[Security][Quality] Improve docs for Security detections and alerts#5253
Open
nastasha-solomon wants to merge 117 commits intomainfrom
Open
[Security][Quality] Improve docs for Security detections and alerts#5253nastasha-solomon wants to merge 117 commits intomainfrom
nastasha-solomon wants to merge 117 commits intomainfrom
Conversation
Contributor
Vale Linting ResultsSummary: 10 warnings, 60 suggestions found
|
| File | Line | Rule | Message |
|---|---|---|---|
| solutions/security/detect-and-alert/common-rule-settings.md | 117 | Elastic.Spelling | 'subtechniques' is a possible misspelling. |
| solutions/security/detect-and-alert/esql.md | 21 | Elastic.DontUse | Don't use '...'. |
| solutions/security/detect-and-alert/esql.md | 163 | Elastic.DontUse | Don't use '...'. |
| solutions/security/detect-and-alert/indicator-match.md | 16 | Elastic.Spelling | 'operationalizing' is a possible misspelling. |
| solutions/security/detect-and-alert/install-prebuilt-rules.md | 122 | Elastic.Spelling | 'auditability' is a possible misspelling. |
| solutions/security/detect-and-alert/prebuilt-rules-airgapped.md | 21 | Elastic.Spelling | 'prebundled' is a possible misspelling. |
| solutions/security/detect-and-alert/query-alert-indices.md | 63 | Elastic.Spelling | 'triaged' is a possible misspelling. |
| solutions/security/detect-and-alert/validate-and-test-rules.md | 24 | Elastic.Spelling | 'auditability' is a possible misspelling. |
| solutions/security/detect-and-alert/view-detection-alert-details.md | 40 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'. |
| troubleshoot/security/detection-rules.md | 192 | Elastic.DontUse | Don't use 'note that'. |
💡 Suggestions (60)
| File | Line | Rule | Message |
|---|---|---|---|
| explore-analyze/alerting/alerts/rule-types.md | 16 | Elastic.WordChoice | Consider using 'refer to (if it's a document), view (if it's a UI element)' instead of 'see', unless the term is in the UI. |
| reference/glossary/index.md | 259 | Elastic.WordChoice | Consider using 'refer to (if it's a document), view (if it's a UI element)' instead of 'See', unless the term is in the UI. |
| reference/glossary/index.md | 425 | Elastic.Wordiness | Consider using 'to' instead of 'in order to'. |
| solutions/security/detect-and-alert/about-building-block-rules.md | 20 | Elastic.WordChoice | Consider using 'run, start' instead of 'execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/common-rule-settings.md | 202 | Elastic.WordChoice | Consider using 'run, start' instead of 'execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/common-rule-settings.md | 281 | Elastic.WordChoice | Consider using 'refer to (if it's a document), view (if it's a UI element)' instead of 'see', unless the term is in the UI. |
| solutions/security/detect-and-alert/common-rule-settings.md | 291 | Elastic.Wordiness | Consider using 'because' instead of 'since'. |
| solutions/security/detect-and-alert/custom-query.md | 20 | Elastic.WordChoice | Consider using 'efficient, basic' instead of 'simple', unless the term is in the UI. |
| solutions/security/detect-and-alert/custom-query.md | 90 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 32 | Elastic.WordChoice | Consider using 'run, start' instead of 'execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 65 | Elastic.Wordiness | Consider using 'tell' instead of 'inform'. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 85 | Elastic.WordChoice | Consider using 'run, start' instead of 'Execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 87 | Elastic.WordChoice | Consider using 'run, start' instead of 'Execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 111 | Elastic.WordChoice | Consider using 'run, start' instead of 'execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 135 | Elastic.WordChoice | Consider using 'run, start' instead of 'execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/esql.md | 21 | Elastic.Ellipses | In general, don't use an ellipsis. |
| solutions/security/detect-and-alert/esql.md | 163 | Elastic.Ellipses | In general, don't use an ellipsis. |
| solutions/security/detect-and-alert/fill-rule-gaps.md | 15 | Elastic.WordChoice | Consider using 'efficiently' instead of 'simply', unless the term is in the UI. |
| solutions/security/detect-and-alert/indicator-match.md | 20 | Elastic.Semicolons | Use semicolons judiciously. |
| solutions/security/detect-and-alert/indicator-match.md | 20 | Elastic.Wordiness | Consider using 'all' instead of 'all of '. |
| solutions/security/detect-and-alert/indicator-match.md | 20 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/indicator-match.md | 133 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/install-prebuilt-rules.md | 105 | Elastic.WordChoice | Consider using 'deactivate, deselect, hide, turn off' instead of 'Disable', unless the term is in the UI. |
