elastic · natasha-moore-elastic · Feb 17, 2025 · Feb 17, 2025 · Feb 17, 2025 · Feb 17, 2025
@@ -58,7 +58,7 @@ To explore a case, click on its name. You can then:
 
     ::::
 
-* Examine [alerts](../../../solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](../../../troubleshoot/security/indicators-of-compromise.md#review-indicator-in-case) attached to the case
+* Examine [alerts](../../../solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case
 * [Add files](../../../solutions/security/investigate/open-manage-cases.md#cases-add-files)
 * [Add a Lens visualization](../../../solutions/security/investigate/open-manage-cases.md#cases-lens-visualization)
 * Modify the case’s description, assignees, category, severity, status, and tags.

@@ -446,7 +446,6 @@ toc:
       - file: docs-content/serverless/security-get-started-with-kspm.md
       - file: docs-content/serverless/security-host-isolation-exceptions.md
       - file: docs-content/serverless/security-hosts-overview.md
-      - file: docs-content/serverless/security-indicators-of-compromise.md
       - file: docs-content/serverless/security-ingest-data.md
       - file: docs-content/serverless/security-install-edr.md
       - file: docs-content/serverless/security-install-endpoint-manually.md

@@ -6,7 +6,7 @@ mapped_urls:
 
 # Enable threat intelligence integrations [security-enable-threat-intelligence-integrations]
 
-The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of  [threat indicators](../../../troubleshoot/security/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources.
+The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of  [threat indicators](/solutions/security/investigate/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources.
 
 Threat indicators describe potential threats, unusual behavior, or malicious activity on a network or in an environment. They are commonly used in indicator match rules to detect and match known threats. When an indicator match rule generates an alert, it includes information about the matched threat indicator.
 
@@ -40,7 +40,7 @@ There are a few scenarios when data won’t display in the Threat Intelligence v
     ::::
 
 3. Select an {{agent}} integration, then complete the installation steps.
-4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md#troubleshoot-indicators-page).
+4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md).
 
 
 ## Add a {{filebeat}} Threat Intel module integration [ti-mod-integration]

@@ -6,19 +6,11 @@ mapped_urls:
 
 # Indicators of compromise
 
-% What needs to be done: Refine
-
-% Scope notes: Pull out the troubleshooting section into its own topic, and leave the rest of the content in its current place 
-
-% Use migrated content from existing pages that map to this page:
-
-% - [x] ./raw-migrated-files/security-docs/security/indicators-of-compromise.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/security-indicators-of-compromise.md
-
 The Indicators page collects data from enabled threat intelligence feeds and provides a centralized view of indicators, also known as indicators of compromise (IoCs). This topic helps you set up the Indicators page and explains how to work with IoCs.
 
 ::::{admonition} Requirements
-* The Indicators page is an [Enterprise subscription](https://www.elastic.co/pricing) feature.
+* In {{stack}} 9.0.0+, the Indicators page is an [Enterprise subscription](https://www.elastic.co/pricing) feature.
+* In serverless, the Indicators page requires the Security Analytics Complete [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md)
 * You must have *one* of the following installed on the hosts you want to monitor:
 
     * **{{agent}}** - Install a [{{fleet}}-managed {{agent}}](https://www.elastic.co/guide/en/fleet/current/install-fleet-managed-elastic-agent.html) and ensure the agent’s status is `Healthy`. Refer to [{{fleet}} Troubleshooting](/troubleshoot/ingest/fleet/common-problems.md) if it isn’t.
@@ -56,26 +48,9 @@ Install a threat intelligence integration to add indicators to the Indicators pa
 4. Return to the Indicators page in {{elastic-sec}}. Refresh the page if indicator data isn’t displaying.
 
 
-### Troubleshooting [troubleshoot-indicators-page]
-
-If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration:
-
-* Verify that the index storing indicator documents is included in the [default {{elastic-sec}} indices](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices) (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you’re collecting indicator data:
-
-    * **{{agent}} integrations** - `logs_ti*`
-    * **{{filebeat}} integrations** - `filebeat-*`
-
-* Ensure the indicator data you’re ingesting is mapped to [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/current).
-
-::::{note}
-These troubleshooting steps also apply to the [Threat Intelligence view](/solutions/security/get-started/enable-threat-intelligence-integrations.md).
-::::
-
-
-
 ## Indicators page UI [intelligence-page-ui]
 
-After you add indicators to the Indicators page, you can [examine](/troubleshoot/security/indicators-of-compromise.md#examine-indicator-details), search, filter, and take action on indicator data. Indicators also appear in the Trend view, which shows the total values in the legend.
+After you add indicators to the Indicators page, you can [examine](#examine-indicator-details), search, filter, and take action on indicator data. Indicators also appear in the Trend view, which shows the total values in the legend.
 
 :::{image} ../../../images/security-interact-with-indicators-table.gif
 :alt: interact with indicators table

@@ -115,7 +115,7 @@ To explore a case, click on its name. You can then:
     Comments can contain Markdown. For syntax help, click the Markdown icon (![Click markdown icon](../../../images/security-markdown-icon.png "")) in the bottom right of the comment.
     ::::
 
-* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/troubleshoot/security/indicators-of-compromise.md#review-indicator-in-case) attached to the case
+* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case
 * [Add files](/solutions/security/investigate/open-manage-cases.md#cases-add-files)
 * [Add a Lens visualization](/solutions/security/investigate/open-manage-cases.md#cases-lens-visualization)
 * Modify the case’s description, assignees, category, severity, status, and tags.

@@ -1,26 +1,25 @@
 ---
+navigation_title: "Indicators of compromise"
 mapped_pages:
   - https://www.elastic.co/guide/en/security/current/indicators-of-compromise.html
   - https://www.elastic.co/guide/en/serverless/current/security-indicators-of-compromise.html
 ---
 
-# Indicators of compromise
 
-% What needs to be done: Refine
+# Troubleshoot indicators of compromise [troubleshoot-indicators-page]
 
-% Scope notes: Pull out the troubleshooting section into its own topic, and leave the rest of the content in its current place
+If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration:
 
-% Use migrated content from existing pages that map to this page:
+* Verify that the index storing indicator documents is included in the [default {{elastic-sec}} indices](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices) (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you’re collecting indicator data:
 
-% - [ ] ./raw-migrated-files/security-docs/security/indicators-of-compromise.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/security-indicators-of-compromise.md
+    * **{{agent}} integrations** - `logs_ti*`
+    * **{{filebeat}} integrations** - `filebeat-*`
 
-% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):
-
-$$$review-indicator-in-case$$$
+* Ensure the indicator data you’re ingesting is mapped to [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/current).
 
-$$$ti-indicators$$$
+::::{note}
+These troubleshooting steps also apply to the [Threat Intelligence view](/solutions/security/get-started/enable-threat-intelligence-integrations.md).
+::::
 
-$$$troubleshoot-indicators-page$$$
 
-$$$examine-indicator-details$$$
+% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):