elastic · nastasha-solomon · Feb 21, 2026 · Feb 21, 2026 · Feb 23, 2026 · Feb 23, 2026
@@ -55,7 +55,7 @@ The rule type also affects the privileges that are required to create and edit r
 * For {{ml}} rules, you must have `all` privileges for the **Analytics > {{ml-app}}** feature.
 * For {{stack-monitor-app}} rules, you must have the `monitoring_user` role.
 * For most {{observability}} rules, you must have `all` privileges for the appropriate {{observability}} features. However, for a custom threshold rule, you only need the `stack alerts` privilege.
-* For Security rules, refer to [](../../../solutions/security/detect-and-alert/detections-requirements.md).
+* For Security rules, refer to [](../../../solutions/security/detect-and-alert/turn-on-detections.md).
 
 ::::
 
@@ -68,7 +68,7 @@ The rule type also affects the privileges that are required to create and edit r
 * `Read` for the **Management > {{connectors-feature}}** feature.
 
 ::::{note}
-The rule type also affects the privileges that are required. For example, to view {{ml}} rules, you must have `read` privileges for the **Analytics > {{ml-app}}** feature. For {{stack-monitor-app}} rules, you must have the `monitoring_user` role. For {{observability}} rules, you must have `read` privileges for the appropriate {{observability}} features. For Security rules, refer to [](../../../solutions/security/detect-and-alert/detections-requirements.md).
+The rule type also affects the privileges that are required. For example, to view {{ml}} rules, you must have `read` privileges for the **Analytics > {{ml-app}}** feature. For {{stack-monitor-app}} rules, you must have the `monitoring_user` role. For {{observability}} rules, you must have `read` privileges for the appropriate {{observability}} features. For Security rules, refer to [](../../../solutions/security/detect-and-alert/turn-on-detections.md).
 
 ::::
 

@@ -10,7 +10,7 @@ products:
 
 # Rule types [rule-types]
 
-A rule is a set of [conditions](../alerts.md#rules-conditions), [schedules](../alerts.md#rules-schedule), and [actions](../alerts.md#rules-actions ) that enable notifications. {{kib}} provides rules built into the {{stack}} and rules registered by one of the {{kib}} apps. You can create most rules types in [{{stack-manage-app}} > {{rules-ui}}](create-manage-rules.md). Security rules must be defined in the Security app. For more information, refer to the documentation about [creating a detection rule](../../../solutions/security/detect-and-alert/create-detection-rule.md).
+A rule is a set of [conditions](../alerts.md#rules-conditions), [schedules](../alerts.md#rules-schedule), and [actions](../alerts.md#rules-actions ) that enable notifications. {{kib}} provides rules built into the {{stack}} and rules registered by one of the {{kib}} apps. You can create most rules types in [{{stack-manage-app}} > {{rules-ui}}](create-manage-rules.md). Security rules must be defined in the Security app. For more information, refer to the documentation about [creating a detection rule](../../../solutions/security/detect-and-alert/using-the-rule-builder.md).
 
 ::::{note}
 Some rule types are subscription features, while others are free features. For a comparison of the Elastic subscription levels, see [the subscription page](https://www.elastic.co/subscriptions).

@@ -13,7 +13,7 @@ Use {{elastic-sec}} to protect your systems from security threats.
 
