Merge branch 'main' into 495/496/serverless-estimate

Author: kilfoyle

contribute-docs/_snippets/applies_to-key.md

@@ -1,7 +1,7 @@
 `applies_to` accepts the following keys in this structure.
 
 * `serverless`: Applies to [Elastic Cloud Serverless](https://www.elastic.co/docs/deploy-manage/deploy/elastic-cloud/serverless).
-  * `security`: Applies to Serverless [security projects](https://www.elastic.co/docs/solutions/security/get-started/create-security-project).
+  * `security`: Applies to Serverless [security projects](https://www.elastic.co/docs/solutions/security/get-started#create-sec-serverless-project).
   * `elasticsearch`: Applies to Serverless [search projects](https://www.elastic.co/docs/solutions/search/serverless-elasticsearch-get-started).
   * `observability`: Applies to Serverless [observability projects](https://www.elastic.co/docs/solutions/observability/get-started).
 * `stack`: Applies to the [Elastic Stack](https://www.elastic.co/docs/get-started/the-stack) including any Elastic Stack components.

deploy-manage/deploy/elastic-cloud/create-an-organization.md

@@ -47,7 +47,7 @@ For more information, check the [{{ech}} documentation](cloud-hosted.md).
 
 * [{{es}}](../../../solutions/search.md)
 * [Observability](../../../solutions/observability.md)
-* [Security](../../../solutions/security/elastic-security-serverless.md)
+* [Security](../../../solutions/security.md)
 
 When you create a project, you select the project type applicable to your use case, so only the relevant and impactful applications and features are easily accessible to you.
 

deploy-manage/deploy/elastic-cloud/create-serverless-project.md

@@ -19,5 +19,5 @@ Choose the type of project that matches your needs and we’ll help you get star
 |  |  |
 | ![elasticsearch](../../images/64x64_Color_elasticsearch-logo-color-64px.png "elasticsearch =50%") | **Elasticsearch**<br> Build custom search applications with {{es}}.<br><br>[**View guide →**](/solutions/search/get-started.md)<br> |
 | ![observability](../../images/64x64_Color_observability-logo-color-64px.png "observability =50%") | **Observability**<br> Monitor applications and systems with Elastic Observability.<br><br>[**View guide →**](/solutions/observability/get-started.md)<br> |
-| ![security](../../images/64x64_Color_security-logo-color-64px.png "security =50%") | **Security**<br> Detect, investigate, and respond to threats with Elastic Security.<br><br>[**View guide →**](/solutions/security/get-started/create-security-project.md)<br> |
+| ![security](../../images/64x64_Color_security-logo-color-64px.png "security =50%") | **Security**<br> Detect, investigate, and respond to threats with Elastic Security.<br><br>[**View guide →**](/solutions/security/get-started.md#create-sec-serverless-project)<br> |
 |  |  |

deploy-manage/deploy/elastic-cloud/serverless.md

@@ -29,7 +29,7 @@ Elastic provides three serverless solutions available on {{ecloud}}. Follow thes
 
 * **[{{es-serverless}}](/solutions/search/get-started.md)**: Build powerful applications and search experiences using a rich ecosystem of vector search capabilities, APIs, and libraries.
 * **[{{obs-serverless}}](../../../solutions/observability/get-started.md)**: Monitor your own platforms and services using powerful machine learning and analytics tools with your logs, metrics, traces, and APM data.
-* **[{{sec-serverless}}](../../../solutions/security/get-started/create-security-project.md)**: Detect, investigate, and respond to threats with SIEM, endpoint protection, and AI-powered analytics capabilities.
+* **[{{sec-serverless}}](../../../solutions/security/get-started.md#create-sec-serverless-project)**: Detect, investigate, and respond to threats with SIEM, endpoint protection, and AI-powered analytics capabilities.
 
 Afterwards, you can:
 

deploy-manage/users-roles/cloud-organization/user-roles.md

@@ -96,20 +96,20 @@ You can optionally [create custom roles in a project](/deploy-manage/users-roles
 
