From ee4e5537adef1611ae59428059f8c402f00ef963 Mon Sep 17 00:00:00 2001
From: May Lee
Date: Thu, 17 Jul 2025 16:58:16 -0400
Subject: [PATCH 01/11] restructure nav and add new landing page folders
---
config/_default/menus/main.en.yaml | 103 +++++++++++-------
.../cloud_siem/detect_and_monitor/_index.md | 6 +
.../cloud_siem/ingest_and_enrich/_index.md | 6 +
.../cloud_siem/respond_and_report/_index.md | 6 +
.../triage_and_investigate/_index.md | 6 +
5 files changed, 88 insertions(+), 39 deletions(-)
create mode 100644 content/en/security/cloud_siem/detect_and_monitor/_index.md
create mode 100644 content/en/security/cloud_siem/ingest_and_enrich/_index.md
create mode 100644 content/en/security/cloud_siem/respond_and_report/_index.md
create mode 100644 content/en/security/cloud_siem/triage_and_investigate/_index.md
diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index 1e1111e5e454c..c71a5c4a98989 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -5956,66 +5956,91 @@ menu: parent: security_platform_heading identifier: cloud_siem weight: 20000 + - name: Ingest and Enrich + url: security/cloud_siem/ingest_and_enrich/ + parent: cloud_siem + identifier: cloud_siem_ingest_and_enrich + weight: 1 - name: Content Packs url: security/cloud_siem/content_packs - parent: cloud_siem + parent: cloud_siem_ingest_and_enrich identifier: cloud_siem_content_packs - weight: 1 - - name: Detection Rules - url: security/cloud_siem/detection_rules + weight: 101 + - name: Threat Intelligence + url: security/cloud_siem/threat_intelligence + parent: cloud_siem_ingest_and_enrich + identifier: cloud_siem_threat_intelligence + weight: 102 + - name: Open Cybersecurity Schema Framework + url: security/cloud_siem/open_cybersecurity_schema_framework + parent: cloud_siem_ingest_and_enrich + identifier: cloud_siem_open_cybersecurity_schema_framework + weight: 103 + - name: Detect and Monitor + url: security/cloud_siem/detect_and_monitor/ parent: cloud_siem - identifier: cloud_siem_detection_rules + identifier: cloud_siem_detect_and_monitor weight: 2 + - name: Custom Detection Rules + url: security/cloud_siem/detect_and_monitor/detection_rules + parent: cloud_siem_detect_and_monitor + identifier: cloud_siem_custom_detection_rules + weight: 201 - name: Signal Correlation Rules url: security/cloud_siem/detection_rules/signal_correlation_rules - parent: cloud_siem_detection_rules + parent: cloud_siem_custom_detection_rules identifier: cloud_siem_signal_correlation_rules - weight: 20500 - - name: MITRE ATT&CK Map - url: security/cloud_siem/detection_rules/mitre_attack_map - parent: cloud_siem_detection_rules - identifier: cloud_siem_mitre_attack_map - weight: 20510 + weight: 2101 - name: OOTB Rules url: /security/default_rules/#cat-cloud-siem-log-detection - parent: cloud_siem + parent: cloud_siem_detect_and_monitor identifier: cloud_siem_default_rules - weight: 4 - - name: Threat Intelligence - url: /security/cloud_siem/threat_intelligence - 
parent: cloud_siem - identifier: cloud_siem_threat_intelligence - weight: 5 - - name: Open Cybersecurity Schema Framework - url: /security/cloud_siem/open_cybersecurity_schema_framework + weight: 202 + - name: Suppressions + url: security/cloud_siem/suppressions/ + parent: cloud_siem_detect_and_monitor + identifier: cloud_siem_suppressions + weight: 203 + - name: Historical Jobs + url: security/cloud_siem/historical_jobs + parent: cloud_siem_detect_and_monitor + identifier: cloud_siem_log_historical_jobs + weight: 204 + - name: MITRE ATT&CK Map + url: security/cloud_siem/detection_rules/mitre_attack_map + parent: cloud_siem_detect_and_monitor + identifier: cloud_siem_mitre_attack_map + weight: 205 + - name: Triage and Investigate + url: security/cloud_siem/triage_and_investigate parent: cloud_siem - identifier: cloud_siem_open_cybersecurity_schema_framework - weight: 5 + identifier: cloud_siem_triage_and_investigate + weight: 3 - name: Investigate Security Signals - url: /security/cloud_siem/investigate_security_signals - parent: cloud_siem + url: security/cloud_siem/triage_and_investigate/investigate_security_signals + parent: cloud_siem_triage_and_investigate identifier: cloud_siem_investigate_security_signals - weight: 6 + weight: 301 + - name: Risk Insights + url: security/cloud_siem/entities_and_risk_scoring + parent: cloud_siem_triage_and_investigate + identifier: cloud_siem_entities_and_risk_scoring + weight: 302 - name: Investigator url: security/cloud_siem/investigator - parent: cloud_siem + parent: cloud_siem_triage_and_investigate identifier: cloud_siem_investigator - weight: 7 - - name: Historical Jobs - url: security/cloud_siem/historical_jobs - parent: cloud_siem - identifier: cloud_siem_log_historical_jobs - weight: 8 - - name: Risk Insights - url: security/cloud_siem/entities_and_risk_scoring + weight: 303 + - name: Respond and Report + url: security/cloud_siem/respond_and_report parent: cloud_siem - identifier: cloud_siem_entities_and_risk_scoring 
- weight: 9 + identifier: cloud_siem_respond_and_report + weight: 4 - name: Security Operational Metrics url: security/cloud_siem/security_operational_metrics/ - parent: cloud_siem + parent: cloud_siem_respond_and_report identifier: siem_security_operational_metrics - weight: 10 + weight: 401 - name: Guides url: security/cloud_siem/guide/ parent: cloud_siem diff --git a/content/en/security/cloud_siem/detect_and_monitor/_index.md b/content/en/security/cloud_siem/detect_and_monitor/_index.md new file mode 100644 index 0000000000000..e7352d88df528 --- /dev/null +++ b/content/en/security/cloud_siem/detect_and_monitor/_index.md @@ -0,0 +1,6 @@ +--- +title: Detect and Monitor +disable_toc: false +--- + +TKTK \ No newline at end of file diff --git a/content/en/security/cloud_siem/ingest_and_enrich/_index.md b/content/en/security/cloud_siem/ingest_and_enrich/_index.md new file mode 100644 index 0000000000000..db8231c18f55e --- /dev/null +++ b/content/en/security/cloud_siem/ingest_and_enrich/_index.md @@ -0,0 +1,6 @@ +--- +title: Ingest and Enrich +disable_toc: false +--- + +TKTK \ No newline at end of file diff --git a/content/en/security/cloud_siem/respond_and_report/_index.md b/content/en/security/cloud_siem/respond_and_report/_index.md new file mode 100644 index 0000000000000..7a1ca29b2f36a --- /dev/null +++ b/content/en/security/cloud_siem/respond_and_report/_index.md @@ -0,0 +1,6 @@ +--- +title: Respond and Report +disable_toc: false +--- + +TKTK \ No newline at end of file diff --git a/content/en/security/cloud_siem/triage_and_investigate/_index.md b/content/en/security/cloud_siem/triage_and_investigate/_index.md new file mode 100644 index 0000000000000..0afdf83e84707 --- /dev/null +++ b/content/en/security/cloud_siem/triage_and_investigate/_index.md @@ -0,0 +1,6 @@ +--- +title: Triage and Investigate +disable_toc: false +--- + +TKTK \ No newline at end of file From 37efa25fc130ff3fe29f1084f19b81c05249a23d Mon Sep 17 00:00:00 2001 
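Review bot: The four new landing-page entries in this hunk disagree on trailing slashes — `url: security/cloud_siem/ingest_and_enrich/` and `url: security/cloud_siem/detect_and_monitor/` end with `/`, while `url: security/cloud_siem/triage_and_investigate` and `url: security/cloud_siem/respond_and_report` do not; normalise them, e.g. `url: security/cloud_siem/triage_and_investigate/` and `url: security/cloud_siem/respond_and_report/`, since a nav partial that matches the current page path against the menu url (patch 04 touches `layouts/partials/nav/left-nav.html`) may otherwise fail to mark the active section. The `Custom Detection Rules` entry points at `security/cloud_siem/detect_and_monitor/detection_rules` and `Signal Correlation Rules` at `security/cloud_siem/detection_rules/signal_correlation_rules`, but this patch moves no content; those paths are only corrected in patches 03 and 04, so the site is not consistent at this commit and the move hunks would be better squashed into this one. The four `_index.md` landing pages the new top-level entries link to ship with `TKTK` as their only body text, so this nav change should not be merged until those pages carry real content or the entries are held back as drafts.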
From: May Lee Date: Thu, 17 Jul 2025 17:19:26 -0400 Subject: [PATCH 02/11] move i and e docs and r and r docs --- config/_default/menus/main.en.yaml | 8 ++++---- .../cloud_siem/{ => ingest_and_enrich}/content_packs.md | 2 ++ .../open_cybersecurity_schema_framework.md | 2 ++ .../{ => ingest_and_enrich}/threat_intelligence.md | 2 ++ .../security_operational_metrics.md | 2 ++ 5 files changed, 12 insertions(+), 4 deletions(-) rename content/en/security/cloud_siem/{ => ingest_and_enrich}/content_packs.md (97%) rename content/en/security/cloud_siem/{ => ingest_and_enrich}/open_cybersecurity_schema_framework.md (98%) rename content/en/security/cloud_siem/{ => ingest_and_enrich}/threat_intelligence.md (99%) rename content/en/security/cloud_siem/{ => respond_and_report}/security_operational_metrics.md (98%) diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index c71a5c4a98989..71b218751ffb9 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -5962,17 +5962,17 @@ menu: identifier: cloud_siem_ingest_and_enrich weight: 1 - name: Content Packs - url: security/cloud_siem/content_packs + url: security/cloud_siem/ingest_and_enrich/content_packs parent: cloud_siem_ingest_and_enrich identifier: cloud_siem_content_packs weight: 101 - name: Threat Intelligence - url: security/cloud_siem/threat_intelligence + url: security/cloud_siem/ingest_and_enrich/threat_intelligence parent: cloud_siem_ingest_and_enrich identifier: cloud_siem_threat_intelligence weight: 102 - name: Open Cybersecurity Schema Framework - url: security/cloud_siem/open_cybersecurity_schema_framework + url: security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework parent: cloud_siem_ingest_and_enrich identifier: cloud_siem_open_cybersecurity_schema_framework weight: 103 
@@ -6037,7 +6037,7 @@ menu: identifier: cloud_siem_respond_and_report weight: 4 - name: Security Operational Metrics - url: security/cloud_siem/security_operational_metrics/ + url: security/cloud_siem/respond_and_report/security_operational_metrics parent: cloud_siem_respond_and_report identifier: siem_security_operational_metrics weight: 401 diff --git a/content/en/security/cloud_siem/content_packs.md b/content/en/security/cloud_siem/ingest_and_enrich/content_packs.md similarity index 97% rename from content/en/security/cloud_siem/content_packs.md rename to content/en/security/cloud_siem/ingest_and_enrich/content_packs.md index f972302dad4a4..b9dc1297c6b77 100644 --- a/content/en/security/cloud_siem/content_packs.md +++ b/content/en/security/cloud_siem/ingest_and_enrich/content_packs.md @@ -1,6 +1,8 @@ --- title: Content Packs disable_toc: true +aliases: + - /security/cloud_siem/content_packs further_reading: - link: "/security/cloud_siem/detection_rules" tag: "Documentation" diff --git a/content/en/security/cloud_siem/open_cybersecurity_schema_framework.md b/content/en/security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework.md similarity index 98% rename from content/en/security/cloud_siem/open_cybersecurity_schema_framework.md rename to content/en/security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework.md index 00a20aa7bdcd1..ac092cbe14258 100644 --- a/content/en/security/cloud_siem/open_cybersecurity_schema_framework.md +++ b/content/en/security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework.md @@ -1,6 +1,8 @@ --- title: Open Cybersecurity Schema Framework (OCSF) Common Data Model in Datadog disable_toc: false +aliases: + - /security/cloud_siem/open_cybersecurity_schema_framework further_reading: - link: "logs/processing/pipelines" tag: "Documentation" 
diff --git a/content/en/security/cloud_siem/threat_intelligence.md b/content/en/security/cloud_siem/ingest_and_enrich/threat_intelligence.md similarity index 99% rename from content/en/security/cloud_siem/threat_intelligence.md rename to content/en/security/cloud_siem/ingest_and_enrich/threat_intelligence.md index b0071ec3c9752..56012e86eb67e 100644 --- a/content/en/security/cloud_siem/threat_intelligence.md +++ b/content/en/security/cloud_siem/ingest_and_enrich/threat_intelligence.md @@ -1,6 +1,8 @@ --- title: Threat Intelligence disable_toc: false +aliases: + - /security/cloud_siem/threat_intelligence further_reading: - link: "security/cloud_siem/detection_rules" tag: "Documentation" diff --git a/content/en/security/cloud_siem/security_operational_metrics.md b/content/en/security/cloud_siem/respond_and_report/security_operational_metrics.md similarity index 98% rename from content/en/security/cloud_siem/security_operational_metrics.md rename to content/en/security/cloud_siem/respond_and_report/security_operational_metrics.md index edad03de2df6b..bf2091ed65015 100644 --- a/content/en/security/cloud_siem/security_operational_metrics.md +++ b/content/en/security/cloud_siem/respond_and_report/security_operational_metrics.md @@ -1,6 +1,8 @@ --- title: Security Operational Metrics disable_toc: false +aliases: + - /security/cloud_siem/security_operational_metrics further_reading: - link: "security/cloud_siem/investigate_security_signals" tag: "Documentation" From 3c1ef2b1d723feab98e43aa5bdf1e4b0bd18b410 Mon Sep 17 00:00:00 2001 
From: May Lee Date: Thu, 7 Aug 2025 12:10:59 -0400 Subject: [PATCH 03/11] move custom detection rules --- config/_default/menus/main.en.yaml | 2 +- content/en/getting_started/security/cloud_siem.md | 4 ++-- content/en/integrations/guide/amazon-eks-audit-logs.md | 4 ++-- .../custom_detection_rules}/_index.md | 3 ++- .../security/cloud_siem/detection_rules/mitre_attack_map.md | 4 ++-- .../guide/automate-the-remediation-of-detected-threats.md | 4 ++-- .../cloud_siem/guide/aws-config-guide-for-cloud-siem.md | 2 +- .../cloud_siem/guide/azure-config-guide-for-cloud-siem.md | 2 +- .../guide/google-cloud-config-guide-for-cloud-siem.md | 2 +- content/en/security/detection_rules/_index.md | 2 +- .../security/threats/workload_security_rules/custom_rules.md | 2 +- .../workload_security_rules/custom_rules.md | 2 +- 12 files changed, 17 insertions(+), 16 deletions(-) rename content/en/security/cloud_siem/{detection_rules => detect_and_monitor/custom_detection_rules}/_index.md (99%) diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index c144a7227cac2..0f59ab6ef9bd4 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -6053,7 +6053,7 @@ menu: identifier: cloud_siem_detect_and_monitor weight: 2 - name: Custom Detection Rules - url: security/cloud_siem/detect_and_monitor/detection_rules + url: security/cloud_siem/detect_and_monitor/custom_detection_rules parent: cloud_siem_detect_and_monitor identifier: cloud_siem_custom_detection_rules weight: 201 diff --git a/content/en/getting_started/security/cloud_siem.md b/content/en/getting_started/security/cloud_siem.md index 1195753653687..eebff3a0946c1 100644 --- a/content/en/getting_started/security/cloud_siem.md +++ b/content/en/getting_started/security/cloud_siem.md 
@@ -140,7 +140,7 @@ Contact [support][26] to disable Cloud SIEM. [20]: /security/cloud_siem/investigator [21]: https://app.datadoghq.com/dashboard/lists/preset/100 [22]: /dashboards/#overview -[23]: /security/cloud_siem/detection_rules/?tab=threshold#advanced-options -[24]: /security/cloud_siem/detection_rules/ +[23]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#advanced-options +[24]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/ [25]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/ [26]: /help/ \ No newline at end of file diff --git a/content/en/integrations/guide/amazon-eks-audit-logs.md b/content/en/integrations/guide/amazon-eks-audit-logs.md index dbfd8deb55f3b..3fe08f788bc75 100644 --- a/content/en/integrations/guide/amazon-eks-audit-logs.md +++ b/content/en/integrations/guide/amazon-eks-audit-logs.md @@ -76,10 +76,10 @@ To create a rule, navigate to the in-app [Rule Setup and Configuration][13] page [5]: /logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/?tab=awsconsole#set-up-triggers [6]: https://console.aws.amazon.com/lambda/home#/functions [7]: https://app.datadoghq.com/logs -[8]: /security/cloud_siem/detection_rules/ +[8]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/ [9]: /getting_started/cloud_siem/#phase-2-signal-exploration [10]: https://app.datadoghq.com/security [11]: /security/default_rules/#cat-cloud-siem [12]: /security/detection_rules/#creating-and-managing-detection-rules [13]: https://app.datadoghq.com/security/configuration/rules/new?product=siem -[14]: /security/cloud_siem/detection_rules/?tab=threshold#choose-a-detection-method +[14]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#choose-a-detection-method 
diff --git a/content/en/security/cloud_siem/detection_rules/_index.md b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/_index.md similarity index 99% rename from content/en/security/cloud_siem/detection_rules/_index.md rename to content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/_index.md index dfb7a54c1e613..55f87eeca86b0 100644 --- a/content/en/security/cloud_siem/detection_rules/_index.md +++ b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/_index.md @@ -1,5 +1,5 @@ --- -title: Detection Rules +title: Custom Detection Rules type: documentation aliases: - /security_platform/detection_rules/cloud_siem @@ -11,6 +11,7 @@ aliases: - /security/detection_rules/security_monitoring - /security/detection_rules/create_a_new_rule - /security/cloud_siem/log_detection_rules/ + - /security/cloud_siem/detection_rules/ further_reading: - link: "/cloud_siem/default_rules/" tag: "Documentation" diff --git a/content/en/security/cloud_siem/detection_rules/mitre_attack_map.md b/content/en/security/cloud_siem/detection_rules/mitre_attack_map.md index 38eace9a457c9..4f6066e6db01d 100644 --- a/content/en/security/cloud_siem/detection_rules/mitre_attack_map.md +++ b/content/en/security/cloud_siem/detection_rules/mitre_attack_map.md @@ -4,7 +4,7 @@ disable_toc: false aliases: - /security/cloud_siem/detection_rules/attack_map further_reading: -- link: "/security/cloud_siem/detection_rules/" +- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/" tag: "Documentation" text: "Create custom detection rules" - link: "https://www.datadoghq.com/blog/cloud-siem-mitre-attack-map/" 
@@ -63,4 +63,4 @@ This is an example of the format you need to use for tagging custom rules and th [1]: https://app.datadoghq.com/security/rules [2]: https://docs.datadoghq.com/security/cloud_siem/guide/how-to-setup-security-filters-using-cloud-siem-api/ [3]: https://app.datadoghq.com/security/rules?query=product=siem&sort=date&viz=attck-map -[4]: https://docs.datadoghq.com/security/cloud_siem/detection_rules/?tab=threshold +[4]: https://docs.datadoghq.com/security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold diff --git a/content/en/security/cloud_siem/guide/automate-the-remediation-of-detected-threats.md b/content/en/security/cloud_siem/guide/automate-the-remediation-of-detected-threats.md index 3e41b9f95d1bf..14d7328ca28eb 100644 --- a/content/en/security/cloud_siem/guide/automate-the-remediation-of-detected-threats.md +++ b/content/en/security/cloud_siem/guide/automate-the-remediation-of-detected-threats.md @@ -94,6 +94,6 @@ Datadog generates the Security Signal, which details the offense as well as the [2]: https://app.datadoghq.com/account/settings#integrations/webhooks [3]: /security/detection_rules/ [4]: https://www.datadoghq.com/blog/new-term-detection-method-datadog/ -[5]: /security/cloud_siem/detection_rules/?tab=threshold#new-value +[5]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#new-value [6]: https://www.datadoghq.com/blog/detect-abuse-of-functionality-with-datadog/ -[7]: /security/cloud_siem/detection_rules/?tab=threshold#define-a-search-query \ No newline at end of file +[7]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#define-a-search-query \ No newline at end of file diff --git a/content/en/security/cloud_siem/guide/aws-config-guide-for-cloud-siem.md b/content/en/security/cloud_siem/guide/aws-config-guide-for-cloud-siem.md index 48b4c55aba0ca..dc176ab158b06 100644 --- a/content/en/security/cloud_siem/guide/aws-config-guide-for-cloud-siem.md 
+++ b/content/en/security/cloud_siem/guide/aws-config-guide-for-cloud-siem.md @@ -7,7 +7,7 @@ further_reading: - link: "/security/cloud_siem/investigate_security_signals" tag: "Documentation" text: "Learn about the Security Signals Explorer" -- link: "/security/cloud_siem/detection_rules/" +- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/" tag: "Documentation" text: "Create new detection rules" - link: "/getting_started/integrations/aws/" diff --git a/content/en/security/cloud_siem/guide/azure-config-guide-for-cloud-siem.md b/content/en/security/cloud_siem/guide/azure-config-guide-for-cloud-siem.md index e1a1dbf297d0d..bce4bdadc96be 100644 --- a/content/en/security/cloud_siem/guide/azure-config-guide-for-cloud-siem.md +++ b/content/en/security/cloud_siem/guide/azure-config-guide-for-cloud-siem.md @@ -7,7 +7,7 @@ further_reading: - link: "/security/cloud_siem/investigate_security_signals" tag: "Documentation" text: "Learn about the Security Signals Explorer" -- link: "/security/cloud_siem/detection_rules/" +- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/" tag: "Documentation" text: "Create new detection rules" --- diff --git a/content/en/security/cloud_siem/guide/google-cloud-config-guide-for-cloud-siem.md b/content/en/security/cloud_siem/guide/google-cloud-config-guide-for-cloud-siem.md index ad6de03ce6c54..ab1be1a56b3ef 100644 --- a/content/en/security/cloud_siem/guide/google-cloud-config-guide-for-cloud-siem.md +++ b/content/en/security/cloud_siem/guide/google-cloud-config-guide-for-cloud-siem.md @@ -7,7 +7,7 @@ further_reading: - link: "/security/cloud_siem/investigate_security_signals" tag: "Documentation" text: "Learn about the Security Signals Explorer" -- link: "/security/cloud_siem/detection_rules/" +- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/" tag: "Documentation" text: "Create new detection rules" - link: "/integrations/google_cloud_platform/#log-collection" 
diff --git a/content/en/security/detection_rules/_index.md b/content/en/security/detection_rules/_index.md index 4190d3e92682a..f012992a58215 100644 --- a/content/en/security/detection_rules/_index.md +++ b/content/en/security/detection_rules/_index.md @@ -170,7 +170,7 @@ The rule deprecation process is as follows: [8]: /tracing/ [9]: /agent/ [10]: https://app.datadoghq.com/security/configuration/ -[11]: /security/cloud_siem/detection_rules/ +[11]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/ [12]: /security/application_security/policies/custom_rules/ [13]: /security/cloud_security_management/misconfigurations/custom_rules [14]: /security/workload_protection/workload_security_rules?tab=host#create-custom-rules diff --git a/content/en/security/threats/workload_security_rules/custom_rules.md b/content/en/security/threats/workload_security_rules/custom_rules.md index 7c1c06de21497..2471697f33184 100644 --- a/content/en/security/threats/workload_security_rules/custom_rules.md +++ b/content/en/security/threats/workload_security_rules/custom_rules.md @@ -266,7 +266,7 @@ You can also disable a rule by setting the **Then...** section of a rule to **Do [6]: https://app.datadoghq.com/security/configuration/workload/agent-rules [7]: /security/workload_protection/workload_security_rules [8]: /security/workload_protection/ -[9]: /security/cloud_siem/detection_rules/?tab=threshold#set-a-rule-case +[9]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#set-a-rule-case [10]: https://app.datadoghq.com/notebook/list?type=runbook [11]: /account_management/rbac/permissions/ [12]: /security/workload_protection/guide/active-protection diff --git a/content/en/security/workload_protection/workload_security_rules/custom_rules.md b/content/en/security/workload_protection/workload_security_rules/custom_rules.md index 699b2494ccbc8..88878e60cc3e5 100644 --- a/content/en/security/workload_protection/workload_security_rules/custom_rules.md 
+++ b/content/en/security/workload_protection/workload_security_rules/custom_rules.md @@ -233,7 +233,7 @@ You can also disable a rule by setting the **Then...** section of a rule to **Do [6]: https://app.datadoghq.com/security/configuration/workload/agent-rules [7]: /security/workload_protection/workload_security_rules [8]: /security/workload_protection/ -[9]: /security/cloud_siem/detection_rules/?tab=threshold#set-a-rule-case +[9]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#set-a-rule-case [10]: https://app.datadoghq.com/notebook/list?type=runbook [11]: /account_management/rbac/permissions/ [12]: /security/workload_protection/guide/active-protection From ec7149e938d612f19ca57e368d32f9cbff9a82b7 Mon Sep 17 00:00:00 2001 From: May Lee Date: Thu, 7 Aug 2025 12:45:36 -0400 Subject: [PATCH 04/11] move signal correlation --- config/_default/menus/main.en.yaml | 2 +- .../custom_detection_rules}/signal_correlation_rules.md | 1 + layouts/partials/nav/left-nav.html | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) rename content/en/security/cloud_siem/{detection_rules => detect_and_monitor/custom_detection_rules}/signal_correlation_rules.md (98%) diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 0f59ab6ef9bd4..0a8fe1116058f 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -6058,7 +6058,7 @@ menu: identifier: cloud_siem_custom_detection_rules weight: 201 - name: Signal Correlation Rules - url: security/cloud_siem/detection_rules/signal_correlation_rules + url: security/cloud_siem/detect_and_monitor/custom_detection_rules/signal_correlation_rules parent: cloud_siem_custom_detection_rules identifier: cloud_siem_signal_correlation_rules weight: 2101 
diff --git a/content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/signal_correlation_rules.md similarity index 98% rename from content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md rename to content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/signal_correlation_rules.md index 724924728d96a..7751734c88ce9 100644 --- a/content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md +++ b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/signal_correlation_rules.md @@ -4,6 +4,7 @@ type: documentation aliases: - /security_platform/cloud_siem/signal_correlation_rules - /security/cloud_siem/signal_correlation_rules + - /security/cloud_siem/detection_rules/signal_correlation_rules further_reading: - link: "/cloud_siem/explorer/" tag: "Documentation" diff --git a/layouts/partials/nav/left-nav.html b/layouts/partials/nav/left-nav.html index 6600d00011ca5..dfb1d66b0555c 100644 --- a/layouts/partials/nav/left-nav.html +++ b/layouts/partials/nav/left-nav.html @@ -69,8 +69,8 @@