Add 'docs/serverless/' from commit '99c397fe4b283b23a245980c3ec7d27db…

…76ac426'

git-subtree-dir: docs/serverless
git-subtree-mainline: 37ed495
git-subtree-split: 99c397f

docs/serverless/.github/CODEOWNERS

@@ -0,0 +1,2 @@
+* @elastic/security-docs
+/.github/workflows/ @elastic/docs-engineering

docs/serverless/.github/workflows/docs-elastic-staging-publish.yml

@@ -0,0 +1,25 @@
+name: Staging Docs
+
+on:
+  pull_request_target:
+    paths:
+      - '**.mdx'
+      - '**.docnav.json'
+      - '**.docapi.json'
+      - '**.devdocs.json'
+      - '**.jpg'
+      - '**.jpeg'
+      - '**.png'
+      - '**.svg'
+      - '**.gif'
+    types: [opened, closed, synchronize]
+
+jobs:
+  publish:
+    name: Vercel Build Check
+    uses: elastic/workflows/.github/workflows/docs-elastic-staging-publish.yml@main
+    secrets:
+      VERCEL_GITHUB_TOKEN: ${{ secrets.VERCEL_GITHUB_TOKEN }}
+      VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
+      VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
+      VERCEL_PROJECT_ID_DOCS_CO: ${{ secrets.VERCEL_PROJECT_ID_DOCS_CO }}

docs/serverless/.gitignore

@@ -0,0 +1,8 @@
+# vscode stuff
+.vscode/
+
+# vs stuff
+.vs/
+
+# osx stuff
+.DS_Store

docs/serverless/README.md

@@ -0,0 +1,5 @@
+# staging-serverless-security-docs
+Staging location for serverless Elastic Security docs
+
+## How to contribute
+Please open an issue in [elastic/security-docs](https://github.com/elastic/security-docs/issues/new/choose).

docs/serverless/docs/advanced-entity-analytics/advanced-behavioral-detections.mdx

@@ -0,0 +1,17 @@
+---
+id: serverlessSecurityAdvancedBehavioralDetections
+slug: /serverless/security/advanced-behavioral-detections
+title: Advanced behavioral detections
+description: Learn about advanced behavioral detections and its capabilities.
+tags: [ 'serverless', 'security', 'overview', 'analyze' ]
+status: in review
+---
+
+<DocBadge template="technical preview" />
+
+Elastic's ((ml)) capabilities and advanced correlation, scoring, and visualization techniques can help you identify potential behavioral threats that may be associated with security incidents.
+
+Advanced behavioral detections includes two key capabilities:
+
+* <DocLink id="serverlessSecurityMachineLearning">Anomaly detection</DocLink>
+* <DocLink id="serverlessSecurityBehavioralDetectionUseCases" />

docs/serverless/docs/advanced-entity-analytics/advanced-entity-analytics-overview.mdx

@@ -0,0 +1,17 @@
+---
+id: serverlessSecurityAdvancedEntityAnalytics
+slug: /serverless/security/advanced-entity-analytics
+title: Advanced Entity Analytics
+description: Learn about Advanced Entity Analytics and its capabilities.
+tags: [ 'serverless', 'security', 'overview', 'analyze' ]
+status: in review
+---
+
+<DocBadge template="technical preview" />
+
+Advanced Entity Analytics generates a set of threat detection and risk analytics that allows you to expedite alert triage and hunt for new threats from within an entity's environment. This feature combines the power of the SIEM detection engine and Elastic's ((ml)) capabilities to identify unusual user behaviors and generate comprehensive risk analytics for hosts and users.
+
+Advanced Entity Analytics provides two key capabilities:
+
+* <DocLink id="serverlessSecurityEntityRiskScoring" />
+* <DocLink id="serverlessSecurityAdvancedBehavioralDetections" />

