Merge branch 'main' into log-data-sources

mdbirnstiehl · web-flow · commit 0457764f08ee · 2025-07-31T08:54:39.000-05:00
diff --git a/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md b/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md
@@ -110,7 +110,7 @@ This table compares Observability capabilities between {{ech}} deployments and S
 | **APM integration** | ✅ | ✅ | Use **Managed Intake Service** (supports Elastic APM and OTLP protocols) |
 | [**APM Agent Central Configuration**](/solutions/observability/apm/apm-agent-central-configuration.md) | ✅ | ❌ | Not available in Serverless |
 | [**APM Tail-based sampling**](/solutions/observability/apm/transaction-sampling.md#apm-tail-based-sampling) | ✅ | ❌ | - Not available in Serverless <br>- Consider **OpenTelemetry** tail sampling processor as an alternative |
-| [**Android agent/SDK instrumentation**](opentelemetry://reference/edot-sdks/android/index.md) | ✅ | ❌ | Not available in Serverless |
+| [**Android agent/SDK instrumentation**](opentelemetry://reference/edot-sdks/android/index.md) | ✅ | ✅ | |
 | [**AWS Firehose integration**](/solutions/observability/cloud/monitor-amazon-web-services-aws-with-amazon-data-firehose.md) | ✅ | ✅ | |
 | **Custom roles for Kibana Spaces** | ✅ | **Planned** | Anticipated in a future release |
 | [**Data stream lifecycle**](/manage-data/lifecycle/data-stream.md) | ✅ | ✅ | Primary lifecycle management method in Serverless |
@@ -119,7 +119,7 @@ This table compares Observability capabilities between {{ech}} deployments and S
 | **[Fleet Agent policies](/reference/fleet/agent-policy.md)** | ✅ | ✅ | |
 | **[Fleet server](/reference/fleet/fleet-server.md)** | - Self-hosted <br>- Hosted | ✅ | Fully managed by Elastic |
 | [**Index lifecycle management**](/manage-data/lifecycle/index-lifecycle-management.md) | ✅ | ❌ | Use [**Data stream lifecycle**](/manage-data/lifecycle/data-stream.md) instead |
-| **[iOS agent/SDK instrumentation](opentelemetry://reference/edot-sdks/ios/index.md)** | ✅ | ❌ | Not available in Serverless |
+| **[iOS agent/SDK instrumentation](opentelemetry://reference/edot-sdks/ios/index.md)** | ✅ | ✅ | |
 | **[Kibana Alerts](/deploy-manage/monitor/monitoring-data/configure-stack-monitoring-alerts.md)** | ✅ | ✅ | |
 | **[LogsDB index mode](/manage-data/data-store/data-streams/logs-data-stream.md)** | ✅ | ✅ | - Reduces storage footprint <br> - Enabled by default <br>- Cannot be disabled |
 | **[Logs management](/solutions/observability/logs.md)** | ✅ | ✅ | |
diff --git a/docset.yml b/docset.yml
@@ -278,6 +278,7 @@ subs:
   agent-pull:   "https://github.com/elastic/elastic-agent/pull/"
   fleet-server-issue:   "https://github.com/elastic/fleet-server/issues/"
   fleet-server-pull:   "https://github.com/elastic/fleet-server/pull/"
+  es-pull:   "https://github.com/elastic/elasticsearch/pull/"
   kib-pull:   "https://github.com/elastic/kibana/pull/"
   eck_helm_minimum_version: "3.2.0"
   eck_resources_list: "Elasticsearch, Kibana, APM Server, Beats, Elastic Agent, Elastic Maps Server, and Logstash"
diff --git a/reference/security/defend-advanced-settings.md b/reference/security/defend-advanced-settings.md
diff --git a/release-notes/elastic-cloud-serverless/breaking-changes.md b/release-notes/elastic-cloud-serverless/breaking-changes.md
@@ -0,0 +1,11 @@
+---
+navigation_title: Breaking changes
+products:
+  - id: cloud-serverless
+---
+
+# {{serverless-full}} breaking changes [elastic-cloud-serverless-breaking-changes]
+
+## June 23, 2025 [serverless-changelog-06232025]
+
+* {{esql}}: Disallows mixed quoted/unquoted patterns in `FROM` commands [#127636]({{es-pull}}127636)
diff --git a/release-notes/elastic-cloud-serverless/toc.yml b/release-notes/elastic-cloud-serverless/toc.yml
@@ -1,4 +1,5 @@
 toc:
   - file: index.md
+  - file: breaking-changes.md
   - file: known-issues.md
   - file: deprecations.md
diff --git a/release-notes/fleet-elastic-agent/known-issues.md b/release-notes/fleet-elastic-agent/known-issues.md
@@ -17,6 +17,38 @@ Known issues are significant defects or limitations that may impact your impleme
 
