[DOCS-11549] Cloud SIEM docs restructure

config/_default/menus/main.en.yaml

@@ -6032,66 +6032,91 @@ menu:
       parent: security_platform_heading
       identifier: cloud_siem
       weight: 20000
-    - name: Content Packs
-      url: security/cloud_siem/content_packs
+    - name: Ingest and Enrich
+      url: security/cloud_siem/ingest_and_enrich/
       parent: cloud_siem
-      identifier: cloud_siem_content_packs
+      identifier: cloud_siem_ingest_and_enrich
       weight: 1
-    - name: Detection Rules
-      url: security/cloud_siem/detection_rules
+    - name: Content Packs
+      url: security/cloud_siem/ingest_and_enrich/content_packs
+      parent: cloud_siem_ingest_and_enrich
+      identifier: cloud_siem_content_packs
+      weight: 101
+    - name: Threat Intelligence
+      url: security/cloud_siem/ingest_and_enrich/threat_intelligence
+      parent: cloud_siem_ingest_and_enrich
+      identifier: cloud_siem_threat_intelligence
+      weight: 102
+    - name: Open Cybersecurity Schema Framework
+      url: security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework
+      parent: cloud_siem_ingest_and_enrich
+      identifier: cloud_siem_open_cybersecurity_schema_framework
+      weight: 103
+    - name: Detect and Monitor
+      url: security/cloud_siem/detect_and_monitor/
       parent: cloud_siem
-      identifier: cloud_siem_detection_rules
+      identifier: cloud_siem_detect_and_monitor
       weight: 2
-    - name: Signal Correlation Rules
-      url: security/cloud_siem/detection_rules/signal_correlation_rules
-      parent: cloud_siem_detection_rules
+    - name: Custom Detection Rules
+      url: security/cloud_siem/detect_and_monitor/custom_detection_rules
+      parent: cloud_siem_detect_and_monitor
+      identifier: cloud_siem_custom_detection_rules
+      weight: 201
+    - name: Signal Correlation
+      url: security/cloud_siem/detect_and_monitor/custom_detection_rules/signal_correlation_rules
+      parent: cloud_siem_custom_detection_rules
       identifier: cloud_siem_signal_correlation_rules
-      weight: 20500
-    - name: MITRE ATT&CK Map
-      url: security/cloud_siem/detection_rules/mitre_attack_map
-      parent: cloud_siem_detection_rules
-      identifier: cloud_siem_mitre_attack_map
-      weight: 20510
+      weight: 2101
     - name: OOTB Rules
       url: /security/default_rules/#cat-cloud-siem-log-detection
-      parent: cloud_siem
+      parent: cloud_siem_detect_and_monitor
       identifier: cloud_siem_default_rules
-      weight: 4
-    - name: Threat Intelligence
-      url: /security/cloud_siem/threat_intelligence
-      parent: cloud_siem
-      identifier: cloud_siem_threat_intelligence
-      weight: 5
-    - name: Open Cybersecurity Schema Framework
-      url: /security/cloud_siem/open_cybersecurity_schema_framework
+      weight: 202
+    - name: Suppressions
+      url: security/cloud_siem/detect_and_monitor/suppressions
+      parent: cloud_siem_detect_and_monitor
+      identifier: cloud_siem_suppressions
+      weight: 203
+    - name: Historical Jobs
+      url: security/cloud_siem/detect_and_monitor/historical_jobs
+      parent: cloud_siem_detect_and_monitor
+      identifier: cloud_siem_log_historical_jobs
+      weight: 204
+    - name: MITRE ATT&CK Map
+      url: security/cloud_siem/detect_and_monitor/mitre_attack_map
+      parent: cloud_siem_detect_and_monitor
+      identifier: cloud_siem_mitre_attack_map
+      weight: 205
+    - name: Triage and Investigate
+      url: security/cloud_siem/triage_and_investigate
       parent: cloud_siem
-      identifier: cloud_siem_open_cybersecurity_schema_framework
-      weight: 5
+      identifier: cloud_siem_triage_and_investigate
+      weight: 3
     - name: Investigate Security Signals
-      url: /security/cloud_siem/investigate_security_signals
-      parent: cloud_siem
+      url: security/cloud_siem/triage_and_investigate/investigate_security_signals
+      parent: cloud_siem_triage_and_investigate
       identifier: cloud_siem_investigate_security_signals
-      weight: 6
+      weight: 301
+    - name: Risk Insights
+      url: security/cloud_siem/triage_and_investigate/entities_and_risk_scoring
+      parent: cloud_siem_triage_and_investigate
+      identifier: cloud_siem_entities_and_risk_scoring
+      weight: 302
     - name: Investigator
-      url: security/cloud_siem/investigator
-      parent: cloud_siem
+      url: security/cloud_siem/triage_and_investigate/investigator
+      parent: cloud_siem_triage_and_investigate
       identifier: cloud_siem_investigator
-      weight: 7
-    - name: Historical Jobs
-      url: security/cloud_siem/historical_jobs
-      parent: cloud_siem
-      identifier: cloud_siem_log_historical_jobs
-      weight: 8
-    - name: Risk Insights
-      url: security/cloud_siem/entities_and_risk_scoring
+      weight: 303
+    - name: Respond and Report
+      url: security/cloud_siem/respond_and_report
       parent: cloud_siem
-      identifier: cloud_siem_entities_and_risk_scoring
-      weight: 9
+      identifier: cloud_siem_respond_and_report
+      weight: 4
     - name: Security Operational Metrics
-      url: security/cloud_siem/security_operational_metrics/
-      parent: cloud_siem
+      url: security/cloud_siem/respond_and_report/security_operational_metrics
+      parent: cloud_siem_respond_and_report
       identifier: siem_security_operational_metrics
-      weight: 10
+      weight: 401
     - name: Guides
       url: security/cloud_siem/guide/
       parent: cloud_siem

