diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index 1e1111e5e454c..71b218751ffb9 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -5956,66 +5956,91 @@ menu:
 parent: security_platform_heading
 identifier: cloud_siem
 weight: 20000
- - name: Content Packs
- url: security/cloud_siem/content_packs
+ - name: Ingest and Enrich
+ url: security/cloud_siem/ingest_and_enrich/
 parent: cloud_siem
- identifier: cloud_siem_content_packs
+ identifier: cloud_siem_ingest_and_enrich
 weight: 1
- - name: Detection Rules
- url: security/cloud_siem/detection_rules
+ - name: Content Packs
+ url: security/cloud_siem/ingest_and_enrich/content_packs
+ parent: cloud_siem_ingest_and_enrich
+ identifier: cloud_siem_content_packs
+ weight: 101
+ - name: Threat Intelligence
+ url: security/cloud_siem/ingest_and_enrich/threat_intelligence
+ parent: cloud_siem_ingest_and_enrich
+ identifier: cloud_siem_threat_intelligence
+ weight: 102
+ - name: Open Cybersecurity Schema Framework
+ url: security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework
+ parent: cloud_siem_ingest_and_enrich
+ identifier: cloud_siem_open_cybersecurity_schema_framework
+ weight: 103
+ - name: Detect and Monitor
+ url: security/cloud_siem/detect_and_monitor/
 parent: cloud_siem
- identifier: cloud_siem_detection_rules
+ identifier: cloud_siem_detect_and_monitor
 weight: 2
+ - name: Custom Detection Rules
+ url: security/cloud_siem/detect_and_monitor/detection_rules
+ parent: cloud_siem_detect_and_monitor
+ identifier: cloud_siem_custom_detection_rules
+ weight: 201
 - name: Signal Correlation Rules
 url: security/cloud_siem/detection_rules/signal_correlation_rules
- parent: cloud_siem_detection_rules
+ parent: cloud_siem_custom_detection_rules
 identifier: cloud_siem_signal_correlation_rules
- weight: 20500
- - name: MITRE ATT&CK Map
- url: security/cloud_siem/detection_rules/mitre_attack_map
- parent: cloud_siem_detection_rules
- identifier: cloud_siem_mitre_attack_map
- weight: 20510
+ weight: 2101
 - name: OOTB Rules
 url: /security/default_rules/#cat-cloud-siem-log-detection
- parent: cloud_siem
+ parent: cloud_siem_detect_and_monitor
 identifier: cloud_siem_default_rules
- weight: 4
- - name: Threat Intelligence
- url: /security/cloud_siem/threat_intelligence
- parent: cloud_siem
- identifier: cloud_siem_threat_intelligence
- weight: 5
- - name: Open Cybersecurity Schema Framework
- url: /security/cloud_siem/open_cybersecurity_schema_framework
+ weight: 202
+ - name: Suppressions
+ url: security/cloud_siem/suppressions/
+ parent: cloud_siem_detect_and_monitor
+ identifier: cloud_siem_suppressions
+ weight: 203
+ - name: Historical Jobs
+ url: security/cloud_siem/historical_jobs
+ parent: cloud_siem_detect_and_monitor
+ identifier: cloud_siem_log_historical_jobs
+ weight: 204
+ - name: MITRE ATT&CK Map
+ url: security/cloud_siem/detection_rules/mitre_attack_map
+ parent: cloud_siem_detect_and_monitor
+ identifier: cloud_siem_mitre_attack_map
+ weight: 205
+ - name: Triage and Investigate
+ url: security/cloud_siem/triage_and_investigate
 parent: cloud_siem
- identifier: cloud_siem_open_cybersecurity_schema_framework
- weight: 5
+ identifier: cloud_siem_triage_and_investigate
+ weight: 3
 - name: Investigate Security Signals
- url: /security/cloud_siem/investigate_security_signals
- parent: cloud_siem
+ url: security/cloud_siem/triage_and_investigate/investigate_security_signals
+ parent: cloud_siem_triage_and_investigate
 identifier: cloud_siem_investigate_security_signals
- weight: 6
+ weight: 301
+ - name: Risk Insights
+ url: security/cloud_siem/entities_and_risk_scoring
+ parent: cloud_siem_triage_and_investigate
+ identifier: cloud_siem_entities_and_risk_scoring
+ weight: 302
 - name: Investigator
 url: security/cloud_siem/investigator
- parent: cloud_siem
+ parent: cloud_siem_triage_and_investigate
 identifier: cloud_siem_investigator
- weight: 7
- - name: Historical Jobs
- url: security/cloud_siem/historical_jobs
- parent: cloud_siem
- identifier: cloud_siem_log_historical_jobs
- weight: 8
- - name: Risk Insights
- url: security/cloud_siem/entities_and_risk_scoring
+ weight: 303
+ - name: Respond and Report
+ url: security/cloud_siem/respond_and_report
 parent: cloud_siem
- identifier: cloud_siem_entities_and_risk_scoring
- weight: 9
+ identifier: cloud_siem_respond_and_report
+ weight: 4
 - name: Security Operational Metrics
- url: security/cloud_siem/security_operational_metrics/
- parent: cloud_siem
+ url: security/cloud_siem/respond_and_report/security_operational_metrics
+ parent: cloud_siem_respond_and_report
 identifier: siem_security_operational_metrics
- weight: 10
+ weight: 401
 - name: Guides
 url: security/cloud_siem/guide/
 parent: cloud_siem
diff --git a/content/en/security/cloud_siem/detect_and_monitor/_index.md b/content/en/security/cloud_siem/detect_and_monitor/_index.md
new file mode 100644
index 0000000000000..e7352d88df528
--- /dev/null
+++ b/content/en/security/cloud_siem/detect_and_monitor/_index.md
@@ -0,0 +1,6 @@
+---
+title: Detect and Monitor
+disable_toc: false
+---
+
+TKTK
\ No newline at end of file
diff --git a/content/en/security/cloud_siem/ingest_and_enrich/_index.md b/content/en/security/cloud_siem/ingest_and_enrich/_index.md
new file mode 100644
index 0000000000000..db8231c18f55e
--- /dev/null
+++ b/content/en/security/cloud_siem/ingest_and_enrich/_index.md
@@ -0,0 +1,6 @@
+---
+title: Ingest and Enrich
+disable_toc: false
+---
+
+TKTK
\ No newline at end of file
diff --git a/content/en/security/cloud_siem/content_packs.md b/content/en/security/cloud_siem/ingest_and_enrich/content_packs.md
similarity index 97%
rename from content/en/security/cloud_siem/content_packs.md
rename to content/en/security/cloud_siem/ingest_and_enrich/content_packs.md
index f972302dad4a4..b9dc1297c6b77 100644
--- a/content/en/security/cloud_siem/content_packs.md
+++ b/content/en/security/cloud_siem/ingest_and_enrich/content_packs.md
@@ -1,6 +1,8 @@
 ---
 title: Content Packs
 disable_toc: true
+aliases:
+ - /security/cloud_siem/content_packs
 further_reading:
 - link: "/security/cloud_siem/detection_rules"
 tag: "Documentation"
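Review bot: The added `Custom Detection Rules` entry points at `security/cloud_siem/detect_and_monitor/detection_rules`, but no move of a detection_rules page appears in this commit and the neighbouring context lines for Signal Correlation Rules and MITRE ATT&CK Map still link under `security/cloud_siem/detection_rules/…`; the same applies to the new `security/cloud_siem/triage_and_investigate/investigate_security_signals` url, for which no rename or alias is present here. Unless those page moves land in a companion change, these menu entries would resolve to pages that do not exist, whereas the four pages this commit does move (content packs, threat intelligence, OCSF, operational metrics) each get an `aliases:` entry for their old path. The section landing pages the new parent entries link to (`detect_and_monitor/`, `ingest_and_enrich/`, `triage_and_investigate`, `respond_and_report`) are created with only a `TKTK` placeholder body, so the menu change presumably should not ship before those are written. As a point of style, the new section urls mix a trailing slash (`ingest_and_enrich/`, `detect_and_monitor/`) with none (`triage_and_investigate`, `respond_and_report`); pick one form for the four siblings.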
diff --git a/content/en/security/cloud_siem/open_cybersecurity_schema_framework.md b/content/en/security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework.md
similarity index 98%
rename from content/en/security/cloud_siem/open_cybersecurity_schema_framework.md
rename to content/en/security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework.md
index 00a20aa7bdcd1..ac092cbe14258 100644
--- a/content/en/security/cloud_siem/open_cybersecurity_schema_framework.md
+++ b/content/en/security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework.md
@@ -1,6 +1,8 @@
 ---
 title: Open Cybersecurity Schema Framework (OCSF) Common Data Model in Datadog
 disable_toc: false
+aliases:
+ - /security/cloud_siem/open_cybersecurity_schema_framework
 further_reading:
 - link: "logs/processing/pipelines"
 tag: "Documentation"
diff --git a/content/en/security/cloud_siem/threat_intelligence.md b/content/en/security/cloud_siem/ingest_and_enrich/threat_intelligence.md
similarity index 99%
rename from content/en/security/cloud_siem/threat_intelligence.md
rename to content/en/security/cloud_siem/ingest_and_enrich/threat_intelligence.md
index b0071ec3c9752..56012e86eb67e 100644
--- a/content/en/security/cloud_siem/threat_intelligence.md
+++ b/content/en/security/cloud_siem/ingest_and_enrich/threat_intelligence.md
@@ -1,6 +1,8 @@
 ---
 title: Threat Intelligence
 disable_toc: false
+aliases:
+ - /security/cloud_siem/threat_intelligence
 further_reading:
 - link: "security/cloud_siem/detection_rules"
 tag: "Documentation"
diff --git a/content/en/security/cloud_siem/respond_and_report/_index.md b/content/en/security/cloud_siem/respond_and_report/_index.md
new file mode 100644
index 0000000000000..7a1ca29b2f36a
--- /dev/null
+++ b/content/en/security/cloud_siem/respond_and_report/_index.md
@@ -0,0 +1,6 @@
+---
+title: Respond and Report
+disable_toc: false
+---
+
+TKTK
\ No newline at end of file
diff --git a/content/en/security/cloud_siem/security_operational_metrics.md b/content/en/security/cloud_siem/respond_and_report/security_operational_metrics.md
similarity index 98%
rename from content/en/security/cloud_siem/security_operational_metrics.md
rename to content/en/security/cloud_siem/respond_and_report/security_operational_metrics.md
index edad03de2df6b..bf2091ed65015 100644
--- a/content/en/security/cloud_siem/security_operational_metrics.md
+++ b/content/en/security/cloud_siem/respond_and_report/security_operational_metrics.md
@@ -1,6 +1,8 @@
 ---
 title: Security Operational Metrics
 disable_toc: false
+aliases:
+ - /security/cloud_siem/security_operational_metrics
 further_reading:
 - link: "security/cloud_siem/investigate_security_signals"
 tag: "Documentation"
diff --git a/content/en/security/cloud_siem/triage_and_investigate/_index.md b/content/en/security/cloud_siem/triage_and_investigate/_index.md
new file mode 100644
index 0000000000000..0afdf83e84707
--- /dev/null
+++ b/content/en/security/cloud_siem/triage_and_investigate/_index.md
@@ -0,0 +1,6 @@
+---
+title: Triage and Investigate
+disable_toc: false
+---
+
+TKTK
\ No newline at end of file