From 5c7b7e366d9ca5c048a4641b518f39ac975727cf Mon Sep 17 00:00:00 2001
From: Martijn Laarman
Date: Wed, 22 Apr 2026 21:45:05 +0200
Subject: [PATCH] docs: add preface for deprecated prebuilt detection rules page

Adds deprecated-rules.md to provide introductory content for the auto-generated deprecated rules listing on the docs site. Also wires it into docset.yml via the deprecated_file field so docs-builder uses it as the page header.

Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 docs/deprecated-rules.md | 25 +++++++++++++++++++++++++
 docs/docset.yml | 1 +
 2 files changed, 26 insertions(+)
 create mode 100644 docs/deprecated-rules.md

diff --git a/docs/deprecated-rules.md b/docs/deprecated-rules.md
new file mode 100644
index 00000000000..0134cfe0ffb
--- /dev/null
+++ b/docs/deprecated-rules.md
@@ -0,0 +1,25 @@
+# Deprecated prebuilt detection rules
+
+Elastic periodically retires prebuilt detection rules that have been superseded by improved coverage, renamed, or are no longer relevant to current threat landscapes. Deprecated rules are moved to a separate category rather than deleted so that users who have customized or enabled them retain a reference.
+
+## What happens to deprecated rules
+
+Deprecated rules continue to function normally if you have enabled them. Elastic no longer maintains them, which means:
+
+- They do not receive threat intelligence updates or query improvements.
+- They may not reflect current data source field names or index patterns.
+- They are not tested against new Elastic Stack releases.
+
+## Recommended actions
+
+When a rule is deprecated, Elastic typically provides a replacement rule with improved detection logic. To transition:
+
+1. Identify the replacement rule using the rule name or description references in the deprecated rule's documentation.
+2. Enable the replacement rule and tune it to your environment.
+3. Once satisfied with the replacement, you can disable or delete the deprecated rule.
+
+If no replacement is listed, the threat the rule addressed may no longer be relevant, or coverage may have been incorporated into a broader rule.
+
+## Managing deprecated rules in Kibana
+
+To view and manage deprecated rules in Kibana, go to **Security → Rules → Detection Rules** and filter by the **Deprecated** tag. See [manage detection rules](docs-content://solutions/security/detect-and-alert/manage-detection-rules.md) for full instructions.
diff --git a/docs/docset.yml b/docs/docset.yml
index 9b2e80552e3..eb63388a545 100644
--- a/docs/docset.yml
+++ b/docs/docset.yml
@@ -15,6 +15,7 @@ extensions:
 toc:
 - file: index.md
 detection_rules: ['../rules', '../rules_building_block']
+ deprecated_file: deprecated-rules.md
 - folder: audit_policies/windows
 children:
 - file: readme.md
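Review bot: The added `deprecated_file: deprecated-rules.md` in the docset.yml hunk leaves the path as a plain scalar while the sibling `detection_rules` entry on the line above quotes its paths; for consistency within the stanza I would write `deprecated_file: 'deprecated-rules.md'`. The commit message says docs-builder uses this file as the page header, but the hunk alone does not show whether the value is resolved relative to docset.yml or to the docs root, so it is worth confirming that `deprecated-rules.md` (which sits next to docset.yml) is found and not silently ignored when unresolved. The `toc` stanza this line belongs to starts and ends outside the hunk.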