docs/serverless/docs/advanced-entity-analytics/analyze-risk-score-data.mdx

@@ -0,0 +1,71 @@
+---
+id: serverlessSecurityAnalyzeRiskScoreData
+slug: /serverless/security/analyze-risk-score-data
+title: View and analyze risk score data
+description: Monitor risk score changes of hosts and users in your environment.
+tags: [ 'serverless', 'security', 'how-to', 'analyze' ]
+status: in review
+---
+
+<DocBadge template="technical preview" />
+
+The ((security-app)) provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the ((security-app)) to view and analyze risk score data:
+
+* <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="entity-analytics-dashboard">Entity Analytics dashboard</DocLink>
+* <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="alerts-page">Alerts page</DocLink>
+* <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="alert-details-flyout">Alert details flyout</DocLink>
+* <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="hosts-and-users-pages">Hosts and Users pages</DocLink>
+* <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="host-and-user-details-pages">Host and user details pages</DocLink>
+
+<DocCallOut title="Tip">
+We recommend that you prioritize <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="alert-triaging">alert triaging</DocLink> to identify anomalies or abnormal behavior patterns.
+</DocCallOut>
+
+## Entity Analytics dashboard
+
+From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page.
+
+![Entity Analytics dashboard](../images/detection-entity-dashboard/-dashboards-entity-dashboard.png) 
+
+## Alert triaging 
+You can prioritize alert triaging to analyze alerts associated with risky entities using the following features in the ((security-app)). 
+
+### Alerts page
+
+Use the Alerts table to investigate and analyze host and user risk levels and scores. We recommend adding the `user.risk.calculated_level` and `host.risk.calculated_level` columns to the Alerts table to easily display this data. To do this, select **Fields**, search for `user.risk` and `host.risk`, then select the appropriate fields from the list. Learn more about <DocLink id="serverlessSecurityAlertsUiManage" section="customize-the-alerts-table">customizing the Alerts table</DocLink>.
+
+![Risk scores in the Alerts table](../images/analyze-risk-score-data/alerts-table-rs.png) 
+
+You can use the drop-down filter controls to filter alerts by their risk score level. To do this, <DocLink id="serverlessSecurityAlertsUiManage" section="edit-drop-down-filter-controls">edit the default controls</DocLink> to filter by `user.risk.calculated_level` or `host.risk.calculated_level`:
+
+![Alerts filtered by high host risk level](../images/analyze-risk-score-data/filter-by-host-risk-level.png) 
+
+### Alert details flyout
+
+To access risk score data in the alert details flyout, select **Insights** → **Entities** on the **Overview** tab:
+
+![Risk scores in the Alerts flyout](../images/analyze-risk-score-data/alerts-flyout-rs.png)
+
+### Hosts and Users pages
+
+On the Hosts and Users pages, you can access the risk score data:
+
+* In the **Host risk level** or **User risk level** column on the **All hosts** or **All users** tab:
+
+  ![Host risk level data on the All hosts tab of the Hosts page](../images/analyze-risk-score-data/hosts-hr-level.png) 
+
+* On the **Host risk** or **User risk** tab:
+
+  ![Host risk data on the Host risk tab of the Hosts page](../images/analyze-risk-score-data/hosts-hr-data.png)
+
+### Host and user details pages
+
+On the host details and user details pages, you can access the risk score data:
+
+* In the Overview section:
+
+  ![Host risk data in the Overview section of the host details page](../images/analyze-risk-score-data/host-details-overview.png)
+
+* On the **Host risk** or **User risk** tab:
+
+  ![Host risk data on the Host risk tab of the host details page](../images/analyze-risk-score-data/host-details-hr-tab.png)

docs/serverless/docs/advanced-entity-analytics/behavioral-detection-use-cases.mdx

