Merge branch 'main' into issue-4226-alert-assign

docs/advanced-entity-analytics/behavioral-detection-use-cases.asciidoc

@@ -1,9 +1,9 @@
 [[behavioral-detection-use-cases]]
 = Behavioral detection use cases
 
-Behavioral detection identifies potential internal and external threats based on user and host activity. It employs a threat-centric approach to flag suspicious activity by analyzing patterns, anomalies, and context enrichment. 
+Behavioral detection identifies potential internal and external threats based on user and host activity. It uses a threat-centric approach to flag suspicious activity by analyzing patterns, anomalies, and context enrichment. 
 
-{elastic-sec} builds the behavioral detection feature  on its foundational SIEM detection capabilities, leveraging {ml} algorithms to enable proactive threat detection and hunting.
+The behavioral detection feature is built on {elastic-sec}'s foundational SIEM detection capabilities, leveraging {ml} algorithms to enable proactive threat detection and hunting.
 
 [float]
 [[ml-integrations]]
@@ -14,7 +14,7 @@ Behavioral detection integrations provide a convenient way to enable behavioral
 .Requirements
 [sidebar]
 --
-* Elastic integrations require a https://www.elastic.co/pricing[Platinum subscription] or higher.
+* Behavioral detection integrations require a https://www.elastic.co/pricing[Platinum subscription] or higher.
 * To learn more about the requirements for using {ml} jobs, refer to <<ml-requirements, Machine learning job and rule requirements>>.
 --
 

docs/detections/alerts-view-details.asciidoc

@@ -94,6 +94,8 @@ The About section has the following information:
 +
 NOTE: The event renderer only displays if an event renderer exists for the alert type. Fields are interactive; hover over them to access the available actions.
 
+* **Last alert status change**: Shows the last time the alert's status was changed, along with the user who changed it.
+
 * **MITRE ATT&CK**: Provides relevant https://attack.mitre.org/[MITRE ATT&CK] framework tactics, techniques, and sub-techniques.
 
 [discrete]

docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc

@@ -0,0 +1,54 @@
+[[allowlist-endpoint-3rd-party-av-apps]]
+= Allowlist Elastic Endpoint in third-party antivirus apps
+
+Third-party antivirus (AV) applications may identify the expected behavior of {elastic-endpoint} as a potential threat. Add {elastic-endpoint}'s digital signatures and file paths to your AV software's allowlist to ensure {elastic-endpoint} continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable. 
+
+NOTE: Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes.
+
+[[allowlist-endpoint-on-windows]]
+[discrete]
+== Allowlist {elastic-endpoint} on Windows
+
+File paths:
+
+* ELAM driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys`
+* Driver: `c:\Windows\system32\drivers\ElasticElam.sys`
+* Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe`
++
+NOTE: The executable runs as `elastic-endpoint.exe`.
+
+Digital signatures:
+
+* `Elasticsearch, Inc.`
+* `Elasticsearch B.V.`
+
+For additional information about allowlisting on Windows, refer to https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software[Trusting Elastic Defend in other software].
+
+[[allowlist-endpoint-on-macos]]
+[discrete]
+== Allowlist {elastic-endpoint} on macOS
+
+File paths:
+
+* System extension (recursive directory structure): `/Applications/ElasticEndpoint.app/`
++
+NOTE: The system extension runs as `co.elastic.systemextension`.
+
+* Executable: `/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint`
++
+NOTE: The executable runs as `elastic-endpoint`.
+
+Digital signatures:
+
+* Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)`
+* Team ID: `2BT3HPN62Z`
+
+[[allowlist-endpoint-on-linux]]
+[discrete]
+== Allowlist {elastic-endpoint} on Linux
+
+File path:
+
+* Executable: `/opt/Elastic/Endpoint/elastic-endpoint`
++
+NOTE: The executable runs as `elastic-endpoint`.

docs/management/manage-intro.asciidoc

@@ -15,3 +15,4 @@ include::{security-docs-root}/docs/management/admin/event-filters.asciidoc[level
 include::{security-docs-root}/docs/management/admin/host-isolation-exceptions.asciidoc[leveloffset=+1]
 include::{security-docs-root}/docs/management/admin/blocklist.asciidoc[leveloffset=+1]
 include::{security-docs-root}/docs/management/admin/endpoint-artifacts.asciidoc[leveloffset=+1]
+include::{security-docs-root}/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+1]

docs/reference/alert-schema.asciidoc

@@ -124,6 +124,9 @@ Type: keyword
 
 Type: long
 |`signal.status` |`kibana.alert.workflow_status`| Type: keyword
+|N/A |`kibana.alert.workflow_status_updated_at`| The timestamp of when the alert's status was last updated.
+
+Type: date
 |`signal.threshold_result.*`|`kibana.alert.threshold_result.*`| Type: object
 |`signal.group.id` |`kibana.alert.group.id`| Type: keyword
 |`signal.group.index` |`kibana.alert.group.index`| Type: integer