content/en/getting_started/integrations/aws.md

@@ -279,7 +279,7 @@ If you encounter the error `Datadog is not authorized to perform sts:AssumeRole`
 [49]: /watchdog/
 [50]: /getting_started/cloud_siem/
 [51]: /security/default_rules/#cat-log-detection
-[52]: /security/cloud_siem/investigate_security_signals
+[52]: /security/cloud_siem/triage_and_investigate/investigate_security_signals
 [53]: /security/notifications/rules/
 [54]: /security/cloud_security_management/setup/
 [55]: /security/default_rules/#cat-posture-management-cloud

content/en/getting_started/security/cloud_siem.md

@@ -132,15 +132,15 @@ Contact [support][26] to disable Cloud SIEM.
 [12]: /security/default_rules/#cat-cloud-siem-log-detection
 [13]: /security/detection_rules/
 [14]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%28%22Log%20Detection%22%20OR%20%22Signal%20Correlation%22%29&column=time&order=desc&product=siem&view=signal&viz=stream&start=1676321431953&end=1676407831953&paused=false
-[15]: /security/cloud_siem/investigate_security_signals
+[15]: /security/cloud_siem/triage_and_investigate/investigate_security_signals
 [16]: https://app.datadoghq.com/security/configuration/notification-rules
 [17]: /security/notifications/rules/
 [18]: https://app.datadoghq.com/security/configuration/reports
 [19]: https://app.datadoghq.com/security/investigator/
-[20]: /security/cloud_siem/investigator
+[20]: /security/cloud_siem/triage_and_investigate/investigator
 [21]: https://app.datadoghq.com/dashboard/lists/preset/100
 [22]: /dashboards/#overview
 [23]: /security/suppressions/
-[24]: /security/cloud_siem/detection_rules/
+[24]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/
 [25]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/
 [26]: /help/

