Merge branch 'main' into issue-6254-closed-alerts

.mergify.yml

@@ -29,7 +29,6 @@ pull_request_rules:
   - name: backport patches to 8.x branch
     conditions:
       - merged
-      - base=main
       - label=v8.18.0
     actions:
       backport:
@@ -43,7 +42,6 @@ pull_request_rules:
   - name: backport patches to 8.17 branch
     conditions:
       - merged
-      - base=main
       - label=v8.17.0
     actions:
       backport:
@@ -57,7 +55,6 @@ pull_request_rules:
   - name: backport patches to 8.16 branch
     conditions:
       - merged
-      - base=main
       - label=v8.16.0
     actions:
       backport:
@@ -71,7 +68,6 @@ pull_request_rules:
   - name: backport patches to 8.15 branch
     conditions:
       - merged
-      - base=main
       - label=v8.15.0
     actions:
       backport:
@@ -85,7 +81,6 @@ pull_request_rules:
   - name: backport patches to 8.14 branch
     conditions:
       - merged
-      - base=main
       - label=v8.14.0
     actions:
       backport:
@@ -99,7 +94,6 @@ pull_request_rules:
   - name: backport patches to 8.13 branch
     conditions:
       - merged
-      - base=main
       - label=v8.13.0
     actions:
       backport:
@@ -113,7 +107,6 @@ pull_request_rules:
   - name: backport patches to 8.12 branch
     conditions:
       - merged
-      - base=main
       - label=v8.12.0
     actions:
       backport:
@@ -127,7 +120,6 @@ pull_request_rules:
   - name: backport patches to 8.11 branch
     conditions:
       - merged
-      - base=main
       - label=v8.11.0
     actions:
       backport:
@@ -141,7 +133,6 @@ pull_request_rules:
   - name: backport patches to 8.10 branch
     conditions:
       - merged
-      - base=main
       - label=v8.10.0
     actions:
       backport:
@@ -155,7 +146,6 @@ pull_request_rules:
   - name: backport patches to 8.9 branch
     conditions:
       - merged
-      - base=main
       - label=v8.9.0
     actions:
       backport:
@@ -169,7 +159,6 @@ pull_request_rules:
   - name: backport patches to 8.8 branch
     conditions:
       - merged
-      - base=main
       - label=v8.8.0
     actions:
       backport:
@@ -183,7 +172,6 @@ pull_request_rules:
   - name: backport patches to 8.7 branch
     conditions:
       - merged
-      - base=main
       - label=v8.7.0
     actions:
       backport:
@@ -197,7 +185,6 @@ pull_request_rules:
   - name: backport patches to 8.6 branch
     conditions:
       - merged
-      - base=main
       - label=v8.6.0
     actions:
       backport:
@@ -211,7 +198,6 @@ pull_request_rules:
   - name: backport patches to 8.5 branch
     conditions:
       - merged
-      - base=main
       - label=v8.5.0
     actions:
       backport:
@@ -225,7 +211,6 @@ pull_request_rules:
   - name: backport patches to 8.4 branch
     conditions:
       - merged
-      - base=main
       - label=v8.4.0
     actions:
       backport:
@@ -239,7 +224,6 @@ pull_request_rules:
   - name: backport patches to 8.3 branch
     conditions:
       - merged
-      - base=main
       - label=v8.3.0
     actions:
       backport:
@@ -253,7 +237,6 @@ pull_request_rules:
   - name: backport patches to 8.2 branch
     conditions:
       - merged
-      - base=main
       - label=v8.2.0
     actions:
       backport:
@@ -267,7 +250,6 @@ pull_request_rules:
   - name: backport patches to 8.1 branch
     conditions:
       - merged
-      - base=main
       - label=v8.1.0
     actions:
       backport:
@@ -281,7 +263,6 @@ pull_request_rules:
   - name: backport patches to 7.17 branch
     conditions:
       - merged
-      - base=main
       - label=v7.17.0
     actions:
       backport:

docs/AI-for-security/llm-performance-matrix.asciidoc

@@ -3,13 +3,15 @@
 
 This table describes the performance of various large language models (LLMs) for different use cases in {elastic-sec}, based on our internal testing. To learn more about these use cases, refer to <<attack-discovery, Attack discovery>> or <<security-assistant, AI Assistant>>.
 
