
[Issue]: /docs/solutions/security/detect-and-alert isn't a good overview of our detection and alerting capabilities #1210

Open
@MarkSettleES

Description


Type of issue

Other

What documentation page is affected

https://www.elastic.co/docs/solutions/security/detect-and-alert

What happened?

This page needs to be reconceived if it is to meet the needs of people seeking to understand our overall automated detection capabilities, IMO. Here are the specific observations that brought me to file this ticket:

The conceptual overview I would expect to find in the intro of this page is instead in the third subpage, About detection rules:

Rules run periodically and search for source events, matches, sequences, or machine learning job anomaly results that meet their criteria. When a rule’s criteria are met, a detection alert is created.

The first section of the Detections and alerts page has too much emphasis on Elastic Defend, rather than the centralized capabilities of our detection engine, which should be its core focus. When I saw an Alerts dashboard with alerts only for malware prevention and ransomware prevention, I double-checked that I was on the article for centralized threat detection. One paragraph later, the following text caused me to triple-check:

There are several special prebuilt rules you need to know about:

Endpoint protection rules: Automatically create alerts based on Elastic Defend's threat monitoring and prevention.
External Alerts: Automatically creates an alert for all incoming third-party system alerts (for example, Suricata alerts).

In addition to leading with endpoint protection, rather than the cross-domain detection capabilities for which a SIEM is uniquely suited, this text may do more harm than good because a novice reader could incorrectly conclude that Elastic offers only these two types of prebuilt rules, both of which are as basic as a rule can be. Perhaps the content in the "Rule types" section of the About detection rules subpage would work better.

One more observation: the Using logsdb index mode with Elastic Security subpage seems an odd fit between the "Detection requirements" and "About detection rules" subpages.

cc: @paulewing , @approksiu

Additional info

No response
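To make the quoted definition concrete (rules run periodically over source events; matches and sequences that satisfy a rule's criteria create alerts), here is an added toy detection engine. It is illustration only, not Elastic's code or its rule semantics: the events are constructed, the "query" and "sequence" rules are deliberately simplified stand-ins for the real rule types, and the lookback window and alert deduplication are assumptions chosen for the example.

```python
"""Toy detection engine: scheduled rules searching source events for matches
and sequences, emitting alerts. Added example, not Elastic's implementation;
events are constructed and rule semantics are simplified."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from typing import Callable, Dict, List, Optional, Set

Event = Dict[str, object]
Predicate = Callable[[Event], bool]


def ts(event: Event) -> datetime:
    """Parse the ISO-8601 @timestamp (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(str(event["@timestamp"]).replace("Z", "+00:00"))


@dataclass
class Alert:
    rule_name: str
    key: str             # grouping value, here host.name
    events: List[Event]  # source events that satisfied the rule

    @property
    def alert_id(self) -> str:
        # Deterministic id: re-running over an overlapping window does not duplicate.
        raw = f"{self.rule_name}|{self.key}|" + "|".join(str(e["@timestamp"]) for e in self.events)
        return sha256(raw.encode()).hexdigest()[:16]


@dataclass
class QueryRule:
    """Single-event match: every event satisfying the predicate creates an alert."""
    name: str
    predicate: Predicate

    def run(self, events: List[Event]) -> List[Alert]:
        return [Alert(self.name, str(e.get("host.name", "?")), [e])
                for e in events if self.predicate(e)]


@dataclass
class SequenceRule:
    """Ordered multi-event match per key within maxspan (assumed, EQL-like semantics)."""
    name: str
    by: str
    steps: List[Predicate]
    maxspan: timedelta

    def _chain_from(self, evs: List[Event], start: int) -> Optional[List[Event]]:
        first = evs[start]
        if not self.steps[0](first):
            return None
        chain, pos = [first], start + 1
        for step in self.steps[1:]:
            while pos < len(evs):
                cand = evs[pos]
                pos += 1
                if ts(cand) - ts(first) > self.maxspan:
                    return None      # window exhausted before this step matched
                if step(cand):
                    chain.append(cand)
                    break
            else:
                return None          # ran out of events for this key
        return chain

    def run(self, events: List[Event]) -> List[Alert]:
        groups: Dict[str, List[Event]] = {}
        for e in sorted(events, key=ts):
            groups.setdefault(str(e.get(self.by, "?")), []).append(e)
        return [Alert(self.name, key, chain)
                for key, evs in groups.items()
                for i in range(len(evs))
                if (chain := self._chain_from(evs, i))]


def run_rules(rules, events: List[Event], lookback_start: datetime, seen: Set[str]) -> List[Alert]:
    """One scheduled execution: search only the lookback window, suppress alerts
    already emitted by an earlier run (assumed dedup behaviour for the toy)."""
    window = [e for e in events if ts(e) >= lookback_start]
    new = []
    for rule in rules:
        for alert in rule.run(window):
            if alert.alert_id not in seen:
                seen.add(alert.alert_id)
                new.append(alert)
    return new


SAMPLE_EVENTS: List[Event] = [  # constructed sample events, not real telemetry
    {"@timestamp": "2024-01-01T10:00:00Z", "host.name": "web-01", "event.category": "process",
     "process.name": "powershell.exe", "process.args": "-enc SQBFAFgA"},
    {"@timestamp": "2024-01-01T10:00:05Z", "host.name": "web-01", "event.category": "network",
     "destination.port": 4444},
    {"@timestamp": "2024-01-01T10:00:10Z", "host.name": "db-02", "event.category": "process",
     "process.name": "sshd"},
    {"@timestamp": "2024-01-01T10:30:00Z", "host.name": "db-02", "event.category": "network",
     "destination.port": 4444},
    {"@timestamp": "2024-01-01T10:40:00Z", "host.name": "db-02", "event.category": "process",
     "process.name": "powershell.exe", "process.args": "-File backup.ps1"},
]

RULES = [  # hypothetical rules written for this example
    QueryRule("Encoded PowerShell command line",
              lambda e: e.get("process.name") == "powershell.exe"
              and "-enc" in str(e.get("process.args", ""))),
    SequenceRule("PowerShell followed by outbound connection on 4444", by="host.name",
                 steps=[lambda e: e.get("process.name") == "powershell.exe",
                        lambda e: e.get("event.category") == "network"
                        and e.get("destination.port") == 4444],
                 maxspan=timedelta(minutes=5)),
]


def detect_since(iso_start: str, seen: Optional[Set[str]] = None) -> List[Alert]:
    """Run every rule once over events at or after iso_start."""
    start = datetime.fromisoformat(iso_start.replace("Z", "+00:00"))
    return run_rules(RULES, SAMPLE_EVENTS, start, seen if seen is not None else set())


def demo() -> List[Alert]:
    """Two overlapping scheduled runs; the second must not re-emit the first's alerts."""
    seen: Set[str] = set()
    return detect_since("2024-01-01T09:00:00Z", seen) + detect_since("2024-01-01T09:30:00Z", seen)


if __name__ == "__main__":
    for a in demo():
        print(a.alert_id, a.rule_name, a.key, len(a.events))
```

Two points the toy makes that the sentence alone does not: a sequence rule only fires when all steps land on the same key inside the window (db-02 has both a PowerShell process and a port-4444 connection, but in the wrong order and too far apart), and a lookback window that starts after the first event of a sequence silently loses the detection, which is why real schedules overlap and dedup on an alert id.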

Metadata

Labels

Team:Security (issues owned by the Security Docs Team), triage