 | Name | Description | Available |
 | --- | --- | --- |
-| Admin | Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges. | [![Elasticsearch](/deploy-manage/images/serverless-es-badge.svg "")](../../../solutions/search.md)[![Observability](/deploy-manage/images/serverless-obs-badge.svg "")](../../../solutions/observability.md)[![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
+| Admin | Has full access to project management, properties, and security privileges. Admins log into projects with superuser role privileges. | [![Elasticsearch](/deploy-manage/images/serverless-es-badge.svg "")](../../../solutions/search.md)[![Observability](/deploy-manage/images/serverless-obs-badge.svg "")](../../../solutions/observability.md)[![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
 | Developer | Creates API keys, indices, data streams, adds connectors, and builds visualizations. | [![Elasticsearch](/deploy-manage/images/serverless-es-badge.svg "")](../../../solutions/search.md) |
-| Viewer | Has read-only access to project details, data, and features. | [![Elasticsearch](/deploy-manage/images/serverless-es-badge.svg "")](../../../solutions/search.md)[![Observability](/deploy-manage/images/serverless-obs-badge.svg "")](../../../solutions/observability.md)[![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
-| Editor | Configures all Observability or Security projects. Has read-only access to data indices. Has full access to all project features. | [![Observability](/deploy-manage/images/serverless-obs-badge.svg "")](../../../solutions/observability.md)[![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
-| Tier 1 analyst | Ideal for initial alert triage. General read access, can create dashboards and visualizations. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
-| Tier 2 analyst | Ideal for alert triage and beginning the investigation process. Can create cases. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
-| Tier 3 analyst | Deeper investigation capabilities. Access to rules, lists, cases, Osquery, and response actions. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
-| Threat intelligence analyst | Access to alerts, investigation tools, and intelligence pages. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
-| Rule author | Access to detection engineering and rule creation. Can create rules from available data sources and add exceptions to reduce false positives. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
-| SOC manager | Access to alerts, cases, investigation tools, endpoint policy management, and response actions. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
-| Endpoint operations analyst | Access to endpoint response actions. Can manage endpoint policies, {{fleet}}, and integrations. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
-| Platform engineer | Access to {{fleet}}, integrations, endpoints, and detection content. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
-| Detections admin | All available detection engine permissions to include creating rule actions, such as notifications to third-party systems. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
-| Endpoint policy manager | Access to endpoint policy management and related artifacts. Can manage {{fleet}} and integrations. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md) |
+| Viewer | Has read-only access to project details, data, and features. | [![Elasticsearch](/deploy-manage/images/serverless-es-badge.svg "")](../../../solutions/search.md)[![Observability](/deploy-manage/images/serverless-obs-badge.svg "")](../../../solutions/observability.md)[![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
+| Editor | Configures all Observability or Security projects. Has read-only access to data indices. Has full access to all project features. | [![Observability](/deploy-manage/images/serverless-obs-badge.svg "")](../../../solutions/observability.md)[![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
+| Tier 1 analyst | Ideal for initial alert triage. General read access, can create dashboards and visualizations. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
+| Tier 2 analyst | Ideal for alert triage and beginning the investigation process. Can create cases. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
+| Tier 3 analyst | Deeper investigation capabilities. Access to rules, lists, cases, Osquery, and response actions. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
+| Threat intelligence analyst | Access to alerts, investigation tools, and intelligence pages. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
+| Rule author | Access to detection engineering and rule creation. Can create rules from available data sources and add exceptions to reduce false positives. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
+| SOC manager | Access to alerts, cases, investigation tools, endpoint policy management, and response actions. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
+| Endpoint operations analyst | Access to endpoint response actions. Can manage endpoint policies, {{fleet}}, and integrations. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
+| Platform engineer | Access to {{fleet}}, integrations, endpoints, and detection content. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
+| Detections admin | All available detection engine permissions to include creating rule actions, such as notifications to third-party systems. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
+| Endpoint policy manager | Access to endpoint policy management and related artifacts. Can manage {{fleet}} and integrations. | [![Security](/deploy-manage/images/serverless-sec-badge.svg "")](../../../solutions/security.md) |
 
 ## Role scopes [ec-role-scoping]
 

explore-analyze/alerts-cases/alerts/maintenance-windows.md

@@ -12,7 +12,7 @@ products:
 
 # Maintenance windows
 
-This content applies to: [![Observability](/explore-analyze/images/serverless-obs-badge.svg "")](../../../solutions/observability.md) [![Security](/explore-analyze/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md)
+This content applies to: [![Observability](/explore-analyze/images/serverless-obs-badge.svg "")](../../../solutions/observability.md) [![Security](/explore-analyze/images/serverless-sec-badge.svg "")](../../../solutions/security.md)
 
 
 You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages.

manage-data/ingest/transform-enrich/logstash-pipelines.md

@@ -10,7 +10,7 @@ products:
 
 # Logstash pipelines [logstash-pipelines]
 
-This content applies to: [![Elasticsearch](/manage-data/images/serverless-es-badge.svg "")](../../../solutions/search.md) [![Observability](/manage-data/images/serverless-obs-badge.svg "")](../../../solutions/observability.md) [![Security](/manage-data/images/serverless-sec-badge.svg "")](../../../solutions/security/elastic-security-serverless.md)
+This content applies to: [![Elasticsearch](/manage-data/images/serverless-es-badge.svg "")](../../../solutions/search.md) [![Observability](/manage-data/images/serverless-obs-badge.svg "")](../../../solutions/observability.md) [![Security](/manage-data/images/serverless-sec-badge.svg "")](../../../solutions/security.md)
 