 * [**SIEM:**](https://www.elastic.co/security/siem): {{elastic-sec}}'s modern SIEM provides a centralized platform for ingesting, analyzing, and managing security data from various sources. 
 * [**Third-party integration support**](/solutions/security/get-started/ingest-data-to-elastic-security.md): Ingest data from a various tools and data sources so you can centralize your security data.
-* [**Threat detection and analytics:**](/solutions/security/detect-and-alert.md): Identify threats by using [prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md) with the ability to customize or create custom detection rules, automatically detect anomalous activity with built-in machine learning jobs, or proactively search for threats using our powerful [threat hunting and interactive visualization tools](/solutions/security/investigate.md). 
+* [**Threat detection and analytics:**](/solutions/security/detect-and-alert.md): Identify threats by using [prebuilt rules](/solutions/security/detect-and-alert/install-prebuilt-rules.md) with the ability to customize or create custom detection rules, automatically detect anomalous activity with built-in machine learning jobs, or proactively search for threats using our powerful [threat hunting and interactive visualization tools](/solutions/security/investigate.md). 
 * [**Automatic migration**](/solutions/security/get-started/automatic-migration.md): Migrate SIEM rules from other platforms to {{elastic-sec}}. 
 * [**Endpoint protection and threat prevention**](/solutions/security/configure-elastic-defend.md): Automatically stop cybersecurity attacks—such as malware and ransomware—before damage and loss can occur.
 * [**AI-powered features**](/solutions/security/ai.md): Leverage generative AI to help enhance threat detection, assist with incident response, and improve day-to-day security operations.
@@ -37,7 +37,7 @@ Before diving into setup and configuration, familiarize yourself with the founda
 * [**{{elastic-defend}}:**](/solutions/security/configure-elastic-defend/install-elastic-defend.md) {{elastic-sec}}'s Endpoint Detection and Response (EDR) tool that protects endpoints from malicious activity. {{elastic-defend}} uses a combination of techniques like machine learning, behavioral analysis, and prebuilt rules to detect, prevent, and respond to threats in real-time.
 * [**{{elastic-endpoint}}:**](/solutions/security/manage-elastic-defend/elastic-endpoint-self-protection-features.md) The security component, enabled by {{agent}}, that performs {{elastic-defend}}'s threat monitoring and prevention capabilities. 
 * [**Detection engine:**](/solutions/security/detect-and-alert.md) The framework that detects threats by using rules to search for suspicious events in your data, and generates alerts when events meet a rule's criteria.
-* [**Detection rules:**](/solutions/security/detect-and-alert/about-detection-rules.md) Sets of conditions that identify potential threats and malicious activities. Rules analyze various data sources, including logs and network traffic, to detect anomalies, suspicious behaviors, or known attack patterns. {{elastic-sec}} ships out-of-the-box prebuilt rules, and you can create your own custom rules. 
+* [**Detection rules:**](/solutions/security/detect-and-alert/choose-the-right-rule-type.md) Sets of conditions that identify potential threats and malicious activities. Rules analyze various data sources, including logs and network traffic, to detect anomalies, suspicious behaviors, or known attack patterns. {{elastic-sec}} ships out-of-the-box prebuilt rules, and you can create your own custom rules. 
 * [**Alerts:**](/solutions/security/detect-and-alert/manage-detection-alerts.md) Notifications that are generated when rule conditions are met. Alerts include a wide range of information about potential threats, including host, user, network, and other contextual data to assist your investigation.  
 * [**Machine learning and anomaly detection:**](/solutions/security/advanced-entity-analytics/anomaly-detection.md) Anomaly detection jobs identify anomalous events or patterns in your data. Use these with machine learning detection rules to generate alerts when behavior deviates from normal activity.
 * [**Entity analytics:**](/solutions/security/advanced-entity-analytics/overview.md) A threat detection feature that combines the power of Elastic’s detection engine and machine learning capabilities to identify unusual behavior for hosts, users, and services. 

@@ -147,4 +147,4 @@ By default, logs data streams use the following settings:
 - [](logs-data-stream-integrations.md)
 - [](/manage-data/data-store/templates.md)
 - [](/solutions/observability/logs/logs-index-template-defaults.md)
-- [](/solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md)
+- [Advanced data source configuration for {{elastic-sec}} rules](/solutions/security/detect-and-alert/advanced-data-source-configuration.md)
@@ -173,4 +173,4 @@ If your cluster is already near capacity, stability issues can occur if you enab
 
 - Review the documentation for [](logs-data-stream.md), [](/manage-data/data-store/templates.md), and the [](/solutions/observability/logs/logs-index-template-defaults.md)
 - [](logs-data-stream-configure.md)
-- [](/solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md)
+- [Advanced data source configuration for {{elastic-sec}} rules](/solutions/security/detect-and-alert/advanced-data-source-configuration.md)
@@ -100,4 +100,4 @@ To enable logsdb mode for integration data streams, create or update a `@custom`
 - [Review mappings and sorting](/manage-data/data-store/data-streams/logs-data-stream-configure.md#logsdb-host-name)
 - [](/manage-data/data-store/data-streams/use-data-stream.md)
 - [](/manage-data/data-store/data-streams/logs-data-stream-integrations.md)
-- [](/solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md)
+- [Advanced data source configuration for {{elastic-sec}} rules](/solutions/security/detect-and-alert/advanced-data-source-configuration.md)
@@ -702,6 +702,46 @@ redirects:
   'solutions/observability/observability-ai-assistant.md': 'solutions/observability/ai/observability-ai-assistant.md'
   'solutions/observability/llm-performance-matrix.md': 'solutions/observability/ai/llm-performance-matrix.md'
 
