Merge branch 'main' into 5446-crowdstrike-response-actions
joepeeples authored Jul 22, 2024
2 parents 83fb8fc + 9e7d734 commit 8a94b34
Showing 15 changed files with 145 additions and 16 deletions.
1 change: 1 addition & 0 deletions docs/AI-for-security/ai-for-security.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ include::connector-guides-landing-pg.asciidoc[leveloffset=+1]
include::connect-to-azure-openai.asciidoc[leveloffset=+2]
include::connect-to-bedrock.asciidoc[leveloffset=+2]
include::connect-to-openai.asciidoc[leveloffset=+2]
include::connect-to-vertex.asciidoc[leveloffset=+2]
include::connect-to-byo.asciidoc[leveloffset=+2]


119 changes: 119 additions & 0 deletions docs/AI-for-security/connect-to-vertex.asciidoc
@@ -0,0 +1,119 @@
[[connect-to-vertex]]
= Connect to Google Vertex

:frontmatter-description: Set up a Google Vertex LLM connector.
:frontmatter-tags-products: [security]
:frontmatter-tags-content-type: [guide]
:frontmatter-tags-user-goals: [get-started]

This page provides step-by-step instructions for setting up a Google Vertex AI connector for the first time. This connector type enables you to leverage Vertex AI's large language models (LLMs) within {elastic-sec}. You'll first need to enable Vertex AI, then generate an API key, and finally configure the connector in your {elastic-sec} project.

IMPORTANT: Before continuing, you should have an active project in one of Google Vertex AI's https://cloud.google.com/vertex-ai/docs/general/locations#feature-availability[supported regions].

[discrete]
== Enable the Vertex AI API

1. Log in to the GCP console and navigate to **Vertex AI → Vertex AI Studio → Overview**.
2. If you're new to Vertex AI, the **Get started with Vertex AI Studio** popup appears. Click **Vertex AI API**, then click **ENABLE**.

The following video demonstrates these steps.

=======
++++
<script type="text/javascript" async src="https://play.vidyard.com/embed/v4.js"></script>
<img
style="width: 100%; margin: auto; display: block;"
class="vidyard-player-embed"
src="https://play.vidyard.com/vFhtbiCZiKhvdZGy2FjyeT.jpg"
data-uuid="vFhtbiCZiKhvdZGy2FjyeT"
data-v="4"
data-type="inline"
/>
</br>
++++
=======

NOTE: For more information about enabling the Vertex AI API, refer to https://cloud.google.com/vertex-ai/docs/start/cloud-environment[Google's documentation].

[discrete]
== Create a Vertex AI service account

1. In the GCP console, navigate to **APIs & Services → Library**.
2. Search for **Vertex AI API**, select it, and click **MANAGE**.
3. In the left menu, navigate to **Credentials** then click **+ CREATE CREDENTIALS** and select **Service account**.
4. Name the new service account, then click **CREATE AND CONTINUE**.
5. Under **Select a role**, select **Vertex AI User**, then click **CONTINUE**.
6. Click **Done**.

The following video demonstrates these steps.

=======
++++
<script type="text/javascript" async src="https://play.vidyard.com/embed/v4.js"></script>
<img
style="width: 100%; margin: auto; display: block;"
class="vidyard-player-embed"
src="https://play.vidyard.com/tmresYYiags2w2nTv3Gac8.jpg"
data-uuid="tmresYYiags2w2nTv3Gac8"
data-v="4"
data-type="inline"
/>
</br>
++++
=======

[discrete]
== Generate an API key

1. Return to Vertex AI's **Credentials** menu and click **Manage service accounts**.
2. Search for the service account you just created, select it, then click the link that appears under **Email**.
3. Go to the **KEYS** tab, click **ADD KEY**, then select **Create new key**.
4. Select **JSON**, then click **CREATE** to download the key. Keep it somewhere secure.

The following video demonstrates these steps.

=======
++++
<script type="text/javascript" async src="https://play.vidyard.com/embed/v4.js"></script>
<img
style="width: 100%; margin: auto; display: block;"
class="vidyard-player-embed"
src="https://play.vidyard.com/hrcy3F9AodwhJcV1i2yqbG.jpg"
data-uuid="hrcy3F9AodwhJcV1i2yqbG"
data-v="4"
data-type="inline"
/>
</br>
++++
=======

[discrete]
== Configure the Google Gemini connector

Finally, configure the connector in your Elastic deployment:

1. Log in to your Elastic deployment.
2. Navigate to **Stack Management → Connectors → Create Connector → Google Gemini**.
3. Name your connector to help keep track of the model version you are using.
4. Under **URL**, enter the URL for your region.
5. Enter your **GCP Region** and **GCP Project ID**.
6. Under **Default model**, specify either `gemini-1.5.pro` or `gemini-1.5-flash`. https://cloud.google.com/vertex-ai/generative-ai/docs/learn/models[Learn more about the models].
7. Under **Authentication**, enter your API key.
8. Click **Save**.

The following video demonstrates these steps.

=======
++++
<script type="text/javascript" async src="https://play.vidyard.com/embed/v4.js"></script>
<img
style="width: 100%; margin: auto; display: block;"
class="vidyard-player-embed"
src="https://play.vidyard.com/8L2WPm2HKN1cH872Gs5uvL.jpg"
data-uuid="8L2WPm2HKN1cH872Gs5uvL"
data-v="4"
data-type="inline"
/>
</br>
++++
=======
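Review bot: step 6 under "Configure the Google Gemini connector" lists `gemini-1.5.pro` next to `gemini-1.5-flash`; the dot after `1.5` is inconsistent with the hyphenated sibling and looks like a typo for `gemini-1.5-pro`, and a reader who copies the value as written gets a model name that does not match the one Google publishes. The section titled "Generate an API key" actually produces a service account JSON key (steps 3 and 4), and step 7 of the configure section then says "enter your API key"; pick one term ("service account key" or "credentials JSON") for the heading, step 4 and step 7 so readers do not go looking for a separate Vertex API key. Because that JSON file is a long-lived credential bound to the **Vertex AI User** role, step 4's "Keep it somewhere secure" would be more actionable as "store it in a secrets manager, do not commit it, and delete the key when the connector is decommissioned". Two smaller points: the page title says "Connect to Google Vertex" while the final heading says "Google Gemini connector", so say once that the connector type is named Google Gemini; and the four `</br>` lines in the video blocks are a closing tag with no opening tag, the correct form is `<br/>`.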
1 change: 1 addition & 0 deletions docs/AI-for-security/connector-guides-landing-pg.asciidoc
Expand Up @@ -8,4 +8,5 @@ Setup guides are available for the following LLM providers:
* <<assistant-connect-to-azure-openai, Azure OpenAI>>
* <<assistant-connect-to-bedrock, Amazon Bedrock>>
* <<assistant-connect-to-openai, OpenAI>>
* <<connect-to-vertex, Google Vertex>>
* <<connect-to-byo-llm, LM Studio (custom local LLM)>>
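Review bot: the new xref target `connect-to-vertex` breaks the `assistant-connect-to-*` naming pattern used by the three entries above it; it resolves because the new file declares `[[connect-to-vertex]]`, but renaming both the anchor and this xref to `assistant-connect-to-vertex` keeps the anchor IDs consistent across the connector guides.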
5 changes: 0 additions & 5 deletions docs/cloud-native-security/cspm-get-started-gcp.asciidoc
Expand Up @@ -60,11 +60,6 @@ For most users, the simplest option is to use a Google Cloud Shell script to aut
+
image::images/cspm-cloudshell-trust.png[The cloud shell confirmation popup]
+
NOTE: Google has deprecated its old Cloud Shell editor. If you continue to use it, you may encounter the following message:
+
image::images/cspm-cloudshell-old-editor.png[The cloud shell switch editor popup]
+
If the message appears, click **X** or **Try the new Editor** and follow the next steps. When you switch to the new editor, your context should remain unchanged.
. In Google Cloud Shell, execute the command you copied. Once it finishes, return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data.

NOTE: If you encounter any issues running the command, return to {kib} and navigate again to Google Cloud Shell.
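Review bot: deleting this NOTE removes the only visible reference to `images/cspm-cloudshell-old-editor.png`; if that image is not deleted in the same commit it becomes an orphaned asset in the docs tree. The remaining trailing NOTE ("return to {kib} and navigate again to Google Cloud Shell") does not say what re-navigating is expected to fix; if the intent is to re-copy and re-run the generated command, say so.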
Binary file modified docs/dashboards/images/dashboards-landing-page.png
4 changes: 3 additions & 1 deletion docs/getting-started/configure-integration-policy.asciidoc
Expand Up @@ -212,7 +212,9 @@ register {elastic-sec} as your hosts' antivirus software by enabling **Register

NOTE: Windows Server versions are not supported. Antivirus registration requires Windows Security Center, which is not included in Windows Server operating systems.

You can also choose **Sync with malware protection level** to automatically set antivirus registration based on how you've configured {elastic-defend}'s <<malware-protection,malware protection>>. If malware protection is turned on and set to **Prevent**, antivirus registration will also be enabled; in any other case, antivirus registration will be disabled.
By default, the **Sync with malware protection level** is selected to automatically set antivirus registration to match how you've configured {elastic-defend}'s <<malware-protection,malware protection>>. If malware protection is turned on _and_ set to **Prevent**, antivirus registration will also be enabled; in any other case, antivirus registration will be disabled.

If you don't want to sync antivirus registration, you can set it manually with **Enabled** or **Disabled**.

[role="screenshot"]
image::images/register-as-antivirus.png[Detail of Register as antivirus option.]
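Review bot: "By default, the **Sync with malware protection level** is selected" has a dangling article; "**Sync with malware protection level** is selected by default, which sets antivirus registration to match ..." reads cleaner. Since sync is now the default, it is worth stating plainly that a host whose malware protection is off or set to anything other than **Prevent** will not be registered as antivirus unless an admin chooses **Enabled** manually; the two paragraphs imply this but a reader skimming for the default behaviour will miss it.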
9 changes: 4 additions & 5 deletions docs/getting-started/data-views-in-sec.asciidoc
Expand Up @@ -10,8 +10,7 @@ IMPORTANT: Custom indices are not included in the <<default-data-view-security,
[discrete]
== Switch to another {data-source}

You can tell which {data-source} is active by clicking the *{data-source-cap}* menu at the upper right of {elastic-sec} pages that display event or alert data, such as Overview, Alerts, Timelines, or Hosts.
To switch to another {data-source}, click **Choose {data-source}**, select one of the options, and click **Save**.
You can tell which {data-source} is active by clicking the *{data-source-cap}* menu at the upper right of {elastic-sec} pages that display event or alert data, such as Overview, Alerts, Timelines, or Hosts. To switch to another {data-source}, click **Choose {data-source}**, select one of the options, and click **Save**.

image::images/dataview-button-highlighted.png[image highlighting how to open the data view selection menu]

Expand All @@ -20,22 +19,22 @@ image::images/dataview-button-highlighted.png[image highlighting how to open the

To learn how to modify the default **Security Default Data View**, refer to <<update-sec-indices, Update default {elastic-sec} indices>>.

To learn how to modify, create, or delete another {data-source} refer to {apm-app-ref}/data-views.html[{kib} {data-sources-cap}].
To learn how to modify, create, or delete another {data-source} refer to {kibana-ref}/data-views.html[{kib} {data-sources-cap}].

You can also temporarily modify the active {data-source} from the *{data-source-cap}* menu by clicking *Advanced options*, then adding or removing index patterns.

image::images/dataview-filter-example.gif[video showing how to filter the active data view]

This only allows you to add index patterns that match indices that currently contain data (other index patterns are unavailable). Note that any changes made are saved in the current browser window and won't persist if you open a new tab.

NOTE: You cannot update the data view for the Alerts page. It always shows data from `.alerts-security.alerts-default`.
NOTE: You cannot update the data view for the Alerts page. This includes referencing a cross-cluster search (CCS) data view or any other data view. The Alerts page always shows data from `.alerts-security.alerts-default`.

[discrete]
[[default-data-view-security]]
== The default {data-source}

The default {data-source} is defined by the `securitySolution:defaultIndex` setting, which you can modify in {kib}'s advanced settings (**Stack Management** > **Advanced Settings** > **Security Solution**). To learn more about this setting, including its default value, refer to {security-guide}/advanced-settings.html#update-sec-indices[Advanced settings].

The first time a user visits {elastic-sec} within a given {kib} {apm-app-ref}/xpack-spaces.html[space], the default {data-source} generates in that space and becomes active.
The first time a user visits {elastic-sec} within a given {kib} {kibana-ref}/xpack-spaces.html[space], the default {data-source} generates in that space and becomes active.

If you delete the active {data-source} when there are no other defined {data-sources}, the default {data-source} will regenerate and become active upon refreshing any {elastic-sec} page in the space.
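Review bot: in the new NOTE, "This includes referencing a cross-cluster search (CCS) data view or any other data view" is redundant after "You cannot update the data view for the Alerts page"; the useful addition is the CCS case, so "You cannot change the data view for the Alerts page, not even to a cross-cluster search (CCS) data view; it always shows data from `.alerts-security.alerts-default`" says the same in one sentence. The `{apm-app-ref}` to `{kibana-ref}` fixes are right for these two links, but the unchanged `{security-guide}/advanced-settings.html#update-sec-indices` link in the default data source paragraph still points at the same target that the paragraph above reaches with the `<<update-sec-indices, ...>>` xref; consider making those consistent in the same pass.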
Binary file modified docs/getting-started/images/register-as-antivirus.png
4 changes: 4 additions & 0 deletions docs/serverless/cloud-native-security/vuln-management-faq.mdx
Expand Up @@ -19,6 +19,10 @@ The CNVM integration uses various security data sources. The complete list can b

CNVM uses the open source scanner [Trivy](https://github.com/aquasecurity/trivy) v0.35.

**What system architectures are supported?**

Because of Trivy's limitations, CNVM can only be deployed on ARM-based VMs. However, it can scan hosts regardless of system architecture.

**How often are the security data sources synchronized?**

The CNVM integration fetches the latest data sources at the beginning of every scan cycle to ensure up-to-date vulnerability information.
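Review bot: "Because of Trivy's limitations" is vague; name the limitation or link to the upstream Trivy issue so readers can tell whether it still applies once CNVM moves past the Trivy v0.35 pinned two paragraphs up. The second sentence is the one that matters for deployment planning and should be explicit: the ARM restriction applies to the VM that runs the scanner, not to the hosts whose images it scans.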
Expand Up @@ -15,6 +15,7 @@ This page explains how to set up Cloud Native Vulnerability Management (CNVM).

* CNVM only works in the `Default` ((kib)) space. Installing the CNVM integration on a different ((kib)) space will not work.
* Requires ((agent)) version 8.8 or higher.
* CNVM can only be deployed on ARM-based VMs.
* To view vulnerability scan findings, you need the appropriate user role to read the following indices:
* `logs-cloud_security_posture.vulnerabilities-*`
* `logs-cloud_security_posture.vulnerabilities_latest-*`
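Review bot: the new bullet duplicates the FAQ answer added in this same commit without linking to it; a DocLink to the "What system architectures are supported?" entry would keep the reasoning in one place. As written, "CNVM can only be deployed on ARM-based VMs" sits beside "Requires ((agent)) version 8.8 or higher" and reads like a requirement on the monitored hosts; "The VM that runs the CNVM scanner must be ARM-based" matches the FAQ's clarification that scanned hosts can be any architecture.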
Expand Up @@ -249,7 +249,9 @@ register ((elastic-sec)) as your hosts' antivirus software by enabling **Registe
Windows Server is not supported. Antivirus registration requires Windows Security Center, which is not included in Windows Server operating systems.
</DocCallOut>

You can also choose **Sync with malware protection level** to automatically set antivirus registration based on how you've configured ((elastic-defend))'s <DocLink slug="/serverless/security/configure-endpoint-integration-policy" section="malware-protection">malware protection</DocLink>. If malware protection is turned on and set to **Prevent**, antivirus registration will also be enabled; in any other case, antivirus registration will be disabled.
By default, the **Sync with malware protection level** is selected to automatically set antivirus registration to match how you've configured ((elastic-defend))'s <DocLink slug="/serverless/security/configure-endpoint-integration-policy" section="malware-protection">malware protection</DocLink>. If malware protection is turned on _and_ set to **Prevent**, antivirus registration will also be enabled; in any other case, antivirus registration will be disabled.

If you don't want to sync antivirus registration, you can set it manually with **Enabled** or **Disabled**.

![Detail of Register as antivirus option.](../images/configure-endpoint-integration-policy/-getting-started-register-as-antivirus.png)

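Review bot: same wording issue as the asciidoc version of this paragraph earlier in the commit: "By default, the **Sync with malware protection level** is selected" should read "**Sync with malware protection level** is selected by default". Since the two files carry identical paragraphs, keep them word-for-word aligned so a future edit to one is not missed in the other.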
13 changes: 9 additions & 4 deletions docs/serverless/explore/data-views-in-sec.mdx
Expand Up @@ -26,21 +26,26 @@ To switch to another ((data-source)), click **Choose ((data-source))**, select o

## Create or modify a ((data-source))

You can temporarily modify the active ((data-source)) from the **((data-source-cap))** menu by clicking **Advanced options**, then adding or removing index patterns.
To learn how to modify the default **Security Default Data View**, refer to <DocLink slug="/serverless/security/advanced-settings" section="update-sec-indices" />.

To learn how to modify, create, or delete another ((data-source)) refer to [((data-sources-cap))](((kibana-ref))/data-views.html).

You can also temporarily modify the active ((data-source)) from the **((data-source-cap))** menu by clicking **Advanced options**, then adding or removing index patterns.

![video showing how to filter the active data view](../images/data-views-in-sec/-getting-started-dataview-filter-example.gif)

This only allows you to add index patterns that match indices that currently contain data (other index patterns are unavailable). Note that any changes made are saved in the current browser window and won't persist if you open a new tab.

To permanently modify a ((data-source)), delete an existing ((data-source)) or create a new one, you need the required permissions.
To learn more, refer to [((data-sources-cap))](((apm-app-ref))/data-views.html).
<DocCallOut title="Note">
You cannot update the data view for the Alerts page. This includes referencing a cross-cluster search (CCS) data view or any other data view. The Alerts page always shows data from `.alerts-security.alerts-default`.
</DocCallOut>

<div id="default-data-view-security"></div>

## The default ((data-source))

The default ((data-source)) is defined by the `securitySolution:defaultIndex` setting, which you can modify in your project's advanced settings{/* path to be updated: (**Stack Management** → **Advanced Settings** → **Security Solution**) */}. To learn more about this setting, including its default value, refer to <DocLink slug="/serverless/security/advanced-settings" />).

The first time a user visits ((elastic-sec)){/* within a given ((kib)) [space](((apm-app-ref))/xpack-spaces.html)*/}, the default ((data-source)) generates{/* in that space*/} and becomes active.
The first time a user visits ((elastic-sec)){/* within a given ((kib)) [space](((kibana-ref))/xpack-spaces.html)*/}, the default ((data-source)) generates{/* in that space*/} and becomes active.

If you delete the active ((data-source)) when there are no other defined ((data-sources)), the default ((data-source)) will regenerate and become active upon refreshing any ((elastic-sec)) page{/* in the space*/}.
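Review bot: the section now links to the same Kibana data views page twice: the new "To learn how to modify, create, or delete another ((data-source))" paragraph uses `((kibana-ref))/data-views.html`, while the unchanged "To permanently modify a ((data-source)) ... To learn more, refer to [((data-sources-cap))](((apm-app-ref))/data-views.html)." lines below still use the `((apm-app-ref))` attribute this commit is replacing elsewhere. Either drop those two lines or fold the permissions sentence into the new paragraph and delete the old link. Two smaller points in the unchanged context: `refer to <DocLink slug="/serverless/security/advanced-settings" />).` has a stray `)` after the DocLink, and the new DocCallOut carries the same redundant "or any other data view" phrasing flagged on the asciidoc counterpart.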