 % :::
 
+:::{dropdown} {{agents}} remain in an "Upgrade scheduled" state
+
+**Applies to: {{agent}} 8.18.0, 8.18.1, 8.18.2, 8.18.3, 8.18.4, 8.19.0, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0**
+
+On July 2, 2025, a known issue was discovered where {{agent}} remains in an `Upgrade scheduled` state when a scheduled {{agent}} upgrade is cancelled. Attempting to restart the upgrade on the UI returns an error: `The selected agent is not upgradeable: agent is already being upgraded.`.
+
+For more information, check [Issue #8778](https://github.com/elastic/elastic-agent/issues/8778).
+
+**Workaround**
+
+Call the [Upgrade an agent](https://www.elastic.co/docs/api/doc/kibana/operation/operation-post-fleet-agents-agentid-upgrade) endpoint of the Kibana Fleet API with the `force` parameter set to `true` to force-upgrade the {{agent}}:
+
+```powershell
+curl --request POST \
+  --url https://<KIBANA_HOST>/api/fleet/agents/<AGENT_ID>/upgrade \
+  --user "<SUPERUSER_NAME>:<SUPERUSER_PASSWORD>" \
+  --header 'Content-Type: application/json' \
+  --header 'kbn-xsrf: true' \
+  --data '{"version": "<VERSION>","force": true}'
+```
+
+To force-upgrade multiple {{agents}}, call the [Bulk upgrade agents](https://www.elastic.co/docs/api/doc/kibana/operation/operation-post-fleet-agents-bulk-upgrade) endpoint of the Kibana Fleet API with the `force` parameter set to `true`:
+
+```powershell
+curl --request POST \
+  --url https://<KIBANA_HOST>/api/fleet/agents/bulk_upgrade \
+  --user "<SUPERUSER_NAME>:<SUPERUSER_PASSWORD>" \
+  --header 'Content-Type: application/json' \
+  --header 'kbn-xsrf: true' \
+  --data '{"version": "<VERSION>","force": true,"agents":["<AGENT_IDS>"]}'
+```
+:::
 
 :::{dropdown} [Windows] {{agent}} is unable to re-enroll into {{fleet}}
 
diff --git a/solutions/security/cloud/ingest-aws-security-hub-data.md b/solutions/security/cloud/ingest-aws-security-hub-data.md
@@ -11,9 +11,13 @@ products:
   - id: cloud-serverless
 ---
 
-# Ingest AWS Security Hub data
+# AWS Security Hub
+This page explains how to make data from the AWS Security Hub integration appear in the following places within {{elastic-sec}}:
 
-In order to enrich your {{elastic-sec}} workflows with third-party cloud security posture data collected by AWS Security Hub:
+- **Findings page**: Data appears on the [Misconfigurations](/solutions/security/cloud/findings-page.md) tab.
+- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section).
+
+In order for AWS Security Hub data to appear in these workflows:
 
 * Follow the steps to [set up the AWS Security Hub integration](https://docs.elastic.co/en/integrations/aws/securityhub).
 * Make sure the integration version is at least 2.31.1.
@@ -24,7 +28,6 @@ In order to enrich your {{elastic-sec}} workflows with third-party cloud securit
 :alt: AWS Security Hub integration settings showing the findings toggle
 :::
 
-After you’ve completed these steps, AWS Security Hub data will appear on the Misconfigurations tab of the [Findings](/solutions/security/cloud/findings-page.md) page.
-
-Any available findings data will also appear in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section) for related alerts. If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the [entity details flyout](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout).
-
+::::{note}
+You can ingest data from the AWS Security Hub integration for other purposes without following these steps.
+::::
diff --git a/solutions/security/cloud/ingest-cncf-falco-data.md b/solutions/security/cloud/ingest-cncf-falco-data.md
@@ -11,7 +11,7 @@ products:
   - id: cloud-serverless
 ---
 
-# Ingest CNCF Falco data
+# CNCF Falco
 
 CNCF Falco is an open-source runtime security tool that detects anomalous activity in Linux hosts, containers, Kubernetes, and cloud environments. You can ingest Falco alerts into {{es}} to view them on {{elastic-sec}}'s Alerts page and incorporate them into your security workflows by using Falcosidekick, a proxy forwarder which can send alerts from your Falco deployments to {{es}}.
 
diff --git a/solutions/security/cloud/ingest-third-party-cloud-security-data.md b/solutions/security/cloud/ingest-third-party-cloud-security-data.md
@@ -29,5 +29,10 @@ You can ingest third-party cloud security alerts into {{elastic-sec}} to view th
 
 You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](/solutions/security/cloud/findings-page.md) page, on the [Cloud Posture dashboard](/solutions/security/dashboards/cloud-security-posture-dashboard.md), and in the [entity details](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout) and [alert details](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section) flyouts.
 