content/en/integrations/guide/amazon-eks-audit-logs.md

@@ -76,10 +76,10 @@ To create a rule, navigate to the in-app [Rule Setup and Configuration][13] page
 [5]: /logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/?tab=awsconsole#set-up-triggers
 [6]: https://console.aws.amazon.com/lambda/home#/functions
 [7]: https://app.datadoghq.com/logs
-[8]: /security/cloud_siem/detection_rules/
+[8]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/
 [9]: /getting_started/cloud_siem/#phase-2-signal-exploration
 [10]: https://app.datadoghq.com/security
 [11]: /security/default_rules/#cat-cloud-siem
 [12]: /security/detection_rules/#creating-and-managing-detection-rules
 [13]: https://app.datadoghq.com/security/configuration/rules/new?product=siem
-[14]: /security/cloud_siem/detection_rules/?tab=threshold#choose-a-detection-method
+[14]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#choose-a-detection-method

content/en/security/cloud_siem/_index.md

@@ -258,6 +258,11 @@ See which rules are the noisiest by calculating the percentage of signals that a
 
 {{< partial name="whats-next/whats-next.html" >}}
 
+<<<<<<< HEAD
+[1]: /security/cloud_siem/triage_and_investigate/investigate_security_signals
+[2]: /security/default_rules#cat-cloud-siem
+[3]: /security/detection_rules
+=======
 [1]: https://securitylabs.datadoghq.com/
 [2]: https://www.datadoghq.com/product/cloud-siem/
 [3]: https://app.datadoghq.com/security/home?
@@ -268,4 +273,5 @@ See which rules are the noisiest by calculating the percentage of signals that a
 [8]: /logs/log_configuration/archives/
 [9]: /security/cloud_siem/content_packs/
 [10]: /logs/explorer/search_syntax/
-[11]: /logs/explorer/
+[11]: /logs/explorer/
+>>>>>>> master

content/en/security/cloud_siem/detect_and_monitor/_index.md

@@ -0,0 +1,6 @@
+---
+title: Detect and Monitor
+disable_toc: false
+---
+
+TKTK

content/en/security/cloud_siem/detection_rules/_index.md → content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/_index.md

@@ -1,5 +1,5 @@
 ---
-title: Detection Rules
+title: Custom Detection Rules
 type: documentation
 aliases:
  - /security_platform/detection_rules/cloud_siem
@@ -11,6 +11,7 @@ aliases:
  - /security/detection_rules/security_monitoring
  - /security/detection_rules/create_a_new_rule
  - /security/cloud_siem/log_detection_rules/
+ - /security/cloud_siem/detection_rules/
 further_reading:
 - link: "/cloud_siem/default_rules/"
   tag: "Documentation"
@@ -439,5 +440,5 @@ The rule deprecation process is as follows:
 [2]: /security/detection_rules/#clone-a-rule
 [3]: https://app.datadoghq.com/logs/
 [4]: https://app.datadoghq.com/security/rules
-[5]: /security/cloud_siem/historical_jobs/
+[5]: /security/cloud_siem/detect_and_monitor/historical_jobs/
 [6]: /security/default_rules/?category=cat-cloud-siem-log-detection#all

content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md → content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/signal_correlation_rules.md

@@ -4,6 +4,7 @@ type: documentation
 aliases:
  - /security_platform/cloud_siem/signal_correlation_rules
  - /security/cloud_siem/signal_correlation_rules
+ - /security/cloud_siem/detection_rules/signal_correlation_rules
 further_reading:
 - link: "/cloud_siem/explorer/"
   tag: "Documentation"

content/en/security/cloud_siem/historical_jobs.md → content/en/security/cloud_siem/detect_and_monitor/historical_jobs.md