@@ -0,0 +1,33 @@
+---
+id: serverlessSecurityBehavioralDetectionUseCases
+slug: /serverless/security/behavioral-detection-use-cases
+title: Behavioral detection use cases
+description: Detect internal and external threats using behavioral detection integrations.
+tags: [ 'serverless', 'security', 'overview', 'analyze' ]
+status: in review
+---
+
+<DocBadge template="technical preview" />
+
+Behavioral detection identifies potential internal and external threats based on user and host activity. It uses a threat-centric approach to flag suspicious activity by analyzing patterns, anomalies, and context enrichment. 
+
+The behavioral detection feature is built on ((elastic-sec))'s foundational SIEM detection capabilities, leveraging ((ml)) algorithms to enable proactive threat detection and hunting.
+
+## Elastic integrations for behavioral detection use cases
+
+Behavioral detection integrations provide a convenient way to enable behavioral detection capabilities. They streamline the deployment of components that implement behavioral detection, such as data ingestion, transforms, rules, ((ml)) jobs, and scripts.
+
+<DocCallOut title="Requirements">
+* Behavioral detection integrations require the Security Analytics Complete <DocLink id="serverlessGeneralManageProject">project feature</DocLink>.
+* To learn more about the requirements for using ((ml)) jobs, refer to <DocLink id="serverlessSecurityMlRequirements" />.
+</DocCallOut>
+
+Here's a list of integrations for various behavioral detection use cases:
+
+* [Data Exfiltration Detection](((integrations-docs))/ded)
+* [Domain Generation Algorithm Detection](((integrations-docs))/dga)
+* [Lateral Movement Detection](((integrations-docs))/lmd)
+* [Living off the Land Attack Detection](((integrations-docs))/problemchild)
+* [Network Beaconing Identification](((integrations-docs))/beaconing)
+
+To learn more about ((ml)) jobs enabled by these integrations, refer to [Prebuilt job reference](((security-guide))/prebuilt-ml-jobs.html).

docs/serverless/docs/advanced-entity-analytics/entity-risk-scoring.mdx

@@ -0,0 +1,18 @@
+---
+id: serverlessSecurityEntityRiskScoring
+slug: /serverless/security/entity-risk-scoring
+title: Entity risk scoring
+description: Learn about the risk scoring engine and its features.
+tags: [ 'serverless', 'security', 'overview', 'analyze' ]
+status: in review
+---
+
+<DocBadge template="technical preview" />
+
+Entity risk scoring is an advanced ((elastic-sec)) analytics feature that helps security analysts detect changes in an entity's risk posture, hunt for new threats, and prioritize incident response.
+
+Entity risk scoring allows you to monitor risk score changes of hosts and users in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days.
+
+It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all ((elastic-sec)) use cases, and allows you to customize and control how and when risk is calculated.
+
+Learn how to <DocLink id="serverlessSecurityTurnOnRiskEngine">turn on the risk scoring engine</DocLink>.