-* Learn to [ingest cloud security posture data from AWS Security Hub](/solutions/security/cloud/ingest-aws-security-hub-data.md).
-* Learn to [ingest cloud security posture and vulnerability data from Wiz](/solutions/security/cloud/ingest-wiz-data.md).
+Data from each of the following integrations can feed into at least some of these workflows:
+
+* [AWS Security Hub](/solutions/security/cloud/ingest-aws-security-hub-data.md).
+* [Wiz](/solutions/security/cloud/ingest-wiz-data.md).
+* [Rapid7 InsightVM](/solutions/security/cloud/integration-rapid7.md).
+* [Tenable VM](/solutions/security/cloud/integration-tenablevm.md).
+* [Qualys VMDR](/solutions/security/cloud/integration-qualys.md).
diff --git a/solutions/security/cloud/ingest-wiz-data.md b/solutions/security/cloud/ingest-wiz-data.md
@@ -11,9 +11,15 @@ products:
   - id: cloud-serverless
 ---
 
-# Ingest Wiz data
+# Wiz
 
-In order to enrich your {{elastic-sec}} workflows with third-party cloud security posture and vulnerability data collected by Wiz:
+This page explains how to make data from the Wiz integration appear in the following places within {{elastic-sec}}:
+
+- **Findings page**: Data appears on the [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tab and the [Misconfiguations](/solutions/security/cloud/findings-page.md) tab.
+- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section).
+
+
+In order for Wiz data to appear in these workflows:
 
 * Follow the steps to [set up the Wiz integration](https://docs.elastic.co/en/integrations/wiz).
 * Make sure the integration version is at least 2.0.1.
@@ -28,10 +34,8 @@ In order to enrich your {{elastic-sec}} workflows with third-party cloud securit
 :alt: Wiz integration settings showing the vulnerabilities toggle
 :::
 
-After you’ve completed these steps, Wiz data will appear on the [Misconfiguations](/solutions/security/cloud/findings-page.md) and [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tabs of the Findings page.
+Your Wiz data should now appear throughout {{elastic-sec}}.
 
 :::{image} /solutions/images/security-wiz-findings.png
 :alt: Wiz data on the Findings page
 :::
-
-Any available findings data will also appear in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section) for related alerts. If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the [entity details flyout](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout).
diff --git a/solutions/security/cloud/integration-qualys.md b/solutions/security/cloud/integration-qualys.md
@@ -0,0 +1,32 @@
+---
+applies_to:
+  stack: all 
+  serverless:
+    security: all
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+# Qualys VMDR
+
+This page explains how to make data from the Qualys Vulnerability Management, Detection and Response integration (Qualys VMDR) appear in the following places within {{elastic-sec}}:
+
+- **Findings page**: Data appears on the [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tab.
+- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section).
+
+:::{note}
+Data from this integration does not appear on the [CNVM dashboard](/solutions/security/cloud/cnvm-dashboard.md).
+:::
+
+In order for Qualys VMDR data to appear in these workflows:
+
+- Ensure you have read privileges for the following index: `security_solution-*.vulnerability_latest`.
+- Follow the steps to [set up the Qualys VMDR integration](https://www.elastic.co/docs/reference/integrations/qualys_vmdr).
+  - While configuring the integration, in the **Host detection data** section, under **Input parameters**, enter `host_metadata=all`. This enables the ingest of `cloud.*` fields.
+- ({{stack}} users) Ensure you're on at least v8.16.
+- Make sure the integration version is at least 6.0.0.
+
+:::{note}
+You can ingest data from the Qualys VMDR integration for other purposes without following these steps.
+:::
diff --git a/solutions/security/cloud/integration-rapid7.md b/solutions/security/cloud/integration-rapid7.md
@@ -0,0 +1,31 @@
+---
+applies_to:
+  stack: all 
+  serverless:
+    security: all
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+
+# Rapid7
+This page explains how to make data from the Rapid7 InsightVM integration (Rapid7) appear in the following places within {{elastic-sec}}:
+
+- **Findings page**: Data appears on the [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tab.
+- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section).
+
+:::{note}
+Data from this integration does not appear on the [CNVM dashboard](/solutions/security/cloud/cnvm-dashboard.md).
+:::
+
+In order for Rapid7 data to appear in these workflows:
+
+- Ensure you have read privileges for the following index: `security_solution-*.vulnerability_latest`.
+- Follow the steps to [set up the Rapid7 integration](https://www.elastic.co/docs/reference/integrations/rapid7_insightvm).
+- ({{stack}} users) Ensure you're on at least v9.1.
+- Make sure the Rapid7 version is at least 2.0.0.
+
+:::{note}
+You can ingest data from the Rapid7 integration for other purposes without following these steps.
+:::
diff --git a/solutions/security/cloud/integration-tenablevm.md b/solutions/security/cloud/integration-tenablevm.md
@@ -0,0 +1,31 @@
+---
+applies_to:
+  stack: all 
+  serverless:
+    security: all
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+
+# Tenable VM  
+This page explains how to make data from the Tenable Vulnerability Management integration (Tenable VM) appear in the following places within {{elastic-sec}}:
+
+- **Findings page**: Data appears on the [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tab.
+- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section).
+
+::::{note}
+Data from this integration does not appear on the [CNVM dashboard](/solutions/security/cloud/cnvm-dashboard.md).
+::::
+
+In order for Tenable VM data to appear in these workflows:
+
+- Ensure you have read privileges for the following index: `security_solution-*.vulnerability_latest`.
+- Follow the steps to [set up the Tenable VM integration](https://www.elastic.co/docs/reference/integrations/tenable_io).
+- ({{stack}} users) Ensure you're on at least v9.1.
+- Make sure the Tenable VM version is at least 4.0.0.
+
+::::{note}
+You can ingest data from the Tenable VM integration for other purposes without following these steps.
+::::
diff --git a/solutions/security/investigate/visual-event-analyzer.md b/solutions/security/investigate/visual-event-analyzer.md
@@ -23,12 +23,19 @@ If you’re experiencing performance degradation, you can [exclude cold and froz
 