@@ -1,5 +1,7 @@
 ---
 title: Historical Jobs
+aliases:
+    - /security/cloud_siem/historical_jobs/
 further_reading:
 - link: "https://www.datadoghq.com/blog/cloud-siem-historical-jobs/"
   tag: "Blog"

content/en/security/cloud_siem/detection_rules/mitre_attack_map.md → content/en/security/cloud_siem/detect_and_monitor/mitre_attack_map.md

@@ -3,8 +3,9 @@ title: MITRE ATT&CK Map
 disable_toc: false
 aliases:
   - /security/cloud_siem/detection_rules/attack_map
+  - /security/cloud_siem/detection_rules/mitre_attack_map
 further_reading:
-- link: "/security/cloud_siem/detection_rules/"
+- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/"
   tag: "Documentation"
   text: "Create custom detection rules"
 - link: "https://www.datadoghq.com/blog/cloud-siem-mitre-attack-map/"
@@ -63,4 +64,4 @@ This is an example of the format you need to use for tagging custom rules and th
 [1]: https://app.datadoghq.com/security/rules
 [2]: https://docs.datadoghq.com/security/cloud_siem/guide/how-to-setup-security-filters-using-cloud-siem-api/
 [3]: https://app.datadoghq.com/security/rules?query=product=siem&sort=date&viz=attck-map
-[4]: https://docs.datadoghq.com/security/cloud_siem/detection_rules/?tab=threshold
+[4]: https://docs.datadoghq.com/security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold

content/en/security/cloud_siem/detect_and_monitor/suppressions.md

@@ -0,0 +1,6 @@
+---
+title: Suppressions
+disable_toc: false
+---
+
+{{< include-markdown "security/suppressions" >}}

content/en/security/cloud_siem/guide/automate-the-remediation-of-detected-threats.md

@@ -1,7 +1,7 @@
 ---
 title: Automate the Remediation of Detected Threats with Webhooks
 further_reading:
-- link: "/security/cloud_siem/investigate_security_signals"
+- link: "/security/cloud_siem/triage_and_investigate/investigate_security_signals"
   tag: "Documentation"
   text: "Start investigating signals in the Signals Explorer"
 aliases:
@@ -94,6 +94,6 @@ Datadog generates the Security Signal, which details the offense as well as the
 [2]: https://app.datadoghq.com/account/settings#integrations/webhooks
 [3]: /security/detection_rules/
 [4]: https://www.datadoghq.com/blog/new-term-detection-method-datadog/
-[5]: /security/cloud_siem/detection_rules/?tab=threshold#new-value
+[5]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#new-value
 [6]: https://www.datadoghq.com/blog/detect-abuse-of-functionality-with-datadog/
-[7]: /security/cloud_siem/detection_rules/?tab=threshold#define-a-search-query
+[7]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#define-a-search-query

content/en/security/cloud_siem/guide/aws-config-guide-for-cloud-siem.md

@@ -4,10 +4,10 @@ further_reading:
 - link: "/security/default_rules/#cat-cloud-siem-log-detection"
   tag: "Documentation"
   text: "Explore Cloud SIEM default detection rules"
-- link: "/security/cloud_siem/investigate_security_signals"
+- link: "/security/cloud_siem/triage_and_investigate/investigate_security_signals"
   tag: "Documentation"
   text: "Learn about the Security Signals Explorer"
-- link: "/security/cloud_siem/detection_rules/"
+- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/"
   tag: "Documentation"
   text: "Create new detection rules"
 - link: "/getting_started/integrations/aws/"
@@ -64,7 +64,7 @@ Since Cloud SIEM applies detection rules to all processed logs, see the [in-app
 
