Merged
Changes from 4 commits
14 changes: 13 additions & 1 deletion solutions/security/detect-and-alert/manage-detection-rules.md
Expand Up @@ -9,7 +9,7 @@ applies_to:
products:
- id: security
- id: cloud-serverless
description: View, edit, enable, duplicate, and manage detection rules from the Rules page.
description: View, edit, enable, duplicate, and manage detection rules from the Rules page, including deprecated prebuilt rules.
---

# Manage detection rules [security-rules-ui-management]
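Review bot: the description now promises coverage of deprecated prebuilt rules for the whole page, but the front matter still lists both `security` and `cloud-serverless` as products while the new section further down is gated to `stack: ga 9.4+` only; confirm the feature is available on serverless too, or keep the description generic so it does not imply something serverless readers cannot find.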
Expand Down Expand Up @@ -48,6 +48,18 @@ You can also filter the rules list by selecting the **Tags**, **Last response**,

The rules list retains your sorting and filtering settings when you navigate away and return to the page. These settings are also preserved when you copy the page’s URL and paste into another browser. Select **Clear filters** above the table to revert to the default view.

## Handle deprecated prebuilt rules [deprecated-prebuilt-rules]
```yaml {applies_to}
stack: ga 9.4+
```

When a prebuilt rule that you installed is deprecated, it is no longer maintained as part of Elastic’s prebuilt rule library. Deprecated rules do not receive new updates or fixes from Elastic. If you want to keep the same detection logic and maintain it yourself, duplicate the rule as a custom rule before you remove the deprecated prebuilt installation.

{{elastic-sec}} surfaces deprecated prebuilt rules in the UI so you can find them and respond. If any are installed, a dismissible callout on the **Installed Rules** tab alerts you. On a rule’s details page, a callout also marks deprecated prebuilt rules and includes a reason if the package provides one. From that page you can choose to delete the deprecated prebuilt rule, or [create a duplicate](#duplicate-rules) as a custom rule before deleting the original prebuilt rule. That way you keep the same detection logic and can maintain it as a custom rule.

:::{tip}
Staying current with Elastic’s prebuilt rule updates helps you get the latest detection logic and fixes while rules are still supported. Refer to [Update Elastic prebuilt rules](/solutions/security/detect-and-alert/update-prebuilt-rules.md) for more details.
:::


## Edit rule settings [edit-rules-settings]
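Review bot: the last sentence of the first paragraph and the last sentence of the second paragraph say the same thing (duplicate as a custom rule before deleting so the detection logic is kept); keep one, preferably the second, where it follows the delete-or-duplicate choice. The `{applies_to}` block lists only `stack: ga 9.4+` while the page front matter applies to `security` and `cloud-serverless`; if serverless does not get this, say so, otherwise add a serverless entry. From a detection-coverage standpoint it is worth stating plainly that deleting a deprecated rule without duplicating it ends the coverage that rule provided, and that a duplicated custom rule is maintained by you and receives no further updates from the package. Minor: there is an extra blank line before `## Edit rule settings`.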
Expand Up @@ -21,6 +21,7 @@ Detection rules only protect your environment when they run reliably. This page
| Check if a rule succeeded, failed, or has warnings | [Rule execution status](#rule-status) (Rules table) |
| Get a summary of rule execution details and access individual rules | [Rule Monitoring tab](#rule-monitoring-tab) |
| Review a specific rule's run history | [Execution results](#rule-execution-logs) (rule details page) |
| {applies_to}`stack: ga 9.4+` Handle deprecated prebuilt rules | [Handle deprecated prebuilt rules](/solutions/security/detect-and-alert/manage-detection-rules.md#deprecated-prebuilt-rules) (Rules page and rule details) |
| Fill gaps from missed rule runs | [Fill rule execution gaps](/solutions/security/detect-and-alert/fill-rule-gaps.md) |
| Run a rule manually for a specific time range | [Run rules manually](/solutions/security/detect-and-alert/manage-detection-rules.md#manually-run-rules) |
| View rule performance metrics in a dashboard | [Detection rule monitoring dashboard](../dashboards/detection-rule-monitoring-dashboard.md) |
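Review bot: the new row is placed between "Review a specific rule's run history" and "Fill gaps from missed rule runs", which are both about execution history, while handling deprecated rules is a rule lifecycle task; consider moving it next to "Run a rule manually" or to the end of the table. The `{applies_to}` badge inline in the first cell should match how other rows in this table mark version gating, if any do. The anchor `#deprecated-prebuilt-rules` matches the heading id added in manage-detection-rules.md.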
Expand Down Expand Up @@ -72,6 +73,7 @@ To learn how to find and fill gaps, refer to [Fill rule execution gaps](/solutio

From the **Execution results** tab on a **rule's details page**, you can review how each run performed, monitor gaps, and check manual runs. To find this tab, select the rule's name to open its details, then scroll down.

### Execution log table [execution-log-table]

::::{applies-switch}

3 changes: 3 additions & 0 deletions solutions/security/detect-and-alert/prebuilt-rules.md
Expand Up @@ -22,6 +22,9 @@ Elastic maintains a library of prebuilt detection rules mapped to the MITRE ATT&
**[Update prebuilt rules](/solutions/security/detect-and-alert/update-prebuilt-rules.md)**
: Apply Elastic's rule updates to keep your detection coverage current. Explains how to review updates, handle modified rules, and resolve conflicts (Enterprise only).

**[Handle deprecated prebuilt rules](/solutions/security/detect-and-alert/manage-detection-rules.md#deprecated-prebuilt-rules)** {applies_to}`stack: ga 9.4+`
: Find deprecated prebuilt rules on the {{rules-ui}} page or a rule's details page, then delete them or duplicate and delete them so they are no longer tied to the prebuilt package.

**[Prebuilt rules in air-gapped environments](/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md)**
: Install and update prebuilt rules in air-gapped environments without internet access.

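Review bot: "delete them or duplicate and delete them" reads ambiguously; suggest "delete them, or duplicate them as custom rules and then delete the originals, so the detection logic is no longer tied to the prebuilt package". The card also omits why you would duplicate first (keeping the same detection logic under your own maintenance), which is the reason the linked section in manage-detection-rules.md gives for the choice.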