 ## Find events to analyze [find-events-analyze]
 
-You can only visualize events triggered by hosts configured with the {{elastic-defend}} integration or any `sysmon` data from `winlogbeat`.
+You can visualize events from the following sources:
 
-In KQL, this translates to any event with the `agent.type` set to either:
+* {{elastic-defend}} integration
+* Sysmon data collected through {{winlogbeat}}
+* [CrowdStrike integration](integration-docs://reference/crowdstrike.md) (Falcon logs collected through Event Stream or FDR)
+* [SentinelOne Cloud Funnel integration](integration-docs://reference/sentinel_one_cloud_funnel.md)
+
+In KQL, this translates to any event with the `agent.type` set to:
 
 * `endpoint`
 * `winlogbeat` with `event.module` set to `sysmon`
+* `filebeat` with `event.module` set to `crowdstrike`
+* `filebeat` with `event.module` set to `sentinel_one_cloud_funnel`
 
 To find events that can be visually analyzed:
 
@@ -37,13 +44,12 @@ To find events that can be visually analyzed:
     * Find **Hosts** in the main menu, or search for `Security/Explore/Hosts` by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then select the **Events** tab. A list of all your hosts' events appears at the bottom of the page.
     * Find **Alerts** in the main menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then scroll down to the Alerts table.
 
-2. Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting **Enter**:
+2. Filter events that can be visually analyzed by entering one of the following queries in the KQL search bar, then selecting **Enter**:
 
     * `agent.type:"endpoint" and process.entity_id :*`
-
-        Or
-
     * `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *`
+    * `agent.type:"filebeat" and event.module: "crowdstrike" and process.entity_id : *`
+    * `agent.type:"filebeat" and event.module: "sentinel_one_cloud_funnel" and process.entity_id : *`
 
 3. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout.
 
@@ -75,7 +81,7 @@ Within the visual analyzer, each cube represents a process, such as an executabl
 
 To understand what fields were used to create the process, select the **Process Tree** to show the schema that created the graphical view. The fields included are:
 
-* `SOURCE`: Can be either `endpoint` or `winlogbeat`
+* `SOURCE`: Indicates the data source—for example, `endpoint` or `winlogbeat`
 * `ID`: Event field that uniquely identifies a node
 * `EDGE`: Event field which indicates the relationship between two nodes
 
diff --git a/solutions/toc.yml b/solutions/toc.yml
@@ -615,6 +615,9 @@ toc:
               - file: security/cloud/ingest-cncf-falco-data.md
               - file: security/cloud/ingest-aws-security-hub-data.md
               - file: security/cloud/ingest-wiz-data.md
+              - file: security/cloud/integration-qualys.md
+              - file: security/cloud/integration-tenablevm.md
+              - file: security/cloud/integration-rapid7.md
       - file: security/investigate.md
         children:
           - file: security/investigate/timeline.md
diff --git a/troubleshoot/ingest/opentelemetry/contact-support.md b/troubleshoot/ingest/opentelemetry/contact-support.md
diff --git a/troubleshoot/ingest/opentelemetry/toc.yml b/troubleshoot/ingest/opentelemetry/toc.yml