| solutions/security/detect-and-alert/install-prebuilt-rules.md | 105 | Elastic.WordChoice | Consider using 'deactivated, deselected, hidden, turned off, unavailable' instead of 'disabled', unless the term is in the UI. |
| solutions/security/detect-and-alert/manage-detection-alerts.md | 154 | Elastic.WordChoice | Consider using 'run, start' instead of 'Execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/manage-detection-rules.md | 82 | Elastic.WordChoice | Consider using 'deactivate, deselect, hide, turn off' instead of 'disable', unless the term is in the UI. |
| solutions/security/detect-and-alert/manage-detection-rules.md | 84 | Elastic.WordChoice | Consider using 'deactivate, deselect, hide, turn off' instead of 'Disable', unless the term is in the UI. |
| solutions/security/detect-and-alert/manage-detection-rules.md | 94 | Elastic.WordChoice | Consider using 'deactivate, deselect, hide, turn off' instead of 'disable', unless the term is in the UI. |
| solutions/security/detect-and-alert/manage-detection-rules.md | 185 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/mitre-attack-coverage.md | 79 | Elastic.WordChoice | Consider using 'deactivated, deselected, hidden, turned off, unavailable' instead of 'disabled', unless the term is in the UI. |
| solutions/security/detect-and-alert/new-terms.md | 81 | Elastic.HeadingColons | Capitalize ': f'. |
| solutions/security/detect-and-alert/new-terms.md | 109 | Elastic.HeadingColons | Capitalize ': n'. |
| solutions/security/detect-and-alert/new-terms.md | 133 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/prebuilt-rule-components.md | 20 | Elastic.Semicolons | Use semicolons judiciously. |
| solutions/security/detect-and-alert/prebuilt-rule-components.md | 41 | Elastic.WordChoice | Consider using 'deactivated, deselected, hidden, turned off, unavailable' instead of 'disabled', unless the term is in the UI. |
| solutions/security/detect-and-alert/prebuilt-rule-components.md | 60 | Elastic.Semicolons | Use semicolons judiciously. |
| solutions/security/detect-and-alert/prebuilt-rule-components.md | 60 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/prebuilt-rule-components.md | 78 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/prebuilt-rule-components.md | 78 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/prebuilt-rules-airgapped.md | 231 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/query-alert-indices.md | 43 | Elastic.Wordiness | Consider using 'all' instead of 'all of '. |
| solutions/security/detect-and-alert/reduce-noise-and-false-positives.md | 47 | Elastic.FirstPerson | Use caution when using first-person pronouns such as 'my.' |
| solutions/security/detect-and-alert/reduce-noise-and-false-positives.md | 92 | Elastic.Wordiness | Consider using 'all' instead of 'all of '. |
| solutions/security/detect-and-alert/reduce-noise-and-false-positives.md | 104 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/reduce-noise-and-false-positives.md | 104 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/set-rule-data-sources.md | 40 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/set-rule-data-sources.md | 62 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/using-the-rule-ui.md | 69 | Elastic.WordChoice | Consider using 'deactivate, deselect, hide, turn off' instead of 'disable', unless the term is in the UI. |
| solutions/security/detect-and-alert/view-detection-alert-details.md | 19 | Elastic.Wordiness | Consider using 'act' instead of 'Take action'. |
| solutions/security/detect-and-alert/view-detection-alert-details.md | 200 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/view-detection-alert-details.md | 229 | Elastic.WordChoice | Consider using 'refer to (if it's a document), view (if it's a UI element)' instead of 'See', unless the term is in the UI. |
| solutions/security/detect-and-alert/view-detection-alert-details.md | 230 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/view-detection-alert-details.md | 232 | Elastic.Versions | Use 'or later' instead of 'or higher' when referring to versions. |
| solutions/security/detect-and-alert/view-detection-alert-details.md | 232 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/view-detection-alert-details.md | 233 | Elastic.Versions | Use 'or later' instead of 'or higher' when referring to versions. |
| solutions/security/detect-and-alert/visualize-detection-alerts.md | 117 | Elastic.Semicolons | Use semicolons judiciously. |
| solutions/security/detect-and-alert/visualize-detection-alerts.md | 152 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/get-started/automatic-migration.md | 138 | Elastic.Repetition | "the" is repeated. |
| solutions/security/get-started/configure-advanced-settings.md | 93 | Elastic.Semicolons | Use semicolons judiciously. |
| troubleshoot/security/detection-rules.md | 206 | Elastic.Wordiness | Consider using 'also' instead of 'In addition'. |
The Vale linter checks documentation changes against the Elastic Docs style guide.
