Skip to content

Restructure Attack Discovery docs (structural changes only, no content rewrites)#7448

Draft
nastasha-solomon wants to merge 2 commits into
mainfrom
revamp-ad-docs
Draft

Restructure Attack Discovery docs (structural changes only, no content rewrites)#7448
nastasha-solomon wants to merge 2 commits into
mainfrom
revamp-ad-docs

Conversation

@nastasha-solomon

@nastasha-solomon nastasha-solomon commented Jul 19, 2026

Copy link
Copy Markdown
Member

Summary

Fixes https://github.com/elastic/docs-content-internal/issues/1493

The Attack Discovery docs lived almost entirely on one large page, with RBAC, manual runs, scheduling, and settings stacked into a single file alongside two loosely-related siblings.

This made it hard to:

  • Know which page to use for a given task, and why.
  • Tell whether a page covered the full set of related functionality or was missing something.
  • Add new 9.5+ content, maintain existing sections, or clearly mark deprecated/removed content without disturbing unrelated sections.

As a result, reviews were harder to scope, content was harder to find, and the reading experience suffered from one page trying to do too much.

What changed

This is solely a change to the existing structure, not a content rewrite. Every existing instruction stays as written, just relocated and occasionally retitled. The major changes are as follows:

  • Content was moved into a dedicated solutions/security/ai/attack-discovery/ folder, split into focused, predictable pages that each own a single task or concept.
  • The new TOC follows the same overview → subtopic pattern used elsewhere in the docs,
    so the section is now consistent with the rest of the site.
  • Redirects were added for every moved/renamed/deleted page and anchor.

Before → After

Before: One monolithic page plus two loosely attached siblings:

security/ai/
├── attack-discovery.md          # Overview + RBAC + manual runs + scheduling, all in one page
├── attacks-page.md
└── triage-attack-discovery-findings.md

After: Dedicated pages for individual tasks, each flows naturally:

security/ai/attack-discovery/
├── attack-discovery.md                    # Overview only
├── rbac.md                                # How to grant access to Attack Discovery (AD)
├── configure-attack-discovery-settings.md # What alerts AD analyzes
├── run-attack-discovery.md                # How and where to trigger AD
│   └── run-from-ui.md                     #   Trigger AD from the UI (manual + scheduled runs)
├── triage-attack-discovery-findings.md    # What to do with discoveries
└── manage-saved-discoveries.md            # Where to manage saved discoveries 
    ├── attacks-page.md                    #   Manage via the Attacks page (1)
    └── manage-discoveries.md              #   Manage via the Attack Discovery page (2)

(1) Page is applicable to users who are on 9.4+/Serverless and have enabled the "Enable alerts and attacks alignment" advanced setting.
(2) Page is applicable to users who are are on 9.4+/Serverless or earlier and are using the default setup/UI for Attack Discovery. It is not users haven't enabled the "Enable alerts and attacks alignment" advanced setting.

Improvements

  • Findability: Each page answers one question, so readers land on exactly the content they need instead of scanning a long page.
  • Reviewability: Future changes touch one small, purpose-built page instead of one large shared one, making diffs and reviews easier to scope.
  • Scalability: New 9.5+ content, or notes about deprecated/removed functionality, now has an obvious, dedicated home instead of competing for space in a single page. New content can be cleanly added to logical sections or pages now too. For example, with this restructure:
  • Consistency: The new TOC mirrors the overview → subtopic structure used across the rest of the docs, instead of being a one-off layout.

Previews

Attack Discovery

Generative AI disclosure

  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?
  • Yes - Cursor + Claude
  • No

@nastasha-solomon nastasha-solomon self-assigned this Jul 19, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Elastic Docs AI PR menu

Check the box to run an AI review for this pull request.

  • Review docs changes (docs-review). Status: not started.

Powered by GitHub Agentic Workflows and docs-actions. For more information, reach out to the docs team.

@github-actions

github-actions Bot commented Jul 19, 2026

Copy link
Copy Markdown
Contributor

🔍 Preview links for changed docs

More links …

@github-actions

Copy link
Copy Markdown
Contributor

Elastic Docs Style Checker (Vale)

Summary: 2 warnings, 4 suggestions found

⚠️ Warnings (2): Fix when the suggestion improves clarity or correctness.
File Line Rule Message
explore-analyze/workflows/use-cases/security/automate-security-operations/ai-driven-alert-triage.md 18 Elastic.Spelling 'triages' is a possible misspelling.
solutions/security/ai/attack-discovery/attack-discovery.md 2 Elastic.MappedPages mapped_pages should only be added or updated in rare scenarios. Talk with your local technical writer before pushing changes to this key.
💡 Suggestions (4): Optional style improvements. Apply when helpful.
File Line Rule Message
solutions/security/ai/attack-discovery/attacks-page.md 20 Elastic.Semicolons Use semicolons judiciously.
solutions/security/ai/attack-discovery/manage-discoveries.md 62 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
solutions/security/ai/attack-discovery/manage-discoveries.md 64 Elastic.Wordiness Consider using 'act' instead of 'Take action'.
solutions/security/ai/identify-investigate-document-threats.md 28 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.

The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant