[Security][Quality] Improve docs for Security detections and alerts#5253
Open
nastasha-solomon wants to merge 50 commits intomainfrom
Open
[Security][Quality] Improve docs for Security detections and alerts#5253nastasha-solomon wants to merge 50 commits intomainfrom
nastasha-solomon wants to merge 50 commits intomainfrom
Conversation
Contributor
Vale Linting ResultsSummary: 11 warnings, 36 suggestions found
|
| File | Line | Rule | Message |
|---|---|---|---|
| solutions/security/detect-and-alert/common-rule-settings.md | 117 | Elastic.Spelling | 'subtechniques' is a possible misspelling. |
| solutions/security/detect-and-alert/esql.md | 23 | Elastic.DontUse | Don't use '...'. |
| solutions/security/detect-and-alert/esql.md | 111 | Elastic.DontUse | Don't use '...'. |
| solutions/security/detect-and-alert/indicator-match.md | 16 | Elastic.Spelling | 'operationalizing' is a possible misspelling. |
| solutions/security/detect-and-alert/indicator-match.md | 24 | Elastic.Spelling | 'data's' is a possible misspelling. |
| solutions/security/detect-and-alert/manage-detection-rules.md | 166 | Elastic.DontUse | Don't use 'just'. |
| solutions/security/detect-and-alert/new-terms.md | 34 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| solutions/security/detect-and-alert/reduce-noise-and-false-positives.md | 102 | Elastic.Spelling | 'deduplicates' is a possible misspelling. |
| solutions/security/detect-and-alert/tune-detection-rules.md | 17 | Elastic.DontUse | Don't use 'just'. |
| solutions/security/detect-and-alert/validate-and-test-rules.md | 24 | Elastic.Spelling | 'auditability' is a possible misspelling. |
| troubleshoot/security/detection-rules.md | 192 | Elastic.DontUse | Don't use 'note that'. |
💡 Suggestions (36)
| File | Line | Rule | Message |
|---|---|---|---|
| solutions/security/detect-and-alert/before-you-begin.md | 25 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/common-rule-settings.md | 94 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/common-rule-settings.md | 202 | Elastic.WordChoice | Consider using 'run, start' instead of 'execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/common-rule-settings.md | 281 | Elastic.WordChoice | Consider using 'refer to (if it's a document), view (if it's a UI element)' instead of 'see', unless the term is in the UI. |
| solutions/security/detect-and-alert/common-rule-settings.md | 291 | Elastic.Wordiness | Consider using 'because' instead of 'since'. |
| solutions/security/detect-and-alert/custom-query.md | 22 | Elastic.WordChoice | Consider using 'efficient, basic' instead of 'simple', unless the term is in the UI. |
| solutions/security/detect-and-alert/customize-prebuilt-rules.md | 15 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/customize-prebuilt-rules.md | 56 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 23 | Elastic.WordChoice | Consider using 'run, start' instead of 'execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 32 | Elastic.WordChoice | Consider using 'run, start' instead of 'execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 65 | Elastic.Wordiness | Consider using 'tell' instead of 'inform'. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 84 | Elastic.WordChoice | Consider using 'run, start' instead of 'Execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 86 | Elastic.WordChoice | Consider using 'run, start' instead of 'Execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 103 | Elastic.WordChoice | Consider using 'run, start' instead of 'execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/detection-rule-concepts.md | 127 | Elastic.WordChoice | Consider using 'run, start' instead of 'execute', unless the term is in the UI. |
| solutions/security/detect-and-alert/esql.md | 23 | Elastic.Ellipses | In general, don't use an ellipsis. |
| solutions/security/detect-and-alert/esql.md | 111 | Elastic.Ellipses | In general, don't use an ellipsis. |
| solutions/security/detect-and-alert/fill-rule-gaps.md | 15 | Elastic.WordChoice | Consider using 'efficiently' instead of 'simply', unless the term is in the UI. |
| solutions/security/detect-and-alert/indicator-match.md | 20 | Elastic.Semicolons | Use semicolons judiciously. |
| solutions/security/detect-and-alert/indicator-match.md | 20 | Elastic.Wordiness | Consider using 'all' instead of 'all of '. |