To use Vale locally or report issues, refer to Elastic style guide for Vale.
Contributor
alaudazzi
reviewed
Mar 10, 2026
Contributor
natasha-moore-elastic
left a comment
natasha-moore-elastic
left a comment
There was a problem hiding this comment.
Comments on the Reduce noise and false positives section.
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
Resolved modify/delete conflict for create-detection-rule.md by keeping the deletion (content was restructured into using-the-rule-builder.md and rule type-specific pages). Made-with: Cursor
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
georgewallace
approved these changes
Mar 10, 2026
Contributor
georgewallace
left a comment
georgewallace
left a comment
There was a problem hiding this comment.
Reviewing just our purview (Manage data) No issues on the manage-data content. Just link changes.
approksiu
requested changes
Mar 12, 2026
Contributor
approksiu
left a comment
approksiu
left a comment
There was a problem hiding this comment.
Reviewed till "author rules", will submit the second part in a bit
| | Your goal | Start here | | ||
| |---|---| | ||
| | Set up detection for the first time | [Setup](/solutions/security/detect-and-alert/before-you-begin.md#one-time-setup) → [Install prebuilt rules](/solutions/security/detect-and-alert/install-prebuilt-rules.md) | | ||
| | Take over an existing deployment | [MITRE ATT&CK coverage](/solutions/security/detect-and-alert/mitre-attack-coverage.md) → [Monitor rule executions](/solutions/security/detect-and-alert/monitor-rule-executions.md) | |
Contributor
There was a problem hiding this comment.
What does it mean "take over an existing deployment"? Maybe "manage existing deployment" - as it applies to users who have a deployment as a continuous task of coverage and rules monitoring.
| To use {{kib}} Alerting for detection alert notifications in the {{stack}}, you need the [appropriate license](https://www.elastic.co/subscriptions). | ||
| :::: | ||
| 1. **Confirm requirements.** Verify infrastructure, privileges, and data availability. | ||
| 2. **Assess coverage gaps.** Use MITRE ATT&CK coverage to identify priority areas. |
Contributor
There was a problem hiding this comment.
Use MITRE ATT&CK coverage to identify priority areas. -> "Perform threat modelling and use MITRE ATT&CK coverage to identify priority areas."
Note: There might be requirements how the MITRE ATT&CK should be referenced https://attack.mitre.org/resources/legal-and-branding/ - do we follow their guideline?
| The {{elastic-sec}} Labs team uses the [detection-rules](https://github.com/elastic/detection-rules) repo to develop, test, and release {{elastic-sec}}'s[ prebuilt rules](https://github.com/elastic/detection-rules/tree/main/rules). The repo provides DaC features and allows you to customize settings to simplify the setup for managing user rules with the DaC pipeline. | ||
|
|
||
| To get started, refer to the [DaC documentation](https://github.com/elastic/detection-rules/blob/main/README.md#detections-as-code-dac). | ||
| A minimal viable detection program (prebuilt rules enabled for your highest-priority tactics, running correctly, with noise managed to an actionable level) is a meaningful outcome at any stage of this workflow. You do not need to complete every stage before your detection program delivers value. |
Contributor
There was a problem hiding this comment.
-> your highest priority tactics and techniques
|
|
||
| | Part | Purpose | | ||
| |------|---------| | ||
| | Query | Specifies the threat behavior or pattern to detect. The query searches your [data sources](#data-sources-concept) using syntax that varies by [rule type](/solutions/security/detect-and-alert/choose-the-right-rule-type.md) (KQL, EQL, {{ml}} anomaly scores, or threat indicator matches). | |
Contributor
There was a problem hiding this comment.