-[cols="1,1,1,1,1,1,1,1", options="header"]
+[cols="1,1,1,1,1,1,1,1,1,1", options="header"]
 |===
-| *Feature*                     | *Model*               |                    |                   |         |                 |                       |                     
-|                               | *Claude 3: Opus*      | *Claude 3.5: Sonnet* | *Claude 3: Haiku* | *GPT-4o* | *GPT-4 Turbo*  | **Gemini 1.5 Pro ** | **Gemini 1.5 Flash** 
-| *Assistant - General*         | Excellent             | Excellent          | Excellent         | Excellent | Excellent     | Excellent             | Excellent 
-| *Assistant - {esql} generation*| Great                 | Great              | Poor              | Excellent | Poor          | Good                 | Poor 
-| *Assistant - Alert questions* | Excellent             | Excellent          | Excellent         | Excellent | Poor          | Excellent             | Good 
-| *Attack discovery*            | Excellent             | Excellent            | Poor              | Poor      | Good        | Great                 | Poor 
+| *Feature*                     | *Model*         |                           |                    |                    |                   |           |               |                     |                     
+|                               | *Claude 3: Opus*| *Claude 3.5: Sonnet v2* | *Claude 3.5: Sonnet* | *Claude 3.5: Haiku*| *Claude 3: Haiku* | *GPT-4o*  | *GPT-4o-mini* | **Gemini 1.5 Pro 002** | **Gemini 1.5 Flash 002** 
+| *Assistant - General*         | Excellent       |  Excellent              | Excellent            | Excellent          | Excellent         | Excellent | Excellent     | Excellent           | Excellent 
+| *Assistant - {esql} generation*| Excellent      |  Excellent              | Excellent            | Excellent          | Excellent         | Excellent | Great         | Excellent           | Poor 
+| *Assistant - Alert questions* | Excellent       |  Excellent              | Excellent            | Excellent          | Excellent         | Excellent | Great         | Excellent           | Good 
+| *Assistant - Knowledge retrieval* | Good        |  Excellent              | Excellent            | Excellent          | Excellent         | Excellent | Great         | Excellent           | Excellent
+| *Attack Discovery*            | Great           |  Great                  | Excellent            | Poor               | Poor              | Great     | Poor          | Excellent           | Poor 
 |===
-
+
+NOTE: `Excellent` is the best rating, followed by `Great`, then by `Good`, and finally by `Poor`.

docs/cloud-native-security/cloud-native-security-index.asciidoc

@@ -41,6 +41,7 @@ include::cspm.asciidoc[leveloffset=+1]
 include::cspm-get-started-aws.asciidoc[leveloffset=+2]
 include::cspm-get-started-gcp.asciidoc[leveloffset=+2]
 include::cspm-get-started-azure.asciidoc[leveloffset=+2]
+include::cspm-permissions.asciidoc[leveloffset=+2]
 include::cspm-findings.asciidoc[leveloffset=+2]
 include::cspm-benchmark-rules.asciidoc[leveloffset=+2]
 include::cspm-cloud-posture-dashboard.asciidoc[leveloffset=+2]

docs/cloud-native-security/cspm-get-started-aws.asciidoc

@@ -10,17 +10,10 @@ This page explains how to get started monitoring the security posture of your cl
 .Requirements
 [sidebar]
 --
+* Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to <<cspm-required-permissions>>.
 * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription].
 * CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. 
 * CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support].
-* `Read` privileges for the following {es} indices:
-** `logs-cloud_security_posture.findings_latest-*`
-** `logs-cloud_security_posture.scores-*`
-* The following {kib} privileges:
-** Security: `Read`
-** Integrations: `Read`
-** Saved Objects Management: `Read` 
-** Fleet: `All`
 * The user who gives the CSPM integration AWS permissions must be an AWS account `admin`.
 --
 

docs/cloud-native-security/cspm-get-started-azure.asciidoc

@@ -10,17 +10,10 @@ This page explains how to get started monitoring the security posture of your cl
 .Requirements
 [sidebar]
 --
+* Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to <<cspm-required-permissions>>.
 * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription].
 * CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. 
 * CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support].
-* `Read` privileges for the following {es} indices:
-** `logs-cloud_security_posture.findings_latest-*`
-** `logs-cloud_security_posture.scores-*`
-* The following {kib} privileges:
-** Security: `Read`
-** Integrations: `Read`
-** Saved Objects Management: `Read` 
-** Fleet: `All`
 * The user who gives the CSPM integration permissions in Azure must be an Azure subscription `admin`.
 --
 