| solutions/security/detect-and-alert/indicator-match.md | 20 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/indicator-match.md | 22 | Elastic.Wordiness | Consider using 'also' instead of 'In addition'. |
| solutions/security/detect-and-alert/manage-detection-rules.md | 27 | Elastic.WordChoice | Consider using 'deactivate, deselect, hide, turn off' instead of 'disable', unless the term is in the UI. |
| solutions/security/detect-and-alert/manage-detection-rules.md | 96 | Elastic.WordChoice | Consider using 'deactivate, deselect, hide, turn off' instead of 'disable', unless the term is in the UI. |
| solutions/security/detect-and-alert/manage-detection-rules.md | 166 | Elastic.Semicolons | Use semicolons judiciously. |
| solutions/security/detect-and-alert/mitre-attack-coverage.md | 79 | Elastic.WordChoice | Consider using 'deactivated, deselected, hidden, turned off, unavailable' instead of 'disabled', unless the term is in the UI. |
| solutions/security/detect-and-alert/monitor-rule-executions.md | 21 | Elastic.WordChoice | Consider using 'refer to (if it's a document), view (if it's a UI element)' instead of 'see', unless the term is in the UI. |
| solutions/security/detect-and-alert/prebuilt-rules.md | 34 | Elastic.Semicolons | Use semicolons judiciously. |
| solutions/security/detect-and-alert/prebuilt-rules.md | 80 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/prebuilt-rules.md | 80 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/reduce-noise-and-false-positives.md | 47 | Elastic.FirstPerson | Use caution when using first-person pronouns such as 'my.' |
| solutions/security/detect-and-alert/reduce-noise-and-false-positives.md | 90 | Elastic.Wordiness | Consider using 'all' instead of 'all of '. |
| solutions/security/detect-and-alert/reduce-noise-and-false-positives.md | 102 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/reduce-noise-and-false-positives.md | 102 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/set-rule-data-sources.md | 40 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| solutions/security/detect-and-alert/set-rule-data-sources.md | 62 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
The Vale linter checks documentation changes against the Elastic Docs style guide.
To use Vale locally or report issues, refer to Elastic style guide for Vale.
Contributor
yctercero
reviewed
Mar 2, 2026
|
|
||
| ### Data requirements | ||
|
|
||
| Custom query rules require at least one {{es}} index pattern or [data view](/solutions/security/get-started/data-views-elastic-security.md) that contains the events you want to match. The indices must be accessible to the user who creates or last edits the rule, because the rule executes with that user's [API key privileges](/solutions/security/detect-and-alert/detection-rule-concepts.md#rule-authorization-concept). |
Contributor
There was a problem hiding this comment.
Just a mental note so I don't forget we might need to update this for serverless UIAM stuff.
yctercero
reviewed
Mar 2, 2026
yctercero
reviewed
Mar 2, 2026
|
|
||
| Custom query rules require at least one {{es}} index pattern or [data view](/solutions/security/get-started/data-views-elastic-security.md) that contains the events you want to match. The indices must be accessible to the user who creates or last edits the rule, because the rule executes with that user's [API key privileges](/solutions/security/detect-and-alert/detection-rule-concepts.md#rule-authorization-concept). | ||
|
|
||
| <!-- CRAFT LAYER - COMMENTED OUT FOR REVIEW |
Contributor
There was a problem hiding this comment.
This is cool. Would be great to get the trade team's insight on this section.
Contributor
Author
There was a problem hiding this comment.
Yes, that's the plan! In my next phase of improving the rule guides, I'm hoping to add more prescriptive guidance for writing queries and annotated examples from our library of prebuilt rules.
yctercero
reviewed
Mar 2, 2026
yctercero
reviewed
Mar 2, 2026
yctercero
reviewed
Mar 2, 2026
yctercero
reviewed
Mar 2, 2026
| * The threat signal is **novelty**, not a specific pattern or count. | ||
| * You want to combine up to three fields to detect **novel combinations**, such as a `host.ip` and `user.name` pair that has never been observed together before. | ||
|
|
||
| New terms rules are **not** the best fit when: |
Contributor
There was a problem hiding this comment.