+# Related to Detect & Alert section restructure (issue #1210)
+  # Renamed files
+  'solutions/security/detect-and-alert/detections-requirements.md': 'solutions/security/detect-and-alert/detections-privileges.md'
+  'solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md': 'solutions/security/detect-and-alert/install-prebuilt-rules.md'
+  'solutions/security/detect-and-alert/prebuilt-rules-update-modified-unmodified.md': 'solutions/security/detect-and-alert/update-prebuilt-rules.md'
+  'solutions/security/detect-and-alert/mitre-attandckr-coverage.md': 'solutions/security/detect-and-alert/mitre-attack-coverage.md'
+  'solutions/security/detect-and-alert/about-detection-rules.md': 'solutions/security/detect-and-alert/choose-the-right-rule-type.md'
+  'solutions/security/detect-and-alert/create-detection-rule.md': 'solutions/security/detect-and-alert/using-the-rule-builder.md'
+  'solutions/security/detect-and-alert/launch-timeline-from-investigation-guides.md': 'solutions/security/detect-and-alert/write-investigation-guides.md'
+  'solutions/security/detect-and-alert/exclude-cold-frozen-data-from-individual-rules.md': 'solutions/security/detect-and-alert/set-rule-data-sources.md'
+  'solutions/security/detect-and-alert/suppress-detection-alerts.md': 'solutions/security/detect-and-alert/alert-suppression.md'
+  'solutions/security/detect-and-alert/reduce-notifications-alerts.md':
+    to: 'solutions/security/detect-and-alert/manage-detection-rules.md'
+    anchors:
+      '': 'snooze-rule-actions'
+  'solutions/security/detect-and-alert/snooze-rule-actions.md':
+    to: 'solutions/security/detect-and-alert/manage-detection-rules.md'
+    anchors:
+      '': 'snooze-rule-actions'
+  'solutions/security/detect-and-alert/reference.md': 'solutions/security/detect-and-alert/common-rule-settings.md'
+  'solutions/security/detect-and-alert/detections-reference.md': 'solutions/security/detect-and-alert/common-rule-settings.md'
+  'solutions/security/detect-and-alert/rule-settings-reference.md': 'solutions/security/detect-and-alert/common-rule-settings.md'
+  'solutions/security/detect-and-alert/custom-rules.md': 'solutions/security/detect-and-alert/author-rules.md'
+
+  # Prebuilt rules restructure
+  # Note: Cross-file anchor redirects are not supported. Old links to 
+  # install-manage-prebuilt-rules.md#prebuilt-rule-tags, #rule-prerequisites, 
+  # and #select-all-prebuilt-rules will land on install-prebuilt-rules.md.
+  # Internal links have been updated to point to the correct new locations.
+  'solutions/security/detect-and-alert/install-manage-prebuilt-rules.md':
+    to: 'solutions/security/detect-and-alert/install-prebuilt-rules.md'
+    anchors:
+      'load-prebuilt-rules': 'load-prebuilt-rules'
+
+  # Deleted — content consolidated into manage-detection-alerts and cases pages
+  'solutions/security/detect-and-alert/add-detection-alerts-to-cases.md':
+    to: 'solutions/security/detect-and-alert/manage-detection-alerts.md'
+    anchors:
+      '': 'alert-actions'
+
 # Related to cases and alerting documentation restructuring
   # Main pages
   'explore-analyze/alerts-cases.md': 'explore-analyze/alerting.md'
@@ -794,3 +834,6 @@ redirects:
 
 # Related to https://github.com/elastic/docs-content/pull/5222
   'troubleshoot/deployments/cloud-enterprise/node-bootlooping.md': 'troubleshoot/monitoring/node-bootlooping.md'
+
+# Renamed for SEO - URL now matches page title
+  'solutions/security/detect-and-alert/requirements-privileges.md': 'solutions/security/detect-and-alert/turn-on-detections.md'
@@ -259,7 +259,7 @@ $$$glossary-epr$$$ Elastic Package Registry (EPR)
 :   A service hosted by Elastic that stores Elastic package definitions in a central location. See the [EPR GitHub repository](https://github.com/elastic/package-registry).
 
 $$$glossary-elastic-security-indices$$$ {{elastic-sec}} indices
-:   Indices containing host and network source events (such as `packetbeat-*`, `log-*`, and `winlogbeat-*`). When you [create a new rule in {{elastic-sec}}](/solutions/security/detect-and-alert/create-detection-rule.md), the default index pattern corresponds to the values defined in the `securitySolution:defaultIndex` advanced setting.
+:   Indices containing host and network source events (such as `packetbeat-*`, `log-*`, and `winlogbeat-*`). When you [create a new rule in {{elastic-sec}}](/solutions/security/detect-and-alert/using-the-rule-builder.md), the default index pattern corresponds to the values defined in the `securitySolution:defaultIndex` advanced setting.
 
 $$$glossary-elastic-stack$$$ {{stack}}
 :   Also known as the *ELK Stack*, the {{stack}} is the combination of various Elastic products that integrate for a scalable and flexible way to manage your data.
@@ -425,7 +425,7 @@ $$$glossary-indexer$$$ indexer
 :   A {{ls}} instance that is tasked with interfacing with an {{es}} cluster in order to index [event](/reference/glossary/index.md#glossary-event) data.
 
