Merge branch 'main' into 5166-cloudsec-billing-updates

docs/attack-discovery/attack-discovery.asciidoc

@@ -7,36 +7,38 @@
 :frontmatter-tags-content-type: [overview]
 :frontmatter-tags-user-goals: [get-started]
 
-beta::[]
+preview::["This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features."]
 
 NOTE: This feature is available starting with {elastic-sec} version 8.14.0.
 
-Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This makes the most of each security analyst's time, helps fight alert fatigue, and can reduce your mean time to respond.
-
-NOTE: Attack discovery currently only analyzes alerts from the past 24 hours.
+Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond.
 
 This page describes:
 
-* <<attack-discovery-generate-discoveries, How to generate discoveries>>.
-* <<attack-discovery-what-info, What information each discovery includes>>.
-* <<attack-discovery-workflows, How you can interact with discoveries to enhance {elastic-sec} workflows>>.
+* <<attack-discovery-generate-discoveries, How to generate discoveries>>
+* <<attack-discovery-what-info, What information each discovery includes>>
+* <<attack-discovery-workflows, How you can interact with discoveries to enhance {elastic-sec} workflows>>
 
 [[attack-discovery-generate-discoveries]]
 [discrete]
 == Generate discoveries
 
-To use Attack discovery:
+When you access Attack discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack discovery uses the same LLM connectors as <<security-assistant>>. To get started:
 
 . Click the **Attack discovery** page from {elastic-sec}'s navigation menu.
-. When you open the page for the first time, you'll need to select an LLM connector before you can analyze alerts. Select an existing connector from the dropdown menu, or add a new one.
+. Select an existing connector from the dropdown menu, or add a new one.
 +
-NOTE: Attack discovery uses the same LLM connectors as <<security-assistant, Elastic AI Assistant>>. If you've already configured one, you can use it here without further configuration. In general, models with larger context windows are more effective for Attack discovery.
+.Recommended models
+[sidebar]
+--
+While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3 Sonnet and Claude 3 Opus. In general, models with larger context windows are more effective for Attack discovery.
+--
 +
 image::images/select-model-empty-state.png[]
 +
 . Once you've selected a connector, click **Generate** to start the analysis.
 
-It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected.
+It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Note that Attack discovery only analyzes alerts from the past 24 hours.
 
 IMPORTANT: Attack discovery uses the same data anonymization settings as <<security-assistant, Elastic AI Assistant>>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.
 

docs/cloud-native-security/session-view.asciidoc

@@ -33,11 +33,11 @@ but this data is not always collected by default. To confirm that Session View d
 
 . Go to *Manage* -> *Policies*, and edit one or more of your {elastic-defend} integration policies.
 . Select the *Policy settings* tab, then scroll down to the Linux event collection section near the bottom.
-. Check the box for *Process* events, and turn on the *Include session data* toggle.
+. Check the box for *Process* events, and turn on the *Collect session data* toggle.
 . If you want to include file and network alerts in Session View, check the boxes for *Network* and *File* events.
 . If you want to enable terminal output capture, turn on the *Capture terminal output* toggle.
 
-Session View can only display data that was collected by {elastic-defend} when *Include session data* was enabled. When this setting is enabled, {elastic-defend} includes additional process context data in captured process, file, and network events. For more information about the additional
+Session View can only display data that was collected by {elastic-defend} when *Collect session data* was enabled. When this setting is enabled, {elastic-defend} includes additional process context data in captured process, file, and network events. For more information about the additional
 fields collected when this setting is enabled, refer to the https://github.com/elastic/ecs/blob/main/rfcs/text/0030-linux-event-model.md[Linux event model RFC].
 
 
@@ -127,7 +127,7 @@ To enable terminal output data capture:
 
 . Go to *Manage* -> *Policies*, then select one or more of your {elastic-defend} integration policies to edit.
 . On the *Policy settings* tab, scroll down to the Linux event collection section near the bottom of the page
-and select the *Include session data* and *Capture terminal output* options.
+and select the *Collect session data* and *Capture terminal output* options.
 
 You can configure several additional settings by clicking *Advanced settings* at the bottom of the page:
 

docs/detections/alerts-view-details.asciidoc

@@ -249,7 +249,7 @@ preview::[]
 
 * **Related cases**: Shows cases to which the alert has been added. Click a case's name to open its details.
 * **Alerts related by source event**: Shows alerts created by the same source event. This can help you find alerts with a shared origin and provide more context about the source event. Click the *Investigate in timeline* button to examine related alerts in Timeline.
-* **Alerts related by session**: Shows alerts generated during the same <<session-view, session>>. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the *Include session data* setting in your {elastic-defend} integration policy. Refer to <<enable-session-view, Enable Session View data>> for more information.
+* **Alerts related by session**: Shows alerts generated during the same <<session-view, session>>. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the *Collect session data* setting in your {elastic-defend} integration policy. Refer to <<enable-session-view, Enable Session View data>> for more information.
 * **Alerts related by ancestry**: Shows alerts that are related by process events on the same linear branch. Note that alerts generated from processes on child or related branches are not shown. To further examine alerts, click *Investigate in timeline*.
 