Nitpick suggestion: maybe worth just sticking to having a section on what the rule is best fit for? If not we're repeating this in each rule type page.
Contributor
Author
There was a problem hiding this comment.
That's a valid observation. There are several reasons why I chose to repeat this pattern across the rule guides:
- Speeds up decision-making - Lets users confirm or reject a rule type's fit before reading through the lower-level configuration details.
- Reduces misconfigurations - Should prevent users from making common mistakes early on, such as choosing threshold when event order matters.
- Creates connected navigation - Each "not best fit" bullet links to the right alternative, turning seven standalone pages into an interconnected decision tree.
- Matches practitioner thinking - Rule selection is usually elimination ("can this handle sequences?"), not feature comparison. The negative framing fits that mindset.
- Lowers the learning curve - When users visit any one page, they're able to indirectly learn the other available rule types and the use cases they're good fits for.
yctercero
reviewed
Mar 2, 2026
Co-authored-by: Yara Tercero <[email protected]>
Co-authored-by: Yara Tercero <[email protected]>
Co-authored-by: Yara Tercero <[email protected]>
Co-authored-by: Yara Tercero <[email protected]>
…rules in air-gapped environments (#4972) <!-- Thank you for contributing to the Elastic Docs! 🎉 Use this template to help us efficiently review your contribution. --> <!-- Describe what your PR changes or improves. If your PR fixes an issue, link it here. If your PR does not fix an issue, describe the reason you are making the change. --> This PR creates [a dedicated page](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/4972/solutions/security/detect-and-alert/prebuilt-rules-airgapped) for installing and updating Elastic prebuilt detection rules in air-gapped environments. The following methods are covered: - Using a self-hosted Package Registry (recommended) - Manually transferring prebuilt rules using the export/import process Fixes: - elastic/security-docs#4652 - elastic/security-docs#2932 <!-- To help us ensure compliance with the Elastic open source and documentation guidelines, please answer the following: --> 1. Did you use a generative AI (GenAI) tool to assist in creating this contribution? - [x] Yes - [ ] No <!-- 2. If you answered "Yes" to the previous question, please specify the tool(s) and model(s) used (e.g., Google Gemini, OpenAI ChatGPT-4, etc.). Tool(s) and model(s) used: --> Cursor, claude-4.5-opus-high --------- Co-authored-by: natasha-moore-elastic <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Restructures the Detections and alerts section. Significant changes include: reduced duplication, improved navigation and cross-linking, more audience-centric guidance, and extensible structures.
The new structure:
This PR addresses https://github.com/elastic/docs-content-internal/issues/797, which is the main issue tracking quality improvements to the Security detection docs. It also addresses some gaps and doc bugs that have been sitting in the backlog for 3453485384953794348 years.
Review requests
For technical reviewers
Please verify accuracy in the following areas:
Rule type pages (new)
Please review the following pages for accuracy and completeness. Most of the content is a direct port. The net-new content is fairly limited.
(Fixes https://github.com/elastic/docs-content-internal/issues/239 by creating individual configuration guides for each rule type.)
Reference and decision guides (new or heavily rewritten to improve clarity and findability)
Other rewritten pages
For editorial reviewers
Please check the following items for logical flow and navigation between pages and glaring style/formatting errors.
Hub pages
Please spot-check navigation and descriptions for the following:
Restructured pages
Prebuilt rules pages
Content from Use Elastic prebuilt rules and Update modified and unmodified Elastic prebuilt rules was moved around into three buckets: install, update, and customize prebuilt rule. To help convey capabilities provided at certain subscription levels, added comparison tables and specified when certain flows were gated behind subscriptions.
Generative AI disclosure
Cursor, Claude