diff --git a/raw-migrated-files/docs-content/serverless/security-cases-open-manage.md b/raw-migrated-files/docs-content/serverless/security-cases-open-manage.md
index 8f75baa025..f48d7029c1 100644
--- a/raw-migrated-files/docs-content/serverless/security-cases-open-manage.md
+++ b/raw-migrated-files/docs-content/serverless/security-cases-open-manage.md
@@ -58,7 +58,7 @@ To explore a case, click on its name. You can then:
 
     ::::
 
-* Examine [alerts](../../../solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](../../../troubleshoot/security/indicators-of-compromise.md#review-indicator-in-case) attached to the case
+* Examine [alerts](../../../solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case
 * [Add files](../../../solutions/security/investigate/open-manage-cases.md#cases-add-files)
 * [Add a Lens visualization](../../../solutions/security/investigate/open-manage-cases.md#cases-lens-visualization)
 * Modify the case’s description, assignees, category, severity, status, and tags.
diff --git a/raw-migrated-files/docs-content/serverless/security-indicators-of-compromise.md b/raw-migrated-files/docs-content/serverless/security-indicators-of-compromise.md
deleted file mode 100644
index d87254edf1..0000000000
--- a/raw-migrated-files/docs-content/serverless/security-indicators-of-compromise.md
+++ /dev/null
@@ -1,190 +0,0 @@
-# Indicators of compromise [security-indicators-of-compromise]
-
-The Indicators page collects data from enabled threat intelligence feeds and provides a centralized view of indicators, also known as indicators of compromise (IoCs). This topic helps you set up the Indicators page and explains how to work with IoCs.
-
-::::{admonition} Requirements
-:class: note
-
-* The Indicators page requires the Security Analytics Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
-* You must have *one* of the following installed on the hosts you want to monitor:
-
-    * **{{agent}}** - Install a [{{fleet}}-managed {{agent}}](https://www.elastic.co/guide/en/fleet/current/install-fleet-managed-elastic-agent.html) and ensure the agent’s status is `Healthy`. Refer to [{{fleet}} Troubleshooting](../../../troubleshoot/ingest/fleet/common-problems.md) if it isn’t.
-    * **{{filebeat}}** - Install [{{filebeat}}](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html).
-
-
-::::
-
-
-:::{image} ../../../images/serverless--cases-indicators-table.png
-:alt: Shows the Indicators page
-:class: screenshot
-:::
-
-
-## Threat intelligence and indicators [ti-indicators]
-
-Threat intelligence is a research function that analyzes current and emerging threats and recommends appropriate actions to strengthen a company’s security posture. Threat intelligence requires proactivity to be useful, such as gathering, analyzing, and investigating various threat and vulnerability data sources.
-
-An indicator, also referred to as an IoC, is a piece of information associated with a known threat or reported vulnerability. There are many types of indicators, including URLs, files, domains, email addresses, and more. Within SOC teams, threat intelligence analysts use indicators to detect, assess, and respond to threats.
-
-
-## Set up the Indicators page [setup-indicators-page]
-
-Install a threat intelligence integration to add indicators to the Indicators page.
-
-1. From the {{security-app}} main menu, select one of the following:
-
-    * **Intelligence** → **Indicators** → **Add Integrations**.
-    * **Project settings** → **Integrations**.
-
-2. In the search bar, search for `Threat Intelligence` to get a list of threat intelligence integrations.
-3. Select a threat intelligence integration, then complete the integration’s guided installation.
-
-    ::::{note}
-    For more information about available fields, go to the [Elastic integration documentation](https://docs.elastic.co/integrations) and search for a specific threat intelligence integration.
-
-    ::::
-
-4. Return to the Indicators page in {{elastic-sec}}. Refresh the page if indicator data isn’t displaying.
-
-
-### Troubleshooting [troubleshoot-indicators-page]
-
-If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration:
-
-* Verify that the index storing indicator documents is included in the [default {{elastic-sec}} indices](../../../solutions/security/get-started/configure-advanced-settings.md#update-sec-indices) (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you’re collecting indicator data:
-
-    * **{{agent}} integrations** - `logs_ti*`
-    * **{{filebeat}} integrations** - `filebeat-*`
-
-* Ensure the indicator data you’re ingesting is mapped to [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/current).
-
-::::{note}
-These troubleshooting steps also apply to the [Threat Intelligence view](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md).
-
-::::
-
-
-
-## Indicators page UI [intelligence-page-ui]
-
-After you add indicators to the Indicators page, you can [examine](../../../troubleshoot/security/indicators-of-compromise.md#examine-indicator-details), search, filter, and take action on indicator data. Indicators also appear in the Trend view, which shows the total values in the legend.
-
-:::{image} ../../../images/serverless--cases-interact-with-indicators-table.gif
-:alt: Shows how to interact with the Intelligence page
-:class: screenshot
-:::
-
-
-### Examine indicator details [examine-indicator-details]
-
-Learn more about an indicator by clicking **View details**, then opening the Indicator details flyout. The flyout contains these informational tabs:
-
-* **Overview**: A summary of the indicator, including the indicator’s name, the threat intelligence feed it came from, the indicator type, and additional relevant data.
-
-    ::::{note}
-    Some threat intelligence feeds provide  [Traffic Light Protocol (TLP) markings](https://www.cisa.gov/tlp#:~:text=Introduction,shared%20with%20the%20appropriate%20audience). The `TLP Marking` and `Confidence` fields will be empty if the feed doesn’t provide that data.
-
-    ::::
-
-* **Table**: The indicator data in table format.
-* **JSON**: The indicator data in JSON format.
-
-    :::{image} ../../../images/serverless--cases-indicator-details-flyout.png
