Skip to content

[Security][Quality] Improve docs for Security detections and alerts#5253

Open
nastasha-solomon wants to merge 33 commits intomainfrom
issue-797
Open

[Security][Quality] Improve docs for Security detections and alerts#5253
nastasha-solomon wants to merge 33 commits intomainfrom
issue-797

Conversation

@nastasha-solomon
Copy link
Contributor

@nastasha-solomon nastasha-solomon commented Feb 21, 2026
edited
Loading

Summary

Restructures the Detections and alerts section. Significant changes include: reduced duplication, improved navigation and cross-linking, more audience-centric guidance, and extensible structures.

The new structure:

Detections and alerts
├── Before you begin
│   ├── Requirements and privileges
│   ├── Detections privileges
│   └── Advanced data source configuration
│       ├── Cross-cluster search detection rules
│       └── Using LogsDB index mode with Elastic Security
│
├── Prebuilt rules
│   ├── Install prebuilt rules
│   ├── Update prebuilt rules
│   ├── Customize prebuilt rules
│   └── MITRE ATT&CK coverage
│
├── Author rules
│   ├── Choose the right rule type
│   │   └── About building block rules
│   ├── Rule types
│   │   ├── EQL
│   │   ├── Custom query
│   │   ├── Threshold
│   │   ├── Indicator match
│   │   ├── New terms
│   │   ├── ES|QL
│   │   └── Machine learning
│   ├── Using the rule builder
│   ├── Using the API
│   ├── Common rule settings
│   ├── Set rule data sources
│   ├── Write investigation guides
│   └── Validate and test rules
│
├── Manage detection rules
│
├── Monitor rule executions
│
├── Fill rule execution gaps
│
├── Reduce noise and false positives
│   ├── Tune detection rules
│   ├── Rule exceptions
│   │   ├── Create and manage value lists
│   │   ├── Add and manage exceptions
│   │   └── Create and manage shared exception lists
│   └── Alert suppression
│
└── Manage detection alerts
    ├── Visualize detection alerts
    ├── View detection alert details
    ├── Add detection alerts to cases
    └── Query alert indices

This PR addresses https://github.com/elastic/docs-content-internal/issues/797, which is the main issue tracking quality improvements to the Security detection docs.

Review requests

For technical reviewers

Please verify accuracy in the following areas:

Rule type pages (new)

Please review the following pages for accuracy and completeness. Most of the content is a direct port. The net-new content is fairly limited.

(Fixes https://github.com/elastic/docs-content-internal/issues/239 by creating individual configuration guides for each rule type.)

Reference and decision guides (new or heavily rewritten to improve clarity and findability)

Page What to verify
Detections and alerts The sections about where to start and the detection program lifecycle for accuracy and fixes added for #1210
Detection rule concepts Mental model for rules, key component explanations, and glossary
Common rule settings All shared field descriptions for completeness and accuracy
Choose the right rule type Comparison table accuracy
Reduce noise and false positives Decision table, key distinctions table, scenario walkthrough
Using the API API endpoint paths and links for Stack and Serverless

Other rewritten pages

Page What to verify
Write investigation guides Markdown syntax table, Osquery steps, best practices
Set rule data sources Per-rule index pattern behavior, cold/frozen tier filter accuracy
Validate and test rules DaC workflow accuracy
Suppress detection alerts Info added to fix #1545 and https://github.com/elastic/security-docs-internal/issues/22
Prebuilt rules Info added to fix elastic/security-docs#3035, elastic/kibana#109016, #3994
Create and manage value lists Info added to fix elastic/security-docs#3754 and elastic/security-docs#4929

For editorial reviewers

Please check the following items for logical flow and navigation between pages and glaring style/formatting errors.

Hub pages
Please spot-check navigation and descriptions for the following:

Restructured pages

Prebuilt rules pages
Content from Use Elastic prebuilt rules and Update modified and unmodified Elastic prebuilt rules was moved around into three buckets: install, update, and customize prebuilt rule. To help convey capabilities provided at certain subscription levels, added comparison tables and specified when certain flows were gated behind subscriptions.

