Commit 4e17b5a

Merge branch 'main' into eedugon-patch-5
2 parents af2123a + d7b07a7 commit 4e17b5a

10 files changed

+58
-40
lines changed


deploy-manage/distributed-architecture/discovery-cluster-formation.md

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ products:
88
---
99

1010
::::{important}
11-
The information provided in this section is applicable to all deployment types. However, the configuration settings detailed here are only valid for self-managed {{es}} deployments. For {{ecloud}} and {{serverless-full}} deployments this seciton should only be used for general information.
11+
The information provided in this section is applicable to all deployment types. However, the configuration settings detailed here are only valid for fully self-managed {{es}} deployments. For ECE, ECK, and ECH deployments, this section should only be used for general information and troubleshooting.
1212
::::
1313

1414
# Discovery and cluster formation [modules-discovery]
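Review bot: the rewritten admonition drops {{serverless-full}} from the list of deployment types it covers, so a Serverless reader no longer learns whether this section applies to them; add Serverless back to the "general information" clause, or state explicitly that it is not covered. The product names are also written as bare ECE, ECK, and ECH while the rest of the line uses substitution variables ({{es}}); if this docs set defines variables for those products, use them here for consistency.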

deploy-manage/security/updating-certificates.md

Lines changed: 1 addition & 1 deletion
@@ -23,7 +23,7 @@ Regardless of the scenario, {{es}} monitors the SSL resources for updates by def
2323

2424
Because {{es}} doesn’t reload the `elasticsearch.yml` configuration, you must use **the same file names** if you want to take advantage of automatic certificate and key reloading.
2525

26-
If you need to update the `elasticsearch.yml`](/deploy-manage/stack-settings.md) configuration or change passwords for keys or keystores that are stored in the [secure settings](secure-settings.md), then you must complete a [rolling restart](#use-rolling-restarts). {{es}} will not automatically reload changes for passwords stored in the secure settings.
26+
If you need to update the [`elasticsearch.yml`](/deploy-manage/stack-settings.md) configuration or change passwords for keys or keystores that are stored in the [secure settings](secure-settings.md), then you must complete a [rolling restart](#use-rolling-restarts). {{es}} will not automatically reload changes for passwords stored in the secure settings.
2727

2828
::::{admonition} Rolling restarts are preferred
2929
:name: use-rolling-restarts
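Review bot: the missing opening `[` is restored correctly. One style point on the same line: the two links use different path styles, absolute `/deploy-manage/stack-settings.md` and relative `secure-settings.md`; pick one convention for the file.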

deploy-manage/upgrade/deployment-or-cluster/reading-indices-from-older-elasticsearch-versions.md

Lines changed: 2 additions & 2 deletions
@@ -9,7 +9,7 @@ products:
99

1010
# Reading indices from older {{es}} versions [archive-indices]
1111

12-
{{es}} has full query and write support for indices created in the previous major version. If you have indices created in {{es}} versions 5 or 6, you can use the archive functionality to import them into newer {{es}} versions as well.
12+
{{es}} has full query and write support for indices created in the previous major version. If you have indices created in {{es}} versions 5, 6, or 7, you can use the archive functionality to import them into newer {{es}} versions as well.
1313

1414
The archive functionality provides slower read-only access to older {{es}} data, for compliance or regulatory reasons, the occasional lookback or investigation, or to rehydrate parts of it. Access to the data is expected to be infrequent, and can therefore happen with limited performance and query capabilities.
1515

@@ -50,7 +50,7 @@ Due to `_source` access, the data can also be [reindexed](https://www.elastic.co
5050

5151
## Upgrade older {{es}} clusters [_how_to_upgrade_older_es_clusters]
5252

53-
To upgrade older {{es}} 5 or 6 clusters:
53+
To upgrade older {{es}} 5, 6, or 7 clusters:
5454

5555
1. Take a snapshot of the indices in the old cluster.
5656
2. Delete any indices created before 8.0.0.
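Review bot: with 7 now included in "To upgrade older {{es}} 5, 6, or 7 clusters", step 2 ("Delete any indices created before 8.0.0") means deleting every index in a 7.x cluster, since none could have been created at 8.0.0 or later; confirm that is the intended procedure and that step 1's snapshot is understood to cover all of them, or reword step 2 so a 7.x reader does not mistake it for a partial cleanup.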

reference/fleet/alert-templates.md

Lines changed: 19 additions & 10 deletions
@@ -1,6 +1,4 @@
11
---
2-
mapped_pages:
3-
- https://www.elastic.co/guide/en/fleet/current/data-streams.html
42
applies_to:
53
stack: ga 9.2
64
serverless: ga
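Review bot: removing the `mapped_pages` entry for https://www.elastic.co/guide/en/fleet/current/data-streams.html drops the redirect from that legacy URL; unless the same URL is mapped on another page (the data streams page is the obvious owner), old links will 404. Confirm the mapping exists elsewhere before merging, or move it rather than delete it.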
@@ -17,23 +15,34 @@ navigation_title: Built-in alerts and templates
1715
When you install or upgrade {{agent}}, new alert rules are created automatically. You can configure and customize out-of-the-box alerts to get them up and running quickly.
1816

1917
::::{note}
20-
The built-in alerts feature for {{agent}} is available only for some subscription levels. The license (or a trial license) must be in place before you install or upgrade {{agent}} before this feature is available.
18+
The built-in alerts feature for {{agent}} is available only for some subscription levels. The license (or a trial license) must be in place _before_ you install or upgrade {{agent}} for the alert rules to be available.
2119

22-
Refer [Elastic subscriptions](https://www.elastic.co/subscriptions) for more information.
20+
Refer to [Elastic subscriptions](https://www.elastic.co/subscriptions) for more information.
2321
::::
2422

2523
In {{kib}}, you can enable out-of-the-box rules pre-configured with reasonable defaults to provide immediate value for managing agents.
26-
You can use [ES|QL](/explore-analyze/discover/try-esql.md) to author conditions for each rule.
27-
28-
Connectors are not added to rules automatically, but you can attach a connector to route alerts to your platform of choice -- Slack or email, for example.
29-
In addition, you can add filters for policies, tags, or hostnames to scope alerts to specific sets of agents
24+
You can use [{{esql}}](/explore-analyze/discover/try-esql.md) to author conditions for each rule.
3025

3126
You can find these rules in **Stack Management** > **Alerts and Insights** > **Rules**.
3227

28+
### Available alert rules [available-alert-rules]
29+
30+
| Alert | Description |
31+
| -------- | -------- |
32+
| [Elastic Agent] CPU usage spike| Checks if {{agent}} or any of its processes were pegged at a high CPU for a specified window of time. This could signal a bug in an application and warrant further investigation.<br> - Condition: Alert on `system.process.cpu.total.time.ms` over 80% for 5 minutes<br>- Default: Enabled |
33+
| [Elastic Agent] Dropped events | Checks ratio of dropped events to acknowledged events. Rows are distinguished by agent ID and component ID. <br> - Condition: Alert on ratio of dropped events to acked events of 5% or more<br>- Default: Enabled|
34+
| [Elastic Agent] Excessive memory usage| Checks if {{agent}} or any of its processes have a high memory usage or memory usage that is trending up. This could signal a memory leak in an application and warrant further investigation.<br>- Condition: Alert on `system.process.memory.rss.pct` more than 50%<br>- Default: Enabled |
35+
| [Elastic Agent] Excessive restarts| Checks for excessive restarts on a host. Some restarts can have a business impact, and getting alerts for them can enable timely mitigation.<br>- Condition: Alert on 11 or more restarts in a 5-minute window<br>- Default: Enabled |
36+
| [Elastic Agent] High pipeline queue | Checks percentage of pipeline queue. Rows are distinguished by agent ID and component ID. <br> - Condition: Alert on max of `beat.stats.libbeat.pipeline.queue.filled.pct` exceeding 90% <br>- Default: Enabled|
37+
| [Elastic Agent] Output errors | Checks errors per minute from an agent component. Rows are distinguished by agent ID and component ID. <br> - Condition: Alert on 6 or more errors per minute <br>- Default: Enabled|
38+
| [Elastic Agent] Unhealthy status | Checks agent status. An `unhealthy` status can indicate errors or degraded functionality of the agent. <br> - Condition: Alert on `unhealthy` status <br>- Default: Enabled|
39+
40+
**Connectors** are not added to rules automatically, but you can attach a connector to route alerts to your Slack, email, or other notification platforms.
41+
In addition, you can add filters for policies, tags, or hostnames to scope alerts to specific sets of agents.
3342

34-
## Alert templates assets for integrations [alert-templates]
43+
## Alert template assets for integrations [alert-templates]
3544

36-
Some integration packages include alerting rule template assets that provide pre-made definitions of alerting rules. You can use the templates to create your own custom alerting rules that you can enable and fine tune.
45+
Some integration packages include alerting rule template assets that provide pre-made definitions of alerting rules. You can use the templates to create your own custom alerting rules that you can enable and fine-tune.
3746

3847
When you click a template, you get a pre-filled rule creation form. You can define and adjust values, set up connectors, and define rule actions to create your custom alerting rule.
3948
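Review bot: the new table's CPU usage spike row compares `system.process.cpu.total.time.ms`, a millisecond counter by its name, against "over 80%"; either the field should be a percentage field or the condition should be stated in time units, so please confirm the condition against the actual rule definition. Two smaller points: `### Available alert rules` is a level-3 heading inserted before the file's first `##` heading (`## Alert template assets for integrations`), so it skips a level and will nest oddly in the sidebar; make it `##`. The `<br>` / `- Condition:` spacing also varies between rows (`<br> - Condition` in some cells, `<br>- Condition` in others); normalize it so the list renders the same in every cell.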

reference/fleet/manage-integrations.md

Lines changed: 1 addition & 1 deletion
@@ -47,4 +47,4 @@ You can perform a variety of actions in the **Integrations** app in {{kib}}. Som
4747

4848
## Customize integrations [customize-integrations]
4949

50-
After you've started using integrations to ingest data, you can customize how the data is managed over time. Refer to [Index lifecycle management](/reference/fleet/data-streams.md#data-streams-ilm) to learn more.
50+
After you've started using integrations to ingest data, you can customize how the data is managed over time. Refer to [{{ilm-cap}}](/reference/fleet/data-streams.md#data-streams-ilm) to learn more.

reference/fleet/migrate-auditbeat-to-agent.md

Lines changed: 8 additions & 8 deletions
@@ -24,20 +24,20 @@ The following table describes the integrations you can use instead of {{auditbea
2424

2525
| If you use… | You can use this instead… | Notes |
2626
| --- | --- | --- |
27-
| [Auditd](beats://reference/auditbeat/auditbeat-module-auditd.md) module | [Auditd Manager](integration-docs://reference/auditd_manager/index.md) integration | This integration is a direct replacement of the module. You can port rules andconfiguration to this integration. Starting in {{stack}} 8.4, you can also set the`immutable` flag in the audit configuration. |
28-
| [Auditd Logs](integration-docs://reference/auditd/index.md) integration | Use this integration if you don’t need to manage rules. It only parses logs fromthe audit daemon `auditd`. Note that the events created by this integrationare different than the ones created by[Auditd Manager](integration-docs://reference/auditd_manager/index.md), since the latter merges allrelated messages in a single event while [Auditd Logs](integration-docs://reference/auditd/index.md)creates one event per message. |
29-
| [File Integrity](beats://reference/auditbeat/auditbeat-module-file_integrity.md) module | [File Integrity Monitoring](integration-docs://reference/fim/index.md) integration | This integration is a direct replacement of the module. It reports real-timeevents, but cannot report who made the changes. If you need to track thisinformation, use [{{elastic-defend}}](/solutions/security/configure-elastic-defend/install-elastic-defend.md) instead. |
27+
| [Auditd](beats://reference/auditbeat/auditbeat-module-auditd.md) module | [Auditd Manager](integration-docs://reference/auditd_manager/index.md) integration | This integration is a direct replacement of the module. You can port rules and configuration to this integration. Starting in {{stack}} 8.4, you can also set the`immutable` flag in the audit configuration. |
28+
| [Auditd Logs](integration-docs://reference/auditd/index.md) integration | Use this integration if you don’t need to manage rules. It only parses logs from the audit daemon `auditd`. Note that the events created by this integration are different than the ones created by [Auditd Manager](integration-docs://reference/auditd_manager/index.md), since the latter merges all related messages in a single event while [Auditd Logs](integration-docs://reference/auditd/index.md) creates one event per message. |
29+
| [File Integrity](beats://reference/auditbeat/auditbeat-module-file_integrity.md) module | [File Integrity Monitoring](integration-docs://reference/fim/index.md) integration | This integration is a direct replacement of the module. It reports real-time events, but cannot report who made the changes. If you need to track this information, use [{{elastic-defend}}](/solutions/security/configure-elastic-defend/install-elastic-defend.md) instead. |
3030
| [System](beats://reference/auditbeat/auditbeat-module-system.md) module | It depends… | There is not a single integration that collects all this information. |
3131
| [System.host](beats://reference/auditbeat/auditbeat-dataset-system-host.md) dataset | [Osquery](integration-docs://reference/osquery/index.md) or [Osquery Manager](integration-docs://reference/osquery_manager/index.md) integration | Schedule collection of information like:<br><br>* [system_info](https://www.osquery.io/schema/5.1.0/#system_info) for hostname, unique ID, and architecture<br>* [os_version](https://www.osquery.io/schema/5.1.0/#os_version)<br>* [interface_addresses](https://www.osquery.io/schema/5.1.0/#interface_addresses) for IPs and MACs<br> |
3232
| [System.login](beats://reference/auditbeat/auditbeat-dataset-system-login.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Report login events. |
3333
| [Osquery](integration-docs://reference/osquery/index.md) or [Osquery Manager](integration-docs://reference/osquery_manager/index.md) integration | Use the [last](https://www.osquery.io/schema/5.1.0/#last) table for Linux and macOS. |
3434
| {{fleet}} [system](integration-docs://reference/system/index.md) integration | Collect login events for Windows through the [Security event log](integration-docs://reference/system/index.md#security). |
35-
| [System.package](beats://reference/auditbeat/auditbeat-dataset-system-package.md) dataset | [System Audit](integration-docs://reference/system_audit/index.md) integration | This integration is a direct replacement of the System Package dataset. Starting in {{stack}} 8.7, you can port rules and configuration settings to this integration. This integration currently schedules collection of information such as:<br><br>* [rpm_packages](https://www.osquery.io/schema/5.1.0/#rpm_packages)<br>* [deb_packages](https://www.osquery.io/schema/5.1.0/#deb_packages)<br>* [homebrew_packages](https://www.osquery.io/schema/5.1.0/#homebrew_packages)<br> |
35+
| [System.package](beats://reference/auditbeat/auditbeat-dataset-system-package.md) dataset | [System Audit](integration-docs://reference/system_audit/index.md) integration | This integration is a direct replacement for the System Package dataset. Starting in {{stack}} 8.7, you can port rules and configuration settings to this integration. This integration currently schedules collection of information such as:<br><br>* [rpm_packages](https://www.osquery.io/schema/5.1.0/#rpm_packages)<br>* [deb_packages](https://www.osquery.io/schema/5.1.0/#deb_packages)<br>* [homebrew_packages](https://www.osquery.io/schema/5.1.0/#homebrew_packages)<br> |
3636
| [Osquery](integration-docs://reference/osquery/index.md) or [Osquery Manager](integration-docs://reference/osquery_manager/index.md) integration | Schedule collection of information like:<br><br>* [rpm_packages](https://www.osquery.io/schema/5.1.0/#rpm_packages)<br>* [deb_packages](https://www.osquery.io/schema/5.1.0/#deb_packages)<br>* [homebrew_packages](https://www.osquery.io/schema/5.1.0/#homebrew_packages)<br>* [apps](https://www.osquery.io/schema/5.1.0/#apps) (MacOS)<br>* [programs](https://www.osquery.io/schema/5.1.0/#programs) (Windows)<br>* [npm_packages](https://www.osquery.io/schema/5.1.0/#npm_packages)<br>* [atom_packages](https://www.osquery.io/schema/5.1.0/#atom_packages)<br>* [chocolatey_packages](https://www.osquery.io/schema/5.1.0/#chocolatey_packages)<br>* [portage_packages](https://www.osquery.io/schema/5.1.0/#portage_packages)<br>* [python_packages](https://www.osquery.io/schema/5.1.0/#python_packages)<br> |
37-
| [System.process](beats://reference/auditbeat/auditbeat-dataset-system-process.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because out of the box it reports events forevery process in [ECS](integration-docs://reference/index.md) format and has excellent integration in {{kib}}. |
37+
| [System.process](beats://reference/auditbeat/auditbeat-dataset-system-process.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because out of the box it reports events for every process in [ECS](integration-docs://reference/index.md) format and has excellent integration in {{kib}}. |
3838
| [Custom Windows event log](integration-docs://reference/winlog/index.md) and [Sysmon](integration-docs://reference/sysmon_linux/index.md) integrations | Provide process data. |
39-
| [Osquery](integration-docs://reference/osquery/index.md) or[Osquery Manager](integration-docs://reference/osquery_manager/index.md) integration | Collect data from the [process](https://www.osquery.io/schema/5.1.0/#process) table on some OSeswithout polling. |
40-
| [System.socket](beats://reference/auditbeat/auditbeat-dataset-system-socket.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because it supports monitoring network connections on Linux,Windows, and MacOS. Includes process and user metadata. Currently does notdo flow accounting (byte and packet counts) or domain name enrichment (but doescollect DNS queries separately). |
41-
| [Osquery](integration-docs://reference/osquery/index.md) or [Osquery Manager](integration-docs://reference/osquery_manager/index.md) integration | Monitor socket events via the [socket_events](https://www.osquery.io/schema/5.1.0/#socket_events) tablefor Linux and MacOS. |
39+
| [Osquery](integration-docs://reference/osquery/index.md) or [Osquery Manager](integration-docs://reference/osquery_manager/index.md) integration | Collect data from the [process](https://www.osquery.io/schema/5.1.0/#process) table on some OSes without polling. |
40+
| [System.socket](beats://reference/auditbeat/auditbeat-dataset-system-socket.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because it supports monitoring network connections on Linux, Windows, and MacOS. Includes process and user metadata. Currently does not do flow accounting (byte and packet counts) or domain name enrichment (but does collect DNS queries separately). |
41+
| [Osquery](integration-docs://reference/osquery/index.md) or [Osquery Manager](integration-docs://reference/osquery_manager/index.md) integration | Monitor socket events via the [socket_events](https://www.osquery.io/schema/5.1.0/#socket_events) table for Linux and MacOS. |
4242
| [System.user](beats://reference/auditbeat/auditbeat-dataset-system-user.md) dataset | [Osquery](integration-docs://reference/osquery/index.md) or [Osquery Manager](integration-docs://reference/osquery_manager/index.md) integration | Monitor local users via the [user](https://www.osquery.io/schema/5.1.0/#user) table for Linux, Windows, and MacOS. |
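Review bot: one missing space survives on the Auditd row: "you can also set the`immutable` flag" still needs a space between `the` and the backtick. While in this table, the rows that list a second alternative for the same source (Auditd Logs, the Osquery rows, the {{fleet}} system integration) have only two cells, so the "If you use…" column is not explicitly empty; a leading `| |` keeps the three-column layout unambiguous. Capitalization of macOS is also mixed (`macOS` in the System.login row, `MacOS` in the System.socket and System.user rows).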
4343

release-notes/elastic-security/known-issues.md

Lines changed: 6 additions & 1 deletion
@@ -20,7 +20,7 @@ Known issues are significant defects or limitations that may impact your impleme
2020

2121
Applies to: 9.2.0
2222

23-
**Details**
23+
**Impact**
2424

2525
A new feature introduced to the entity store in 9.2.0 caused the transform to scan for nonexistent indices.
2626

@@ -54,6 +54,11 @@ Two workarounds are available:
5454
3. Your agent-based integration deployments will work as expected.
5555
2. Use agentless deployment.
5656
1. Instead of using agent-based deployment, use agentless deployment. Agentless deployment works as expected.
57+
58+
**Resolved**<br>
59+
60+
Resolved in {{stack}} 9.2.1
61+
5762
::::
5863

5964

solutions/observability/get-started/quickstart-elastic-cloud-otel-endpoint.md

Lines changed: 3 additions & 3 deletions
@@ -3,10 +3,10 @@ description: Learn how to use the Elastic Cloud Managed OTLP Endpoint to send lo
33
mapped_pages:
44
- https://www.elastic.co/guide/en/serverless/current/collect-data-with-native-otlp.html
55
applies_to:
6-
serverless:
6+
serverless: ga
77
deployment:
8-
ess:
9-
stack: preview 9.2
8+
ess: preview
9+
self: unavailable
1010
---
1111

1212
# Quickstart: Send OTLP data to Elastic Serverless or Elastic Cloud Hosted
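Review bot: replacing `stack: preview 9.2` with `ess: preview` loses the version at which the preview started, so the page no longer says which Elastic Cloud Hosted stack versions support the endpoint; if the `applies_to` syntax accepts a version on `ess`, use `ess: preview 9.2`, otherwise state the minimum version in the body. `self: unavailable` matches the title, which names only Serverless and Elastic Cloud Hosted.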

solutions/observability/streams/management/extract/manual-pipeline-configuration.md

Lines changed: 5 additions & 1 deletion
@@ -5,13 +5,17 @@ applies_to:
55
---
66
# Manual pipeline configuration [streams-manual-pipeline-configuration]
77

8+
:::{note}
9+
The manual pipeline configuration processor is only available on [classic streams](../../streams.md#streams-classic-vs-wired).
10+
:::
11+
812
The **Manual pipeline configuration** lets you create a JSON-encoded array of ingest pipeline processors.This is helpful if you want to add more advanced processing that isn't currently available as part of the UI-based processors.
913

1014
Refer to the following documentation for more on manually configuring processors:
1115

1216
- [Create readable and maintainable ingest pipelines](../../../../../manage-data/ingest/transform-enrich/readable-maintainable-ingest-pipelines.md)
1317
- [Error handling in ingest pipelines](../../../../../manage-data/ingest/transform-enrich/error-handling.md)
14-
- [Ingest processor reference][elasticsearch://reference/enrich-processor.md]
18+
- [Ingest processor reference](elasticsearch://reference/enrich-processor/index.md)
1519

1620
To manually create an array of ingest pipeline processors:
1721