-    :alt: Shows the Indicator details flyout
-    :class: screenshot
-    :::
-
-
-
-## Find related security events [find-related-sec-events]
-
-Investigate an indicator in [Timeline](../../../solutions/security/investigate/timeline.md) to identify and predict related events in your environment. You can add an indicator to Timeline from the Indicators table or the Indicator details flyout.
-
-:::{image} ../../../images/serverless--cases-indicator-query-timeline.png
-:alt: Shows the results of an indicator being investigated in Timeline
-:class: screenshot
-:::
-
-When you add an indicator to Timeline, a new Timeline opens with an auto-generated KQL query. The query contains the indicator field-value pair that you selected plus the field-value pair of the automatically mapped source event. By default, the query’s time range is set to seven days before and after the indicator’s `timestamp`.
-
-
-### Example indicator Timeline investigation [example-indicator-timeline]
-
-The following image shows a file hash indictor being investigated in Timeline. The indicator field-value pair is:
-
-`threat.indicator.file.hash.sha256 : 116dd9071887611c19c24aedde270285a4cf97157b846e6343407cf3bcec115a`
-
-:::{image} ../../../images/serverless--cases-indicator-in-timeline.png
-:alt: Shows the results of an indicator being investigated in Timeline
-:class: screenshot
-:::
-
-The auto-generated query contains the indicator field-value pair (mentioned previously) and the auto-mapped source event field-value pair, which is:
-
-`file.hash.sha256 : 116dd9071887611c19c24aedde270285a4cf97157b846e6343407cf3bcec115a`
-
-The query results show an alert with a matching `file.hash.sha256` field value, which may indicate suspicious or malicious activity in the environment.
-
-
-## Attach indicators to cases [attach-indicator-to-case]
-
-Attaching indicators to cases provides more context and available actions for your investigations. This feature allows you to easily share or escalate threat intelligence to other teams.
-
-To add indicators to cases:
-
-1. From the Indicators table, click the **More actions** (![More actions](../../../images/serverless-boxesHorizontal.svg "")) menu. Alternatively, open an indicator’s details, then select **Take action**.
-2. Select one of the following:
-
-    * **Add to existing case**: From the **Select case** dialog box, select the case to which you want to attach the indicator.
-    * **Add to new case**: Configure the case details. Refer to [Open a new case](../../../solutions/security/investigate/open-manage-cases.md#cases-ui-open) to learn more about opening a new case.
-
-        The indicator is added to the case as a new comment.
-
-
-:::{image} ../../../images/serverless--cases-indicator-added-to-case.png
-:alt: An indicator attached to a case
-:class: screenshot
-:::
-
-
-### Review indicator details in cases [review-indicator-in-case]
-
-When you attach an indicator to a case, the indicator is added as a new comment with the following details:
-
-* **Indicator name**: Click the linked name to open the Indicator details flyout, which contains the following tabs:
-
-    * **Overview**: A summary of the threat indicator, including its name and type, which threat intelligence feed it came from, and additional relevant data.
-
-        ::::{note}
-        Some threat intelligence feeds provide  [Traffic Light Protocol (TLP) markings](https://www.cisa.gov/tlp#:~:text=Introduction,shared%20with%20the%20appropriate%20audience). The `TLP Marking` and `Confidence` fields will be empty if the feed doesn’t provide that data.
-
-        ::::
-
-    * **Table**: The indicator data in table format.
-    * **JSON**: The indicator data in JSON format.
-
-* **Feed name**: The threat feed from which the indicator was ingested.
-* **Indicator type**: The indicator type, for example, `file` or `.exe`.
-
-
-### Remove indicators from cases [delete-indicator-from-case]
-
-To remove an indicator attached to a case, click the **More actions** (![More actions](../../../images/serverless-boxesHorizontal.svg "")) menu → **Delete attachment** in the case comment.
-
-:::{image} ../../../images/serverless--cases-remove-indicator.png
-:alt: Removing an indicator from a case
-:class: screenshot
-:::
-
-
-## Use data from indicators to expand the blocklist [add-indicator-to-blocklist]
-
-Add indicator values to the [blocklist](../../../solutions/security/manage-elastic-defend/blocklist.md) to prevent selected applications from running on your hosts. You can use MD5, SHA-1, or SHA-256 hash values from `file` type indicators.
-
-You can add indicator values to the blocklist from the Indicators table or the Indicator details flyout. From the Indicators table, select the **More actions** (![More actions](../../../images/serverless-boxesHorizontal.svg "")) menu → **Add blocklist entry***.  Alternatively, open an indicator’s details, then select the ***Take action** menu → **Add blocklist entry**.
-
-::::{note}
-Refer to [Blocklist](../../../solutions/security/manage-elastic-defend/blocklist.md) for more information about blocklist entries.
-
-::::
diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml
index 64dc1581ff..f8ddbc4fe7 100644
--- a/raw-migrated-files/toc.yml
+++ b/raw-migrated-files/toc.yml
@@ -446,7 +446,6 @@ toc:
       - file: docs-content/serverless/security-get-started-with-kspm.md
       - file: docs-content/serverless/security-host-isolation-exceptions.md
       - file: docs-content/serverless/security-hosts-overview.md
-      - file: docs-content/serverless/security-indicators-of-compromise.md
       - file: docs-content/serverless/security-ingest-data.md
       - file: docs-content/serverless/security-install-edr.md
       - file: docs-content/serverless/security-install-endpoint-manually.md
diff --git a/solutions/security/get-started/enable-threat-intelligence-integrations.md b/solutions/security/get-started/enable-threat-intelligence-integrations.md
index b33743717b..0d3d227411 100644
--- a/solutions/security/get-started/enable-threat-intelligence-integrations.md
+++ b/solutions/security/get-started/enable-threat-intelligence-integrations.md
@@ -6,7 +6,7 @@ mapped_urls:
 