docs/serverless/docs/advanced-entity-analytics/machine-learning.mdx

@@ -0,0 +1,88 @@
+---
+id: serverlessSecurityMachineLearning
+slug: /serverless/security/machine-learning
+title: Detect anomalies
+description: Use the power of machine learning to detect outliers and suspicious events.
+tags: ["serverless","security","overview","manage"]
+status: in review
+---
+
+<DocBadge template="technical preview" />
+<div id="machine-learning"></div>
+
+[((ml-cap))](((ml-docs))/ml-ad-overview.html) functionality is available when
+you have the appropriate role. Refer to <DocLink id="serverlessSecurityMlRequirements">Machine learning job and rule requirements</DocLink> for more information.
+
+You can view the details of detected anomalies within the `Anomalies` table
+widget shown on the Hosts, Network, and associated details pages, or even narrow
+to the specific date range of an anomaly from the `Max anomaly score by job` field
+in the overview of the details pages for hosts and IPs. These interfaces also
+offer the ability to drag and drop details of the anomaly to Timeline, such as
+the `Entity` itself, or any of the associated `Influencers`.
+
+<div id="manage-jobs"></div>
+
+## Manage ((ml)) jobs
+If you have the `machine_learning_admin` role, you can use the **ML job settings** interface on the **Alerts**, **Rules**, and **Rule Exceptions** pages to view, start, and stop ((elastic-sec)) ((ml)) jobs.
+
+![ML job settings UI on the Alerts page](../images/machine-learning/-detections-machine-learning-ml-ui.png)
+
+<div id="manage-ml-rules"></div>
+
+### Manage ((ml)) detection rules
+
+You can also check the status of ((ml)) detection rules, and start or stop their associated ((ml)) jobs:
+
+* On the **Rules** page, the **Last response** column displays the rule's current <DocLink id="serverlessSecurityRulesUiManagement" section="check-the-current-status-of-rules">status</DocLink>. An indicator icon (<DocIcon type="alert" title="Error" size="s"/>) also appears if a required ((ml)) job isn't running. Click the icon to list the affected jobs, then click **Visit rule details page to investigate** to open the rule's details page.
+
+    ![Rules table ((ml)) job error](../images/machine-learning/-detections-machine-learning-rules-table-ml-job-error.png)
+
+* On a rule's details page, check the **Definition** section to confirm whether the required ((ml)) jobs are running. Switch the toggles on or off to run or stop each job.
+
+    ![Rule details page with ML job stopped](../images/machine-learning/-troubleshooting-rules-ts-ml-job-stopped.png)
+
+<div id="included-jobs"></div>
+
+### Prebuilt jobs
+
+((elastic-sec)) comes with prebuilt ((ml)) ((anomaly-jobs)) for automatically detecting
+host and network anomalies. The jobs are displayed in the `Anomaly Detection`
+interface. They are available when either:
+
+* You ship data using [Beats](https://www.elastic.co/products/beats) or the
+    <DocLink id="serverlessSecurityInstallDefend">((agent))</DocLink>, and ((kib)) is configured with the required index
+    patterns (such as `auditbeat-*`, `filebeat-*`, `packetbeat-*`, or `winlogbeat-*`
+    in **Project settings** → **Management** → **Index Management**).
+
+Or
+
+* Your shipped data is ECS-compliant, and ((kib)) is configured with the shipped
+    data's index patterns in **Project settings** → **Management** → **Index Management**.
+
+Or
+
+* You install one or more of the <DocLink id="serverlessSecurityBehavioralDetectionUseCases" section="elastic-integrations-for-behavioral-detection-use-cases">Advanced Analytics integrations</DocLink>.
+
+<DocLink id="serverlessSecurityPrebuiltMlJobs">Prebuilt job reference</DocLink> describes all available ((ml)) jobs and lists which ECS
+fields are required on your hosts when you are not using ((beats)) or the ((agent))
+to ship your data. For information on tuning anomaly results to reduce the
+number of false positives, see <DocLink id="serverlessSecurityTuningAnomalyResults">Optimizing anomaly results</DocLink>.
+
+<DocCallOut title="Note">
+Machine learning jobs look back and analyze two weeks of historical data
+prior to the time they are enabled. After jobs are enabled, they continuously
+analyze incoming data. When jobs are stopped and restarted within the two-week
+time frame, previously analyzed data is not processed again.
+</DocCallOut>
+
+<div id="view-anomalies"></div>
+
+## View detected anomalies
+To view the `Anomalies` table widget and `Max Anomaly Score By Job` details,
+the user must have the `machine_learning_admin` or `machine_learning_user` role.
+
+<DocCallOut title="Note">
+To adjust the `score` threshold that determines which anomalies are shown,
+you can modify the **`securitySolution:defaultAnomalyScore`** advanced setting.
+</DocCallOut>
+

docs/serverless/docs/advanced-entity-analytics/prebuilt-ml-jobs.mdx

@@ -0,0 +1,11 @@
+---
+id: serverlessSecurityPrebuiltMlJobs
+slug: /serverless/security/prebuilt-ml-jobs
+title: Prebuilt ML job reference
+# description: Description to be written
+tags: [ 'serverless', 'security', 'reference' ]
+status: in review
+---
+
+<DocBadge template="technical preview" />
+Refer to [Prebuilt job reference](((security-guide))/prebuilt-ml-jobs.html) for information on available prebuilt ((ml)) jobs.