Generative AI disclosure

  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?
  • Yes
  • No

Cursor, Claude

@nastasha-solomon nastasha-solomon self-assigned this Feb 21, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Feb 21, 2026
edited
Loading

Vale Linting Results

Summary: 11 warnings, 38 suggestions found

⚠️ Warnings (11)
File Line Rule Message
solutions/security/detect-and-alert/common-rule-settings.md 119 Elastic.Spelling 'subtechniques' is a possible misspelling.
solutions/security/detect-and-alert/esql.md 23 Elastic.DontUse Don't use '...'.
solutions/security/detect-and-alert/esql.md 111 Elastic.DontUse Don't use '...'.
solutions/security/detect-and-alert/indicator-match.md 16 Elastic.Spelling 'operationalizing' is a possible misspelling.
solutions/security/detect-and-alert/indicator-match.md 24 Elastic.Spelling 'data's' is a possible misspelling.
solutions/security/detect-and-alert/manage-detection-rules.md 166 Elastic.DontUse Don't use 'just'.
solutions/security/detect-and-alert/new-terms.md 34 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
solutions/security/detect-and-alert/reduce-noise-and-false-positives.md 102 Elastic.Spelling 'deduplicates' is a possible misspelling.
solutions/security/detect-and-alert/tune-detection-rules.md 17 Elastic.DontUse Don't use 'just'.
solutions/security/detect-and-alert/validate-and-test-rules.md 24 Elastic.Spelling 'auditability' is a possible misspelling.
troubleshoot/security/detection-rules.md 192 Elastic.DontUse Don't use 'note that'.
💡 Suggestions (38)
File Line Rule Message
solutions/security/detect-and-alert/before-you-begin.md 25 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
solutions/security/detect-and-alert/choose-the-right-rule-type.md 23 Elastic.Ellipses In general, don't use an ellipsis.
solutions/security/detect-and-alert/common-rule-settings.md 94 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
solutions/security/detect-and-alert/common-rule-settings.md 204 Elastic.WordChoice Consider using 'run, start' instead of 'execute', unless the term is in the UI.
solutions/security/detect-and-alert/common-rule-settings.md 283 Elastic.WordChoice Consider using 'refer to (if it's a document), view (if it's a UI element)' instead of 'see', unless the term is in the UI.
solutions/security/detect-and-alert/common-rule-settings.md 293 Elastic.Wordiness Consider using 'because' instead of 'since'.
solutions/security/detect-and-alert/custom-query.md 22 Elastic.WordChoice Consider using 'efficient, basic' instead of 'simple', unless the term is in the UI.
solutions/security/detect-and-alert/customize-prebuilt-rules.md 15 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
solutions/security/detect-and-alert/customize-prebuilt-rules.md 56 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
solutions/security/detect-and-alert/detection-rule-concepts.md 23 Elastic.WordChoice Consider using 'run, start' instead of 'execute', unless the term is in the UI.
solutions/security/detect-and-alert/detection-rule-concepts.md 32 Elastic.WordChoice Consider using 'run, start' instead of 'execute', unless the term is in the UI.
solutions/security/detect-and-alert/detection-rule-concepts.md 65 Elastic.Wordiness Consider using 'tell' instead of 'inform'.
solutions/security/detect-and-alert/detection-rule-concepts.md 84 Elastic.WordChoice Consider using 'run, start' instead of 'Execute', unless the term is in the UI.
solutions/security/detect-and-alert/detection-rule-concepts.md 86 Elastic.WordChoice Consider using 'run, start' instead of 'Execute', unless the term is in the UI.
solutions/security/detect-and-alert/detection-rule-concepts.md 103 Elastic.WordChoice Consider using 'run, start' instead of 'execute', unless the term is in the UI.
solutions/security/detect-and-alert/detection-rule-concepts.md 127 Elastic.WordChoice Consider using 'run, start' instead of 'execute', unless the term is in the UI.
solutions/security/detect-and-alert/esql.md 23 Elastic.Ellipses In general, don't use an ellipsis.
solutions/security/detect-and-alert/esql.md 111 Elastic.Ellipses In general, don't use an ellipsis.
solutions/security/detect-and-alert/fill-rule-gaps.md 15 Elastic.WordChoice Consider using 'efficiently' instead of 'simply', unless the term is in the UI.
solutions/security/detect-and-alert/indicator-match.md 20 Elastic.Semicolons Use semicolons judiciously.
solutions/security/detect-and-alert/indicator-match.md 20 Elastic.Wordiness Consider using 'all' instead of 'all of '.
solutions/security/detect-and-alert/indicator-match.md 20 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
solutions/security/detect-and-alert/indicator-match.md 22 Elastic.Wordiness Consider using 'also' instead of 'In addition'.
solutions/security/detect-and-alert/manage-detection-rules.md 27 Elastic.WordChoice Consider using 'deactivate, deselect, hide, turn off' instead of 'disable', unless the term is in the UI.
solutions/security/detect-and-alert/manage-detection-rules.md 96 Elastic.WordChoice Consider using 'deactivate, deselect, hide, turn off' instead of 'disable', unless the term is in the UI.
solutions/security/detect-and-alert/manage-detection-rules.md 166 Elastic.Semicolons Use semicolons judiciously.
solutions/security/detect-and-alert/mitre-attack-coverage.md 79 Elastic.WordChoice Consider using 'deactivated, deselected, hidden, turned off, unavailable' instead of 'disabled', unless the term is in the UI.
solutions/security/detect-and-alert/monitor-rule-executions.md 21 Elastic.WordChoice Consider using 'refer to (if it's a document), view (if it's a UI element)' instead of 'see', unless the term is in the UI.
solutions/security/detect-and-alert/prebuilt-rules.md 31 Elastic.Semicolons Use semicolons judiciously.
solutions/security/detect-and-alert/prebuilt-rules.md 77 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
solutions/security/detect-and-alert/prebuilt-rules.md 77 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
solutions/security/detect-and-alert/reduce-noise-and-false-positives.md 47 Elastic.FirstPerson Use caution when using first-person pronouns such as 'my.'
solutions/security/detect-and-alert/reduce-noise-and-false-positives.md 90 Elastic.Wordiness Consider using 'all' instead of 'all of '.
solutions/security/detect-and-alert/reduce-noise-and-false-positives.md 102 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
solutions/security/detect-and-alert/reduce-noise-and-false-positives.md 102 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
solutions/security/detect-and-alert/rule-types.md 16 Elastic.Ellipses In general, don't use an ellipsis.
solutions/security/detect-and-alert/set-rule-data-sources.md 40 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
solutions/security/detect-and-alert/set-rule-data-sources.md 62 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@github-actions
Copy link
Contributor