 # Enable threat intelligence integrations [security-enable-threat-intelligence-integrations]
 
-The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of  [threat indicators](../../../troubleshoot/security/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources.
+The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of  [threat indicators](/solutions/security/investigate/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources.
 
 Threat indicators describe potential threats, unusual behavior, or malicious activity on a network or in an environment. They are commonly used in indicator match rules to detect and match known threats. When an indicator match rule generates an alert, it includes information about the matched threat indicator.
 
@@ -40,7 +40,7 @@ There are a few scenarios when data won’t display in the Threat Intelligence v
     ::::
 
 3. Select an {{agent}} integration, then complete the installation steps.
-4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md#troubleshoot-indicators-page).
+4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md).
 
 
 ## Add a {{filebeat}} Threat Intel module integration [ti-mod-integration]
diff --git a/solutions/security/investigate/indicators-of-compromise.md b/solutions/security/investigate/indicators-of-compromise.md
index af8c1bb447..c5b2401e83 100644
--- a/solutions/security/investigate/indicators-of-compromise.md
+++ b/solutions/security/investigate/indicators-of-compromise.md
@@ -6,19 +6,11 @@ mapped_urls:
 
 # Indicators of compromise
 
-% What needs to be done: Refine
-
-% Scope notes: Pull out the troubleshooting section into its own topic, and leave the rest of the content in its current place 
-
-% Use migrated content from existing pages that map to this page:
-
-% - [x] ./raw-migrated-files/security-docs/security/indicators-of-compromise.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/security-indicators-of-compromise.md
-
 The Indicators page collects data from enabled threat intelligence feeds and provides a centralized view of indicators, also known as indicators of compromise (IoCs). This topic helps you set up the Indicators page and explains how to work with IoCs.
 