 [discrete]

docs/management/admin/blocklist.asciidoc

@@ -50,7 +50,7 @@ NOTE: You can also select the `Per Policy` option without immediately assigning
 
 . When you're done adding entries to the blocklist, ensure that the blocklist is enabled for the {elastic-defend} integration policies that you just assigned:
 .. Go to **Manage** -> **Policies**, then click on an integration policy.
-.. On the **Policy settings** tab, ensure that the **Malware protections enabled** and **Blocklist enabled** toggles are switched on. Both settings are enabled by default.
+.. On the **Policy settings** tab, ensure that the **Malware protections** and **Blocklist** toggles are switched on. Both settings are enabled by default.
 
 [discrete]
 [[manage-blocklist]]

docs/serverless/alerts/view-alert-details.mdx

@@ -242,7 +242,7 @@ In the expanded view, corelation data is organized into several tables:
 * **Suppressed alerts**: <DocBadge template="technical preview" /> Shows how many duplicate alerts were suppressed. This information only appears if alert suppression is enabled for the rule.
 * **Related cases**: Shows cases to which the alert has been added. Click a case's name to open its details.
 * **Alerts related by source event**: Shows alerts created by the same source event. This can help you find alerts with a shared origin and provide more context about the source event. Click the **Investigate in timeline** button to examine related alerts in Timeline.
-* **Alerts related by session**: Shows alerts generated during the same <DocLink id="serverlessSecuritySessionView">session</DocLink>. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the **Include session data** setting in your ((elastic-defend)) integration policy. Refer to <DocLink id="serverlessSecuritySessionView" section="enable-session-view-data">Enable Session View data</DocLink> for more information.
+* **Alerts related by session**: Shows alerts generated during the same <DocLink id="serverlessSecuritySessionView">session</DocLink>. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the **Collect session data** setting in your ((elastic-defend)) integration policy. Refer to <DocLink id="serverlessSecuritySessionView" section="enable-session-view-data">Enable Session View data</DocLink> for more information.
 * **Alerts related by ancestry**: Shows alerts that are related by process events on the same linear branch. Note that alerts generated from processes on child or related branches are not shown. To further examine alerts, click **Investigate in timeline**.
 
 <div id="prevalence-overview"></div>

docs/serverless/cloud-native-security/session-view.mdx

@@ -37,11 +37,11 @@ but this data is not always collected by default. To confirm that Session View d
 
 1. Go to **Assets** → **Policies**, select a policy and then edit one or more of your ((elastic-defend)) integration policies.
 1. Select the **Settings** tab, then scroll down to the Linux event collection section near the bottom.
-1. Check the box for **Process** events, and turn on the **Include session data** toggle.
+1. Check the box for **Process** events, and turn on the **Collect session data** toggle.
 1. If you want to include file and network alerts in Session View, check the boxes for **Network** and **File** events.
 1. If you want to enable terminal output capture, turn on the **Capture terminal output** toggle.
 
-Session View can only display data that was collected by ((elastic-defend)) when **Include session data** was enabled. When this setting is enabled, ((elastic-defend)) includes additional process context data in captured process, file, and network events. For more information about the additional
+Session View can only display data that was collected by ((elastic-defend)) when **Collect session data** was enabled. When this setting is enabled, ((elastic-defend)) includes additional process context data in captured process, file, and network events. For more information about the additional
 fields collected when this setting is enabled, refer to the [Linux event model RFC](https://github.com/elastic/ecs/blob/main/rfcs/text/0030-linux-event-model.md).
 
 <div id="open-session-view"></div>
@@ -127,7 +127,7 @@ To enable terminal output data capture:
 
 1. Go to **Assets** → **Policies**, select a policy and then edit one or more of your ((elastic-defend)) integration policies.
 1. On the **Settings** tab, scroll down to the Linux event collection section near the bottom of the page
-    and select the **Include session data** and **Capture terminal output** options.
+    and select the **Collect session data** and **Capture terminal output** options.
 
 You can configure several additional settings by clicking **Advanced settings** at the bottom of the page:
 

docs/serverless/edr-manage/blocklist.mdx

@@ -66,7 +66,7 @@ By default, a blocklist entry is recognized globally across all hosts running ((
 
 1. When you're done adding entries to the blocklist, ensure that the blocklist is enabled for the ((elastic-defend)) integration policies that you just assigned:
     1. Go to **Assets** → **Policies**, then click on an integration policy.
-    1. On the **Policy settings** tab, ensure that the **Malware protections enabled** and **Blocklist enabled** toggles are switched on. Both settings are enabled by default.
+    1. On the **Policy settings** tab, ensure that the **Malware protections** and **Blocklist** toggles are switched on. Both settings are enabled by default.
 
 <div id="manage-blocklist"></div>