Merged
This file was deleted.

1 change: 0 additions & 1 deletion raw-migrated-files/toc.yml
Expand Up @@ -91,7 +91,6 @@ toc:
- file: docs-content/serverless/project-setting-data.md
- file: docs-content/serverless/project-settings-alerts.md
- file: docs-content/serverless/project-settings-content.md
- file: docs-content/serverless/security-detection-engine-overview.md
- file: docs-content/serverless/what-is-observability-serverless.md
- file: elasticsearch-hadoop/elasticsearch-hadoop/index.md
children:
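Review bot: removing the `docs-content/serverless/security-detection-engine-overview.md` entry from `toc.yml` is consistent with the deleted file, but the PR should confirm no other page still links to that path; the migration checklist in `detect-and-alert.md` that pointed at it is dropped in this same PR, so a repo-wide search for the old path before merge would catch any remaining references.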
Expand Up @@ -58,7 +58,7 @@ To configure an integration policy:

## Malware protection [malware-protection]

{{elastic-defend}} malware prevention detects and stops malicious attacks by using a [machine learning model](/solutions/security/detect-and-alert.md#machine-learning-model) that looks for static attributes to determine if a file is malicious or benign.
{{elastic-defend}} malware prevention detects and stops malicious attacks by using a machine learning model that looks for static attributes to determine if a file is malicious or benign.

By default, malware protection is enabled on Windows, macOS, and Linux hosts. To disable malware protection, turn off the **Malware protections** toggle.
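Review bot: dropping the `#machine-learning-model` link here is required because the `$$$machine-learning-model$$$` anchor is removed from `detect-and-alert.md` in this PR, but the malware protection section now has no pointer to where the model is described; if that content exists elsewhere, link it there, otherwise state in the PR description that the cross-reference is intentionally removed.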

31 changes: 10 additions & 21 deletions solutions/security/detect-and-alert.md
Expand Up @@ -8,22 +8,7 @@ applies_to:
security: all
---

# Detections and alerts

% What needs to be done: Align serverless/stateful

% Use migrated content from existing pages that map to this page:

% - [x] ./raw-migrated-files/security-docs/security/detection-engine-overview.md
% - [ ] ./raw-migrated-files/docs-content/serverless/security-detection-engine-overview.md

% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):

$$$support-indicator-rules$$$

$$$detections-permissions$$$

$$$machine-learning-model$$$
# Detections and alerts [security-detection-engine-overview]

Use the detection engine to create and manage rules and view the alerts these rules create. Rules periodically search indices (such as `logs-*` and `filebeat-*`) for suspicious source events and create alerts when a rule’s conditions are met. When an alert is created, its status is `Open`. To help track investigations, an alert’s [status](/solutions/security/detect-and-alert/manage-detection-alerts.md#detection-alert-status) can be set as `Open`, `Acknowledged`, or `Closed`.
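Review bot: the deleted comment at the top of this hunk says internal links rely on `support-indicator-rules`, `detections-permissions` and `machine-learning-model` being present on this page, yet only the `machine-learning-model` inbound link is updated elsewhere in this PR; before removing `$$$support-indicator-rules$$$` and `$$$detections-permissions$$$`, check that no page still links to `detect-and-alert.md#support-indicator-rules` or `#detections-permissions`, or keep those anchors (or add a redirect) so the links keep resolving. Adding `[security-detection-engine-overview]` to the heading is fine and gives the page the ID matching the deleted serverless overview file.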

Expand All @@ -32,7 +17,7 @@ Use the detection engine to create and manage rules and view the alerts these ru
:screenshot:
:::

In addition to creating [your own rules](/solutions/security/detect-and-alert/create-detection-rule.md), enable [Elastic prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules) to immediately start detecting suspicious activity. For detailed information on all the prebuilt rules, see the [*Prebuilt rule reference*](security-docs://reference/prebuilt-rules/index.md) section. Once the prebuilt rules are loaded and running, [*Tune detection rules*](/solutions/security/detect-and-alert/tune-detection-rules.md) and [Add and manage exceptions](/solutions/security/detect-and-alert/add-manage-exceptions.md) explain how to modify the rules to reduce false positives and get a better set of actionable alerts. You can also use exceptions and value lists when creating or modifying your own rules.
In addition to creating [your own rules](/solutions/security/detect-and-alert/create-detection-rule.md), enable [Elastic prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules) to immediately start detecting suspicious activity. For detailed information on all the prebuilt rules, see the [Prebuilt rule reference](security-docs://reference/prebuilt-rules/index.md) section. Once the prebuilt rules are loaded and running, [Tune detection rules](/solutions/security/detect-and-alert/tune-detection-rules.md) and [Add and manage exceptions](/solutions/security/detect-and-alert/add-manage-exceptions.md) explain how to modify the rules to reduce false positives and get a better set of actionable alerts. You can also use exceptions and value lists when creating or modifying your own rules.

There are several special prebuilt rules you need to know about:

Expand All @@ -42,23 +27,27 @@ There are several special prebuilt rules you need to know about:
If you want to receive notifications via external systems, such as Slack or email, when alerts are created, use the {{kib}} [Alerting and Actions](/explore-analyze/alerts-cases.md) framework.

::::{note}
To use {{kib}} Alerting for detection alert notifications, you need the [appropriate license](https://www.elastic.co/subscriptions).
To use {{kib}} Alerting for detection alert notifications in the {{stack}}, you need the [appropriate license](https://www.elastic.co/subscriptions).
::::


After rules have started running, you can monitor their executions to verify they are functioning correctly, as well as view, manage, and troubleshoot alerts (see [*Manage detection alerts*](/solutions/security/detect-and-alert/manage-detection-alerts.md) and [*Monitor and troubleshoot rule executions*](/troubleshoot/security/detection-rules.md)).
After rules have started running, you can monitor their executions to verify they are functioning correctly, as well as view, manage, and troubleshoot alerts (see [Manage detection alerts](/solutions/security/detect-and-alert/manage-detection-alerts.md) and [Monitor and troubleshoot rule executions](/troubleshoot/security/detection-rules.md)).

You can create and manage rules and alerts via the UI or the [Detections API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-detections-api).

::::{important}
To make sure you can access Detections and manage rules, see [*Detections requirements*](/solutions/security/detect-and-alert/detections-requirements.md).
To make sure you can access Detections and manage rules, see [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md).

::::



## Compatibility with cold and frozen tier nodes [cold-tier-detections]

```yaml {applies_to}
stack:
```

Cold and frozen [data tiers](/manage-data/lifecycle/data-tiers.md) hold time series data that is only accessed occasionally. In {{stack}} version >=7.11.0, {{elastic-sec}} supports cold but not frozen tier data for the following {{es}} indices:

* Index patterns specified in `securitySolution:defaultIndex`
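Review bot: the new `{applies_to}` block gives `stack:` with no value, while the front matter in this file writes `security: all`; if this section applies to every Stack version, say so explicitly (e.g. `stack: all`, mirroring the front matter), or, since the paragraph below says cold tier support starts at {{stack}} 7.11.0, carry that version in the block so the rendered badge and the prose agree. The added wording `in the {{stack}}` on the license note is consistent with that scoping.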
Expand Down Expand Up @@ -111,5 +100,5 @@ Depending on your privileges and whether detection system indices have already b

## Using logsdb index mode [detections-logsdb-index-mode]

To learn how your rules and alerts are affected by using the [logsdb index mode](/manage-data/data-store/data-streams/logs-data-stream.md), refer to [*Using logsdb index mode with {{elastic-sec}}*](/solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md).
To learn how your rules and alerts are affected by using the [logsdb index mode](/manage-data/data-store/data-streams/logs-data-stream.md), refer to [Using logsdb index mode with {{elastic-sec}}](/solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md).