 $$$glossary-indicator-index$$$ indicator index
-:   Indices containing suspect field values in {{elastic-sec}}. [Indicator match rules](/solutions/security/detect-and-alert/create-detection-rule.md#create-indicator-rule) use these indices to compare their field values with source event values contained in [{{elastic-sec}} indices](/reference/glossary/index.md#glossary-elastic-security-indices).
+:   Indices containing suspect field values in {{elastic-sec}}. [Indicator match rules](/solutions/security/detect-and-alert/indicator-match.md) use these indices to compare their field values with source event values contained in [{{elastic-sec}} indices](/reference/glossary/index.md#glossary-elastic-security-indices).
 
 $$$glossary-inference-aggregation$$$ inference aggregation
 :   A pipeline aggregation that references a [trained model](/reference/glossary/index.md#glossary-trained-model) in an aggregation to infer on the results field of the parent bucket aggregation. It enables you to use supervised {{ml}} at search time.

@@ -80,8 +80,8 @@ The non-ECS fields listed below are beta and subject to change.
 | `kibana.alert.original_event.*` | Event information copied from the original source event.<br>Type: object |
 | `kibana.alert.original_time` | The value copied from the source event (`@timestamp`).<br>Type: date |
 | `kibana.alert.reason` | Type: keyword |
-| `kibana.alert.rule.author` | The value of the `author` who created the rule. Refer to [configure advanced rule settings](/solutions/security/detect-and-alert/create-detection-rule.md#rule-ui-advanced-params).<br>Type: keyword |
-| `kibana.alert.building_block_type` | The value of `building_block_type` from the rule that generated this alert. Refer to [configure advanced rule settings](/solutions/security/detect-and-alert/create-detection-rule.md#rule-ui-advanced-params).<br>Type: keyword |
+| `kibana.alert.rule.author` | The value of the `author` who created the rule. Refer to [configure advanced rule settings](/solutions/security/detect-and-alert/common-rule-settings.md#rule-ui-advanced-params).<br>Type: keyword |
+| `kibana.alert.building_block_type` | The value of `building_block_type` from the rule that generated this alert. Refer to [configure advanced rule settings](/solutions/security/detect-and-alert/common-rule-settings.md#rule-ui-advanced-params).<br>Type: keyword |
 | `kibana.alert.rule.created_at` | The value of `created.at` from the rule that generated this alert.<br>Type: date |
 | `kibana.alert.rule.created_by` | Type: keyword |
 | `kibana.alert.rule.description` | Type: keyword |

@@ -23,7 +23,7 @@ Anomaly detection jobs identify anomalous events or patterns in your data. In a
 
 
 ::::{tip}
-Refer to [{{ml-cap}}: Anomaly detection](/explore-analyze/machine-learning/anomaly-detection.md) and [About detection rules](/solutions/security/detect-and-alert/about-detection-rules.md) for more background.
+Refer to [{{ml-cap}}: Anomaly detection](/explore-analyze/machine-learning/anomaly-detection.md) for more background.
 ::::
 
 
@@ -41,7 +41,7 @@ If you have the appropriate role, you can use the **ML job settings** interface
 
 You can also check the status of {{ml}} detection rules, and start or stop their associated {{ml}} jobs:
 
-* On the **Rules** page, the **Last response** column displays the rule’s current [status](/solutions/security/detect-and-alert/manage-detection-rules.md#rule-status). An indicator icon (![Error icon from rules table](/solutions/images/security-rules-table-error-icon.png "title =20x20")) also appears if a required {{ml}} job isn’t running. Click the icon to list the affected jobs, then click **Visit rule details page to investigate** to open the rule’s details page.
+* On the **Rules** page, the **Last response** column displays the rule’s current [status](/solutions/security/detect-and-alert/monitor-rule-executions.md#rule-status). An indicator icon (![Error icon from rules table](/solutions/images/security-rules-table-error-icon.png "title =20x20")) also appears if a required {{ml}} job isn’t running. Click the icon to list the affected jobs, then click **Visit rule details page to investigate** to open the rule’s details page.
 
     :::{image} /solutions/images/security-rules-table-ml-job-error.png
     :alt: Rules table {{ml}} job error
@@ -56,7 +56,7 @@ You can also check the status of {{ml}} detection rules, and start or stop their
     :::
 
 ::::{tip}
-* For instructions on creating {{ml}} rules, refer to [Create a machine learning rule](/solutions/security/detect-and-alert/create-detection-rule.md#create-ml-rule).
+* For instructions on creating {{ml}} rules to detect anomalies, refer to [](/solutions/security/detect-and-alert/machine-learning.md).
 * Alerts generated by {{ml}} rules are displayed on the **Alerts** page. For more information, refer to [Manage detection alerts](/solutions/security/detect-and-alert/manage-detection-alerts.md).
 ::::