ESQL is missing from the list
| |------|---------| | ||
| | Query | Specifies the threat behavior or pattern to detect. The query searches your [data sources](#data-sources-concept) using syntax that varies by [rule type](/solutions/security/detect-and-alert/choose-the-right-rule-type.md) (KQL, EQL, {{ml}} anomaly scores, or threat indicator matches). | | ||
| | Schedule | Controls how often the rule runs and how far back it searches. The interval you set determines both. For example, a rule with a 5-minute interval runs every 5 minutes and searches the last 5 minutes of data each time. An optional look-back setting extends the search window to help catch late-arriving events. | | ||
| | Rule actions | Specifies what happens when the rule detects a match. You can [send notifications](#notifications-concept), create tickets, or trigger integrations with external systems. | |
Contributor
There was a problem hiding this comment.
-> or trigger actions on external systems
| When updated versions are available for your installed prebuilt rules, the **Rule Updates** tab appears on the **Rules** page. | ||
|
|
||
| :::{admonition} Automatic updates | ||
| On {{stack}}, automatic updates are supported for the current {{elastic-sec}} version and the latest three previous minor releases. For example, if you're on version 9.0, you can use the Rules UI to update prebuilt rules until version 9.4 is released. After that, you can still manually download and install updates, but must upgrade {{elastic-sec}} to receive automatic updates again. |
Contributor
There was a problem hiding this comment.
We are supporting 8.19 for a while, and latest 3 versions, so it is current + latest 2. See https://support.elastic.dev/knowledge/view/685735b8
| :::: | ||
|
|
||
| ::::{dropdown} Basic–Platinum / Security Analytics Essentials | ||
| :name: basic-modified-rules |
Contributor
There was a problem hiding this comment.
In this case user can no longer modify rules, do we mean here the rules modifications done on Enterprise and then subscription is downgraded? Kind of an edge case. Maybe clarify more this situation.
| To update your prebuilt rules, first update your self-hosted {{package-registry}} with a newer distribution image, then install the rule updates in {{elastic-sec}}. | ||
|
|
||
| ::::{important} | ||
| Elastic releases prebuilt rule updates continuously. To receive the latest updates in an air-gapped environment, we recommend updating your self-hosted {{package-registry}} at least monthly. Prebuilt rule updates are version-specific. Updating your {{package-registry}} provides rule updates designed for your current {{stack}} version, not rules designed for newer versions. To receive rules designed for a newer version, you must upgrade your entire {{stack}}. |
Contributor
There was a problem hiding this comment.
we do biweekly rule updates.
| | Edit prebuilt rules directly | — | ✓ | | ||
| | Revert to Elastic version | — | ✓ | | ||
|
|
||
| :::{note} |
Contributor
There was a problem hiding this comment.
For rules customisation it is true, but for other features there are more discrepancies. Maybe call out directly serverless subscriptions, so users are not mislead by this statement?
| ### Considerations for editing prebuilt rules | ||
|
|
||
| * **Updates might cause conflicts**: When Elastic releases an update that changes the same fields you modified, you need to resolve the conflict. Refer to [Resolve update conflicts](/solutions/security/detect-and-alert/update-prebuilt-rules.md#resolve-reduce-rule-conflicts). | ||
| * **Revert if needed**: You can restore the original Elastic version at any time. Refer to [Revert to Elastic version](#revert-prebuilt-rules). |
Contributor
There was a problem hiding this comment.
If the original version is present. Is we are missing it, the option to revert will be hidden. Updating on time prevents this from happening.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Restructures the Detections and alerts section. Significant changes include: reduced duplication, improved navigation and cross-linking, more audience-centric guidance, and extensible structures.
The new structure:
This PR addresses https://github.com/elastic/docs-content-internal/issues/797, which is the main issue tracking quality improvements to the Security detection docs. It also addresses some gaps and doc bugs that have been sitting in the backlog for 3453485384953794348 years.
Review requests
For technical reviewers
Please verify accuracy in the following areas:
Rule type pages (new)
Please review the following pages for accuracy and completeness. Most of the content is a direct port. The net-new content is fairly limited.
(Fixes https://github.com/elastic/docs-content-internal/issues/239 by creating individual configuration guides for each rule type.)
Reference and decision guides (new or heavily rewritten to improve clarity and findability)
Other rewritten pages
For editorial reviewers
Please check the following items for logical flow and navigation between pages and glaring style/formatting errors.
Hub pages
Please spot-check navigation and descriptions for the following:
Restructured pages
Prebuilt rules pages
Content from Use Elastic prebuilt rules and Update modified and unmodified Elastic prebuilt rules was moved around into three buckets: install, update, and customize prebuilt rule. To help convey capabilities provided at certain subscription levels, added comparison tables and specified when certain flows were gated behind subscriptions.
Generative AI disclosure
Cursor, Claude