
Commit 3a58669

Small edits
1 parent 86cd778 commit 3a58669

6 files changed: +21 -18 lines changed

solutions/security/detect-and-alert/about-detection-rules.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -52,7 +52,7 @@ You can create the following types of rules:
5252
When you create a rule, you must either specify the {{es}} index pattens for which you’d like the rule to run, or select a [data view field](/solutions/security/get-started/data-views-elastic-security.md) as the data source. If you select a data view, you can select [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) associated with that data view to create a query for the rule (with the exception of {{ml}} rules, which do not use queries).
5353

5454
::::{note}
55-
To access data views in {{stack}}, ensure you have the [required permissions](/explore-analyze/find-and-organize/data-views.md#data-views-read-only-access). To access them in {{serverless-short}}, you need either the appropriate [predefined Security user role](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md) with the right privileges.
55+
To access data views in {{stack}}, you must have the [required permissions](/explore-analyze/find-and-organize/data-views.md#data-views-read-only-access). To access them in {{serverless-short}}, you must have the appropriate [predefined Security user role](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md) with the right privileges.
5656
::::
5757

5858
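Review bot: the unchanged context at line 52 still reads "index pattens"; since this hunk already edits the adjacent note, fix the typo to "index patterns" in the same change rather than leaving it for a follow-up.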

solutions/security/detect-and-alert/create-detection-rule.md

Lines changed: 4 additions & 3 deletions
@@ -81,7 +81,8 @@ Additional configuration is required for detection rules using cross-cluster sea
8181
## Create a machine learning rule [create-ml-rule]
8282

8383
::::{admonition} Requirements
84-
To create or edit {{ml}} rules, you need: * The appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md)
84+
To create or edit {{ml}} rules, you need:
85+
* The appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md)
8586
* The [`machine_learning_admin`](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-roles.md) in {{stack}} or the appropriate [user role](/deploy-manage/users-roles/cloud-organization/user-roles.md) in {{serverless-short}}.
8687
* The selected {{ml}} job to be running for the rule to function correctly
8788
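Review bot: splitting the bullets out of the requirements sentence is right, but the second bullet (line 86) is missing its noun and the list punctuation is inconsistent. "The [`machine_learning_admin`](...) in {{stack}}" should read "The [`machine_learning_admin`](...) role in {{stack}}", and either all three bullets should end with a period or none should (bullets 1 and 3 have none, bullet 2 does).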

@@ -204,7 +205,7 @@ To create or edit {{ml}} rules, you need: * The appropriate [{{stack}} subscript
204205
* **Tiebreaker field**: Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp.
205206
* **Timestamp field**: Contains the event timestamp used for sorting a sequence of events. This is different from the **Timestamp override** advanced setting, which is used for querying events within a range. Defaults to the `@timestamp` ECS field.
206207
207-
4. Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to [Suppress detection alerts](/solutions/security/detect-and-alert/suppress-detection-alerts.md) for more information.
208+
4. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to [Suppress detection alerts](/solutions/security/detect-and-alert/suppress-detection-alerts.md) for more information.
208209
5. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn’t affect how the rule actually runs.
209210
210211
1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field’s name to find it faster, or type in an entirely new custom field.
@@ -566,7 +567,7 @@ When configuring an {{esql}} rule’s **[Custom highlighted fields](/solutions/s
566567
If you select this option, you can add {{elastic-endpoint}} exceptions on the Rule details page. Additionally, all future exceptions added to [endpoint protection rules](/solutions/security/manage-elastic-defend/endpoint-protection-rules.md) will also affect this rule.
567568
::::
568569

569-
10. **Building block** (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See [*About building block rules*](/solutions/security/detect-and-alert/about-building-block-rules.md) for more information.
570+
10. **Building block** (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See [About building block rules](/solutions/security/detect-and-alert/about-building-block-rules.md) for more information.
570571
11. **Max alerts per run** (optional): Specify the maximum number of alerts the rule can create each time it runs. Default is 100.
571572

572573
::::{note}
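Review bot: line 570 now uses "See [About building block rules]" while line 208 in this same file uses "Refer to [Suppress detection alerts]"; since the hunk is already touching the link text, switch to "Refer to" so cross-reference wording is consistent within the file.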

solutions/security/detect-and-alert/detections-requirements.md

Lines changed: 10 additions & 11 deletions
@@ -6,16 +6,12 @@ mapped_urls:
66

77
# Detections requirements
88

9-
To use the [Detections feature](/solutions/security/detect-and-alert.md), you first need to configure a few settings. You also need the [appropriate license](https://www.elastic.co/subscriptions) to send [notifications](/solutions/security/detect-and-alert/create-detection-rule.md#rule-notifications) when detection alerts are generated.
9+
To use the [Detections feature](/solutions/security/detect-and-alert.md), you first need to configure a few settings. You also need the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) to send [notifications](/solutions/security/detect-and-alert/create-detection-rule.md#rule-notifications) when detection alerts are generated. Additionally, there are some [advanced settings](/solutions/security/detect-and-alert/detections-requirements.md#adv-list-settings) used to configure {{kib}} [value list](/solutions/security/detect-and-alert/create-manage-value-lists.md) upload limits.
1010

1111
::::{important}
1212
Several steps are **only** required for **self-managed** {{stack}} deployments. If you’re using an Elastic Cloud deployment, you only need to [enable detections](/solutions/security/detect-and-alert/detections-requirements.md#enable-detections-ui).
1313
::::
1414

15-
16-
Additionally, there are some [advanced settings](/solutions/security/detect-and-alert/detections-requirements.md#adv-list-settings) used to configure {{kib}} [value list](/solutions/security/detect-and-alert/create-manage-value-lists.md) upload limits.
17-
18-
1915
## Configure self-managed {{stack}} deployments [detections-on-prem-requirements]
2016

2117
```yaml {applies_to}
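Review bot: the new line 9 adds the {{serverless-short}} project tier as a requirement, but the important admonition at line 12 still frames the page as self-managed versus Elastic Cloud deployments only, so a serverless reader gets no guidance on which of the following steps apply. Add a clause covering serverless to the admonition (for example, that the self-managed configuration steps do not apply there), consistent with the `applies_to` blocks this commit adds later in the file.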
@@ -60,6 +56,10 @@ The following table describes the required privileges to access the Detections f
6056

6157
### Authorization [alerting-auth-model]
6258

59+
```yaml {applies_to}
60+
stack:
61+
```
62+
6363
Rules, including all background detection and the actions they generate, are authorized using an [API key](/deploy-manage/api-keys/elasticsearch-api-keys.md) associated with the last user to edit the rule. Upon creating or modifying a rule, an API key is generated for that user, capturing a snapshot of their privileges. The API key is then used to run all background tasks associated with the rule including detection checks and executing actions.
6464

6565
::::{important}
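Review bot: the `applies_to` block at lines 59-61 (and the identical one at lines 74-76) lists `stack:` with no lifecycle value; confirm that the renderer treats an empty value as "all {{stack}} versions" rather than dropping the badge, and add the value (for example `ga`) if one is required.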
@@ -71,6 +71,10 @@ If a rule requires certain privileges to run, such as index privileges, keep in
7171

7272
## Configure list upload limits [adv-list-settings]
7373

74+
```yaml {applies_to}
75+
stack:
76+
```
77+
7478
You can set limits to the number of bytes and the buffer size used to upload [value lists](/solutions/security/detect-and-alert/create-manage-value-lists.md) to {{elastic-sec}}.
7579

7680
To set the value:
@@ -82,9 +86,4 @@ To set the value:
8286

8387
For example, on a Kibana instance with 2 gigabytes of RAM, you can set this value up to 20000000 (20 megabytes).
8488

85-
* `xpack.lists.importBufferSize`: Sets the buffer size used for uploading {{elastic-sec}} value lists (default `1000`). Change the value if you’re experiencing slow upload speeds or larger than wanted memory usage when uploading value lists. Set to a higher value to increase throughput at the expense of using more Kibana memory, or a lower value to decrease throughput and reduce memory usage.
86-
87-
88-
::::{note}
89-
For information on how to configure Elastic Cloud deployments, refer to [Add Kibana user settings](/deploy-manage/deploy/elastic-cloud/edit-stack-settings.md).
90-
::::
89+
* `xpack.lists.importBufferSize`: Sets the buffer size used for uploading {{elastic-sec}} value lists (default `1000`). Change the value if you’re experiencing slow upload speeds or larger than wanted memory usage when uploading value lists. Set to a higher value to increase throughput at the expense of using more Kibana memory, or a lower value to decrease throughput and reduce memory usage.
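Review bot: deleting the note at lines 88-90 removes the only pointer telling Elastic Cloud users where settings such as `xpack.lists.importBufferSize` are configured (the "Add Kibana user settings" page). The `applies_to: stack` badge added at lines 74-76 does not replace that guidance, because hosted deployments are also {{stack}}; keep the link, for example as a sentence under "To set the value:".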

solutions/security/detect-and-alert/suppress-detection-alerts.md

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ mapped_urls:
88

99

1010
::::{admonition} Requirements and notices
11-
* In {{stack}} alert suppression requires a [Platinum or higher subscription](https://www.elastic.co/pricing).
11+
* In {{stack}} alert suppression requires a [Platinum or higher subscription](https://www.elastic.co/pricing) or the appropriate [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
1212
* {{ml-cap}} rules have [additional requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for alert suppression.
1313
* This functionality is in technical preview for event correlation rules only and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
1414
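Review bot: line 11 now scopes the serverless clause under "In {{stack}}", which reads as a contradiction ("In {{stack}} alert suppression requires ... or the appropriate {{serverless-short}} project tier"). Restructure as "Alert suppression requires a [Platinum or higher subscription](...) in {{stack}} or the appropriate [{{serverless-short}} project tier](...)." (the wording line 283 of view-detection-alert-details.md uses in this same commit), and add the missing comma after "In {{stack}}" if that opening is kept.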

solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md

Lines changed: 2 additions & 0 deletions
@@ -7,6 +7,8 @@ mapped_urls:
77
# Using logsdb index mode with Elastic Security [detections-logsdb-index-mode-impact]
88

99
::::{note}
10+
The following statement applies to {{stack}} users only:
11+
1012
To use the [synthetic `_source`](asciidocalypse://docs/elasticsearch/docs/reference/elasticsearch/mapping-reference/mapping-source-field.md#synthetic-source) feature, you must have the appropriate subscription. Refer to the subscription page for [Elastic Cloud](https://www.elastic.co/subscriptions/cloud) and [Elastic Stack/self-managed](https://www.elastic.co/subscriptions) for the breakdown of available features and their associated subscription tiers.
1113
::::
1214
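Review bot: the prose qualifier at line 10, "The following statement applies to {{stack}} users only:", does the same job as the `applies_to` yaml blocks this commit adds to detections-requirements.md; prefer the structured block so {{stack}}-only content is marked the same way across the section. Also check the scope: the statement it introduces links both the Elastic Cloud and the self-managed subscription pages, so make sure {{stack}} (rather than self-managed only) is the intended audience.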

solutions/security/detect-and-alert/view-detection-alert-details.md

Lines changed: 3 additions & 2 deletions
@@ -37,6 +37,7 @@ From the right panel, you can also:
3737
* Click the **Share alert** icon (![Share alert icon](../../../images/security-share-alert.png "title =20x20")) to get a shareable alert URL. We *do not* recommend copying the URL from your browser’s address bar, which can lead to inconsistent results if you’ve set up filters or relative time ranges for the Alerts page.
3838

3939
::::{note}
40+
For {{stack}} users only:
4041
If you’ve configured the [`server.publicBaseUrl`](/deploy-manage/deploy/self-managed/configure.md#server-publicBaseUrl) setting in the `kibana.yml` file, the shareable URL is also in the `kibana.alert.url` field. You can find the field by searching for `kibana.alert.url` on the **Table** tab.
4142
::::
4243
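Review bot: line 40 "For {{stack}} users only:" is immediately followed by the sentence at line 41 with no blank line between them, so in rendered Markdown the two collapse into one paragraph ("For {{stack}} users only: If you've configured..."). Either fold the qualifier into the sentence ("In {{stack}}, if you've configured the `server.publicBaseUrl` setting ...") or insert a blank line between the two lines inside the note.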

@@ -279,7 +280,7 @@ The Correlations overview provides the following information:
279280
* **Alerts related by process ancestry**: Shows the number of alerts that are related by process events on the same linear branch.
280281

281282
::::{note}
282-
To access data about alerts related by process ancestry, you must have a [Platinum or higher subscription](https://www.elastic.co/pricing) in {{stack}}.
283+
To access data about alerts related by process ancestry, you must have a [Platinum or higher subscription](https://www.elastic.co/pricing) in {{stack}} or the appropriate [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
283284
::::
284285

285286

@@ -328,7 +329,7 @@ The expanded Prevalence view provides the following details:
328329
* **Alert count**: Shows the total number of alert documents that have identical highlighted field values, including the alert you’re currently examining. For example, if the `host.name` field has an alert count of 5, that means there are five total alerts with the same `host.name` value. The Alert count column only retrieves documents that contain the [`event.kind:signal`](asciidocalypse://docs/ecs/docs/reference/ecs-allowed-values-event-kind.md#ecs-event-kind-signal) field-value pair.
329330
* **Document count**: Shows the total number of event documents that have identical field values. A dash (`——`) displays if there are no event documents that match the field value. The Document count column only retrieves documents that don’t contain the [`event.kind:signal`](asciidocalypse://docs/ecs/docs/reference/ecs-allowed-values-event-kind.md#ecs-event-kind-signal) field-value pair.
330331

331-
The following features require a [Platinum subscription](https://www.elastic.co/pricing) or higher in {{stack}}:
332+
The following features require a [Platinum subscription](https://www.elastic.co/pricing) or higher in {{stack}} or the appropriate [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md)
332333

333334
* **Host prevalence**: Shows the percentage of unique hosts that have identical field values. Host prevalence for highlighted fields is calculated by taking the number of unique hosts with identical highlighted field values and dividing that number by the total number of unique hosts in your environment.
334335
* **User prevalence**: Shows the percentage of unique users that have identical highlighted field values. User prevalence for highlighted fields is calculated by taking the number of unique users with identical field values and dividing that number by the total number of unique users in your environment.
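Review bot: line 332 drops the colon that ended line 331, so the sentence introducing the **Host prevalence** / **User prevalence** bullets now ends without punctuation. Append the colon after "project tier](...)" so the lead-in still reads as introducing the list.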
