Create a detection rule serverless fixes (#6273)
benironside authored Dec 5, 2024
1 parent 8e29c53 commit bb61132
Showing 1 changed file with 44 additions and 45 deletions.
89 changes: 44 additions & 45 deletions docs/serverless/rules/rules-ui-create.asciidoc
Expand Up @@ -26,43 +26,6 @@ To create a new detection rule, follow these steps:
At any step, you can <<preview-rules,preview the rule>> before saving it to see what kind of results you can expect.
====

[discrete]
[[create-ml-rule]]
== Create a machine learning rule

[IMPORTANT]
====
To create or edit {ml} rules, you need an appropriate user role. Additionally, the selected {ml} job must be running for the rule to function correctly.
====

. Go to **Rules** → **Detection rules (SIEM)** → **Create new rule**. The **Create new rule** page displays.
. To create a rule based on a {ml} anomaly threshold, select **Machine Learning**,
then select:
+
.. The required {ml} jobs.
+
[NOTE]
====
If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule.
====
.. The anomaly score threshold above which alerts are created.
. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <<security-alert-suppression,Suppress detection alerts>> for more information.
+
[NOTE]
====
Because {ml} rules generate alerts from anomalies, which don't contain source event fields, you can only use anomaly fields when configuring alert suppression.
====
+
////
/* The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too. */
////
. (Optional) Add **Related integrations** to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
+
.. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org/[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
. Click **Continue** to <<rule-ui-basic-params,configure basic rule settings>>.

[discrete]
[[create-custom-rule]]
== Create a custom query rule
Expand All @@ -89,7 +52,7 @@ copies.
+
[role="screenshot"]
image::images/rules-ui-create/-detections-rule-query-example.png[Rule query example]
.. You can use saved queries (image:images/icons/filterInCircle.svg[Filter]) and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
.. You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
+
When you use a saved query, the **Load saved query "_query name_" dynamically on each rule execution** check box appears:
+
Expand All @@ -112,6 +75,43 @@ in these steps or sub-steps, apply the change to the other rule types, too. */
.. Enter the version of the integration you want to associate with the rule, using https://semver.org/[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
. Click **Continue** to <<rule-ui-basic-params,configure basic rule settings>>.

[discrete]
[[create-ml-rule]]
== Create a machine learning rule

[IMPORTANT]
====
To create or edit {ml} rules, you need an appropriate user role. Additionally, the selected {ml} job must be running for the rule to function correctly.
====

. Go to **Rules** → **Detection rules (SIEM)** → **Create new rule**. The **Create new rule** page displays.
. To create a rule based on a {ml} anomaly threshold, select **Machine Learning**,
then select:
+
.. The required {ml} jobs.
+
[NOTE]
====
If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule.
====
.. The anomaly score threshold above which alerts are created.
. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <<security-alert-suppression,Suppress detection alerts>> for more information.
+
[NOTE]
====
Because {ml} rules generate alerts from anomalies, which don't contain source event fields, you can only use anomaly fields when configuring alert suppression.
====
+
////
/* The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too. */
////
. (Optional) Add **Related integrations** to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
+
.. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org/[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
. Click **Continue** to <<rule-ui-basic-params,configure basic rule settings>>.

[discrete]
[[create-threshold-rule]]
== Create a threshold rule
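Review bot: the relocated machine learning section carries two statements that contradict each other, and moving it verbatim is the moment to reconcile them: the [IMPORTANT] admonition says `the selected {ml} job must be running for the rule to function correctly`, while the [NOTE] under the job selector says `If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule.` Either drop the running-job requirement from the admonition or qualify it (for example, that the job must be running once the rule is enabled). The `[[create-ml-rule]]` anchor itself is unchanged, so existing xrefs keep resolving, but any in-book text that describes the rule types "in order" should be checked since Custom query now precedes Machine Learning.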
Expand All @@ -125,7 +125,7 @@ alerts.
+
[NOTE]
====
You can use saved queries (image:images/icons/filterInCircle.svg[Filter]) and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
====
.. Use the **Group by** and **Threshold** fields to determine which source event field is used as a threshold and the threshold's value.
.. Use the **Count** field to limit alerts by cardinality of a certain field.
Expand Down Expand Up @@ -245,7 +245,7 @@ wildcard expression: `*:*`.
+
[NOTE]
====
You can use saved queries (image:images/icons/filterInCircle.svg[Filter]) and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
====
.. **Indicator index patterns**: The indicator index patterns containing field values for which you want to generate alerts. This field is automatically populated with indices specified in the `securitySolution:defaultThreatIndex` advanced setting. For more information, see <<update-threat-intel-indices,Update default Elastic Security threat intelligence indices>>.
+
Expand Down Expand Up @@ -280,8 +280,7 @@ image::images/rules-ui-create/-detections-indicator-rule-example.png[Indicator m
+
[TIP]
====
Before you create rules, create <<security-timelines-ui,Timeline templates>> so
they can be selected here. When alerts generated by the rule are investigated in the Timeline, Timeline query values are replaced with their corresponding alert field values.
Before you create rules, create <<security-timeline-templates-ui,Timeline templates>> so you can select them under **Timeline template** at the end of the **Define rule** section. When alerts generated by the rule are investigated in the Timeline, Timeline query values are replaced with their corresponding alert field values.
====
. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <<security-alert-suppression,Suppress detection alerts>> for more information.
+
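Review bot: the xref target changes from `security-timelines-ui` to `security-timeline-templates-ui`; confirm a `[[security-timeline-templates-ui]]` anchor is defined in the serverless book, because an unresolved asciidoc xref only surfaces as a build warning and renders as a dead link. The added clause `under **Timeline template** at the end of the **Define rule** section` is a helpful pointer; the replacement also collapses the previously wrapped tip into one long line, so consider keeping the file's existing wrapping convention.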
Expand Down Expand Up @@ -340,7 +339,7 @@ alerts.
+
[NOTE]
====
You can use saved queries (image:images/icons/filterInCircle.svg[Filter]) and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
====
.. Use the **Fields** menu to select a field to check for new terms. You can also select up to three fields to detect a combination of new terms (for example, a `host.ip` and `host.id` that have never been observed together before).
+
Expand Down Expand Up @@ -660,7 +659,7 @@ run exactly at its scheduled time.
. Click **Continue**. The **Rule actions** pane is displayed.
. Do either of the following:
+
** Continue onto <<security-rules-create,setting up alert notifications>> and <<rule-response-action,Response Actions>> (optional).
** Continue onto <<rule-notifications,setting up alert notifications>> and <<rule-response-action,Response Actions>> (optional).
** Create the rule (with or without activation).

[discrete]
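Review bot: `<<security-rules-create,...>>` pointed back at this same page, so retargeting the link to `rule-notifications` is the right fix; verify that a `[[rule-notifications]]` anchor is actually defined ahead of the `To use actions for alert notifications` section touched in the next hunk, since the anchor definition is not visible in this diff.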
Expand All @@ -680,7 +679,7 @@ To use actions for alert notifications, you need the appropriate user role. For
====
Each action type requires a connector. Connectors store the
information required to send the notification from the external system. You can
configure connectors while creating the rule or in **Project settings** → **Management** → **{connectors-ui}**. For more
configure connectors while creating the rule or in **Project settings** → **Stack Management** → **{connectors-ui}**. For more
information, see {kibana-ref}/action-types.html[Action and connector types].
Some connectors that perform actions require less configuration. For example, you do not need to set the action frequency or variables for the {kibana-ref}/cases-action-type.html[Cases connector].
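Review bot: `Stack Management` is the menu label of the stateful Kibana navigation, while this file lives under `docs/serverless` and the path starts at **Project settings**; please verify that the serverless UI really labels this item **Stack Management** rather than **Management** before changing it. If the label differs between the stateful and serverless books, an attribute for the parent menu (in the same spirit as the `{connectors-ui}` attribute already used on this line) would prevent the two from drifting again.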