github-actions bot commented Feb 21, 2026
edited
Loading

🔍 Preview links for changed docs

More links …

@nastasha-solomon nastasha-solomon mentioned this pull request Feb 26, 2026
Open
@nastasha-solomon nastasha-solomon mentioned this pull request Feb 28, 2026
Open
@nastasha-solomon
Merge main into issue-797
4778ca5 
Resolved conflicts:
- redirects.yml: kept both sets of redirects (detect-and-alert restructure + cases/alerting restructure)
- detect-and-alert.md: kept our detection lifecycle intro text
- manage-detection-rules.md: kept our updated links to common-rule-settings.md
- elastic-security-requirements.md: combined our detections link with main's cases link

Deleted files (renamed/merged in our branch):
- create-detection-rule.md (renamed to using-the-rule-builder.md)
- reduce-notifications-alerts.md (merged into manage-detection-rules.md)
- cases-requirements.md (deleted in main, replaced with control-case-access.md)

Made-with: Cursor
@nastasha-solomon nastasha-solomon mentioned this pull request Feb 28, 2026
Open
This was referenced Feb 28, 2026
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@approksiu approksiu Awaiting requested review from approksiu

@banderror banderror Awaiting requested review from banderror

@yctercero yctercero Awaiting requested review from yctercero

At least 1 approving review is required to merge this pull request.

Assignees

@nastasha-solomon nastasha-solomon

Labels

None yet

Projects

None yet

Milestone

No milestone

1 participant

@nastasha-solomon