allowlist {{elastic-endpoint}} on macOS [security-allowlist-endpoint-allowlist-elastic-endpoint-on-macos]
-
-File paths:
-
-* System extension (recursive directory structure): `/Applications/ElasticEndpoint.app/`
-
- ::::{note}
- The system extension runs as `co.elastic.systemextension`.
-
- ::::
-
-* Executable: `/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint`
-
- ::::{note}
- The executable runs as `elastic-endpoint`.
-
- ::::
-
-
-Digital signatures:
-
-* Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)`
-* Team ID: `2BT3HPN62Z`
-
-
-## Allowlist {{elastic-endpoint}} on Linux [security-allowlist-endpoint-allowlist-elastic-endpoint-on-linux]
-
-File path:
-
-* Executable: `/opt/Elastic/Endpoint/elastic-endpoint`
-
- ::::{note}
- The executable runs as `elastic-endpoint`.
-
- ::::
-
-
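Review bot: the Windows driver paths in this copy are labelled the other way round from the `security-docs` copy deleted later in this diff: here `ELAM driver: c:\Windows\system32\drivers\elastic-endpoint-driver.sys` and `Driver: c:\Windows\system32\drivers\ElasticElam.sys`, whereas the other copy pairs the ELAM label with `ElasticElam.sys`. Only one can be right, and the file name favours the `security-docs` pairing; whichever page replaces these two should be checked against an actual install, because an AV allowlist built from the wrong pairing still lists both files but documents the wrong one as the ELAM component. The nested `::::{note}` blocks inside list items also carry a blank line before the closing `::::`, which the other copy does not; harmless, but worth normalizing in the surviving page.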
diff --git a/raw-migrated-files/docs-content/serverless/security-endpoint-event-capture.md b/raw-migrated-files/docs-content/serverless/security-endpoint-event-capture.md
deleted file mode 100644
index 02432cfefe..0000000000
--- a/raw-migrated-files/docs-content/serverless/security-endpoint-event-capture.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# Event capture and {{elastic-defend}} [security-endpoint-event-capture]
-
-{{elastic-defend}} collects select data on system activity in order to detect and prevent as many threats as possible, while balancing storage and performance overhead. To that end, {{elastic-defend}} isn’t designed to capture all system events. Some event data that {{elastic-defend}} generates gets aggregated, truncated, or deduplicated as needed to optimize threat detection and prevention.
-
-You can supplement {{elastic-defend}}'s protection capabilities with [Elastic integrations](https://docs.elastic.co/en/integrations) and tools that provide more visibility and historical data. Consult the following sections to expand data collection for specific types of system events.
-
-
-## Network port creation and deletion [security-endpoint-event-capture-network-port-creation-and-deletion]
-
-{{elastic-defend}} tracks TCP connections. If a port is created but no traffic flows, no events are generated.
-
-For complete capture of network port creation and deletion, consider capturing Windows event ID 5158 using the [Custom Windows Event Logs](https://docs.elastic.co/en/integrations/winlog) integration.
-
-
-## Network in/out connections [security-endpoint-event-capture-network-inout-connections]
-
-{{elastic-defend}} tracks TCP connections, which don’t include network in/out connections.
-
-For complete network capture, consider deploying {{packetbeat}} using the [Network Packet Capture](https://docs.elastic.co/en/integrations/network_traffic) integration.
-
-
-## User behavior [security-endpoint-event-capture-user-behavior]
-
-{{elastic-defend}} only captures user security events required by its behavioral protection. This doesn’t include every user event such as logins and logouts, or every time a user account is created, deleted, or modified.
-
-For complete capture of all or specific Windows security events, consider the [Custom Windows Event Logs](https://docs.elastic.co/en/integrations/winlog) integration.
-
-
-## System service registration, deletion, and modification [security-endpoint-event-capture-system-service-registration-deletion-and-modification]
-
-{{elastic-defend}} only captures system service security events required by its behavioral protection engine. Service creation and modification can also be detected in registry activity, for which {{elastic-defend}} has internal rules such as [Registry or File Modification from Suspicious Memory](https://github.com/elastic/protections-artifacts/blob/6d54ae289b290b1d42a7717569483f6ce907200a/behavior/rules/persistence_registry_or_file_modification_from_suspicious_memory.toml).
-
-For complete capture of all or specific Windows security events, consider the [Custom Windows Event Logs](https://docs.elastic.co/en/integrations/winlog) integration. In particular, capture events such as [Windows event ID 4697](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697).
-
-
-## Kernel driver registration, deletion, and queries [security-endpoint-event-capture-kernel-driver-registration-deletion-and-queries]
-
-{{elastic-defend}} scans every driver as it is loaded, but it doesn’t generate an event each time.
-
-Drivers are registered in the system as system services. You can capture this with Windows event ID 4697 using the [Custom Windows Event Logs](https://docs.elastic.co/en/integrations/winlog) integration.
-
-Also consider capturing Windows event ID 6 using {{winlogbeat}}'s [Sysmon module](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-sysmon.html).
-
-
-## System configuration file creation, modification, and deletion [security-endpoint-event-capture-system-configuration-file-creation-modification-and-deletion]
-
-{{elastic-defend}} tracks creation, modification, and deletion of all files on the system. However, as mentioned above, the data might be aggregated, truncated, or deduplicated to provide only what’s required for threat detection and prevention.
-
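Review bot: `{{elastic-defend}} tracks TCP connections, which don’t include network in/out connections.` is self-contradictory as written (a TCP connection is itself inbound or outbound) and should be reworded in the migrated page to state precisely what is not captured, since readers use this section to decide whether to deploy {{packetbeat}}. Also, `Windows event ID 6` in the kernel driver section is a Sysmon event (driver loaded), not a Windows Security log ID, so label it as a Sysmon event to avoid confusion with the genuine Security IDs 5158 and 4697 cited above it; and the Sysmon module link uses the legacy `www.elastic.co/guide` URL scheme rather than the new docs site.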
diff --git a/raw-migrated-files/docs-content/serverless/security-endpoint-self-protection.md b/raw-migrated-files/docs-content/serverless/security-endpoint-self-protection.md
deleted file mode 100644
index 7b7addb83c..0000000000
--- a/raw-migrated-files/docs-content/serverless/security-endpoint-self-protection.md
+++ /dev/null
@@ -1,32 +0,0 @@
-# {{elastic-endpoint}} self-protection features [security-endpoint-self-protection]
-
-{{elastic-endpoint}}, the installed component that performs {{elastic-defend}}'s threat monitoring and prevention, protects itself against users and attackers that may try to interfere with its functionality. Protection features are consistently enhanced to prevent attackers who may attempt to use newer, more sophisticated tactics to interfere with the {{elastic-endpoint}}. Self-protection is enabled by default when {{elastic-endpoint}} installs on supported platforms, listed below.
-
-Self-protection is enabled on the following 64-bit Windows versions:
-
-* Windows 8.1
-* Windows 10
-* Windows 11
-* Windows Server 2012 R2
-* Windows Server 2016
-* Windows Server 2019
-* Windows Server 2022
-
-Self-protection is also enabled on the following macOS versions:
-
-* macOS 10.15 (Catalina)
-* macOS 11 (Big Sur)
-* macOS 12 (Monterey)
-
-::::{note}
-Other Windows and macOS variants (and all Linux distributions) do not have self-protection.
-
-::::
-
-
-Self-protection defines the following permissions:
-
-* Users — even Administrator/root — **cannot** delete {{elastic-endpoint}} files (located at `c:\Program Files\Elastic\Endpoint` on Windows, and `/Library/Elastic/Endpoint` on macOS).
-* Users **cannot** terminate the {{elastic-endpoint}} program or service.
-* Administrator/root users **can** read {{elastic-endpoint}}'s files. On Windows, the easiest way to read {{elastic-endpoint}} files is to start an Administrator `cmd.exe` prompt. On macOS, an Administrator can use the `sudo` command.
-* Administrator/root users **can** stop the {{elastic-agent}}'s service. On Windows, run the `sc stop "Elastic Agent"` command. On macOS, run the `sudo launchctl stop elastic-agent` command.
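Review bot: this serverless copy of the self-protection page drops the `For {{stack}} version >= 7.11.0` qualifier that the `security-docs` copy deleted further down keeps; if one consolidated page replaces both, the permissions list needs wording that is correct for serverless (no stack version) and stateful deployments alike. The supported-platform lists stop at Windows Server 2022 and macOS 12 (Monterey); confirm the migrated page's lists are current rather than copied verbatim, since a reader uses them to decide whether tampering protection exists on a given host.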
diff --git a/raw-migrated-files/docs-content/serverless/security-manage-endpoint-protection.md b/raw-migrated-files/docs-content/serverless/security-manage-endpoint-protection.md
deleted file mode 100644
index f292d34059..0000000000
--- a/raw-migrated-files/docs-content/serverless/security-manage-endpoint-protection.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Manage {{elastic-defend}} [security-manage-endpoint-protection]
-
-This section provides an overview of the management tools on the **Assets** page that administrators can use to manage endpoints, integration policies, trusted applications, event filters, host isolation exceptions, and blocked applications.
diff --git a/raw-migrated-files/docs-content/serverless/security-optimize-edr.md b/raw-migrated-files/docs-content/serverless/security-optimize-edr.md
deleted file mode 100644
index c8d7243046..0000000000
--- a/raw-migrated-files/docs-content/serverless/security-optimize-edr.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# Optimize {{elastic-defend}} [security-optimize-edr]
-
-If you encounter problems like incompatibilities with other antivirus software, too many false positive alerts, or excessive storage or CPU usage, you can optimize {{elastic-defend}} to mitigate these issues.
-
-Endpoint artifacts — such as trusted applications and event filters — and Endpoint exceptions let you modify the behavior and performance of *{{elastic-endpoint}}*, the component installed on each host that performs {{elastic-defend}}'s threat monitoring, prevention, and response actions.
-
-The following table explains the differences between several Endpoint artifacts and exceptions, and how to use them:
-
-| | |
-| --- | --- |
-| [Trusted application](../../../solutions/security/manage-elastic-defend/trusted-applications.md) | **Prevents {{elastic-endpoint}} from monitoring a process.** Use to avoid conflicts with other software, usually other antivirus or endpoint security applications.
* Creates intentional blind spots in your security environment — use sparingly!
* Doesn’t monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc.
* Doesn’t generate events for the application except process events for visualizations and other internal use by the {{stack}}.
* Might improve performance, since {{elastic-endpoint}} monitors fewer processes.
* Might still generate malicious behavior alerts, if the application’s process events indicate malicious behavior. To suppress alerts, create [Endpoint alert exceptions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions).
|
-| [Event filter](../../../solutions/security/manage-elastic-defend/event-filters.md) | **Prevents event documents from being written to {{es}}.** Use to reduce storage usage in {{es}}.
Does NOT lower CPU usage for {{elastic-endpoint}}. It still monitors event data for possible threats, but without writing event data to {{es}}.
|
-| [Blocklist](../../../solutions/security/manage-elastic-defend/blocklist.md) | **Prevents known malware from running.** Use to extend {{elastic-defend}}'s protection against malicious processes.
NOT intended to broadly block benign applications for non-security reasons.
|
-| [Endpoint alert exception](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) | **Prevents {{elastic-endpoint}} from generating alerts or stopping processes.** Use to reduce false positive alerts, and to keep {{elastic-endpoint}} from preventing processes you want to allow.
Might also improve performance: {{elastic-endpoint}} checks for exceptions *before* most other processing, and stops monitoring a process if an exception allows it.
|
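Review bot: the table in this file will not render reliably as a pipe table: each row's second cell spans several lines with `*` bullets (for example `* Creates intentional blind spots in your security environment — use sparingly!`) before the closing `|`, and standard Markdown tables require one row per line. The hunk header `@@ -1,14 +0,0 @@` counts 14 removed lines, matching the 14 `-`-prefixed lines, so the unprefixed bullet lines appear to be continuation text of those long cells rather than a patch error. Whatever page this migrates to should present the four artifact types as headed sections or a definition list, and the `Event filter` row's caveat that filters do NOT lower CPU usage should stay visible, as it is the key operational point that row carries.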
diff --git a/raw-migrated-files/security-docs/security/allowlist-endpoint-3rd-party-av-apps.md b/raw-migrated-files/security-docs/security/allowlist-endpoint-3rd-party-av-apps.md
deleted file mode 100644
index 139b5114ae..0000000000
--- a/raw-migrated-files/security-docs/security/allowlist-endpoint-3rd-party-av-apps.md
+++ /dev/null
@@ -1,70 +0,0 @@
-# Allowlist {{elastic-endpoint}} in third-party antivirus apps [allowlist-endpoint-3rd-party-av-apps]
-
-::::{note}
-If you use other antivirus (AV) software along with {{elastic-defend}}, you may need to add the other system as a trusted application in the {{security-app}}. Refer to [*Trusted applications*](../../../solutions/security/manage-elastic-defend/trusted-applications.md) for more information.
-::::
-
-
-Third-party antivirus (AV) applications may identify the expected behavior of {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention—as a potential threat. Add {{elastic-endpoint}}'s digital signatures and file paths to your AV software’s allowlist to ensure {{elastic-endpoint}} continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable.
-
-::::{note}
-Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes.
-::::
-
-
-
-## Allowlist {{elastic-endpoint}} on Windows [allowlist-endpoint-on-windows]
-
-File paths:
-
-* ELAM driver: `c:\Windows\system32\drivers\ElasticElam.sys`
-* Driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys`
-* Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe`
-
- ::::{note}
- The executable runs as `elastic-endpoint.exe`.
- ::::
-
-
-Digital signatures:
-
-* `Elasticsearch, Inc.`
-* `Elasticsearch B.V.`
-
-For additional information about allowlisting on Windows, refer to [Trusting Elastic Defend in other software](https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software).
-
-
-## Allowlist {{elastic-endpoint}} on macOS [allowlist-endpoint-on-macos]
-
-File paths:
-
-* System extension (recursive directory structure): `/Applications/ElasticEndpoint.app/`
-
- ::::{note}
- The system extension runs as `co.elastic.systemextension`.
- ::::
-
-* Executable: `/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint`
-
- ::::{note}
- The executable runs as `elastic-endpoint`.
- ::::
-
-
-Digital signatures:
-
-* Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)`
-* Team ID: `2BT3HPN62Z`
-
-
-## Allowlist {{elastic-endpoint}} on Linux [allowlist-endpoint-on-linux]
-
-File path:
-
-* Executable: `/opt/Elastic/Endpoint/elastic-endpoint`
-
- ::::{note}
- The executable runs as `elastic-endpoint`.
- ::::
-
-
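Review bot: this copy pairs `ELAM driver: c:\Windows\system32\drivers\ElasticElam.sys` with `Driver: c:\Windows\system32\drivers\elastic-endpoint-driver.sys`, the opposite of the serverless copy deleted earlier in this diff; this pairing is the one consistent with the file names, so it is the one the surviving page should keep, after verification against an install. Otherwise the two files are identical apart from the anchor ids (`[allowlist-endpoint-3rd-party-av-apps]` versus `[security-allowlist-endpoint]`), both of which need to resolve to the replacement page.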
diff --git a/raw-migrated-files/security-docs/security/endpoint-artifacts.md b/raw-migrated-files/security-docs/security/endpoint-artifacts.md
deleted file mode 100644
index 416bc1dde1..0000000000
--- a/raw-migrated-files/security-docs/security/endpoint-artifacts.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# Optimize {{elastic-defend}} [endpoint-artifacts]
-
-If you encounter problems like incompatibilities with other antivirus software, too many false positive alerts, or excessive storage or CPU usage, you can optimize {{elastic-defend}} to mitigate these issues.
-
-Endpoint artifacts — such as trusted applications and event filters — and Endpoint exceptions let you modify the behavior and performance of *{{elastic-endpoint}}*, the component installed on each host that performs {{elastic-defend}}'s threat monitoring, prevention, and response actions.
-
-The following table explains the differences between several Endpoint artifacts and exceptions, and how to use them:
-
-| | |
-| --- | --- |
-| [Trusted application](../../../solutions/security/manage-elastic-defend/trusted-applications.md) | **Prevents {{elastic-endpoint}} from monitoring a process.** Use to avoid conflicts with other software, usually other antivirus or endpoint security applications.
* Creates intentional blind spots in your security environment — use sparingly!
* Doesn’t monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc.
* Doesn’t generate events for the application except process events for visualizations and other internal use by the {{stack}}.
* Might improve performance, since {{elastic-endpoint}} monitors fewer processes.
* Might still generate malicious behavior alerts, if the application’s process events indicate malicious behavior. To suppress alerts, create [Endpoint alert exceptions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions).
|
-| [Event filter](../../../solutions/security/manage-elastic-defend/event-filters.md) | **Prevents event documents from being written to {{es}}.** Use to reduce storage usage in {{es}}.
Does NOT lower CPU usage for {{elastic-endpoint}}. It still monitors event data for possible threats, but without writing event data to {{es}}.
|
-| [Blocklist](../../../solutions/security/manage-elastic-defend/blocklist.md) | **Prevents known malware from running.** Use to extend {{elastic-defend}}'s protection against malicious processes.
NOT intended to broadly block benign applications for non-security reasons.
|
-| [Endpoint alert exception](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) | **Prevents {{elastic-endpoint}} from generating alerts or stopping processes.** Use to reduce false positive alerts, and to keep {{elastic-endpoint}} from preventing processes you want to allow.
Might also improve performance: {{elastic-endpoint}} checks for exceptions *before* most other processing, and stops monitoring a process if an exception allows it.
|
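Review bot: this file is identical to `security-optimize-edr.md` removed above except for the H1 anchor (`[endpoint-artifacts]` versus `[security-optimize-edr]`), so the same rendering concern applies: the pipe table's cells span multiple lines with embedded `*` bullets and will not render as a table in standard Markdown. Make sure the replacement page keeps both H1 anchor ids reachable, since they were link targets for other pages.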
diff --git a/raw-migrated-files/security-docs/security/endpoint-event-capture.md b/raw-migrated-files/security-docs/security/endpoint-event-capture.md
deleted file mode 100644
index 416621a7df..0000000000
--- a/raw-migrated-files/security-docs/security/endpoint-event-capture.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# Event capture and {{elastic-defend}} [endpoint-event-capture]
-
-{{elastic-defend}} collects selective data on system activities in order to detect and prevent as many threats as possible, while balancing storage and performance overhead. To that end, {{elastic-defend}} isn’t designed to provide a complete capture of all system events. The event data that {{elastic-defend}} generates might be aggregated, truncated, or deduplicated as needed to optimize threat detection and prevention.
-
-You can supplement {{elastic-defend}}'s protection capabilities with additional [Elastic integrations](https://docs.elastic.co/en/integrations) and tools that provide more visibility and historical data. Consult the following sections to expand data collection for specific system events.
-
-
-## Network port creation and deletion [_network_port_creation_and_deletion]
-
-{{elastic-defend}} tracks TCP connections. If a port is created but no traffic flows, no events are generated.
-
-For complete capture of network port creation and deletion, consider capturing Windows event ID 5158 using the [Custom Windows Event Logs](https://docs.elastic.co/en/integrations/winlog) integration.
-
-
-## Network in/out connections [_network_inout_connections]
-
-{{elastic-defend}} tracks TCP connections, which don’t include network in/out connections.
-
-For complete network capture, consider deploying {{packetbeat}} using the [Network Packet Capture](https://docs.elastic.co/en/integrations/network_traffic) integration.
-
-
-## User behavior [_user_behavior]
-
-{{elastic-defend}} only captures user security events required by its behavioral protection. This doesn’t include every user event such as logins and logouts, or every time a user account is created, deleted, or modified.
-
-For complete capture of all or specific Windows security events, consider the [Custom Windows Event Logs](https://docs.elastic.co/en/integrations/winlog) integration.
-
-
-## System service registration, deletion, and modification [_system_service_registration_deletion_and_modification]
-
-{{elastic-defend}} only captures system service security events required by its behavioral protection engine. Service creation and modification can also be detected in registry activity, for which {{elastic-defend}} has internal rules such as [Registry or File Modification from Suspicious Memory](https://github.com/elastic/protections-artifacts/blob/6d54ae289b290b1d42a7717569483f6ce907200a/behavior/rules/persistence_registry_or_file_modification_from_suspicious_memory.toml).
-
-For complete capture of all or specific Windows security events, consider the [Custom Windows Event Logs](https://docs.elastic.co/en/integrations/winlog) integration. In particular, capture events such as [Windows event ID 4697](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697).
-
-
-## Kernel driver registration, deletion, and queries [_kernel_driver_registration_deletion_and_queries]
-
-{{elastic-defend}} scans every driver as it is loaded, but it doesn’t generate an event each time.
-
-Drivers are registered in the system as system services. You can capture this with Windows event ID 4697 using the [Custom Windows Event Logs](https://docs.elastic.co/en/integrations/winlog) integration.
-
-Also consider capturing Windows event ID 6 using {{winlogbeat}}'s [Sysmon module](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-sysmon.html).
-
-
-## System configuration file creation, modification, and deletion [_system_configuration_file_creation_modification_and_deletion]
-
-{{elastic-defend}} tracks creation, modification, and deletion of all files on the system. However, as mentioned above, the data might be aggregated, truncated, or deduplicated to provide only what’s required for threat detection and prevention.
-
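Review bot: the intro paragraph here differs in wording from the serverless copy deleted earlier (`collects selective data on system activities` and `isn’t designed to provide a complete capture of all system events` versus `collects select data on system activity` and `isn’t designed to capture all system events`); the rest of the two files is identical, so the migration should settle on one wording ("select" is the intended adjective, "selective" describes the collector rather than the data). The anchors here are bare slugs (`[_network_port_creation_and_deletion]`) while the serverless copy uses prefixed ones (`[security-endpoint-event-capture-network-port-creation-and-deletion]`); both sets were linkable and need redirects or preserved ids.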
diff --git a/raw-migrated-files/security-docs/security/endpoint-protection-rules.md b/raw-migrated-files/security-docs/security/endpoint-protection-rules.md
deleted file mode 100644
index 51babd1690..0000000000
--- a/raw-migrated-files/security-docs/security/endpoint-protection-rules.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# Endpoint protection rules [endpoint-protection-rules]
-
-Endpoint protection rules are [prebuilt rules](../../../solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md) designed to help you manage and respond to alerts generated by {{elastic-endpoint}}, the installed component that performs {{elastic-defend}}'s threat monitoring and prevention. These rules include the [Endpoint Security](https://www.elastic.co/guide/en/security/current/endpoint-security.html) rule as well as additional detection and prevention rules for different {{elastic-defend}} protection features.
-
-::::{important}
-To receive {{elastic-endpoint}} alerts, you must install {{agent}} and the {{elastic-defend}} integration on your hosts (refer to [Install {{elastic-defend}}](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md)).
-::::
-
-
-When endpoint protection rules are triggered, {{elastic-endpoint}} alerts are displayed as detection alerts in the {{security-app}}. The detection alert name is taken from the {{elastic-endpoint}} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {{elastic-endpoint}} alerts are displayed as detection alerts:
-
-* Malware Prevention Alert
-* Malware Detection Alert
-
-
-## Endpoint Security rule [endpoint-sec-rule]
-
-The Endpoint Security rule automatically creates an alert from all incoming {{elastic-endpoint}} alerts.
-
-::::{note}
-When you install Elastic prebuilt rules, the {{elastic-defend}} is enabled by default.
-::::
-
-
-
-## Feature-specific protection rules [feature-protection-rules]
-
-The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {{elastic-defend}}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.
-
-* Behavior - Detected - Elastic Defend
-* Behavior - Prevented - Endpoint Defend
-* Malicious File - Detected - Elastic Defend
-* Malicious File - Prevented - Elastic Defend
-* Memory Signature - Detected - Elastic Defend
-* Memory Signature - Prevented - Elastic Defend
-* Ransomware - Detected - Elastic Defend
-* Ransomware - Prevented - Elastic Defend
-
-::::{note}
-If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts.
-::::
-
-
-To use these rules, you need to manually enable them from the **Rules** page in the {{security-app}}. Follow the instructions for [installing and enabling Elastic prebuilt rules](../../../solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules).
-
-
-## Endpoint security exception handling [_endpoint_security_exception_handling]
-
-All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing [{{elastic-endpoint}} exceptions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) continue to apply.
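Review bot: the note `When you install Elastic prebuilt rules, the {{elastic-defend}} is enabled by default.` is wrong in substance, not just grammar: the sentence sits under the Endpoint Security rule heading and the serverless copy says it is that rule which is enabled by default (albeit with a stray "that"), so the migrated page should read "the Endpoint Security rule is enabled by default". Two further carry-overs to check: `Behavior - Prevented - Endpoint Defend` should presumably end in `Elastic Defend` like the other seven rule names, and the `[Endpoint Security](https://www.elastic.co/guide/en/security/current/endpoint-security.html)` link uses the legacy guide URL rather than the new docs site.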
diff --git a/raw-migrated-files/security-docs/security/endpoint-self-protection.md b/raw-migrated-files/security-docs/security/endpoint-self-protection.md
deleted file mode 100644
index 0d9fb40388..0000000000
--- a/raw-migrated-files/security-docs/security/endpoint-self-protection.md
+++ /dev/null
@@ -1,32 +0,0 @@
-# {{elastic-endpoint}} self-protection features [endpoint-self-protection]
-
-{{elastic-endpoint}}, the installed component that performs {{elastic-defend}}'s threat monitoring and prevention, protects itself against users and attackers that may try to interfere with its functionality. Protection features are consistently enhanced to prevent attackers who may attempt to use newer, more sophisticated tactics to interfere with the {{elastic-endpoint}}. Self-protection is enabled by default when {{elastic-endpoint}} installs on supported platforms, listed below.
-
-Self-protection is enabled on the following 64-bit Windows versions:
-
-* Windows 8.1
-* Windows 10
-* Windows 11
-* Windows Server 2012 R2
-* Windows Server 2016
-* Windows Server 2019
-* Windows Server 2022
-
-Self-protection is also enabled on the following macOS versions:
-
-* macOS 10.15 (Catalina)
-* macOS 11 (Big Sur)
-* macOS 12 (Monterey)
-
-::::{note}
-Other Windows and macOS variants (and all Linux distributions) do not have self-protection.
-::::
-
-
-For {{stack}} version >= 7.11.0, self-protection defines the following permissions:
-
-* Users — even Administrator/root — **cannot** delete {{elastic-endpoint}} files (located at `c:\Program Files\Elastic\Endpoint` on Windows, and `/Library/Elastic/Endpoint` on macOS).
-* Users **cannot** terminate the {{elastic-endpoint}} program or service.
-* Administrator/root users **can** read {{elastic-endpoint}}'s files. On Windows, the easiest way to read {{elastic-endpoint}} files is to start an Administrator `cmd.exe` prompt. On macOS, an Administrator can use the `sudo` command.
-* Administrator/root users **can** stop the {{elastic-agent}}'s service. On Windows, run the `sc stop "Elastic Agent"` command. On macOS, run the `sudo launchctl stop elastic-agent` command.
-
diff --git a/raw-migrated-files/security-docs/security/sec-manage-intro.md b/raw-migrated-files/security-docs/security/sec-manage-intro.md
deleted file mode 100644
index 776ba92409..0000000000
--- a/raw-migrated-files/security-docs/security/sec-manage-intro.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Manage {{elastic-defend}} [sec-manage-intro]
-
-The following section provides an overview of the management tools admins can use to manage endpoints, integration policies, trusted applications, event filters, host isolation exceptions, and blocked applications.
diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml
index 73d5a9c1ce..a676db37bf 100644
--- a/raw-migrated-files/toc.yml
+++ b/raw-migrated-files/toc.yml
@@ -261,7 +261,6 @@ toc:
- file: docs-content/serverless/elasticsearch-ingest-data-file-upload.md
- file: docs-content/serverless/elasticsearch-ingest-data-through-api.md
- file: docs-content/serverless/elasticsearch-manage-project.md
- - file: docs-content/serverless/endpoint-protection-rules.md
- file: docs-content/serverless/general-billing-stop-project.md
- file: docs-content/serverless/general-manage-organization.md
- file: docs-content/serverless/general-ml-nlp-auto-scale.md
@@ -402,7 +401,6 @@ toc:
- file: docs-content/serverless/security-alert-suppression.md
- file: docs-content/serverless/security-alerts-manage.md
- file: docs-content/serverless/security-alerts-run-osquery.md
- - file: docs-content/serverless/security-allowlist-endpoint.md
- file: docs-content/serverless/security-automated-response-actions.md
- file: docs-content/serverless/security-automatic-import.md
- file: docs-content/serverless/security-behavioral-detection-use-cases.md
@@ -444,10 +442,8 @@ toc:
- file: docs-content/serverless/security-elastic-endpoint-deploy-reqs.md
- file: docs-content/serverless/security-endpoint-data-volume.md
- file: docs-content/serverless/security-endpoint-diagnostic-data.md
- - file: docs-content/serverless/security-endpoint-event-capture.md
- file: docs-content/serverless/security-endpoint-management-req.md
- file: docs-content/serverless/security-endpoint-protection-intro.md
- - file: docs-content/serverless/security-endpoint-self-protection.md
- file: docs-content/serverless/security-endpoints-page.md
- file: docs-content/serverless/security-environment-variable-capture.md
- file: docs-content/serverless/security-ers-requirements.md
@@ -469,10 +465,8 @@ toc:
- file: docs-content/serverless/security-llm-connector-guides.md
- file: docs-content/serverless/security-llm-performance-matrix.md
- file: docs-content/serverless/security-machine-learning.md
- - file: docs-content/serverless/security-manage-endpoint-protection.md
- file: docs-content/serverless/security-ml-requirements.md
- file: docs-content/serverless/security-network-page-overview.md
- - file: docs-content/serverless/security-optimize-edr.md
- file: docs-content/serverless/security-osquery-placeholder-fields.md
- file: docs-content/serverless/security-osquery-response-action.md
- file: docs-content/serverless/security-overview-dashboard.md
@@ -772,7 +766,6 @@ toc:
- file: security-docs/security/alert-suppression.md
- file: security-docs/security/alerts-run-osquery.md
- file: security-docs/security/alerts-ui-manage.md
- - file: security-docs/security/allowlist-endpoint-3rd-party-av-apps.md
- file: security-docs/security/artifact-control.md
- file: security-docs/security/assistant-connect-to-azure-openai.md
- file: security-docs/security/assistant-connect-to-bedrock.md
@@ -820,14 +813,10 @@ toc:
- file: security-docs/security/detections-logsdb-index-mode-impact.md
- file: security-docs/security/detections-permissions-section.md
- file: security-docs/security/elastic-endpoint-deploy-reqs.md
- - file: security-docs/security/endpoint-artifacts.md
- file: security-docs/security/endpoint-data-volume.md
- file: security-docs/security/endpoint-diagnostic-data.md
- - file: security-docs/security/endpoint-event-capture.md
- file: security-docs/security/endpoint-management-req.md
- file: security-docs/security/endpoint-protection-intro.md
- - file: security-docs/security/endpoint-protection-rules.md
- - file: security-docs/security/endpoint-self-protection.md
- file: security-docs/security/environment-variable-capture.md
- file: security-docs/security/ers-requirements.md
- file: security-docs/security/es-overview.md
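Review bot: the toc entries removed in this hunk (endpoint-artifacts.md, endpoint-event-capture.md, endpoint-protection-rules.md, endpoint-self-protection.md) and in the serverless hunks above should each correspond to a deleted file under raw-migrated-files, but in the portion of the diff shown here only endpoint-protection-rules.md (serverless), endpoint-self-protection.md and sec-manage-intro.md are deleted. Please confirm the remaining raw-migrated pages referenced by the removed entries (for example `security-docs/security/endpoint-artifacts.md` and `docs-content/serverless/security-endpoint-event-capture.md`) are deleted in this change as well, otherwise they remain as orphaned files in the repository.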
@@ -871,7 +860,6 @@ toc:
- file: security-docs/security/rules-ui-create.md
- file: security-docs/security/rules-ui-management.md
- file: security-docs/security/runtime-fields.md
- - file: security-docs/security/sec-manage-intro.md
- file: security-docs/security/sec-requirements.md
- file: security-docs/security/security-assistant.md
- file: security-docs/security/security-posture-faq.md
diff --git a/solutions/security/manage-elastic-defend.md b/solutions/security/manage-elastic-defend.md
index b42b935178..43af52510d 100644
--- a/solutions/security/manage-elastic-defend.md
+++ b/solutions/security/manage-elastic-defend.md
@@ -4,11 +4,6 @@ mapped_urls:
- https://www.elastic.co/guide/en/serverless/current/security-manage-endpoint-protection.html
---
-# Manage Elastic Defend
+# Manage {{elastic-defend}} [sec-manage-intro]
-% What needs to be done: Lift-and-shift
-
-% Use migrated content from existing pages that map to this page:
-
-% - [ ] ./raw-migrated-files/security-docs/security/sec-manage-intro.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/security-manage-endpoint-protection.md
\ No newline at end of file
+The following section provides an overview of the management tools admins can use to manage endpoints, integration policies, trusted applications, event filters, host isolation exceptions, and blocked applications.
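Review bot: the new heading on the `+# Manage {{elastic-defend}} [sec-manage-intro]` line is followed directly by the intro paragraph with no blank line between them, and there is none between the frontmatter `---` and the heading either; add the blank lines so the page matches the layout used by the other migrated pages in this change (for example the allowlist page, which separates its heading from the first admonition).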
diff --git a/solutions/security/manage-elastic-defend/allowlist-elastic-endpoint-in-third-party-antivirus-apps.md b/solutions/security/manage-elastic-defend/allowlist-elastic-endpoint-in-third-party-antivirus-apps.md
index a7110a9c47..8e64155147 100644
--- a/solutions/security/manage-elastic-defend/allowlist-elastic-endpoint-in-third-party-antivirus-apps.md
+++ b/solutions/security/manage-elastic-defend/allowlist-elastic-endpoint-in-third-party-antivirus-apps.md
@@ -4,11 +4,74 @@ mapped_urls:
- https://www.elastic.co/guide/en/serverless/current/security-allowlist-endpoint.html
---
-# Allowlist Elastic Endpoint in third-party antivirus apps
-% What needs to be done: Lift-and-shift
-% Use migrated content from existing pages that map to this page:
+# Allowlist {{elastic-endpoint}} in third-party antivirus apps [allowlist-endpoint-3rd-party-av-apps]
+
+::::{note}
+If you use other antivirus (AV) software along with {{elastic-defend}}, you may need to add the other system as a trusted application in the {{security-app}}. Refer to [*Trusted applications*](trusted-applications.md) for more information.
+::::
+
+
+Third-party antivirus (AV) applications may identify the expected behavior of {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention—as a potential threat. Add {{elastic-endpoint}}'s digital signatures and file paths to your AV software’s allowlist to ensure {{elastic-endpoint}} continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable.
+
+::::{note}
+Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes.
+::::
+
+
+
+## Allowlist {{elastic-endpoint}} on Windows [allowlist-endpoint-on-windows]
+
+File paths:
+
+* ELAM driver: `c:\Windows\system32\drivers\ElasticElam.sys`
+* Driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys`
+* Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe`
+
+ ::::{note}
+ The executable runs as `elastic-endpoint.exe`.
+ ::::
+
+
+Digital signatures:
+
+* `Elasticsearch, Inc.`
+* `Elasticsearch B.V.`
+
+For additional information about allowlisting on Windows, refer to [Trusting Elastic Defend in other software](https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software).
+
+
+## Allowlist {{elastic-endpoint}} on macOS [allowlist-endpoint-on-macos]
+
+File paths:
+
+* System extension (recursive directory structure): `/Applications/ElasticEndpoint.app/`
+
+ ::::{note}
+ The system extension runs as `co.elastic.systemextension`.
+ ::::
+
+* Executable: `/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint`
+
+ ::::{note}
+ The executable runs as `elastic-endpoint`.
+ ::::
+
+
+Digital signatures:
+
+* Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)`
+* Team ID: `2BT3HPN62Z`
+
+
+## Allowlist {{elastic-endpoint}} on Linux [allowlist-endpoint-on-linux]
+
+File path:
+
+* Executable: `/opt/Elastic/Endpoint/elastic-endpoint`
+
+ ::::{note}
+ The executable runs as `elastic-endpoint`.
+ ::::
-% - [ ] ./raw-migrated-files/security-docs/security/allowlist-endpoint-3rd-party-av-apps.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/security-allowlist-endpoint.md
\ No newline at end of file
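Review bot: the `::::{note}` blocks placed under the path lists (`The executable runs as ...`, `The system extension runs as ...`) are indented by a single space, which neither nests them under the preceding bullet nor leaves them at top level; either indent them to the list item's content column (two spaces, under the bullet they belong to) or move them after the list unindented, and use the same placement in all three platform sections (in the Windows section the note follows the whole list, in the macOS section it sits between two bullets). Also, the Linux section lists only the executable path and no digital signature; if there is nothing to sign-verify on Linux that is worth stating explicitly, since the intro recommends allowlisting both paths and signatures "if applicable".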
diff --git a/solutions/security/manage-elastic-defend/elastic-endpoint-self-protection-features.md b/solutions/security/manage-elastic-defend/elastic-endpoint-self-protection-features.md
index 9fe4b57907..366aba38e2 100644
--- a/solutions/security/manage-elastic-defend/elastic-endpoint-self-protection-features.md
+++ b/solutions/security/manage-elastic-defend/elastic-endpoint-self-protection-features.md
@@ -4,11 +4,34 @@ mapped_urls:
- https://www.elastic.co/guide/en/serverless/current/security-endpoint-self-protection.html
---
-# Elastic Endpoint self-protection features
+# {{elastic-endpoint}} self-protection features [endpoint-self-protection]
-% What needs to be done: Lift-and-shift
+{{elastic-endpoint}}, the installed component that performs {{elastic-defend}}'s threat monitoring and prevention, protects itself against users and attackers that may try to interfere with its functionality. Protection features are consistently enhanced to prevent attackers who may attempt to use newer, more sophisticated tactics to interfere with the {{elastic-endpoint}}. Self-protection is enabled by default when {{elastic-endpoint}} installs on supported platforms, listed below.
-% Use migrated content from existing pages that map to this page:
+Self-protection is enabled on the following 64-bit Windows versions:
-% - [ ] ./raw-migrated-files/security-docs/security/endpoint-self-protection.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/security-endpoint-self-protection.md
\ No newline at end of file
+* Windows 8.1
+* Windows 10
+* Windows 11
+* Windows Server 2012 R2
+* Windows Server 2016
+* Windows Server 2019
+* Windows Server 2022
+
+Self-protection is also enabled on the following macOS versions:
+
+* macOS 10.15 (Catalina)
+* macOS 11 (Big Sur)
+* macOS 12 (Monterey)
+
+::::{note}
+Other Windows and macOS variants (and all Linux distributions) do not have self-protection.
+::::
+
+
+For {{stack}} version >= 7.11.0, self-protection defines the following permissions:
+
+* Users — even Administrator/root — **cannot** delete {{elastic-endpoint}} files (located at `c:\Program Files\Elastic\Endpoint` on Windows, and `/Library/Elastic/Endpoint` on macOS).
+* Users **cannot** terminate the {{elastic-endpoint}} program or service.
+* Administrator/root users **can** read {{elastic-endpoint}}'s files. On Windows, the easiest way to read {{elastic-endpoint}} files is to start an Administrator `cmd.exe` prompt. On macOS, an Administrator can use the `sudo` command.
+* Administrator/root users **can** stop the {{elastic-agent}}'s service. On Windows, run the `sc stop "Elastic Agent"` command. On macOS, run the `sudo launchctl stop elastic-agent` command.
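Review bot: blank lines are missing between the heading, the intro paragraph, the `Self-protection is enabled on the following 64-bit Windows versions:` line and the `* Windows 8.1` list that follows it; because the old placeholder lines are interleaved with the new ones, the resulting file runs these together, so the intro paragraph and the "Self-protection is enabled..." sentence will render as one paragraph. Insert a blank line after the heading, after the intro paragraph and before the list, as is already done for the macOS list further down (`Self-protection is also enabled on the following macOS versions:` is separated from its bullets by a blank line).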
diff --git a/solutions/security/manage-elastic-defend/endpoint-protection-rules.md b/solutions/security/manage-elastic-defend/endpoint-protection-rules.md
index a41cbe012c..70a549fcd4 100644
--- a/solutions/security/manage-elastic-defend/endpoint-protection-rules.md
+++ b/solutions/security/manage-elastic-defend/endpoint-protection-rules.md
@@ -4,11 +4,52 @@ mapped_urls:
- https://www.elastic.co/guide/en/serverless/current/endpoint-protection-rules.html
---
-# Endpoint protection rules
+# Endpoint protection rules [endpoint-protection-rules]
-% What needs to be done: Lift-and-shift
+Endpoint protection rules are [prebuilt rules](../detect-and-alert/install-manage-elastic-prebuilt-rules.md) designed to help you manage and respond to alerts generated by {{elastic-endpoint}}, the installed component that performs {{elastic-defend}}'s threat monitoring and prevention. These rules include the Endpoint Security rule as well as additional detection and prevention rules for different {{elastic-defend}} protection features.
-% Use migrated content from existing pages that map to this page:
+::::{important}
+To receive {{elastic-endpoint}} alerts, you must install {{agent}} and the {{elastic-defend}} integration on your hosts (refer to [Install {{elastic-defend}}](../configure-elastic-defend/install-elastic-defend.md)).
+::::
-% - [ ] ./raw-migrated-files/security-docs/security/endpoint-protection-rules.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/endpoint-protection-rules.md
\ No newline at end of file
+
+When endpoint protection rules are triggered, {{elastic-endpoint}} alerts are displayed as detection alerts in the {{security-app}}. The detection alert name is taken from the {{elastic-endpoint}} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {{elastic-endpoint}} alerts are displayed as detection alerts:
+
+* Malware Prevention Alert
+* Malware Detection Alert
+
+
+## Endpoint Security rule [endpoint-sec-rule]
+
+The Endpoint Security rule automatically creates an alert from all incoming {{elastic-endpoint}} alerts.
+
+::::{note}
+When you install Elastic prebuilt rules, the {{elastic-defend}} is enabled by default.
+::::
+
+
+
+## Feature-specific protection rules [feature-protection-rules]
+
+The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {{elastic-defend}}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.
+
+* Behavior - Detected - Elastic Defend
+* Behavior - Prevented - Endpoint Defend
+* Malicious File - Detected - Elastic Defend
+* Malicious File - Prevented - Elastic Defend
+* Memory Signature - Detected - Elastic Defend
+* Memory Signature - Prevented - Elastic Defend
+* Ransomware - Detected - Elastic Defend
+* Ransomware - Prevented - Elastic Defend
+
+::::{note}
+If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts.
+::::
+
+
+To use these rules, you need to manually enable them from the **Rules** page in the {{security-app}}. Follow the instructions for [installing and enabling Elastic prebuilt rules](../detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules).
+
+
+## Endpoint security exception handling [_endpoint_security_exception_handling]
+
+All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing [{{elastic-endpoint}} exceptions](../detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) continue to apply.
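Review bot: the note under "Endpoint Security rule" reads `When you install Elastic prebuilt rules, the {{elastic-defend}} is enabled by default.`, which substitutes the product name for the rule; the section is about the Endpoint Security rule, so this should read "the Endpoint Security rule is enabled by default." In the feature-specific rule list, `Behavior - Prevented - Endpoint Defend` is inconsistent with every other entry (`... - Elastic Defend`) and should be `Behavior - Prevented - Elastic Defend`, since users will search the Rules page by these exact names. Finally, the heading, the intro paragraph and the `::::{important}` admonition at the top of the file have no blank lines between them; add them so the admonition is not attached to the paragraph.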
diff --git a/solutions/security/manage-elastic-defend/event-capture-elastic-defend.md b/solutions/security/manage-elastic-defend/event-capture-elastic-defend.md
index 74291ca344..897f12138a 100644
--- a/solutions/security/manage-elastic-defend/event-capture-elastic-defend.md
+++ b/solutions/security/manage-elastic-defend/event-capture-elastic-defend.md
@@ -4,11 +4,51 @@ mapped_urls:
- https://www.elastic.co/guide/en/serverless/current/security-endpoint-event-capture.html
---
-# Event capture and Elastic Defend
+# Event capture and {{elastic-defend}} [endpoint-event-capture]
-% What needs to be done: Lift-and-shift
+{{elastic-defend}} collects selective data on system activities in order to detect and prevent as many threats as possible, while balancing storage and performance overhead. To that end, {{elastic-defend}} isn’t designed to provide a complete capture of all system events. The event data that {{elastic-defend}} generates might be aggregated, truncated, or deduplicated as needed to optimize threat detection and prevention.
-% Use migrated content from existing pages that map to this page:
+You can supplement {{elastic-defend}}'s protection capabilities with additional [Elastic integrations](https://docs.elastic.co/en/integrations) and tools that provide more visibility and historical data. Consult the following sections to expand data collection for specific system events.
+
+
+## Network port creation and deletion [_network_port_creation_and_deletion]
+
+{{elastic-defend}} tracks TCP connections. If a port is created but no traffic flows, no events are generated.
+
+For complete capture of network port creation and deletion, consider capturing Windows event ID 5158 using the [Custom Windows Event Logs](https://docs.elastic.co/en/integrations/winlog) integration.
+
+
+## Network in/out connections [_network_inout_connections]
+
+{{elastic-defend}} tracks TCP connections, which don’t include network in/out connections.
+
+For complete network capture, consider deploying {{packetbeat}} using the [Network Packet Capture](https://docs.elastic.co/en/integrations/network_traffic) integration.
+
+
+## User behavior [_user_behavior]
+
+{{elastic-defend}} only captures user security events required by its behavioral protection. This doesn’t include every user event such as logins and logouts, or every time a user account is created, deleted, or modified.
+
+For complete capture of all or specific Windows security events, consider the [Custom Windows Event Logs](https://docs.elastic.co/en/integrations/winlog) integration.
+
+
+## System service registration, deletion, and modification [_system_service_registration_deletion_and_modification]
+
+{{elastic-defend}} only captures system service security events required by its behavioral protection engine. Service creation and modification can also be detected in registry activity, for which {{elastic-defend}} has internal rules such as [Registry or File Modification from Suspicious Memory](https://github.com/elastic/protections-artifacts/blob/6d54ae289b290b1d42a7717569483f6ce907200a/behavior/rules/persistence_registry_or_file_modification_from_suspicious_memory.toml).
+
+For complete capture of all or specific Windows security events, consider the [Custom Windows Event Logs](https://docs.elastic.co/en/integrations/winlog) integration. In particular, capture events such as [Windows event ID 4697](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697).
+
+
+## Kernel driver registration, deletion, and queries [_kernel_driver_registration_deletion_and_queries]
+
+{{elastic-defend}} scans every driver as it is loaded, but it doesn’t generate an event each time.
+
+Drivers are registered in the system as system services. You can capture this with Windows event ID 4697 using the [Custom Windows Event Logs](https://docs.elastic.co/en/integrations/winlog) integration.
+
+Also consider capturing Windows event ID 6 using {{winlogbeat}}'s [Sysmon module](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-sysmon.html).
+
+
+## System configuration file creation, modification, and deletion [_system_configuration_file_creation_modification_and_deletion]
+
+{{elastic-defend}} tracks creation, modification, and deletion of all files on the system. However, as mentioned above, the data might be aggregated, truncated, or deduplicated to provide only what’s required for threat detection and prevention.
-% - [ ] ./raw-migrated-files/security-docs/security/endpoint-event-capture.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/security-endpoint-event-capture.md
\ No newline at end of file
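Review bot: the heading `# Event capture and {{elastic-defend}} [endpoint-event-capture]` and the two intro paragraphs that follow it have no blank lines between them, so the two paragraphs will render as one; add a blank line after the heading and between the paragraphs, as the section bodies below already do. As a minor style point, the {{winlogbeat}} Sysmon module link uses the legacy `www.elastic.co/guide` URL while the integration links on the same page point at `docs.elastic.co`; consider using the same documentation host throughout if a current location for that page exists.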
diff --git a/solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md b/solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md
index 58807d21bc..274b41f3b2 100644
--- a/solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md
+++ b/solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md
@@ -20,7 +20,7 @@ After you’ve installed {{elastic-defend}} on one or more hosts, you can use **
::::{admonition} Requirements
To use this feature, you need:
-* A Security Analytics Complete [subscription](https://www.elastic.co/pricing/serverless-security).
+* In serverless, a Security Analytics Complete [subscription](https://www.elastic.co/pricing/serverless-security).
* The **Endpoint Insights: Read** or **Endpoint Insights: All** security sub-feature privilege.
* A working [LLM connector](../ai/set-up-connectors-for-large-language-models-llm.md) for AI Assistant.
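Review bot: qualifying the subscription requirement with `In serverless, ...` leaves the list silent about what applies to self-managed and Elastic Cloud Hosted deployments, which this combined page now also serves; add the corresponding requirement line for those deployment types (or an explicit statement that no subscription tier is required there) so readers on non-serverless deployments are not left guessing.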
diff --git a/solutions/security/manage-elastic-defend/optimize-elastic-defend.md b/solutions/security/manage-elastic-defend/optimize-elastic-defend.md
index 74de599cf9..31d37cb47d 100644
--- a/solutions/security/manage-elastic-defend/optimize-elastic-defend.md
+++ b/solutions/security/manage-elastic-defend/optimize-elastic-defend.md
@@ -4,11 +4,17 @@ mapped_urls:
- https://www.elastic.co/guide/en/serverless/current/security-optimize-edr.html
---
-# Optimize Elastic Defend
+# Optimize {{elastic-defend}} [endpoint-artifacts]
-% What needs to be done: Lift-and-shift
+If you encounter problems like incompatibilities with other antivirus software, too many false positive alerts, or excessive storage or CPU usage, you can optimize {{elastic-defend}} to mitigate these issues.
-% Use migrated content from existing pages that map to this page:
+Endpoint artifacts — such as trusted applications and event filters — and Endpoint exceptions let you modify the behavior and performance of *{{elastic-endpoint}}*, the component installed on each host that performs {{elastic-defend}}'s threat monitoring, prevention, and response actions.
-% - [ ] ./raw-migrated-files/security-docs/security/endpoint-artifacts.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/security-optimize-edr.md
\ No newline at end of file
+The following table explains the differences between several Endpoint artifacts and exceptions, and how to use them:
+
+| | |
+| --- | --- |
+| [Trusted application](trusted-applications.md) | **Prevents {{elastic-endpoint}} from monitoring a process.** Use to avoid conflicts with other software, usually other antivirus or endpoint security applications.
- Creates intentional blind spots in your security environment — use sparingly!
- Doesn’t monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc.
- Doesn’t generate events for the application except process events for visualizations and other internal use by the {{stack}}.
- Might improve performance, since {{elastic-endpoint}} monitors fewer processes.
- Might still generate malicious behavior alerts, if the application’s process events indicate malicious behavior. To suppress alerts, create [Endpoint alert exceptions](../detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions).
|
+| [Event filter](event-filters.md) | **Prevents event documents from being written to {{es}}.** Use to reduce storage usage in {{es}}.
Does NOT lower CPU usage for {{elastic-endpoint}}. It still monitors event data for possible threats, but without writing event data to {{es}}.
|
+| [Blocklist](blocklist.md) | **Prevents known malware from running.** Use to extend {{elastic-defend}}'s protection against malicious processes.
NOT intended to broadly block benign applications for non-security reasons.
|
+| [Endpoint alert exception](../detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) | **Prevents {{elastic-endpoint}} from generating alerts or stopping processes.** Use to reduce false positive alerts, and to keep {{elastic-endpoint}} from preventing processes you want to allow.
Might also improve performance: {{elastic-endpoint}} checks for exceptions *before* most other processing, and stops monitoring a process if an exception allows it.
|
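Review bot: the comparison table has an empty header row (`| | |`) and cells that span multiple lines with bullet items and a closing `|` on its own line; pipe tables do not support multi-line cells, so this will not render as intended. Either give the header row column names (for example `| Artifact | Effect and when to use it |`) and keep each cell on one line using the markup the docs builder supports for line breaks within a cell, or restructure the four entries as subsections or a definition list. Separately, the heading and the three intro paragraphs above the table have no blank lines between them and will run together; add them.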