docs/cloud-native-security/cspm-get-started-gcp.asciidoc

@@ -10,17 +10,10 @@ This page explains how to get started monitoring the security posture of your GC
 .Requirements
 [sidebar]
 --
+* Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to <<cspm-required-permissions>>.
 * The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription].
 * CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. 
 * CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support].
-* `Read` privileges for the following {es} indices:
-** `logs-cloud_security_posture.findings_latest-*`
-** `logs-cloud_security_posture.scores-*`
-* The following {kib} privileges:
-** Security: `Read`
-** Integrations: `Read`
-** Saved Objects Management: `Read` 
-** Fleet: `All`
 * The user who gives the CSPM integration GCP permissions must be a GCP project `admin`.
 --
 

docs/cloud-native-security/cspm-permissions.asciidoc

@@ -0,0 +1,61 @@
+[[cspm-required-permissions]]
+= CSPM privilege requirements
+
+This page lists required privileges for {elastic-sec}'s CSPM features. There are three access levels: read, write, and manage. Each access level and its requirements are described below.
+
+[discrete]
+== Read
+
+Users with these minimum permissions can view data on the **Findings** page and the Cloud Posture dashboard.
+
+[discrete]
+=== {es} index privileges
+`Read` privileges for the following {es} indices:
+
+* `logs-cloud_security_posture.findings_latest-*`
+* `logs-cloud_security_posture.scores-*`
+
+[discrete]
+=== {kib} privileges
+
+* `Security: Read`
+
+
+[discrete]
+== Write
+
+Users with these minimum permissions can view data on the **Findings** page and the Cloud Posture dashboard, create detection rules from the findings details flyout, and enable or disable benchmark rules.
+
+[discrete]
+=== {es} index privileges
+`Read` privileges for the following {es} indices:
+
+* `logs-cloud_security_posture.findings_latest-*`
+* `logs-cloud_security_posture.scores-*`
+
+[discrete]
+=== {kib} privileges
+
+* `Security: All`
+
+
+[discrete]
+== Manage
+
+Users with these minimum permissions can view data on the **Findings** page and the Cloud Posture dashboard, create detection rules from the findings details flyout, enable or disable benchmark rules, and install, update, or uninstall CSPM integrations and assets.
+
+[discrete]
+=== {es} index privileges
+`Read` privileges for the following {es} indices:
+
+* `logs-cloud_security_posture.findings_latest-*`
+* `logs-cloud_security_posture.scores-*`
+
+[discrete]
+=== {kib} privileges
+
+* `Security: All`
+* `Spaces: All`
+* `Fleet: All`
+* `Integrations: All`
+

docs/cloud-native-security/environment-variable-capture.asciidoc

@@ -28,9 +28,6 @@ To set up environment variable capture for an {agent} policy:
 . Enter the names of env vars you want to capture, separated by commas. For example: `PATH,USER`
 . Click *Save*.
 
-[role="screenshot"]
-image::images/env-var-capture.png[The "linux.advanced.capture_env_vars" advanced agent policy setting]
-
 [[find-cap-env-vars]]
 [discrete]
 == Find captured environment variables

docs/detections/detection-engine-intro.asciidoc

@@ -167,3 +167,9 @@ and you should contact your {kib} administrator.
 NOTE: For *self-managed* {stack} deployments only, this message may be
 displayed when the <<detections-permissions, `xpack.security.enabled`>>
 setting is not enabled in the `elasticsearch.yml` file. For more information, refer to <<detections-on-prem-requirements>>.
+
+[discrete]
+[[detections-logsdb-index-mode]]
+== Using logsdb index mode 
+
+To learn how your rules and alerts are affected by using the {ref}/logs-data-stream.html[logsdb index mode], refer to <<detections-logsdb-index-mode-impact>>. 

docs/detections/detections-index.asciidoc

@@ -2,6 +2,8 @@ include::detection-engine-intro.asciidoc[]
 
 include::detections-req.asciidoc[leveloffset=+1]
 
+include::detections-logsdb-impact.asciidoc[leveloffset=+1]
+
 include::about-rules.asciidoc[]