 On the **{{ls-pipelines-app}}** management page, you can control multiple {{ls}} instances and pipeline configurations.
 

redirects.yml

@@ -587,6 +587,11 @@ redirects:
 
 # Related to https://github.com/elastic/docs-team/issues/104
   'solutions/observability/get-started/what-is-elastic-observability': 'solutions/observability.md'
+  'solutions/security/get-started/create-security-project.md': 
+    to: 'solutions/security/get-started.md'
+    anchors:
+      'create-sec-serverless-project':
+  'solutions/security/elastic-security-serverless.md': 'solutions/security.md'
 
 # Related to https://github.com/elastic/docs-content/pull/3808
-  'solutions/observability/get-started/other-tutorials/add-data-from-splunk.md': 'solutions/observability/get-started.md'
+  'solutions/observability/get-started/other-tutorials/add-data-from-splunk.md': 'solutions/observability/get-started.md'

reference/fleet/manage-integrations.md

@@ -43,6 +43,7 @@ You can perform a variety of actions in the **Integrations** app in {{kib}}. Som
 | [Install and uninstall integration assets](/reference/fleet/install-uninstall-integration-assets.md) | Install, uninstall, and reinstall integration assets in {{kib}}. |
 | [View integration assets](/reference/fleet/view-integration-assets.md) | View the {{kib}} assets installed for a specific integration. |
 | [Upgrade an integration](/reference/fleet/upgrade-integration.md) | Upgrade an integration to the latest version. |
+| [Roll back an integration](/reference/fleet/roll-back-integration.md) {applies_to}`stack: ga 9.3` | Roll back an integration to the previously installed version if issues occur after an upgrade. |
 
 ## Customize integrations [customize-integrations]
 

reference/fleet/roll-back-integration.md

@@ -0,0 +1,74 @@
+---
+navigation_title: Roll back an integration
+description: Roll back an Elastic Agent integration to the previously installed version, restoring the integration policies and configurations of the previous version.
+applies_to:
+  stack: ga 9.3
+  serverless: ga
+products:
+  - id: fleet
+  - id: elastic-agent
+---
+
+# Roll back an {{agent}} integration
+
+::::{note}
+This feature is available only for certain subscription levels. For more information, refer to [Elastic subscriptions]({{subscriptions}}).
+::::
+
+If you encounter issues after upgrading an integration, you can roll back the integration to the version installed before the upgrade. During the rollback action, the integration package and all associated integration policies and their configurations are automatically restored to the previously installed version.
+
+Consider rolling back an integration if:
+
+- The upgraded integration introduces breaking changes that affect your data collection.
+- The new version causes unexpected behavior or errors in your environment.
+- You need to revert to a previous version for compatibility reasons.
+
+:::{note}
+By default, the rollback action is available for 7 days following the integration upgrade. After the rollback window expires, you can no longer roll back the integration to the previously installed version.
+
+You can [configure the rollback time-to-live (TTL)](#configure-rollback-ttl) in {{ech}} or self-managed deployments.
+:::
+
+## Requirements
+
+To successfully roll back an integration, you must have access to all of its integration policies across **all spaces**. If you don't have access to the related spaces, the rollback action will not succeed.
+
+## Roll back an integration
+
+1. In {{kib}}, go to **Integrations** > **Installed integrations**.
+2. Select the integration you want to roll back, then open the integration's **Settings** tab.
+3. Click **Rollback <integration>**.
+
+   If the button is disabled for an integration, this may indicate:
+   - The 7-day rollback window has expired.
+   - You don't have access to all integration policies across all spaces.
+   - No previous version is available to roll back to.
+   - The integration was never upgraded.
+   - The integration is not installed from the {{package-registry}}.
+
+4. In the confirmation window, click **Rollback integration**. A confirmation appears if the rollback is successful.
+
+After the rollback of the integration is complete, the associated integration policies, their configurations and related assets are restored to the integration's previous version.
+
+::::{tip}
+You can also roll back an integration from **Integrations** > **Installed integrations**:
+
+1. Click the actions button at the end of the integration's row.
+2. Select **Rollback integration**, then confirm the action.
+::::
+
+:::{note}
+The automatic upgrade of rolled back integrations is disabled until the integrations are manually upgraded.
+:::
+
+## Configure the rollback TTL [configure-rollback-ttl]
+
+The default duration of the rollback window is 7 days. To configure the rollback TTL duration, add the `xpack.fleet.integrationRollbackTTL` setting in the user settings of your {{ech}} deployment or in the `kibana.yml` configuration file of your self-managed deployment.
+
+For example, to extend the rollback window to 14 days, set:
+
+```yml
+xpack.fleet.integrationRollbackTTL: 14d
+```
+
+For more information, refer to [{{fleet}} settings in {{kib}}](kibana://reference/configuration-reference/fleet-settings.md).