 ::::{admonition} Requirements
-* The Indicators page is an [Enterprise subscription](https://www.elastic.co/pricing) feature.
+* In {{stack}} 9.0.0+, the Indicators page is an [Enterprise subscription](https://www.elastic.co/pricing) feature.
+* In serverless, the Indicators page requires the Security Analytics Complete [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md)
 * You must have *one* of the following installed on the hosts you want to monitor:
 
     * **{{agent}}** - Install a [{{fleet}}-managed {{agent}}](https://www.elastic.co/guide/en/fleet/current/install-fleet-managed-elastic-agent.html) and ensure the agent’s status is `Healthy`. Refer to [{{fleet}} Troubleshooting](/troubleshoot/ingest/fleet/common-problems.md) if it isn’t.
@@ -56,26 +48,9 @@ Install a threat intelligence integration to add indicators to the Indicators pa
 4. Return to the Indicators page in {{elastic-sec}}. Refresh the page if indicator data isn’t displaying.
 
 
-### Troubleshooting [troubleshoot-indicators-page]
-
-If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration:
-
-* Verify that the index storing indicator documents is included in the [default {{elastic-sec}} indices](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices) (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you’re collecting indicator data:
-
-    * **{{agent}} integrations** - `logs_ti*`
-    * **{{filebeat}} integrations** - `filebeat-*`
-
-* Ensure the indicator data you’re ingesting is mapped to [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/current).
-
-::::{note}
-These troubleshooting steps also apply to the [Threat Intelligence view](/solutions/security/get-started/enable-threat-intelligence-integrations.md).
-::::
-
-
-
 ## Indicators page UI [intelligence-page-ui]
 
-After you add indicators to the Indicators page, you can [examine](/troubleshoot/security/indicators-of-compromise.md#examine-indicator-details), search, filter, and take action on indicator data. Indicators also appear in the Trend view, which shows the total values in the legend.
+After you add indicators to the Indicators page, you can [examine](#examine-indicator-details), search, filter, and take action on indicator data. Indicators also appear in the Trend view, which shows the total values in the legend.
 
 :::{image} ../../../images/security-interact-with-indicators-table.gif
 :alt: interact with indicators table
diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md
index 05687a204a..98c64498a8 100644
--- a/solutions/security/investigate/open-manage-cases.md
+++ b/solutions/security/investigate/open-manage-cases.md
@@ -115,7 +115,7 @@ To explore a case, click on its name. You can then:
     Comments can contain Markdown. For syntax help, click the Markdown icon (![Click markdown icon](../../../images/security-markdown-icon.png "")) in the bottom right of the comment.
     ::::
 
-* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/troubleshoot/security/indicators-of-compromise.md#review-indicator-in-case) attached to the case
+* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case
 * [Add files](/solutions/security/investigate/open-manage-cases.md#cases-add-files)
 * [Add a Lens visualization](/solutions/security/investigate/open-manage-cases.md#cases-lens-visualization)
 * Modify the case’s description, assignees, category, severity, status, and tags.
diff --git a/troubleshoot/security/indicators-of-compromise.md b/troubleshoot/security/indicators-of-compromise.md
index 4346bedbce..cba74fd93c 100644
--- a/troubleshoot/security/indicators-of-compromise.md
+++ b/troubleshoot/security/indicators-of-compromise.md
@@ -1,26 +1,25 @@
 ---
+navigation_title: "Indicators of compromise"
 mapped_pages:
   - https://www.elastic.co/guide/en/security/current/indicators-of-compromise.html
   - https://www.elastic.co/guide/en/serverless/current/security-indicators-of-compromise.html
 ---
 
-# Indicators of compromise
 
-% What needs to be done: Refine
+# Troubleshoot indicators of compromise [troubleshoot-indicators-page]
 
-% Scope notes: Pull out the troubleshooting section into its own topic, and leave the rest of the content in its current place
+If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration:
 
-% Use migrated content from existing pages that map to this page:
+* Verify that the index storing indicator documents is included in the [default {{elastic-sec}} indices](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices) (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you’re collecting indicator data:
 
-% - [ ] ./raw-migrated-files/security-docs/security/indicators-of-compromise.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/security-indicators-of-compromise.md
+    * **{{agent}} integrations** - `logs_ti*`
+    * **{{filebeat}} integrations** - `filebeat-*`
 
-% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):
-
-$$$review-indicator-in-case$$$
+* Ensure the indicator data you’re ingesting is mapped to [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/current).
 
-$$$ti-indicators$$$
+::::{note}
+These troubleshooting steps also apply to the [Threat Intelligence view](/solutions/security/get-started/enable-threat-intelligence-integrations.md).
+::::
 
-$$$troubleshoot-indicators-page$$$
 
-$$$examine-indicator-details$$$
\ No newline at end of file
+% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):