 [1]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%22Log%20Detection%22
 [9]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%28%22Log%20Detection%22%29%20&column=time&order=desc&product=siem
-[10]: /security/cloud_siem/investigate_security_signals
+[10]: /security/cloud_siem/triage_and_investigate/investigate_security_signals
 [11]: https://app.datadoghq.com/dash/integration/30459/aws-cloudtrail
 [12]: https://docs.datadoghq.com/security/default_rules/#cat-cloud-siem
 [13]: https://docs.datadoghq.com/security/detection_rules/

content/en/security/cloud_siem/guide/azure-config-guide-for-cloud-siem.md

@@ -4,10 +4,10 @@ further_reading:
 - link: "/security/default_rules/#cat-cloud-siem-log-detection"
   tag: "Documentation"
   text: "Explore Cloud SIEM default detection rules"
-- link: "/security/cloud_siem/investigate_security_signals"
+- link: "/security/cloud_siem/triage_and_investigate/investigate_security_signals"
   tag: "Documentation"
   text: "Learn about the Security Signals Explorer"
-- link: "/security/cloud_siem/detection_rules/"
+- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/"
   tag: "Documentation"
   text: "Create new detection rules"
 ---

content/en/security/cloud_siem/guide/google-cloud-config-guide-for-cloud-siem.md

@@ -4,10 +4,10 @@ further_reading:
 - link: "/security/default_rules/#cat-cloud-siem-log-detection"
   tag: "Documentation"
   text: "Explore Cloud SIEM default detection rules"
-- link: "/security/cloud_siem/investigate_security_signals"
+- link: "/security/cloud_siem/triage_and_investigate/investigate_security_signals"
   tag: "Documentation"
   text: "Learn about the Security Signals Explorer"
-- link: "/security/cloud_siem/detection_rules/"
+- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/"
   tag: "Documentation"
   text: "Create new detection rules"
 - link: "/integrations/google_cloud_platform/#log-collection"

content/en/security/cloud_siem/ingest_and_enrich/_index.md

@@ -0,0 +1,6 @@
+---
+title: Ingest and Enrich
+disable_toc: false
+---
+
+TKTK

content/en/security/cloud_siem/content_packs.md → content/en/security/cloud_siem/ingest_and_enrich/content_packs.md

@@ -1,14 +1,16 @@
 ---
 title: Content Packs
 disable_toc: true
+aliases:
+  - /security/cloud_siem/content_packs
 further_reading:
 - link: "/security/cloud_siem/detection_rules"
   tag: "Documentation"
   text: "Create log detection rules"
 - link: "security/cloud_siem/investigator"
   tag: "Documentation"
   text: "Learn more about the Investigator"
-- link: "/security/cloud_siem/investigate_security_signals"
+- link: "/security/cloud_siem/triage_and_investigate/investigate_security_signals"
   tag: "Documentation"
   text: "Investigate security signals"
 - link: "https://www.datadoghq.com/blog/cloud-siem-content-packs-whats-new-2024-09/"
@@ -43,5 +45,5 @@ further_reading:
 
 [1]: https://app.datadoghq.com/security/content-packs
 [2]: /security/detection_rules/
-[3]: /security/cloud_siem/investigator
+[3]: /security/cloud_siem/triage_and_investigate/investigator
 [4]: /service_management/workflows/

content/en/security/cloud_siem/open_cybersecurity_schema_framework.md → content/en/security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework.md

@@ -1,6 +1,8 @@
 ---
 title: Open Cybersecurity Schema Framework (OCSF) Common Data Model in Datadog
 disable_toc: false
+aliases:
+  - /security/cloud_siem/open_cybersecurity_schema_framework
 further_reading:
 - link: "logs/processing/pipelines"
   tag: "Documentation"

content/en/security/cloud_siem/threat_intelligence.md → content/en/security/cloud_siem/ingest_and_enrich/threat_intelligence.md

@@ -1,6 +1,8 @@
 ---
 title: Threat Intelligence
 disable_toc: false
+aliases:
+  - /security/cloud_siem/threat_intelligence
 further_reading:
 - link: "security/cloud_siem/detection_rules"
   tag: "Documentation"

content/en/security/cloud_siem/respond_and_report/_index.md

@@ -0,0 +1,6 @@
+---
+title: Respond and Report
+disable_toc: false
+---
+
+TKTK