Merge branch 'main' into issue-5993-endpoint-rules
natasha-moore-elastic authored Dec 5, 2024
2 parents 82fe237 + e91fcff commit 14a3e19
Showing 316 changed files with 287 additions and 4,456 deletions.
2 changes: 1 addition & 1 deletion .backportrc.json
@@ -1,5 +1,5 @@
{
"upstream": "elastic/security-docs",
"branches": ["8.x", "8.16", "8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
"branches": ["8.x", "8.17", "8.16", "8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
"labels": ["backport"]
}
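Review bot: the only change is inserting `"8.17"` after `"8.x"` in `branches`, which keeps the list in descending order and matches the new 8.17 rule added to `.mergify.yml` in this same commit; confirm the `8.17` branch has actually been cut in `elastic/security-docs`, since the backport tool will otherwise fail for any PR labelled for that version.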
16 changes: 15 additions & 1 deletion .mergify.yml
@@ -26,6 +26,20 @@ pull_request_rules:
branches:
- "main"
title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
- name: backport patches to 8.x branch
conditions:
- merged
- base=main
- label=v8.18.0
actions:
backport:
assignees:
- "{{ author }}"
branches:
- "8.x"
title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
labels:
- backport
- name: backport patches to 8.17 branch
conditions:
- merged
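Review bot: the new rule sends PRs labelled `v8.18.0` to `8.x`, while the rule named `backport patches to 8.17 branch` shown as trailing context keeps its existing `conditions` block, which lies outside the diff; verify that block's label is `v8.17.0` and not `v8.18.0`, otherwise both rules match the same PRs and open duplicate backports for every merged change.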
@@ -36,7 +50,7 @@ pull_request_rules:
assignees:
- "{{ author }}"
branches:
- "8.x"
- "8.17"
title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
labels:
- backport
58 changes: 53 additions & 5 deletions docs/AI-for-security/knowledge-base.asciidoc
@@ -44,7 +44,7 @@ image::images/knowledge-base-assistant-menu-dropdown.png[AI Assistant's dropdown
[discrete]
=== Option 2: Enable Knowledge Base from the Security AI settings

. To open Security AI settings, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security."
. To open **Security AI settings**, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security."
. On the **Knowledge Base** tab, click **Setup Knowledge Base**. If the button doesn't appear, Knowledge Base is already enabled.

image::images/knowledge-base-assistant-settings-kb-tab.png[AI Assistant's settings menu open to the Knowledge Base tab]
@@ -57,15 +57,15 @@ When Knowledge Base is enabled, AI Assistant receives `open` or `acknowledged` a
To enable Knowledge Base for alerts:

. Ensure that knowledge base is <<enable-knowledge-base, enabled>>.
. Use the slider on the Security AI settings' Knowledge Base tab to select the number of alerts to send to AI Assistant. Click **Save**.
. On the **Security AI settings** page, go to the **Knowledge Base** tab and use the slider to select the number of alerts to send to AI Assistant. Click **Save**.

NOTE: Including a large number of alerts may cause your request to exceed the maximum token length of your third-party generative AI provider. If this happens, try selecting a lower number of alerts to send.

[discrete]
[[knowledge-base-add-knowledge]]
== Add knowledge

To view all knowledge base entries, go to the Security AI settings and select the **Knowledge Base** tab. You can add individual documents or entire indices containing multiple documents. Each entry in the Knowledge Base (a document or index) has a **Sharing** setting of `private` or `global`. Private entries apply to the current user only and do not affect other users in the {kib} space, whereas global entries affect all users. Each entry can also have a `Required knowledge` setting, which means it will be included as context for every message sent to AI Assistant.
To view all knowledge base entries, go to **Security AI settings** and select the **Knowledge Base** tab. You can add individual documents or entire indices containing multiple documents. Each entry in the Knowledge Base (a document or index) has a **Sharing** setting of `private` or `global`. Private entries apply to the current user only and do not affect other users in the {kib} space, whereas global entries affect all users. Each entry can also have a `Required knowledge` setting, which means it will be included as context for every message sent to AI Assistant.

NOTE: When you enable Knowledge Base, it comes pre-populated with articles from https://www.elastic.co/security-labs[Elastic Security Labs], current through September 30, 2024, which allows AI Assistant to leverage Elastic's security research during your conversations. This enables it to answer questions such as, “Are there any new tactics used against Windows hosts that I should be aware of when investigating my alerts?”

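Review bot: the unchanged step `. Ensure that knowledge base is <<enable-knowledge-base, enabled>>.` writes `knowledge base` in lowercase while every other line in this hunk capitalizes `Knowledge Base`; since the step list is being edited anyway, align it, and consider linking the phrase `maximum token length` in the NOTE to the provider-settings page so readers know where the limit is configured.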
@@ -75,7 +75,7 @@ NOTE: When you enable Knowledge Base, it comes pre-populated with articles from

Add an individual document to Knowledge Base when you want AI Assistant to remember a specific piece of information.

. To open Security AI settings, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." Select the **Knowledge Base** tab.
. To open **Security AI settings**, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." Select the **Knowledge Base** tab.
. Click **New → Document** and give it a name.
. Under **Sharing**, select whether this knowledge should be **Global** or **Private**.
. Write the knowledge AI Assistant should remember in the **Markdown text** field.
@@ -108,7 +108,7 @@ Add an index as a knowledge source when you want new information added to that i

IMPORTANT: Indices added to Knowledge Base must have at least one field mapped as {ref}/semantic-text.html[semantic text].

. To open Security AI settings, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." Select the **Knowledge Base** tab.
. To open **Security AI settings**, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." Select the **Knowledge Base** tab.
. Click **New → Index**.
. Name the knowledge source.
. Under **Sharing**, select whether this knowledge should be **Global** or **Private**.
@@ -136,3 +136,51 @@ Refer to the following video for an example of adding an index to Knowledge Base
</br>
++++
=======

[discrete]
[[knowledge-base-crawler-or-connector]]
=== Add knowledge with a connector or web crawler

You can use an {es} connector or web crawler to create an index that contains data you want to add to Knowledge Base.

This section provides an example of adding a threat intelligence feed to Knowledge Base using a web crawler. For more information on adding data to {es} using a connector, refer to {ref}/es-connectors.html[Ingest data with Elastic connectors]. For more information on web crawlers, refer to {enterprise-search-ref}/crawler.html[Elastic web crawler].

[discrete]
==== Use a web crawler to add threat intelligence to Knowledge Base

First, you'll need to set up a web crawler to add the desired data to an index, then you'll need to add that index to Knowledge Base.

. From the **Search** section of {kib}, find **Web crawlers** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Click **New web crawler**.
.. Under **Index name**, name the index where the data from your new web crawler will be stored, for example `threat_intelligence_feed_1`. Click **Create index**.
.. Under **Domain URL**, enter the URL where the web crawler should collect data. Click **Validate Domain** to test it, then **Add domain**.
. The previous step opens a page with the details of your new index. Go to its **Mappings** tab, then click **Add field**.
+
NOTE: Remember, each index added to Knowledge Base must have at least one semantic text field.
+
.. Under **Field type**, select `Semantic text`. Under **Select an inference endpoint**, select `elastic-security-ai-assistant-elser2`. Click **Add field**, then **Save mapping**.
. Go to the **Scheduling** tab. Enable the **Enable recurring crawls with the following schedule** setting, and define your desired schedule.
. Go to the **Manage Domains** tab. Select the domain associated with your new web crawler, then go the its **Crawl rules** tab and click **Add crawl rule**. For more information, refer to {enterprise-search-ref}/crawler-extraction-rules.html[Web crawler content extraction rules].
.. Click **Add crawl rule** again. Under **Policy**, select `Disallow`. Under **Rule**, select `Regex`. Under **Path pattern**, enter `.*`. Click **Save**.
.. Under **Policy**, select `Allow`. Under **Rule**, select `Contains`. Under **Path pattern**, enter your path pattern, for example `threat-intelligence`. Click **Save**. Make sure this rule appears below the rule created in the previous step on the list.
.. Click **Crawl**, then **Crawl all domains on this index**. A success message appears. The crawl process will take longer for larger data sources. Once it finishes, your new web crawler's index will contain documents provided by the crawler.
. Finally, follow the instructions to <<knowledge-base-add-knowledge-index, add an index to Knowledge Base>>. Add the index that contains the data from your new web crawler (`threat_intelligence_feed_1` in this example).

Your new threat intelligence data is now included in Knowledge Base and can inform AI Assistant's responses.

Refer to the following video for an example of creating a web crawler to ingest threat intelligence data and adding it to Knowledge Base.

=======
++++
<script type="text/javascript" async src="https://play.vidyard.com/embed/v4.js"></script>
<img
style="width: 100%; margin: auto; display: block;"
class="vidyard-player-embed"
src="https://play.vidyard.com/eYo1e1ZRwT2mjfM7Yr9MuZ.jpg"
data-uuid="eYo1e1ZRwT2mjfM7Yr9MuZ"
data-v="4"
data-type="inline"
/>
</br>
++++
=======
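Review bot: the crawl-rule steps are hard to follow: the step `go the its **Crawl rules** tab and click **Add crawl rule**` has a typo (`go the its` should be `go to its`) and ends with a click, the next sub-step then clicks **Add crawl rule** `again` before configuring the `Disallow` rule, and the `Allow` sub-step has no click at all; state which click creates which rule and why the `Allow` rule must sit below the `Disallow .*` rule, because the crawler's rule evaluation order decides what is fetched. Since a globally shared entry becomes context for every user's conversations (per the **Sharing** description earlier in this file), a sentence reminding readers that crawled pages are untrusted input, and that **Domain URL** and the path pattern should be limited to the intended feed, would also fit here.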
2 changes: 1 addition & 1 deletion docs/cases/cases-manage.asciidoc
@@ -5,7 +5,7 @@
:frontmatter-tags-content-type: [how-to]
:frontmatter-tags-user-goals: [analyze]

You can create and manage cases using the UI or the <<cases-api-overview>>.
You can create and manage cases using the UI or the {api-kibana}/group/endpoint-cases[cases API].

[float]
[[cases-ui-open]]
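Review bot: this swaps the internal cross-reference `<<cases-api-overview>>` for the external `{api-kibana}/group/endpoint-cases` link, and the same swap appears in `cases-overview.asciidoc` and `alerts-add-to-cases.asciidoc` below; with this commit deleting over 4,000 lines, confirm no remaining file still references the `cases-api-overview` anchor (otherwise the AsciiDoc build emits unresolved cross-reference warnings) and that `{api-kibana}` is defined as an attribute in the book configuration.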
2 changes: 1 addition & 1 deletion docs/cases/cases-overview.asciidoc
@@ -5,7 +5,7 @@
:frontmatter-tags-content-type: [overview]
:frontmatter-tags-user-goals: [analyze]

Collect and share information about security issues by opening a case in {elastic-sec}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {elastic-sec} UI provides several ways to create and manage cases. Alternatively, you can use the <<cases-api-overview,cases API>> to perform the same tasks.
Collect and share information about security issues by opening a case in {elastic-sec}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {elastic-sec} UI provides several ways to create and manage cases. Alternatively, you can use the {api-kibana}/group/endpoint-cases[cases API] to perform the same tasks.

You can also send cases to these external systems by <<cases-ui-integrations, configuring external connectors>>:

@@ -1,5 +1,5 @@
[[cloud-native-security-overview]]
= Cloud native security
= Cloud Security
Elastic Security for Cloud helps you improve your cloud security posture by comparing your cloud configuration to best practices, and scanning for vulnerabilities. It also helps you monitor and investigate your cloud workloads inside and outside Kubernetes.

This page describes what each solution does and provides links to more information.
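Review bot: the title becomes `= Cloud Security` with a capital S, while the link text updated in `es-overview.asciidoc` below reads `Cloud security`; pick one form (the other page titles in this commit use sentence case, e.g. `= Agentless integrations FAQ`). Keeping the `[[cloud-native-security-overview]]` anchor is right, since existing links keep resolving. The paragraph immediately after the title has no blank line separating it from the title, unlike the other files touched here; that is pre-existing but cheap to fix while renaming.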
5 changes: 4 additions & 1 deletion docs/cloud-native-security/cspm-get-started-aws.asciidoc
@@ -43,6 +43,9 @@ beta::[]
. Click **Advanced options**, then select **Agentless (BETA)**.
. Next, you'll need to authenticate to AWS. Two methods are available:
.. Option 1: Direct access keys/CloudFormation (Recommended). Under **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation.
+
NOTE: If you don't want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**.
+
.. Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for <<cspm-use-temp-credentials, temporary keys>>.
. Once you've selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes.

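Review bot: the new NOTE names the field `OrganizationalUnitIDs`, while the step later in this file (next hunk) names it `OrganizationalUnitIds`; CloudFormation parameter names are case-sensitive and a reader searching the template for the wrong spelling will not find it, so align both with the name in the actual template. The NOTE also says to specify which `accounts` to monitor, but the field takes organizational unit IDs, so say which organizational units to include.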
@@ -76,7 +79,7 @@ For most use cases, the simplest option is to use AWS CloudFormation to automati
. Return to your {kib} tab. Click *Save and continue* at the bottom of the page.
. Review the information, then click *Launch CloudFormation*.
. A CloudFormation template appears in a new browser tab.
. For organization-level deployments only, you must enter the ID of the organizational unit where you want to deploy into the `OrganizationalUnitIds` field in the CloudFormation template. You can find it in the AWS console under *AWS Organizations -> AWS Accounts* (it appears under the organization name).
. For organization-level deployments only, you must enter the ID of the organizational units where you want to deploy into the CloudFormation template's `OrganizationalUnitIds` field. You can find organizational unit IDs in the AWS console under *AWS Organizations -> AWS Accounts* (under each organization's name). You can also use this field to specify which accounts in your organization to monitor, and which to skip.
. (Optional) Switch to the AWS region where you want to deploy using the controls in the upper right corner.
. Tick the checkbox under *Capabilities* to authorize the creation of necessary resources.
+
2 changes: 1 addition & 1 deletion docs/detections/alerts-add-to-cases.asciidoc
@@ -9,7 +9,7 @@ From the Alerts table, you can attach one or more alerts to a <<signals-to-new-c

[NOTE]
===============================
* After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the <<cases-api-overview,Elastic Security Cases API>>.
* After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the {api-kibana}/group/endpoint-cases[cases API].
* Each case can have a maximum of 1,000 alerts.
===============================

Binary file removed docs/detections/notes-page-timeline-details.png
Binary file not shown.
2 changes: 1 addition & 1 deletion docs/es-overview.asciidoc
@@ -18,7 +18,7 @@
* <<getting-started, Get started>>: Learn about system requirements, workspaces, configuration, and data ingestion.
* <<es-ui-overview, {elastic-sec} UI overview>>: Navigate {elastic-sec}'s various tools and interfaces.
* <<about-rules, Detection rules>>: Use {elastic-sec}'s detection engine with custom and prebuilt rules.
* <<cloud-native-security-overview, Cloud native security>>: Enable cloud native security capabilities such as Cloud and Kubernetes security posture management, cloud native vulnerability management, and cloud workload protection for Kubernetes and VMs.
* <<cloud-native-security-overview, Cloud security>>: Enable cloud native security capabilities such as Cloud and Kubernetes security posture management, cloud native vulnerability management, and cloud workload protection for Kubernetes and VMs.
* <<install-endpoint, Install {elastic-defend}>>: Enable key endpoint protection capabilities like event collection and malicious activity prevention.
* https://www.elastic.co/products/stack/machine-learning[{ml-cap}]: Enable built-in {ml} tools to help you identify malicious behavior.
* <<advanced-entity-analytics-overview, Advanced entity analytics>>: Leverage {elastic-sec}'s detection engine and {ml} capabilities to generate comprehensive risk analytics for hosts and users.
47 changes: 47 additions & 0 deletions docs/getting-started/agentless-troubleshooting.asciidoc
@@ -0,0 +1,47 @@
[[agentless-integration-troubleshooting]]
= Agentless integrations FAQ

Frequently asked questions and troubleshooting steps for {elastic-sec}'s agentless CSPM integration.

[discrete]
== When I make a new integration, when will I see the agent appear on the Integration Policies page?

After you create a new agentless integration, the new integration policy may show a button that says **Add agent** instead of the associated agent for several minutes during agent enrollment. No action is needed other than refreshing the page once enrollment is complete.

[discrete]
== How do I troubleshoot an `Offline` agent?

For agentless integrations to successfully connect to {elastic-sec}, the {fleet} server host value must be the default. Otherwise, the agent status on the {fleet} page will be `Offline`, and logs will include the error `[elastic_agent][error] Cannot checkin in with fleet-server, retrying`.

To troubleshoot this issue:

. Find **{fleet}** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Go to the **Settings** tab.
. Under **{fleet} server hosts**, click the **Actions** button for the policy named `Default`. This opens the Edit {fleet} Server flyout. The policy named `Default` should have the **Make this {fleet} server the default one** setting enabled. If not, enable it, then delete your integration and create it again.

NOTE: If the **Make this {fleet} server the default one** setting was already enabled but problems persist, it's possible someone changed the default {fleet} server's **URL** value. In this case, contact Elastic Support to find out what the original **URL** value was, update the settings to match this value, then delete your integration and create it again.

[discrete]
== How do I troubleshoot an `Unhealthy` agent?

On the **{fleet}** page, the agent associated with an agentless integration has a name that begins with `agentless`. To troubleshoot an `Unhealthy` agent:

* Confirm that you entered the correct credentials for the cloud provider you're monitoring. The following is an example of an error log resulting from using incorrect AWS credentials:
+
```
[elastic_agent.cloudbeat][error] Failed to update registry: failed to get AWS accounts: operation error Organizations: ListAccounts, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: XXX, api error AccessDenied: User: XXX is not authorized to perform: sts:AssumeRole on resource:XXX
```

For instructions on checking {{fleet}} logs, refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} troubleshooting].

[discrete]
== How do I delete an agentless integration?

NOTE: Deleting your integration will remove all associated resources and stop data ingestion.

When you create a new agentless CSPM integration, a new agent policy appears within the **Agent policies** tab on the **{fleet}** page, but you can't use the **Delete integration** button on this page. Instead, you must delete the integration from the CSPM Integration's **Integration policies** tab.

. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then search for and select `CSPM`.
. Go to the CSPM Integration's **Integration policies** tab.
. Find the integration policy for the integration you want to delete. Click **Actions**, then **Delete integration**.
. Confirm by clicking **Delete integration** again.

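Review bot: `{{fleet}}` in `For instructions on checking {{fleet}} logs` uses double braces, unlike every other `{fleet}` reference in this file; Asciidoctor will not substitute it and the page will render `{{fleet}}` literally. Two smaller points: the sample error under `How do I troubleshoot an Unhealthy agent?` is an `AccessDenied` on `sts:AssumeRole`, which can also come from a role whose trust policy does not allow the calling identity rather than from wrong keys, so the bullet could tell readers to check the role's trust policy as well as the credentials; and {fleet} server hosts are not policies, so `the policy named Default` in step 2 of the `Offline` section should probably read `the host named Default`.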
3 changes: 1 addition & 2 deletions docs/getting-started/configure-integration-policy.asciidoc
@@ -207,8 +207,7 @@ image::images/install-endpoint/event-collection.png[Detail of event collection s
[[register-as-antivirus]]
== Register {elastic-sec} as antivirus (optional)

With {elastic-defend} version 7.10 or later on Windows 7 or later, you can
register {elastic-sec} as your hosts' antivirus software by enabling **Register as antivirus**.
You can register {elastic-sec} as your hosts' antivirus software by enabling **Register as antivirus**.

NOTE: Windows Server versions are not supported. Antivirus registration requires Windows Security Center, which is not included in Windows Server operating systems.

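Review bot: dropping `{elastic-defend} version 7.10 or later on Windows 7 or later` removes the only stated minimum Windows version for antivirus registration; since the NOTE below still ties the feature to Windows Security Center, confirm the supported-platforms page states the minimum client version so readers on older Windows builds are not left without guidance, and say in the commit description why the version floor was removed.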
1 change: 1 addition & 0 deletions docs/getting-started/index.asciidoc
@@ -18,6 +18,7 @@ include::ingest-data.asciidoc[leveloffset=+1]
include::threat-intel-integrations.asciidoc[leveloffset=+2]
include::automatic-import.asciidoc[leveloffset=+2]
include::agentless-integrations.asciidoc[leveloffset=+2]
include::agentless-troubleshooting.asciidoc[leveloffset=+3]

include::security-spaces.asciidoc[leveloffset=+1]


0 comments on commit 14a3e19